These 2 should not have been excluded by Jetty, and should be the ones in common for IE 8-10
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy128 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy256 Those are listed as a supported cipher suite for Java 7 and Java 8 https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html Joakim Erdfelt / [email protected] On Thu, Apr 21, 2016 at 4:15 PM, Greg Wilkins <[email protected]> wrote: > Steve, > > running stock jetty-9.3 in latest java8 gives me the following > protocols and ciphers: > > [TLSv1, TLSv1.1, TLSv1.2] > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 > TLS_RSA_WITH_AES_128_CBC_SHA256 > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 > TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA > TLS_DHE_DSS_WITH_AES_128_CBC_SHA > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 > TLS_RSA_WITH_AES_128_GCM_SHA256 > TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 > TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 > TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 > TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA > TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA > SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA > TLS_ECDHE_ECDSA_WITH_RC4_128_SHA > TLS_ECDH_ECDSA_WITH_RC4_128_SHA > TLS_EMPTY_RENEGOTIATION_INFO_SCSV > > > Following the link on ssllabs shows that IE 8-10 will only speak > SSL3.0 or TLS1.0.... so TLS1.0 it will have to be. It has the > following ciphers: > > TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128 > TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256 > TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK128 > TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112 > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy128 > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy256 > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy128 > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy256 > TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32) Forward Secrecy2128 > TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38) Forward Secrecy2256 > TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13) Forward Secrecy2112 > TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK > > > So there are indeed no ciphers in common! > > You would think that TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256 should be > acceptable to the server as it does accept > TLS_RSA_WITH_AES_128_CBC_SHA256 ? > > Let me investigate why that is not being offered.... > > > > > > > On 22 April 2016 at 07:47, Steve Sobol - Lobos Studios > <[email protected]> wrote: > > Ok. This is not cool. After the upgrade to 9.3.8 and a modification of my > > SSLContextFactory > > > > <?xml version="1.0"?> > > <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" > > "http://www.eclipse.org/jetty/configure_9_3.dtd";> > > > > <!-- ============================================================= --> > > <!-- SSL ContextFactory configuration --> > > <!-- ============================================================= --> > > <Configure id="sslContextFactory" > > class="org.eclipse.jetty.util.ssl.SslContextFactory"> > > <Set name="KeyStorePath"><Property name="jetty.base" default="." > > />/keystores/www6-production-keystore.jks</Set> > > <Set > > > name="KeyStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set> > > <Set name="TrustStorePath"><Property name="jetty.base" default="." > > />/keystores/truststore.jks</Set> > > <Set > > > name="TrustStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set> > > <Set name="NeedClientAuth">false</Set> > > <Set name="WantClientAuth">false</Set> > > <Call name="addExcludeCipherSuites"> > > <Arg> > > <Array type="String"> > > <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 </Item> > > <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item> > > </Array> > > </Arg> > > </Call> > > <Set name="useCipherSuitesOrder"><Property > > name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set> > > </Configure> > > > > the weak cipher warnings are all gone, but the server only speaks TLS 1.2 > > now, and a the test's simulated IE 10 connection is failing. I'm OK not > > supporting Android browsers prior to 4.4; they're old. I'm fine not > > supporting IE 6, 7, 8 and Safari browsers that are three versions older > than > > the current version (those tests all failed). But I need to support IE > 9, 10 > > and 11. > > > > https://www.ssllabs.com/ssltest/analyze.html?d=admin.bamidbarconnect.com > > > > Also, does ANYONE know how to fix the allegedly broken certificate chain? > > > > Thanks > > > > > > > > On 4/21/2016 12:59 PM, Steve Sobol - Lobos Studios wrote: > > > > So in the future, if I need to update the list and am not able to > > immediately upgrade Jetty for whatever reason, I'm thinking I should use > > > > addExcludeCipherSuites() > > > > instead, yes? > > > > > > On 4/21/2016 12:57 PM, Joakim Erdfelt wrote: > > > > When you used <Set name="ExcludeCipherSuites"> > > > > You undid the existing exclusions in Jetty 9.3.3 > > > > > https://github.com/eclipse/jetty.project/blob/jetty-9.3.3.v20150827/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L259 > > > > public SslContextFactory(boolean trustAll) > > { > > setTrustAll(trustAll); > > addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3"); > > setExcludeCipherSuites( > > "SSL_RSA_WITH_DES_CBC_SHA", > > "SSL_DHE_RSA_WITH_DES_CBC_SHA", > > "SSL_DHE_DSS_WITH_DES_CBC_SHA", > > "SSL_RSA_EXPORT_WITH_RC4_40_MD5", > > "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", > > "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", > > "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"); > > } > > > > If you use Jetty 9.3.8, you'll find the exclusion list is more strict ... > > > > > https://github.com/eclipse/jetty.project/blob/jetty-9.3.8.v20160314/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L255 > > > > public SslContextFactory(boolean trustAll) > > { > > setTrustAll(trustAll); > > addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3"); > > setExcludeCipherSuites( > > "^.*_RSA_.*_(MD5|SHA|SHA1)$", > > "SSL_DHE_DSS_WITH_DES_CBC_SHA", > > "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"); > > } > > > > > > Joakim Erdfelt / [email protected] > > > > On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios > > <[email protected]> wrote: > >> > >> Jetty 9.3.3.v20150827 > >> > >> I have two problems the Qualys SSL Test is reporting with one of my > >> Jetty-hosted websites and I'm not sure how to fix them. > >> > >> Both are preventing this website from getting an "A" rating. I'm at a > "B" > >> now. > >> > >> First: "This server supports weak Diffie-Hellman (DH) key exchange > >> parameters." > >> There were a half-dozen weak ciphers I was able to disable. Only one is > >> still being reported active: > >> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA > >> > >> But I am doing this: > >> <?xml version="1.0"?> > >> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" > >> "http://www.eclipse.org/jetty/configure_9_3.dtd";> > >> > >> <!-- ============================================================= --> > >> <!-- SSL ContextFactory configuration --> > >> <!-- ============================================================= --> > >> <Configure id="sslContextFactory" > >> class="org.eclipse.jetty.util.ssl.SslContextFactory"> > >> <Set name="KeyStorePath"><Property name="jetty.base" default="." > >> />/path/to/keystore.jks</Set> > >> <Set name="KeyStorePassword">OBF:NoneYoBizness</Set> > >> <Set name="TrustStorePath"><Property name="jetty.base" default="." > >> />/path/to/keystore.jks</Set> > >> <Set name="TrustStorePassword">OBF:NoneYoBizness</Set> > >> <Set name="NeedClientAuth">false</Set> > >> <Set name="WantClientAuth">false</Set> > >> <Set name="ExcludeCipherSuites"> > >> <Array type="String"> > >> <Item>SSL_RSA_WITH_DES_CBC_SHA</Item> > >> <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item> > >> <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item> > >> <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item> > >> <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> > >> <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> > >> <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item> > >> <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item> > >> <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item> > >> <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item> > >> <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item> > >> </Array> > >> </Set> > >> <Set name="useCipherSuitesOrder"><Property > >> name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set> > >> </Configure> > >> > >> I specifically exclude the cipher SSL Labs is complaining about. > >> > >> The other problem: The SSL Labs test says that my certificate chain is > >> incomplete. But I have the Comodo certificate for the website in the > >> server's keystore, and I have all three intermediate certificates in the > >> truststore. > >> > >> Any ideas? > >> > >> Thanks. > >> > >> > >> > >> > >> -- > >> Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | > >> Facebook.com/LobosStudios | @LobosStudios > >> Web Development - Mobile Development - Helpdesk/Tech Support - Computer > >> Sales & Service > >> Acer Authorized Reseller - Computers, Windows and Android Tablets, > >> Accessories > >> > >> Steve Sobol - CEO, Senior Developer and Server Jockey > >> [email protected] > >> > >> _______________________________________________ > >> jetty-users mailing list > >> [email protected] > >> To change your delivery options, retrieve your password, or unsubscribe > >> from this list, visit > >> https://dev.eclipse.org/mailman/listinfo/jetty-users > > > > > > > > > > _______________________________________________ > > jetty-users mailing list > > [email protected] > > To change your delivery options, retrieve your password, or unsubscribe > from > > this list, visit > > https://dev.eclipse.org/mailman/listinfo/jetty-users > > > > > > -- > > Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | > > Facebook.com/LobosStudios | @LobosStudios > > Web Development - Mobile Development - Helpdesk/Tech Support - Computer > > Sales & Service > > Acer Authorized Reseller - Computers, Windows and Android Tablets, > > Accessories > > > > Steve Sobol - CEO, Senior Developer and Server Jockey > > [email protected] > > > > > > -- > > Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | > > Facebook.com/LobosStudios | @LobosStudios > > Web Development - Mobile Development - Helpdesk/Tech Support - Computer > > Sales & Service > > Acer Authorized Reseller - Computers, Windows and Android Tablets, > > Accessories > > > > Steve Sobol - CEO, Senior Developer and Server Jockey > > [email protected] > > > > > > _______________________________________________ > > jetty-users mailing list > > [email protected] > > To change your delivery options, retrieve your password, or unsubscribe > from > > this list, visit > > https://dev.eclipse.org/mailman/listinfo/jetty-users > > > > -- > Greg Wilkins <[email protected]> CTO http://webtide.com > _______________________________________________ > jetty-users mailing list > [email protected] > To change your delivery options, retrieve your password, or unsubscribe > from this list, visit > https://dev.eclipse.org/mailman/listinfo/jetty-users >
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
