According to Qualys you are missing certificates listed in Certification
Paths; are you really sure you have them? Your server only provides the
server certificate, and hence the error/warning.

On 22 April 2016 at 15:51, Steve Sobol - Lobos Studios <[email protected]> wrote:

> Yes. It doesn't work with Qualys, and openssl s_client is reporting error
> 21, unable to verify the first certificate.
>
> Also, I grabbed the list of supported certificates from the logs, and I put
> them into my SSLContextFactory config and added the two missing ones, and
> it doesn't matter - TLS 1.0 is still not available.
>
> Tried putting all of the CA certs in the keystore with the website certs,
> too. No love.
>
> On 4/21/2016 11:23 PM, Peter Ondruška wrote:
>
> As for the broken certificate chain, are you sure you included all the
> certificates in chain (including root, all intermediaries)?
>
> On 21 April 2016 at 23:47, Steve Sobol - Lobos Studios <[email protected]> wrote:
>
>> Ok. This is not cool. After the upgrade to 9.3.8 and a modification of my
>> SSLContextFactory
>>
>> <?xml version="1.0"?>
>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>
>> <!-- ============================================================= -->
>> <!-- SSL ContextFactory configuration                              -->
>> <!-- ============================================================= -->
>> <Configure id="sslContextFactory"
>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>   <Set name="KeyStorePath"><Property name="jetty.base" default="."
>> />/keystores/www6-production-keystore.jks</Set>
>>   <Set
>> name="KeyStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
>>   <Set name="TrustStorePath"><Property name="jetty.base" default="."
>> />/keystores/truststore.jks</Set>
>>   <Set
>> name="TrustStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
>>   <Set name="NeedClientAuth">false</Set>
>>   <Set name="WantClientAuth">false</Set>
>>   <Call name="addExcludeCipherSuites">
>>     <Arg>
>>       <Array type="String">
>>         <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
>>         <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
>>       </Array>
>>     </Arg>
>>   </Call>
>>   <Set name="useCipherSuitesOrder"><Property
>> name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
>> </Configure>
>>
>> the weak cipher warnings are all gone, but the server only speaks TLS 1.2
>> now, and the test's simulated IE 10 connection is failing. I'm OK not
>> supporting Android browsers prior to 4.4; they're old. I'm fine not
>> supporting IE 6, 7, 8 and Safari browsers that are three versions older
>> than the current version (those tests all failed). But I need to support IE
>> 9, 10 and 11.
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=admin.bamidbarconnect.com
>>
>> Also, does ANYONE know how to fix the allegedly broken certificate chain?
>>
>> Thanks
>>
>>
>> On 4/21/2016 12:59 PM, Steve Sobol - Lobos Studios wrote:
>>
>> So in the future, if I need to update the list and am not able to
>> immediately upgrade Jetty for whatever reason, I'm thinking I should use
>>
>> addExcludeCipherSuites()
>>
>> instead, yes?
>>
>> On 4/21/2016 12:57 PM, Joakim Erdfelt wrote:
>>
>> When you used <Set name="ExcludeCipherSuites">
>>
>> You undid the existing exclusions in Jetty 9.3.3
>>
>>
>> https://github.com/eclipse/jetty.project/blob/jetty-9.3.3.v20150827/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L259
>>
>>     public SslContextFactory(boolean trustAll)
>>     {
>>         setTrustAll(trustAll);
>>         addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
>>         setExcludeCipherSuites(
>>                 "SSL_RSA_WITH_DES_CBC_SHA",
>>                 "SSL_DHE_RSA_WITH_DES_CBC_SHA",
>>                 "SSL_DHE_DSS_WITH_DES_CBC_SHA",
>>                 "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
>>                 "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
>>                 "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
>>                 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
>>     }
>>
>> If you use Jetty 9.3.8, you'll find the exclusion list is more strict ...
>>
>>
>> https://github.com/eclipse/jetty.project/blob/jetty-9.3.8.v20160314/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L255
>>
>>     public SslContextFactory(boolean trustAll)
>>     {
>>         setTrustAll(trustAll);
>>         addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
>>         setExcludeCipherSuites(
>>                 "^.*_RSA_.*_(MD5|SHA|SHA1)$",
>>                 "SSL_DHE_DSS_WITH_DES_CBC_SHA",
>>                 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
>>     }
>>
>>
>> Joakim Erdfelt / [email protected]
>>
>> On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios <[email protected]> wrote:
>>
>>> Jetty 9.3.3.v20150827
>>>
>>> I have two problems the Qualys SSL Test is reporting with one of my
>>> Jetty-hosted websites and I'm not sure how to fix them.
>>>
>>> Both are preventing this website from getting an "A" rating. I'm at a
>>> "B" now.
>>>
>>> First: "This server supports weak Diffie-Hellman (DH) key exchange
>>> parameters."
>>> There were a half-dozen weak ciphers I was able to disable. Only one is
>>> still being reported active:
>>> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>>
>>> But I am doing this:
>>> <?xml version="1.0"?>
>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>>
>>> <!-- ============================================================= -->
>>> <!-- SSL ContextFactory configuration                              -->
>>> <!-- ============================================================= -->
>>> <Configure id="sslContextFactory"
>>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>>   <Set name="KeyStorePath"><Property name="jetty.base" default="."
>>> />/path/to/keystore.jks</Set>
>>>   <Set name="KeyStorePassword">OBF:NoneYoBizness</Set>
>>>   <Set name="TrustStorePath"><Property name="jetty.base" default="."
>>> />/path/to/keystore.jks</Set>
>>>   <Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
>>>   <Set name="NeedClientAuth">false</Set>
>>>   <Set name="WantClientAuth">false</Set>
>>>   <Set name="ExcludeCipherSuites">
>>>   <Array type="String">
>>>     <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
>>>     <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
>>>     <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
>>>     <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
>>>     <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>>>     <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>>>     <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
>>>     <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
>>>     <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
>>>     <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
>>>     <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
>>>   </Array>
>>>   </Set>
>>>   <Set name="useCipherSuitesOrder"><Property
>>> name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
>>> </Configure>
>>>
>>> I specifically exclude the cipher SSL Labs is complaining about.
>>>
>>> The other problem: The SSL Labs test says that my certificate chain is
>>> incomplete. But I have the Comodo certificate for the website in the
>>> server's keystore, and I have all three intermediate certificates in the
>>> truststore.
>>>
>>> Any ideas?
>>>
>>> Thanks.
>>>
>>>
>>>
>>>
>>> --
>>> Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com |
>>> Facebook.com/LobosStudios | @LobosStudios
>>> Web Development - Mobile Development - Helpdesk/Tech Support - Computer
>>> Sales & Service
>>> Acer Authorized Reseller - Computers, Windows and Android Tablets,
>>> Accessories
>>>
>>> Steve Sobol - CEO, Senior Developer and Server Jockey
>>> [email protected]
>>>
>>> _______________________________________________
>>> jetty-users mailing list
>>> [email protected]
>>> To change your delivery options, retrieve your password, or unsubscribe
>>> from this list, visit
>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>>
>>
>>
>
>
> kaibo, s.r.o., ID 28435036, registered with the commercial register
> administered by the Municipal Court in Prague, section C, insert 141269.
> Registered office and postal address: kaibo, s.r.o., Kališnická 379/10,
> Prague 3, 130 00, Czech Republic.
> https://www.kaibo.eu
>
>
>


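Two configuration points run through this thread: `<Set name="ExcludeCipherSuites">` replaces Jetty's built-in exclusion list while `addExcludeCipherSuites` appends to it, and the 9.3.8 default entry `^.*_RSA_.*_(MD5|SHA|SHA1)$` removes every RSA-authenticated suite with a SHA-1 or MD5 MAC, which is exactly the set of suites a TLS 1.0/1.1 client such as IE 9 or 10 can negotiate. The Python model below is an added example, not Jetty's code and not from the thread. It imitates Jetty 9.3's selection rule (each exclusion entry is compiled as a regular expression that must match the whole suite name); the supported-suite list is a constructed sample, and the TLS 1.2-only classification (SHA-256/384 MACs, GCM/CCM modes) is a heuristic assumption.

```python
"""Added model of Jetty 9.3 cipher-suite exclusion (not Jetty's own code).

Each exclusion entry is compiled as a regular expression that has to match the
whole suite name, mirroring how SslContextFactory applies its exclude list.
"""
import re

# Constructed sample of suites a JVM of that era typically enables.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
]

# Default exclusions as quoted in the thread for the two Jetty versions.
DEFAULT_EXCLUDES_9_3_3 = (
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
)
DEFAULT_EXCLUDES_9_3_8 = (
    "^.*_RSA_.*_(MD5|SHA|SHA1)$",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
)

# The four entries the first posted configuration added on top of the defaults.
EXTRA_EXCLUDES = (
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
)

# Heuristic assumption: suites with SHA-256/384 MACs or AEAD (GCM/CCM) modes
# exist only in TLS 1.2; everything else can also be negotiated by TLS 1.0/1.1.
_TLS12_ONLY = re.compile(r"_GCM_|_CCM|_SHA256$|_SHA384$")


class SslContextFactoryModel:
    """Just enough of SslContextFactory to show how the exclude list behaves."""

    def __init__(self, default_excludes):
        self._excludes = list(default_excludes)

    def set_exclude_cipher_suites(self, *patterns):
        """Mirrors <Set name="ExcludeCipherSuites">: the default list is replaced."""
        self._excludes = list(patterns)

    def add_exclude_cipher_suites(self, *patterns):
        """Mirrors <Call name="addExcludeCipherSuites">: entries are appended."""
        self._excludes.extend(patterns)

    def select_cipher_suites(self, supported=SUPPORTED_SUITES):
        """Drop every supported suite that fully matches any exclusion pattern."""
        selected = list(supported)
        for entry in self._excludes:
            pattern = re.compile(entry)
            selected = [s for s in selected if not pattern.fullmatch(s)]
        return selected


def offers_pre_tls12_suite(suites):
    """True if at least one selected suite can be used by a TLS 1.0/1.1 client."""
    return any(not _TLS12_ONLY.search(s) for s in suites)


def scenario_set_only_new_entries():
    """9.3.3 with a <Set> carrying only the four new entries: defaults are lost."""
    factory = SslContextFactoryModel(DEFAULT_EXCLUDES_9_3_3)
    factory.set_exclude_cipher_suites(*EXTRA_EXCLUDES)
    return factory.select_cipher_suites()


def scenario_add_new_entries():
    """9.3.3 with addExcludeCipherSuites for the same four entries: defaults kept."""
    factory = SslContextFactoryModel(DEFAULT_EXCLUDES_9_3_3)
    factory.add_exclude_cipher_suites(*EXTRA_EXCLUDES)
    return factory.select_cipher_suites()


def scenario_9_3_8_defaults():
    """Plain 9.3.8 defaults: the regex removes every RSA suite with a SHA-1/MD5 MAC."""
    return SslContextFactoryModel(DEFAULT_EXCLUDES_9_3_8).select_cipher_suites()


if __name__ == "__main__":
    for name, suites in (("9.3.3 <Set>", scenario_set_only_new_entries()),
                         ("9.3.3 add", scenario_add_new_entries()),
                         ("9.3.8 defaults", scenario_9_3_8_defaults())):
        print(f"{name}: pre-TLS1.2 clients possible: {offers_pre_tls12_suite(suites)}")
        for suite in suites:
            print("   ", suite)
```

Running it shows that a `<Set>` listing only the four new entries silently re-enables the DES and export suites Jetty excluded by default, that `addExcludeCipherSuites` does not, and that under the 9.3.8 defaults no suite usable below TLS 1.2 survives, which is what the "server only speaks TLS 1.2 now" observation above describes. Keeping IE 9/10 working on such a build means replacing the regex with a narrower exclusion that leaves one SHA-1 MAC suite such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled, accepting the weaker MAC for those clients.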