The cipher suite names are part of the RFC standard. The names starting with SSL_* are all deprecated according to various recommendations across the industry. (The ones starting with SSL_* are part of the SSLv3 spec per the various standards, and as such are excluded.) You appear to be using a JVM that reports non-standard Cipher Suite names. (You should file a report against your JVM to have them report the supported cipher suite names using the RFC standard and IANA registered names.) This kind of non-standard JVM behavior is not supported "out of the box" on Jetty.
You will have to identify each reported Cipher Suite from your JVM against the various standards and specifically include each one using the non-standard names your JVM appears to want in the SslContextFactory include cipher suites configuration. Make sure you empty out the default excluded cipher suites first (set it to a null or empty array).

Joakim Erdfelt / [email protected]

On Tue, Feb 2, 2021 at 2:05 PM Eze Ikonne <[email protected]> wrote:

> Hi all,
>
> I need some clarifications regarding the proper names for TLSv1.3 cipher suites. So, in the previous versions of our embedded Jetty, we had to prefix ciphersuites with “SSL_” otherwise the configured ciphersuites were not recognized by Jetty SSL context modules.
>
> Now, we want to support TLSv1.3 and we are getting the following error messages. On the surface, it appears that Jetty doesn’t allow the TLSv1.3 cipher suites prefixed with “SSL_”, please could someone help me out with clarification on how to specify TLSv1.3 cipher suites for Jetty. Please see below.
>
> 2021-02-02 14:22:08,771 [main] INFO ContextHandler - Started
> o.e.j.w.WebAppContext@471d9180
> {sspcmrest,/sspcmrest,file:///C:/Users/xxx/sandbox/xxxx6020-20201124-MAINT-BUILD110/apps/jetty/webservices/webapps/sspcmrest/,AVAILABLE}{C:\Users\xxxxx\sandbox\xxxx6020-20201124-MAINT-BUILD110\apps\jetty\webservices\webapps\sspcmrest}
>
> 2021-02-02 14:22:08,771 [main] INFO session - DefaultSessionIdManager
> workerName=node0
>
> 2021-02-02 14:22:08,771 [main] INFO session - No SessionScavenger set,
> using defaults
>
> 2021-02-02 14:22:08,771 [main] INFO session - node0 Scavenging every
> 600000ms
>
> 2021-02-02 14:22:08,865 [main] INFO SslContextFactory - x509=X509@979e5720
> (webserverkeycert,h=[xxxx.com, xxxx.com, xxxx.com, xxxx.com, xxxx.com,
> xxxx.com, xxxx.com],w=[]) for JettySslContextFactory@3d4b29ca
> [provider=null,keyStore=null,trustStore=null]
>
> 2021-02-02 14:22:09,005 [main] INFO SslContextFactory - No Cipher Suite
> matching 'SSL_AES_256_GCM_SHA384' is supported
>
> 2021-02-02 14:22:09,005 [main] INFO SslContextFactory - No Cipher Suite
> matching 'SSL_CHACHA20_POLY1305_SHA256' is supported
>
> 2021-02-02 14:22:09,005 [main] INFO SslContextFactory - No Cipher Suite
> matching 'SSL_AES_128_GCM_SHA256' is supported
>
> 2021-02-02 14:22:09,005 [main] WARN SslContextFactory - No supported
> Cipher Suite from [TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256,
> TLS_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384,
> SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
> SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
> SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
> SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
> SSL_DHE_DSS_WITH_AES_128_GCM_SHA256,
> SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256,
> SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
> SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
> SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA,
> SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
> SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
> SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256,
> SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
> SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
> SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA,
> SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
> SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256]
>
> 2021-02-02 14:22:09,068 [main] INFO AbstractConnector - Started
> ServerConnector@40dd70fc{SSL, (ssl, http/1.1)}{0.0.0.0:8443}
>
> 2021-02-02 14:22:09,068 [main] INFO Server - Started @20296ms
> =====================================================
> Please refer to https://northamerica.altran.com/email-disclaimer
> for important disclosures regarding this electronic communication.
> =====================================================
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
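One way to carry out the steps in the reply above, as an added example that is not part of the original thread and not Jetty's own code. It needs jetty-util 9.4 or later on the classpath. The class name `JvmCipherNames`, the `WANTED` allowlist and the assumption that this JVM's spelling is the IANA name with `TLS_` swapped for `SSL_` (as the supported list in the quoted WARN line suggests) are illustrative.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class JvmCipherNames {
    // Constructed allowlist of IANA-registered names (AEAD suites only).
    static final List<String> WANTED = Arrays.asList(
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");

    // Map each IANA name to the spelling this JVM actually reports.
    // Assumption: a non-standard JVM only swaps the TLS_ prefix for SSL_.
    static List<String> resolve(List<String> wanted, Set<String> jvmSupported) {
        List<String> out = new ArrayList<>();
        for (String iana : wanted) {
            String legacy = "SSL_" + iana.substring("TLS_".length());
            if (jvmSupported.contains(iana)) out.add(iana);
            else if (jvmSupported.contains(legacy)) out.add(legacy);
            else System.err.println("Not supported by this JVM: " + iana);
        }
        return out;
    }

    static SslContextFactory.Server configure(List<String> names) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        // Empty the default excludes first, as the reply says. After this the
        // include list is the only filter, so it must hold exact names only.
        ssl.setExcludeCipherSuites();
        ssl.setIncludeCipherSuites(names.toArray(new String[0]));
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        // Ask the JVM which cipher suite names it reports as supported.
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        List<String> names = resolve(WANTED, supported);
        if (names.isEmpty()) throw new IllegalStateException("no usable cipher suites");
        System.out.println("Include list for this JVM: " + names);
        configure(names); // keystore and connector setup omitted
    }
}
```

Jetty treats include and exclude entries as regular expressions, so entries such as `SSL_.*` would admit every suite the JVM reports under that prefix once the default excludes are gone.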
