Hi Joakim, Thanks, I did normalize the cipher suites and TLSv1.3 is now successful. Thanks for the suggestions.
Ike

From: jetty-users <[email protected]> On Behalf Of Joakim Erdfelt
Sent: Tuesday, February 2, 2021 2:50 PM
To: JETTY user mailing list <[email protected]>
Subject: Re: [jetty-users] Issue with Establishing TLSv1.3 - Jetty-9.4.34

The cipher suites names are part of the RFC standard.

The names starting with SSL_* are all deprecated according to various recommendations across the industry. (The ones starting with SSL_* are part of the SSLv3 spec per the various standards, and as such are excluded).

You appear to be using a JVM that reports non-standard Cipher Suite names. (you should file a report against your JVM to have them report the supported cipher suite names using the RFC standard and IANA registered names)

This kind of non-standard JVM behavior is not supported "out of the box" on Jetty.

You will have to identify each reported Cipher Suite from your JVM against the various standards and specifically include each one using the non-standard names your JVM appears to want in the SslContextFactory include cipher suites configuration. Make sure you empty out the default excluded cipher suites first (set it to a null or empty array).

Joakim Erdfelt / [email protected]

On Tue, Feb 2, 2021 at 2:05 PM Eze Ikonne <[email protected]> wrote:

Hi all,

I need some clarifications regarding the proper names for TLSv1.3 cipher suites. So, in the previous versions of our embedded Jetty, we had to prefix ciphersuites with “SSL_” otherwise the configured ciphersuites were not recognized by Jetty SSL context modules. Now, we want to support TLSv1.3 and we are getting the following error messages. On the surface, it appears that Jetty doesn’t allow the TLSv1.3 cipher suites prefixed with “SSL_”, please could someone help me out with clarification on how to specify TLSv1.3 cipher suites for Jetty. Please see below.

2021-02-02 14:22:08,771 [main] INFO ContextHandler - Started o.e.j.w.WebAppContext@471d9180{sspcmrest,/sspcmrest,file:///C:/Users/xxx/sandbox/xxxx6020-20201124-MAINT-BUILD110/apps/jetty/webservices/webapps/sspcmrest/,AVAILABLE}{C:\Users\xxxxx\sandbox\xxxx6020-20201124-MAINT-BUILD110\apps\jetty\webservices\webapps\sspcmrest}
2021-02-02 14:22:08,771 [main] INFO session - DefaultSessionIdManager workerName=node0
2021-02-02 14:22:08,771 [main] INFO session - No SessionScavenger set, using defaults
2021-02-02 14:22:08,771 [main] INFO session - node0 Scavenging every 600000ms
2021-02-02 14:22:08,865 [main] INFO SslContextFactory - x509=X509@979e5720(webserverkeycert,h=[xxxx.com, xxxx.com, xxxx.com, xxxx.com, xxxx.com, xxxx.com, xxxx.com],w=[]) for JettySslContextFactory@3d4b29ca[provider=null,keyStore=null,trustStore=null]
2021-02-02 14:22:09,005 [main] INFO SslContextFactory - No Cipher Suite matching 'SSL_AES_256_GCM_SHA384' is supported
2021-02-02 14:22:09,005 [main] INFO SslContextFactory - No Cipher Suite matching 'SSL_CHACHA20_POLY1305_SHA256' is supported
2021-02-02 14:22:09,005 [main] INFO SslContextFactory - No Cipher Suite matching 'SSL_AES_128_GCM_SHA256' is supported
2021-02-02 14:22:09,005 [main] WARN SslContextFactory - No supported Cipher Suite from [TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256]
2021-02-02 14:22:09,068 [main] INFO AbstractConnector - Started ServerConnector@40dd70fc{SSL, (ssl, http/1.1)}{0.0.0.0:8443}
2021-02-02 14:22:09,068 [main] INFO Server - Started @20296ms

=====================================================
Please refer to https://northamerica.altran.com/email-disclaimer for important disclosures regarding this electronic communication.
=====================================================
_______________________________________________
jetty-users mailing list
[email protected]
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
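One way to do the name matching described in Joakim's reply, as an added example (not code from the thread or from Jetty): a JDK-only check that resolves each configured cipher suite name to the spelling the running JVM actually reports, trying the other SSL_/TLS_ prefix when the exact name is missing. The class name, the constructed sample list and the `sslContextFactory` variable in the comments are assumptions.

```java
import javax.net.ssl.SSLContext;
import java.util.*;

public class CipherSuiteNameCheck {
    // Constructed sample: a few of the configured names that appear in the log above.
    static final List<String> CONFIGURED = Arrays.asList(
        "TLS_AES_256_GCM_SHA384",
        "SSL_AES_256_GCM_SHA384",
        "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256");

    /** Swap the SSL_/TLS_ prefix; returns null if the name has neither. */
    static String swapPrefix(String name) {
        if (name.startsWith("SSL_")) return "TLS_" + name.substring(4);
        if (name.startsWith("TLS_")) return "SSL_" + name.substring(4);
        return null;
    }

    /** Map each configured name to the exact name the JVM reports, or null if none. */
    static Map<String, String> resolve(Collection<String> configured, Set<String> supported) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String name : configured) {
            String alt = swapPrefix(name);
            if (supported.contains(name)) out.put(name, name);
            else if (alt != null && supported.contains(alt)) out.put(name, alt);
            else out.put(name, null);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Cipher suite names exactly as this JVM's default provider spells them.
        Set<String> supported = new TreeSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        Set<String> include = new LinkedHashSet<>();
        resolve(CONFIGURED, supported).forEach((asked, actual) -> {
            System.out.printf("%-48s -> %s%n", asked,
                actual == null ? "NOT SUPPORTED by this JVM" : actual);
            if (actual != null) include.add(actual);
        });
        // Hand Jetty the names as this JVM reports them (sslContextFactory is assumed):
        //   sslContextFactory.setExcludeCipherSuites();   // empty the default excludes
        //   sslContextFactory.setIncludeCipherSuites(include.toArray(new String[0]));
        System.out.println("include = " + include);
    }
}
```

Run it with the same JVM that hosts the embedded Jetty, since the supported names depend on that JVM's security provider. Review the resolved list before using it: emptying Jetty's default excludes means only your include list stands between the connector and any weak suite the JVM still offers.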
