Re: Restlet 2.2.2, Jetty 8.1, disable SSLv3
Jared,

The additional "disabledProtocols" parameter worked for me. But I also set the list of enabled ciphers with this:

    private static String _mediumStrongCiphers = // A list found on jetty website 25-Oct-2014
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA " +
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA " +
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA " +
        "TLS_RSA_WITH_AES_128_CBC_SHA " +
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA " +
        "TLS_RSA_WITH_AES_256_CBC_SHA";

    parameters.add("enabledCipherSuites", _mediumStrongCiphers);

-- Timothy

On 10/22/2014 7:35 PM, Jared Davis wrote:
> Hi,
>
> What is the correct way to disable SSLv3 with Jetty 8.1?
>
> I've tried disabledProtocols but it seems to have no effect.
>
> Server server = component.getServers().add(Protocol.HTTPS, ip, port);
> server.getContext().getParameters().add("keystorePath", keyPathname);
> server.getContext().getParameters().add("keystorePassword", storepass);
> server.getContext().getParameters().add("keyPassword",keypass );
> server.getContext().getParameters().add("disabledProtocols", "SSLv3");
>
> Thanks,
>
> Jared
>
> --
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090338

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090439
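To confirm what a JVM actually ends up with after settings like the ones in this message, the following added example (not code from the thread, Restlet or Jetty) applies the same protocol and cipher values directly to a JSSE SSLEngine and prints the result. The class name TlsHardeningCheck and the direct use of SSLEngine are assumptions; how Restlet's Jetty connector maps its parameters is not shown here.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical class name; not part of Restlet or Jetty.
public class TlsHardeningCheck {
    // Values from the thread, as space-separated lists.
    static final String DISABLED_PROTOCOLS = "SSLv3";
    static final String ENABLED_CIPHER_SUITES =
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA "
      + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA "
      + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA";

    // Drop every listed protocol from the engine's enabled set.
    static void disableProtocols(SSLEngine engine, String disabled) {
        Set<String> keep = new LinkedHashSet<>(Arrays.asList(engine.getEnabledProtocols()));
        keep.removeAll(Arrays.asList(disabled.trim().split("\\s+")));
        if (keep.isEmpty()) throw new IllegalStateException("no protocol left enabled");
        engine.setEnabledProtocols(keep.toArray(new String[0]));
    }

    // Enable only the requested suites this JVM supports; return the ones skipped.
    // setEnabledCipherSuites throws IllegalArgumentException on an unsupported name.
    static List<String> restrictCipherSuites(SSLEngine engine, String wanted) {
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
        List<String> enabled = new ArrayList<>(), skipped = new ArrayList<>();
        for (String suite : wanted.trim().split("\\s+")) {
            (supported.contains(suite) ? enabled : skipped).add(suite);
        }
        if (enabled.isEmpty()) throw new IllegalStateException("no requested suite is supported");
        engine.setEnabledCipherSuites(enabled.toArray(new String[0]));
        return skipped;
    }

    public static void main(String[] args) throws Exception {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null); // JVM defaults; no keystore needed for this check
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false); // server side, as in the thread
        disableProtocols(engine, DISABLED_PROTOCOLS);
        List<String> skipped = restrictCipherSuites(engine, ENABLED_CIPHER_SUITES);
        System.out.println("protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("suites:    " + Arrays.toString(engine.getEnabledCipherSuites()));
        System.out.println("skipped:   " + skipped);
    }
}
```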
RE: Restlet 2.2.2, Jetty 8.1, disable SSLv3
More info:

Adding

    server.getContext().getParameters().add("protocol","TLS");

blocks a curl request with a -3 (use SSLv3.)

Still a WIP as curl reports unknown protocol on a -1 (Use => TLSv1 (SSL)) command.

    * Connected to localhost (127.0.0.1) port 443 (#0)
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using unknown / ECDHE-RSA-DES-CBC3-SHA

Here is the output on -3 (which I think is correct)

    * Trying 127.0.0.1...
    * Connected to localhost (127.0.0.1) port 443 (#0)
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS alert, Server hello (2):
    * Unknown SSL protocol error in connection to localhost:443
    * Closing connection 0
    curl: (35) Unknown SSL protocol error in connection to localhost:443

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090355
Restlet 2.2.2, Jetty 8.1, disable SSLv3
Hi,

What is the correct way to disable SSLv3 with Jetty 8.1?

I've tried disabledProtocols but it seems to have no effect.

    Server server = component.getServers().add(Protocol.HTTPS, ip, port);
    server.getContext().getParameters().add("keystorePath", keyPathname);
    server.getContext().getParameters().add("keystorePassword", storepass);
    server.getContext().getParameters().add("keyPassword",keypass );
    server.getContext().getParameters().add("disabledProtocols", "SSLv3");

Thanks,

Jared

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090338