Re: Restlet 2.2.2, Jetty 8.1, disable SSLv3

2014-10-25 Thread Timothy Aanerud
Jared,
The additional "disabledProtocols" parameter worked for me. But I also
set the list of enabled ciphers with this:

// A list found on jetty website 25-Oct-2014
private static String _mediumStrongCiphers =
 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA " +
 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA " +
 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA " +
 "TLS_RSA_WITH_AES_128_CBC_SHA " +
 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA " +
 "TLS_RSA_WITH_AES_256_CBC_SHA";

 parameters.add("enabledCipherSuites", _mediumStrongCiphers);
--
Timothy


On 10/22/2014 7:35 PM, Jared Davis wrote:
> Hi,
>
> What is the correct way to disable SSLv3 with Jetty 8.1?
>
> I've tried disabledProtocols but it seems to have no effect.
>
>  Server server = component.getServers().add(Protocol.HTTPS, ip, port);
>  server.getContext().getParameters().add("keystorePath", keyPathname);
>  server.getContext().getParameters().add("keystorePassword", storepass);
>  server.getContext().getParameters().add("keyPassword", keypass);
>  server.getContext().getParameters().add("disabledProtocols", "SSLv3");
>  
> Thanks,
>
> Jared
>
> --
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090338

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090439
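
An added example, not part of any message in this thread and not Restlet or Jetty code: the plain JSSE equivalent of the two settings in the reply above (a protocol deny list and a cipher allow list), applied to an `SSLEngine` so the effective values can be printed and checked. The class and helper names are hypothetical; cipher names the running JVM does not support are dropped first, because `setEnabledCipherSuites` rejects unsupported names.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class TlsSettingsCheck { // hypothetical class name
    // Cipher allow list from the message above (whitespace-separated).
    static final String CIPHERS =
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA " +
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA " +
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA " +
        "TLS_RSA_WITH_AES_128_CBC_SHA " +
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA " +
        "TLS_RSA_WITH_AES_256_CBC_SHA";
    static final String DISABLED_PROTOCOLS = "SSLv3";

    // Requested names that the JVM supports, in the requested order.
    static String[] allow(String requested, String[] supported) {
        List<String> keep = new ArrayList<>(Arrays.asList(requested.trim().split("\\s+")));
        keep.retainAll(Arrays.asList(supported));
        return keep.toArray(new String[0]);
    }

    // Currently enabled names minus the denied ones.
    static String[] deny(String[] enabled, String denied) {
        List<String> keep = new ArrayList<>(Arrays.asList(enabled));
        keep.removeAll(Arrays.asList(denied.trim().split("\\s+")));
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // defaults; no keystore needed to inspect settings
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // server side
        String[] protocols = deny(engine.getEnabledProtocols(), DISABLED_PROTOCOLS);
        String[] suites = allow(CIPHERS, engine.getSupportedCipherSuites());
        if (protocols.length == 0 || suites.length == 0)
            throw new IllegalStateException("nothing left to enable on this JVM");
        engine.setEnabledProtocols(protocols);
        engine.setEnabledCipherSuites(suites);
        System.out.println("protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("suites:    " + Arrays.toString(engine.getEnabledCipherSuites()));
        if (Arrays.asList(engine.getEnabledProtocols()).contains("SSLv3"))
            throw new IllegalStateException("SSLv3 is still enabled");
    }
}
```

Run it with the same JVM that hosts the server, since the default enabled protocols and supported suites differ between Java versions.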


RE: Restlet 2.2.2, Jetty 8.1, disable SSLv3

2014-10-23 Thread Jared Davis
More info:

Adding

 server.getContext().getParameters().add("protocol","TLS");

blocks a curl request with a -3 (use SSLv3.)

Still a WIP as curl reports unknown protocol on a -1 (Use => TLSv1 (SSL)) 
command.

* Connected to localhost (127.0.0.1) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using unknown / ECDHE-RSA-DES-CBC3-SHA

Here is the output on -3 (which I think is correct)

*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* Unknown SSL protocol error in connection to localhost:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to localhost:443

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090355


Restlet 2.2.2, Jetty 8.1, disable SSLv3

2014-10-22 Thread Jared Davis
Hi,

What is the correct way to disable SSLv3 with Jetty 8.1?

I've tried disabledProtocols but it seems to have no effect.

Server server = component.getServers().add(Protocol.HTTPS, ip, port);
server.getContext().getParameters().add("keystorePath", keyPathname);
server.getContext().getParameters().add("keystorePassword", storepass);
server.getContext().getParameters().add("keyPassword",keypass );
server.getContext().getParameters().add("disabledProtocols", "SSLv3");

Thanks,

Jared

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090338