Restlet 2.2.2, Jetty 8.1, disable SSLv3

Jared Davis
Hi,

What is the correct way to disable SSLv3 with Jetty 8.1?

I've tried disabledProtocols but it seems to have no effect.

    Server server = component.getServers().add(Protocol.HTTPS, ip, port);
    server.getContext().getParameters().add("keystorePath", keyPathname);
    server.getContext().getParameters().add("keystorePassword", storepass);
    server.getContext().getParameters().add("keyPassword", keypass);
    server.getContext().getParameters().add("disabledProtocols", "SSLv3");

Thanks,

Jared

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090338

RE: Restlet 2.2.2, Jetty 8.1, disable SSLv3

Jared Davis
More info:

Adding

    server.getContext().getParameters().add("protocol", "TLS");

blocks a curl request with a -3 (use SSLv3.)

Still a WIP as curl reports unknown protocol on a -1 (Use => TLSv1 (SSL)) command.

* Connected to localhost (127.0.0.1) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using unknown / ECDHE-RSA-DES-CBC3-SHA

Here is the output on -3 (which I think is correct)

*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* Unknown SSL protocol error in connection to localhost:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to localhost:443

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090355

Re: Restlet 2.2.2, Jetty 8.1, disable SSLv3

Timothy Aanerud
In reply to this post by Jared Davis
Jared,
The additional "disabledProtocols" parameter worked for me.  But I also
set the list of enabled ciphers with this:

    // A list found on jetty website 25-Oct-2014
    private static String _mediumStrongCiphers =
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA " +
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA " +
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA " +
        "TLS_RSA_WITH_AES_128_CBC_SHA " +
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA " +
        "TLS_RSA_WITH_AES_256_CBC_SHA";

    ....
    parameters.add("enabledCipherSuites", _mediumStrongCiphers);
--
Timothy


On 10/22/2014 7:35 PM, Jared Davis wrote:

> Hi,
>
> What is the correct way to disable SSLv3 with Jetty 8.1?
>
> I've tried disabledProtocols but it seems to have no effect.
>
>     Server server = component.getServers().add(Protocol.HTTPS, ip, port);
>     server.getContext().getParameters().add("keystorePath", keyPathname);
>     server.getContext().getParameters().add("keystorePassword", storepass);
>     server.getContext().getParameters().add("keyPassword", keypass);
>     server.getContext().getParameters().add("disabledProtocols", "SSLv3");
>
> Thanks,
>
> Jared
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090338

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3090439
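
Added example, not part of the thread and not Restlet or Jetty code: a plain JSSE sketch of what a disabled-protocols setting has to achieve, namely that "SSLv3" is absent from the server-side engine's enabled-protocol list. The class name `DisabledProtocolsDemo` and the helper `withoutDisabled` are hypothetical names chosen for this illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical class name; plain JSSE only, no Restlet or Jetty classes.
public class DisabledProtocolsDemo {

    // Same value the thread passes as "disabledProtocols".
    static final List<String> DISABLED = Arrays.asList("SSLv3");

    // Start from what the engine already enables and drop the disabled names,
    // so nothing the JRE had turned off is switched back on.
    static String[] withoutDisabled(String[] enabled, List<String> disabled) {
        List<String> kept = new ArrayList<String>();
        for (String protocol : enabled) {
            if (!disabled.contains(protocol)) {
                kept.add(protocol);
            }
        }
        if (kept.isEmpty()) {
            throw new IllegalStateException("no protocol left after filtering");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // "TLS" names the SSLContext implementation; the versions an engine
        // will negotiate are its enabled-protocol list, inspected below.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null); // default managers suffice for inspection
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false); // server side of the handshake

        System.out.println("supported: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("default:   " + Arrays.toString(engine.getEnabledProtocols()));

        engine.setEnabledProtocols(withoutDisabled(engine.getEnabledProtocols(), DISABLED));
        String[] after = engine.getEnabledProtocols();
        System.out.println("after:     " + Arrays.toString(after));

        // Fail loudly if the setting did not take effect on this engine.
        if (Arrays.asList(after).contains("SSLv3")) {
            throw new AssertionError("SSLv3 is still enabled");
        }
    }
}
```

Run it on the same JRE as the server: the "default" line shows whether that JRE enables SSLv3 before any filtering is applied.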