
Allow configuring SSL cipher suites and protocols in jetty ssl connector

    • Type: Suggestion
    • Resolution: Fixed
    • Fix version: 3.6.0

      This would allow advanced customers to manually exclude cipher suites that they consider weak.

      See http://wiki.eclipse.org/Jetty/Howto/CipherSuites and http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/util/ssl/SslContextFactory.html


      Workaround available. See comment-657020 below.

            Lukasz Pater added a comment:

            There is a workaround: configure your own Jetty connector instead of using FishEye's, which allows you to configure your own protocol and cipher suite exclusions.

            To do so, you can create a jetty-web.xml in your FISHEYE_HOME/content/WEB-INF directory.
            Below is a sample that will configure a new SSL connector, with SSLv3 disabled:

            <?xml version="1.0" encoding="ISO-8859-1"?>
            <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
            <Configure class="org.eclipse.jetty.webapp.WebAppContext">
              <Get name="server">
                <Call name="addConnector">
                  <Arg>
                    <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
                      <Set name="keystore">/path/to/keystore</Set>
                      <Set name="password">keystorepassword</Set>
                      <Set name="Port">8443</Set>
                      <Get name="sslContextFactory">
                        <!-- Protocol names listed here are removed from the enabled set -->
                        <Set name="excludeProtocols">
                          <Array type="java.lang.String">
                            <Item>SSLv3</Item>
                          </Array>
                        </Set>
                      </Get>
                    </New>
                  </Arg>
                </Call>
              </Get>
            </Configure>

            If configured correctly you should see a similar message in the logs after server startup:

            2014-10-15 17:33:39,614 INFO  [main ] org.eclipse.jetty.util.ssl.SslContextFactory SslContextFactory-doStart - Enabled Protocols [SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
            

            Note that this connector is completely separate from those set in the UI. You might want to disable/restrict the binds (for example set them to localhost:portnumber to disallow remote connections) on the UI-set connectors if using a custom connector like this.

            See also https://confluence.atlassian.com/display/FISHEYE035/Configuring+SSL+cipher+suites+for+Jetty for more details, and https://wiki.eclipse.org/Jetty/Howto/Configure_SSL for available configuration options.

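A check for the workaround above, added here as an example (not part of the issue or of Lukasz Pater's comment): it parses a constructed jetty-web.xml modelled on the one in the comment, with an excludeCipherSuites list added (assumed to map to the SslContextFactory excludeCipherSuites setter in the linked javadoc; the suite name is illustrative), and compares the excludeProtocols list against the "Enabled Protocols" line Jetty logs at startup, so you can confirm the exclusion actually took effect.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the workaround's jetty-web.xml, plus an
# excludeCipherSuites block (the suite name is illustrative only).
JETTY_WEB_XML = """<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Get name="server"><Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
      <Set name="Port">8443</Set>
      <Get name="sslContextFactory">
        <Set name="excludeProtocols">
          <Array type="java.lang.String"><Item>SSLv3</Item></Array>
        </Set>
        <Set name="excludeCipherSuites">
          <Array type="java.lang.String"><Item>SSL_RSA_WITH_RC4_128_MD5</Item></Array>
        </Set>
      </Get>
    </New>
  </Arg></Call></Get>
</Configure>"""

# Constructed startup line in the format quoted in the comment.
LOG_LINE = ("2014-10-15 17:33:39,614 INFO  [main ] org.eclipse.jetty.util.ssl."
            "SslContextFactory SslContextFactory-doStart - Enabled Protocols "
            "[SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2] of "
            "[SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]")

ENABLED_RE = re.compile(r"Enabled Protocols \[(.*?)\] of \[(.*?)\]")

def exclusions(xml_text):
    """Map each <Set> under <Get name="sslContextFactory"> to its <Item> values."""
    out = {}
    for get in ET.fromstring(xml_text).iter("Get"):
        if get.get("name") == "sslContextFactory":
            for setter in get.findall("Set"):
                out[setter.get("name")] = [i.text.strip() for i in setter.iter("Item")]
    return out

def enabled_protocols(line):
    """Return (enabled, supported) lists from a SslContextFactory-doStart line."""
    m = ENABLED_RE.search(line)
    if not m:
        raise ValueError("no 'Enabled Protocols' line found")
    return tuple([p.strip() for p in g.split(",")] for g in m.groups())

def still_enabled(xml_text, line):
    """Excluded protocols Jetty nevertheless reports as enabled; [] means OK."""
    excluded = set(exclusions(xml_text).get("excludeProtocols", []))
    return sorted(excluded & set(enabled_protocols(line)[0]))
```

The quoted log line still lists SSLv2Hello, which is the SSLv2-compatible ClientHello format rather than the SSLv2 protocol itself; add it to excludeProtocols if you want it excluded as well.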

              Assignee: Lukasz Pater (lpater)
              Reporter: Lukasz Pater (lpater)
