Allow SSL cipher suites to be configured, preferably in the administration panel but at a minimum by editing the config.xml. Currently we are relying on the default cipher suites for Jetty, which include some outdated ones that are considered insecure these days.

      See configuring cipher suites

      It looks like a change needs to be made in com.cenqua.fisheye.web.WebServer, where we set up the SslContextFactory. We need to call setIncludeCipherSuites to provide a list of cipher suites.


            [FE-4896] SSL Cipher suites are not configurable


            paulwatson (Inactive) added a comment - nickpellow - thanks! I've published that now.

            Nick added a comment - edited

            It is currently possible to allow the webserver FishEye bundles (Jetty) to use other Cipher Suites.
            To do this:

            1. create a file called: jetty-web.xml in FISHEYE_HOME/content/WEB-INF/jetty-web.xml
            2. add the following content to the file. Modify parameters as needed:
              <?xml version="1.0" encoding="ISO-8859-1"?>
              <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure.dtd" >
              <Configure class="org.eclipse.jetty.webapp.WebAppContext">
                  <Get name="server">
                    <Call name="addConnector">
                      <Arg>
                          <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
                            <Set name="Port">8443</Set>
                            <Set name="maxIdleTime">30000</Set>
                            <Set name="keyPassword">XXX</Set>
                            <Set name="trustPassword">XXX</Set>
                            <Set name="IncludeCipherSuites">
                              <Array type="java.lang.String">
                                <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
                                <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                                <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
                                <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
                                <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
                                <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
                              </Array>
                            </Set>
                          </New>
                        </Arg>
                    </Call>
                  </Get>
              </Configure>
              
            3. restart FishEye

            The above configuration will mean that you have a new SSL Connector listening on port 8443, using whatever Cipher Suites you've configured there.

            We could potentially update our config.xml to allow this to be done there as well.

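The jetty-web.xml above hard-codes the suite list, so the only way to know whether a FishEye instance is still offering something weak is to audit that list. The following is an added example and not FishEye or Jetty code: a Python script that parses a jetty-web.xml of the shape shown in the comment, pulls every suite out of the IncludeCipherSuites array and classifies it. Suites built on NULL, EXPORT, anonymous DH, RC4, DES/3DES or an MD5 MAC are reported as weak; CBC-mode, HMAC-SHA1 and static-RSA (no forward secrecy) suites are reported as legacy. The sample XML is constructed from the comment above (DOCTYPE kept, keystore passwords omitted). Note that all six suites in the comment land in the legacy class; on a JVM that supports them, ECDHE + AEAD suites such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 go in the same Array and are the ones to prefer. The render_include_block helper and the WEAK/LEGACY classification are this example's own, not a Jetty API.

```python
"""Audit the IncludeCipherSuites list in a Jetty jetty-web.xml.

Added example, not FishEye or Jetty code. Suite names follow JSSE naming.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the comment above, minus the
# keystore passwords. Encoding declaration and DOCTYPE kept on purpose so the
# parser is exercised on a realistic file.
SAMPLE_JETTY_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Get name="server">
    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
          <Set name="Port">8443</Set>
          <Set name="maxIdleTime">30000</Set>
          <Set name="IncludeCipherSuites">
            <Array type="java.lang.String">
              <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
              <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
              <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
              <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
              <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
              <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
            </Array>
          </Set>
        </New>
      </Arg>
    </Call>
  </Get>
</Configure>
"""

# Broken primitives: a suite matching any of these must not be offered at all.
WEAK = [
    ("no encryption", re.compile(r"_WITH_NULL_")),
    ("export-grade key length", re.compile(r"EXPORT")),
    ("anonymous key exchange", re.compile(r"_anon_")),
    ("RC4", re.compile(r"_RC4_")),
    ("DES/3DES", re.compile(r"_(DES|3DES)_")),
    ("MD5 MAC", re.compile(r"_MD5$")),
]

# Not broken, but worth replacing with ECDHE + AEAD suites where the JVM has them.
LEGACY = [
    ("CBC mode, no AEAD", re.compile(r"_CBC_")),
    ("HMAC-SHA1", re.compile(r"_SHA$")),
    ("static RSA key exchange, no forward secrecy", re.compile(r"^(TLS|SSL)_RSA_WITH_")),
]


def parse_include_suites(xml_bytes):
    """Return every <Item> under a <Set> named IncludeCipherSuites, in file order.

    Jetty builds the setter name by upper-casing the first letter, so both
    "IncludeCipherSuites" and "includeCipherSuites" are accepted here.
    """
    root = ET.fromstring(xml_bytes)
    suites = []
    for setter in root.iter("Set"):
        if setter.get("name", "").lower() == "includeciphersuites":
            suites.extend(item.text.strip() for item in setter.iter("Item") if item.text)
    return suites


def audit_suites(suites):
    """Map each suite to a list of (severity, reason); an empty list means clean."""
    report = {}
    for suite in suites:
        findings = [("weak", why) for why, rx in WEAK if rx.search(suite)]
        findings += [("legacy", why) for why, rx in LEGACY if rx.search(suite)]
        report[suite] = findings
    return report


def weak_suites(report):
    """Sorted list of suites that carry at least one 'weak' finding."""
    return sorted(s for s, f in report.items() if any(sev == "weak" for sev, _ in f))


def render_include_block(suites, indent="  "):
    """Render the <Set name="IncludeCipherSuites"> fragment for a vetted list.

    Refuses to emit a list that still contains a weak suite, so a generated
    jetty-web.xml cannot silently re-enable one.
    """
    bad = weak_suites(audit_suites(suites))
    if bad:
        raise ValueError("refusing to emit weak suites: " + ", ".join(bad))
    lines = ['<Set name="IncludeCipherSuites">', indent + '<Array type="java.lang.String">']
    lines += [indent * 2 + "<Item>%s</Item>" % s for s in suites]
    lines += [indent + "</Array>", "</Set>"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Encode to match the file's own declaration; a real file is read as bytes.
    found = parse_include_suites(SAMPLE_JETTY_WEB_XML.encode("iso-8859-1"))
    for suite, findings in audit_suites(found).items():
        status = "; ".join("%s: %s" % f for f in findings) or "ok"
        print("%-40s %s" % (suite, status))
```

Run it against FISHEYE_HOME/content/WEB-INF/jetty-web.xml by reading the file as bytes and passing it to parse_include_suites; an empty weak_suites result is the gate to ship, and any legacy findings are the backlog for the next review. The audit only covers what the file lists: if IncludeCipherSuites is absent, Jetty falls back to the JVM defaults the issue complains about, and the script correctly reports nothing rather than reporting "clean".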

              Assignee: Unassigned
              Reporter: rstephens Richard Stephens (Inactive)
              Affected customers: 1
              Watchers: 5
