I've been trying to get that A+ on the SSL Server Test @ SSL Labs. However, I can't figure out how to pass the "downgrade attack prevention" test:
I'm running Jetty 9.3.0.v20150612 alongside OpenJDK 8, on Linux Ubuntu 15.04 (Vivid Vervet).
hristo@test:~$ java -version
openjdk version "1.8.0_45-internal"
OpenJDK Runtime Environment (build 1.8.0_45-internal-b14)
OpenJDK 64-Bit Server VM (build 25.45-b02, mixed mode)
I've read through and followed the instructions from Jetty's SSL config documentation, and tried my best to edit the relevant XML config files. No matter what I try, I still see "No, TLS_FALLBACK_SCSV not supported".
I've enabled the https
and ssl
modules for Jetty by running this command:
$ java -jar start.jar --add-to-startd=https,ssl
INFO: ssl initialised in ${jetty.base}/start.d/ssl.ini
INFO: https initialised in ${jetty.base}/start.d/https.ini
INFO: Base directory was modified
I haven't modified the vanilla jetty.xml
nor jetty-https.xml
because I'm not sure what I need to change there. Here's what I have for my configs:
start.ini
# added this to the bottom of start.ini
# TLS configuration
-Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"
-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"
-Djdk.tls.ephemeralDHKeySize=2048
jetty-ssl-context.xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- ============================================================= -->
<!-- SSL ContextFactory configuration -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<!-- ===================== -->
<!-- other default configs -->
<!-- ===================== -->
<Set name="IncludeCipherSuites">
<Array type="String">
<Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_RSA_WITH_AES_256_CBC_SHA256</Item>
<Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
</Array>
</Set>
<Set name="IncludeProtocols">
<Array type="java.lang.String">
<Item>TLSv1</Item>
<Item>TLSv1.1</Item>
<Item>TLSv1.2</Item>
</Array>
</Set>
<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>SSL.*</Item>
<Item>.*DES.*</Item>
<Item>.*DSS.*</Item>
<Item>.*KRB.*</Item>
<Item>.*MD5.*</Item>
<Item>.*NULL.*</Item>
<Item>.*RC4.*</Item>
</Array>
</Set>
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSL</Item>
<Item>SSLv2</Item>
<Item>SSLv2Hello</Item>
<Item>SSLv3</Item>
</Array>
</Set>
<Set name="renegotiationAllowed" type="boolean">false</Set>
<Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>
What else am I missing? Do I need to configure Jetty some more? Do I need to configure Java 8 somehow? Do I need to modify some special Ubuntu configs?
Best Answer
It's simply not implemented in Java yet – it is planned for Java 9 though.
You can follow #JDK-8061798 for updates.