Disable TLS_RSA_WITH_3DES_EDE_CBC_SHA for Jetty server

3desjettypci-compliancessl

To be PCI compliance, I use nmap to scan for SSL vulnerability:

nmap -p 8443 –script ssl-enum-ciphers myJettyServer.com

>
8443/tcp open https-alt
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) – C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 768) – B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) – A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) – A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) – C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (dh 768) of lower strength than certificate key
| Key exchange (secp160k1) of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) – C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 768) – B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) – A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) – A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) – C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (dh 768) of lower strength than certificate key
| Key exchange (secp160k1) of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) – C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 768) – C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 768) – B
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 768) – B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) – A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp160k1) – A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) – A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp160k1) – A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) – C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) – A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (dh 768) of lower strength than certificate key
| Key exchange (secp160k1) of lower strength than certificate key
|_ least strength: C

I discover that an SWEET32 exists on my embedded Jetty 9.1.5 server. To resolve this, I add these lines to jetty.xml:

  <Set name="ExcludeProtocols">
     <Array type="java.lang.String">
        <Item>SSLv3</Item>
     </Array>
  </Set>
  <Set name="ExcludeCipherSuites">
     <Array type="java.lang.String">
        <!-- default -->
        <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_RC4_128_SHA</Item>
        <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_RSA_FIPS_WITH_DES_EDE_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>

        <!--3DES-->
        <Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item>         
        <Item>TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA</Item>            
        <Item>TLS_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>

        <!-- RC4 -->
        <Item>PCT_SSL_CIPHER_TYPE_1ST_HALF</Item>
        <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
        <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
        <Item>SSL2_RC4_128_EXPORT40_WITH_MD5</Item>
        <Item>SSL2_RC4_128_WITH_MD5</Item>
        <Item>SSL2_RC4_64_WITH_MD5</Item>
        <Item>TLS_DH_Anon_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>TLS_DH_Anon_WITH_RC4_128_MD5</Item>
        <Item>TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA</Item>
        <Item>TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA256</Item>
        <Item>TLS_DHE_DSS_WITH_RC4_128_SHA</Item>
        <Item>TLS_DHE_DSS_WITH_RC4_128_SHA256</Item>
        <Item>TLS_DHE_PSK_WITH_RC4_128_SHA</Item>
        <Item>TLS_DHE_PSK_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDH_Anon_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDH_Anon_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDHE_PSK_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDHE_PSK_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA256</Item>
        <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
        <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA256</Item>
        <Item>TLS_KRB5_WITH_RC4_128_MD5</Item>
        <Item>TLS_KRB5_WITH_RC4_128_SHA</Item>
        <Item>TLS_KRB5_WITH_RC4_128_SHA256</Item>
        <Item>TLS_PSK_WITH_RC4_128_SHA</Item>
        <Item>TLS_PSK_WITH_RC4_128_SHA256</Item>
        <Item>TLS_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>TLS_RSA_EXPORT1024_WITH_RC4_56_MD5</Item>
        <Item>TLS_RSA_EXPORT1024_WITH_RC4_56_SHA</Item>
        <Item>TLS_RSA_EXPORT1024_WITH_RC4_56_SHA256</Item>
        <Item>TLS_RSA_PSK_WITH_RC4_128_SHA</Item>
        <Item>TLS_RSA_PSK_WITH_RC4_128_SHA256</Item>
        <Item>TLS_RSA_WITH_RC4_128_MD5</Item>
        <Item>TLS_RSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_RSA_WITH_RC4_128_SHA256</Item>
     </Array>
  </Set>

All other 3DES ciphers gone, except this one TLS_RSA_WITH_3DES_EDE_CBC_SHA. It's so weird!

How can I get rid of this cipher?
Thanks in advance.

Best Answer

Using a recent stable version of Jetty, you can ask for a server dump and see the list of enabled / disabled ciphers, along with (most importantly!) where they are disabled.

Example:

 $ cd /path/to/my/jettybase
 $ java -jar /path/to/jetty-dist/start.jar jetty.server.dumpAfterStart=true

 |   += SslConnectionFactory@cc285f4{SSL->http/1.1} - STARTED
 |   |   += SslContextFactory@77659b30(file:///path/to/my/jettybase/etc/keystore,file:///path/to/my/jettybase/etc/keystore) trustAll=false
 |   |       +- Protocol Selections
 |   |       |   +- Enabled (size=3)
 |   |       |   |   +- TLSv1
 |   |       |   |   +- TLSv1.1
 |   |       |   |   +- TLSv1.2
 |   |       |   +- Disabled (size=2)
 |   |       |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
 |   |       |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
 |   |       +- Cipher Suite Selections
 |   |           +- Enabled (size=29)
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 |   |           |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_GCM_SHA384
 |   |           +- Disabled (size=53)
 |   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
 |   |               +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

You'll quickly see that the ciphers you specifically are calling out are already disabled by default in the Jetty configuration, with others being disabled by the running JRE.

As for configuring the list of Ciphers, you would configure the SslContextFactory to have the excludes you need. There are many ways to configure it, it would be best if you choose a technique that best fits your needs from the official documentation at ...

https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites

Best Answer

Related Solutions

Java – JBWEB003006: Handshake failed: java.io.IOException: JBWEB002042: SSL handshake failed, cipher suite in SSL Session is SSL_NULL_WITH_NULL_NULL

Related Topic