How to disable the SSLv3 protocol in Jetty to prevent Poodle Attack

Question

Is there any specific exclusion list available which disables only SSLv3 ciphers are not TLSv1/2.

I have jetty 8, and upgrading to 9 is not an option now. My current jetty-ssl.xml looks as follows

<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call name="addConnector">
    <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <Arg>
                <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                    .........
                </New>
            </Arg>
            <Set name="ExcludeCipherSuites">
                <Array type="java.lang.String">             
                <Item>SSL_RSA_WITH_NULL_MD5</Item>
                <Item>SSL_RSA_WITH_NULL_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
                <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
                <Item>SSL_RSA_WITH_IDEA_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
                <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_FORTEZZA_KEA_WITH_NULL_SHA</Item>
                <Item>SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA</Item>
                <Item>SSL_FORTEZZA_KEA_WITH_RC4_128_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                <Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>   
                </Array>
            </Set>
        </New>
    </Arg>
</Call>

still when i run "sslscan --no-failed --ssl3 localhost:443" i get

    Supported Server Cipher(s):
  Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
  Accepted  SSLv3  128 bits  AES128-SHA

Prefered Server Cipher(s):
  SSLv3  128 bits  DHE-RSA-AES128-SHA

Opened new bug at Jetty to have SSLv3 disabled by default starting in Jetty 9.3 - https://bugs.eclipse.org/447381 — Joakim Erdfelt, Oct 15 '14 at 14:37

score 13 · Accepted Answer · answered Oct 15 '14 at 14:10

13

I had to disable SSLv3 in an application where we integrate Jetty source code. Based on what I changed in code, I would guess you add the following:

<Set name="ExcludeProtocols">
    <Array type="java.lang.String">             
       <Item>SSLv3</Item>
    </Array>
</Set>

Give it a shot and let me know if it works for you.

answered Oct 15 '14 at 14:10

Lars

626
7
8

please update your answer to state that this configuration is for the SslContextFactory, and works for Jetty 7/8/9 (just tested all 3, and it works) – Joakim Erdfelt Oct 15 '14 at 17:22

Joakim Erdfelt · Answer 2 · 2014-10-16T17:12:44.963

4

To expand on @Lars answer ..

For Jetty 7, Jetty 8, and Jetty 9 you have to exclude the protocol SSLv3 (not the cipher) on any SslContextFactory you are using to configure for an SSL based Connector.

For a Jetty Distribution

Edit the ${jetty.home}/etc/jetty-ssl.xml and add the following XML snippet.

<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
     <Item>SSLv3</Item>
  </Array>
</Set>

Inside of any element that manages a org.eclipse.jetty.http.ssl.SslContextFactory

For Jetty Embedded

Any SslContextFactory you create/manage for your SSL based Connectors you just need to set the excluded protocols.

    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.addExcludeProtocols("SSLv3");
    sslContextFactory.setKeyStorePath(...);
    ...

edited Oct 16 '14 at 17:12

answered Oct 15 '14 at 17:30

Joakim Erdfelt

46,896
7
86
136

I'm still stuck with Jetty v6 (due to still being based on Eclipse 3.7), how do I do this there? sslContextFactory.addExcludeProtocols() does not exist... – centic Oct 16 '14 at 13:32
1

Jetty 6 doesn't have that support. Sorry. You'll have to make your own SslSocketConnector. See Karl's answer on a different question for some example codebase - http://stackoverflow.com/a/19937704/775715 - incidentally, Jetty 6 was EOL back in 2010, it has NO VULNERABILITY FIXES since then. Poodle is just 1 of hundreds of vulnerabilities it is missing fixes for (if using Jetty on Windows multiply that by 3). It is highly advised to upgrade, or don't run Jetty 6 on the public internet. – Joakim Erdfelt Oct 16 '14 at 13:43
@centic Here's the Eclipse side bug tracking the upgrade of Eclipse itself to Jetty 9 - https://bugs.eclipse.org/401784 – Joakim Erdfelt Oct 16 '14 at 14:26
Yeah, I know it is outdated, unfortunately upgrading Eclipse is a major piece of work and is not an option for software that is already delivered to a number of Customers. We found a workaround by registering a LivecycleListener on the SslSocketConnector and accessing and adjusting the newly created ServerSocket there. – centic Oct 17 '14 at 05:57

score 0 · Answer 3 · answered Mar 13 '15 at 11:56

I have configurated Jetty 8.1 whitout ssl3. You can see the complete structure of jetty-ssl.xml.


    <Configure id="Server" class="org.eclipse.jetty.server.Server">
        <Call name="addConnector">
         <Arg>
           <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
             <Arg>
               <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                 <Set name="keyStore">... </Set>    
                 <Set name="keyStorePassword">... </Set>
                 <Set name="keyManagerPassword">... </Set>
                 <Set name="trustStore">... </Set>
                 <Set name="trustStorePassword>... </Set
                 <Set name="ExcludeProtocols">
                  <Array type="java.lang.String">
                     <Item>SSLv3 </Item>
                  </Array>
                </Set>
               </New>
             </Arg>
             <Set name="port">... </Set>
             <Set name="maxIdleTime">... </Set>
           </New>
         </Arg>
       </Call>
    </Configure>

How to disable the SSLv3 protocol in Jetty to prevent Poodle Attack

3 Answers3

Linked