3

I have a Jetty server (9.2.4) and scanned it using the SSL Labs tool to evaluate vulnerabilities. One that came up was "Downgrade attack prevention: No, TLS_FALLBACK_SCSV not supported". Are there some settings I can use to turn this on?

Jetty server is embedded.

1 Answer

1

I have the same question, and I posted on ServerFault:

https://serverfault.com/questions/700601/jetty-9-support-for-tls-fallback-scsv

There's only 1 answer as of right now (7/5/2015), and the answer is that Java just doesn't support it yet. There's an open ticket for this:

JDK-8061798 - Add support for TLS_FALLBACK_SCSV

Hristo
  • Thanks for the answer. It's incredibly slow to get views let alone answers for complicated Jetty questions on here. – Philippe Bertrand Jul 07 '15 at 12:55
  • Agreed, though I'm not sure whether or not ServerFault is the better place for these types of questions. Either way, I'm having much better luck actually just posting on their "Bugzilla", https://bugs.eclipse.org/bugs/; they're pretty quick to respond. – Hristo Jul 07 '15 at 14:33
  • I can't even get enough up votes to put bounties. I feel my other questions in the past have been more "how do I ..." so I didn't think posting on a "bugzilla" would be appropriate. I'll keep it in mind for next time. Thanks again. – Philippe Bertrand Jul 08 '15 at 15:00