This answer to the Java version of this question – How to disable the SSLv3 protocol in Jetty to prevent Poodle Attack – covers how to do this, but what's the equivalent minimal code to do the same for a Clojure web application using Ring and the Ring Jetty adapter, which uses embedded Jetty version 7?
1 Answers
2
Here's what I added to the namespace file containing my project's `-main` function:

```clojure
;; True when the connector is Jetty's SSL connector (matched by class name).
(defn is-jetty-ssl-connector?
  [^org.eclipse.jetty.server.Connector c]
  (= (.getName (type c)) "org.eclipse.jetty.server.ssl.SslSelectChannelConnector"))

;; Excludes SSLv3 on every SSL connector of the embedded Jetty server.
(defn jetty-configurator
  [jetty-server]
  (doseq [c (filter is-jetty-ssl-connector? (.getConnectors jetty-server))]
    (.addExcludeProtocols (.getSslContextFactory c) (into-array String ["SSLv3"]))))
```

Added to the options map of the `jetty/run-jetty` function call in my `-main` function:

```clojure
:configurator jetty-configurator
```

I confirmed that this seems to work using a cURL command like the following:

```
curl -v3 -X HEAD https://localhost:443
```

Kenny Evitt
- Or just run Jetty 9.2.7 and get that exclusion as default behavior / configuration. – Joakim Erdfelt Jan 27 '15 at 15:42
- @JoakimErdfelt [I don't think the Ring Jetty adapter will be using Jetty 9 for a while](https://github.com/ring-clojure/ring/issues/177). – Kenny Evitt Jan 27 '15 at 16:34
- Jetty 7 and Jetty 8 were EOL (End of Life) back in 2014. - filed a bug with ring about this - https://github.com/ring-clojure/ring/issues/183 – Joakim Erdfelt Jan 27 '15 at 18:12
- @JoakimErdfelt fair enough! – Kenny Evitt Jan 27 '15 at 18:24