
This problem only exists in Chrome; I can get to my URL on https://localhost:8443 without a problem in Safari, Firefox and IE.

I tried to fix an "obsolete cipher" suite warning in Chrome and therefore removed all cipher suites with SHA1 and MD5 in my Jetty configuration. These are all the cipher suites available which I can see in the DEBUG logging for Jetty.

However, with Chrome I cannot get to the URL because it does not know any of these cipher suites?! Why, and how can that be fixed?

This is my Jetty (version 8.1.16.v20140903) SSL connector config:

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg>
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
            <Set name="keyStore"><SystemProperty name="jetty.home" default=".." />/web/etc/keystore</Set>
            <Set name="keyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
            <Set name="keyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
            <Set name="trustStore"><SystemProperty name="jetty.home" default=".." />/web/etc/keystore</Set>
            <Set name="trustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
            <Set name="protocol">TLSv1.2</Set>
          </New>
        </Arg>
        <Set name="port">8443</Set>
        <Set name="maxIdleTime">30000</Set>
        <!-- Only suites named here (and supported by the JDK) are enabled. -->
        <Set name="IncludeCipherSuites">
          <Array type="java.lang.String">
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
            <Item>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</Item>
            <!-- DH_anon gives no authentication and NULL gives no encryption;
                 neither belongs on an include list. -->
            <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA256</Item>
            <Item>TLS_RSA_WITH_NULL_SHA256</Item>
            <Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256</Item>
            <Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256</Item>
            <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
            <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
            <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
            <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
          </Array>
        </Set>
        <!-- Suites named here are removed from the enabled set. -->
        <Set name="ExcludeCipherSuites">
          <Array type="java.lang.String">
            <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
            <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
            <Item>TLS_KRB5_WITH_RC4_128_MD5</Item>
            <Item>TLS_KRB5_WITH_3DES_EDE_CBC_MD5</Item>
            <Item>TLS_KRB5_WITH_DES_CBC_MD5</Item>
            <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
            <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>
            <Item>SSL_RSA_WITH_NULL_MD5</Item>
            <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
            <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
            <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
            <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
            <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
            <Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_ECDH_anon_WITH_RC4_128_SHA</Item>
            <Item>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_ECDHE_ECDSA_WITH_NULL_SHA</Item>
            <Item>TLS_ECDHE_RSA_WITH_NULL_SHA</Item>
            <Item>SSL_RSA_WITH_NULL_SHA</Item>
            <Item>TLS_ECDH_ECDSA_WITH_NULL_SHA</Item>
            <Item>TLS_ECDH_RSA_WITH_NULL_SHA</Item>
            <Item>TLS_ECDH_anon_WITH_NULL_SHA</Item>
            <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
            <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>TLS_KRB5_WITH_RC4_128_SHA</Item>
            <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
            <Item>TLS_KRB5_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
            <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
            <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
Jonas

1 Answer


You removed lots of secure cipher suites in an attempt to get rid of the "obsolete cipher" message, but you did not include any of the modern cipher suites, maybe because your server does not support them. In the end you removed too many ciphers, so that some clients will not work any more.

And for an overview of which ciphers are supported by the various browsers, see the SSLLabs client test.

Steffen Ullrich
  • Thanks... I am using Jetty as the server. Do the supported cipher suites depend on the version of Jetty or the JDK? I.e., would an upgrade to Jetty 9 work then, because the suites listed above seem to be all the server supports? (Sorry for ignorant questions, but I am quite new to this.) – Jonas Aug 13 '15 at 04:37
  • @Jonas: if the JDK does not support the ciphers a new version of Jetty will not help. – Steffen Ullrich Aug 13 '15 at 05:36
  • OK, simply using Java 1.8 solves it because it contains the GCM cipher suites which are considered "modern" by Google. Thanks, Steffen, your answer pointed me in the right direction and made me understand the whole topic a lot better. – Jonas Aug 13 '15 at 06:59
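To see why the handshake fails, here is a small model (added here; not Jetty's code and not from the poster) of how Jetty resolves IncludeCipherSuites/ExcludeCipherSuites against what the JDK supports, and which of the result a client can actually use. The suite lists are constructed for illustration: a JDK 7-style list without GCM suites, a JDK 8-style list that adds them, and an approximation of what Chrome offered at the time (AEAD and CBC-SHA1 suites, none of the CBC-SHA256 family).

```python
# Added example, not Jetty's or the poster's code. Simplified model of Jetty's
# include/exclude resolution; every suite list below is constructed.

def enabled_suites(supported, include=None, exclude=()):
    """Start from the include list when given (keeping only entries the JDK
    supports), otherwise from everything supported; then drop excludes.
    Exact string matching only, a simplification of Jetty's resolution."""
    base = [s for s in include if s in supported] if include is not None else list(supported)
    return [s for s in base if s not in set(exclude)]

def negotiable(server_enabled, client_offered):
    """Suites both sides have, in the client's preference order. The SCSV
    signalling value is not a real suite and cannot carry a handshake, so it
    is ignored; an empty result means 'no shared cipher'."""
    enabled = set(server_enabled)
    return [s for s in client_offered if s in enabled and not s.endswith("_SCSV")]

def unsafe_suites(suites):
    """Suites with no authentication (anon) or no encryption (NULL); these
    must never be enabled, whatever hash their name carries."""
    return [s for s in suites if "_anon_" in s or "_NULL_" in s]

# The include list from the question, deduplicated.
INCLUDE = [
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_NULL_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]
# Constructed JDK-style support lists: JDK 7-like without GCM, JDK 8-like with it.
JDK7_LIKE = INCLUDE + ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
GCM = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256"]
JDK8_LIKE = JDK7_LIKE + GCM
# Constructed approximation of a 2015 Chrome ClientHello: AEAD and CBC-SHA1
# suites plus the SCSV, but none of the CBC-SHA256 family.
CHROME_LIKE = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

if __name__ == "__main__":
    for label, jdk, inc in [("JDK7, posted include list", JDK7_LIKE, INCLUDE),
                            ("JDK8, posted include list", JDK8_LIKE, INCLUDE),
                            ("JDK8, include list + GCM", JDK8_LIKE, INCLUDE + GCM)]:
        enabled = enabled_suites(jdk, inc)
        print(label, "-> shared with Chrome:", negotiable(enabled, CHROME_LIKE))
        print("   unsafe entries enabled:", unsafe_suites(enabled))
```

In this model the JDK upgrade alone changes nothing: an include list only enables what it names, so the GCM suites have to be added to it (or the include list dropped in favour of excludes) before Chrome and the server share a suite.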