To be PCI compliant, I use nmap to scan for SSL vulnerabilities:

nmap -p 8443 --script ssl-enum-ciphers myJettyServer.com

> 8443/tcp open https-alt
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 768) - B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (dh 768) of lower strength than certificate key
| Key exchange (secp160k1) of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 768) - B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (dh 768) of lower strength than certificate key
| Key exchange (secp160k1) of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 768) - C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 768) - B
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 768) - B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp160k1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (dh 768) of lower strength than certificate key
| Key exchange (secp160k1) of lower strength than certificate key
|_ least strength: C

I discover that SWEET32 exists on my embedded Jetty 9.1.5 server. To resolve this, I add these lines to jetty.xml:

  <Set name="ExcludeProtocols">
     <Array type="java.lang.String">
        <Item>SSLv3</Item>
     </Array>
  </Set>
  <Set name="ExcludeCipherSuites">
     <Array type="java.lang.String">
        <!-- default -->
        <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_RC4_128_SHA</Item>
        <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_RSA_FIPS_WITH_DES_EDE_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>

        <!--3DES-->
        <Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item>         
        <Item>TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA</Item>            
        <Item>TLS_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>

        <!-- RC4 -->
        <Item>PCT_SSL_CIPHER_TYPE_1ST_HALF</Item>
        <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
        <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
        <Item>SSL2_RC4_128_EXPORT40_WITH_MD5</Item>
        <Item>SSL2_RC4_128_WITH_MD5</Item>
        <Item>SSL2_RC4_64_WITH_MD5</Item>
        <Item>TLS_DH_Anon_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>TLS_DH_Anon_WITH_RC4_128_MD5</Item>
        <Item>TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA</Item>
        <Item>TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA256</Item>
        <Item>TLS_DHE_DSS_WITH_RC4_128_SHA</Item>
        <Item>TLS_DHE_DSS_WITH_RC4_128_SHA256</Item>
        <Item>TLS_DHE_PSK_WITH_RC4_128_SHA</Item>
        <Item>TLS_DHE_PSK_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDH_Anon_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDH_Anon_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDHE_PSK_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDHE_PSK_WITH_RC4_128_SHA256</Item>
        <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA256</Item>
        <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
        <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA256</Item>
        <Item>TLS_KRB5_WITH_RC4_128_MD5</Item>
        <Item>TLS_KRB5_WITH_RC4_128_SHA</Item>
        <Item>TLS_KRB5_WITH_RC4_128_SHA256</Item>
        <Item>TLS_PSK_WITH_RC4_128_SHA</Item>
        <Item>TLS_PSK_WITH_RC4_128_SHA256</Item>
        <Item>TLS_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>TLS_RSA_EXPORT1024_WITH_RC4_56_MD5</Item>
        <Item>TLS_RSA_EXPORT1024_WITH_RC4_56_SHA</Item>
        <Item>TLS_RSA_EXPORT1024_WITH_RC4_56_SHA256</Item>
        <Item>TLS_RSA_PSK_WITH_RC4_128_SHA</Item>
        <Item>TLS_RSA_PSK_WITH_RC4_128_SHA256</Item>
        <Item>TLS_RSA_WITH_RC4_128_MD5</Item>
        <Item>TLS_RSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_RSA_WITH_RC4_128_SHA256</Item>
     </Array>
  </Set>

All other 3DES ciphers are gone, except this one: TLS_RSA_WITH_3DES_EDE_CBC_SHA. It's so weird!

How can I get rid of this cipher? Thanks in advance.

Khoa Bui
  • I solved the issue by changing the exclude pattern: use a regular expression to cover all ciphers instead of listing them individually: .*DES.* – Khoa Bui Feb 21 '17 at 07:46
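
A scan like the one in the question can be re-checked mechanically after each configuration change. This is an added example, not part of the original post: the sample report is constructed, and the function name `audit` and its two thresholds are assumptions of the example.

```python
import re

# Constructed sample in the layout of the ssl-enum-ciphers report in the question.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp160k1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: C
"""

PROTO = re.compile(r"^\|[\s_]*((?:SSLv|TLSv)[\d.]+):\s*$")
SUITE = re.compile(r"^\|[\s_]*(\w+) \((\w+)(?: (\d+))?\) - [A-F]\s*$")


def audit(report, min_dh_bits=2048, min_curve_bits=224):
    """Return {protocol: [(suite, reason), ...]} for suites that need attention.

    The two thresholds are assumptions of this example, not values from the scan.
    """
    findings, proto = {}, None
    for line in report.splitlines():
        m = PROTO.match(line)
        if m:
            proto = m.group(1)          # remember which protocol block we are in
            continue
        m = SUITE.match(line)
        if not (m and proto):
            continue                    # headers, compressors, warnings, etc.
        suite, kex, bits = m.groups()
        reasons = []
        if "3DES" in suite:
            reasons.append("64-bit block cipher (SWEET32)")
        if kex == "dh" and bits and int(bits) < min_dh_bits:
            reasons.append(f"DH group of {bits} bits")
        # Named curves carry no separate size, so read it from the curve name.
        curve = re.search(r"\d+", kex) if bits is None else None
        if curve and int(curve.group()) < min_curve_bits:
            reasons.append(f"curve {kex} ({curve.group()} bits)")
        for reason in reasons:
            findings.setdefault(proto, []).append((suite, reason))
    return findings
```

An empty dictionary from `audit` means no 3DES suite and no undersized key exchange was offered on any protocol version in the report.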

1 Answer

Using a recent stable version of Jetty, you can ask for a server dump and see the list of enabled / disabled ciphers, along with (most importantly!) where they are disabled.

Example:

 $ cd /path/to/my/jettybase
 $ java -jar /path/to/jetty-dist/start.jar jetty.server.dumpAfterStart=true

 |   += SslConnectionFactory@cc285f4{SSL->http/1.1} - STARTED
 |   |   += SslContextFactory@77659b30(file:///path/to/my/jettybase/etc/keystore,file:///path/to/my/jettybase/etc/keystore) trustAll=false
 |   |       +- Protocol Selections
 |   |       |   +- Enabled (size=3)
 |   |       |   |   +- TLSv1
 |   |       |   |   +- TLSv1.1
 |   |       |   |   +- TLSv1.2
 |   |       |   +- Disabled (size=2)
 |   |       |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
 |   |       |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
 |   |       +- Cipher Suite Selections
 |   |           +- Enabled (size=29)
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 |   |           |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_GCM_SHA384
 |   |           +- Disabled (size=53)
 |   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
 |   |               +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

You'll quickly see that the ciphers you specifically are calling out are already disabled by default in the Jetty configuration, with others being disabled by the running JRE.

As for configuring the list of ciphers, you would configure the SslContextFactory to have the excludes you need. There are many ways to configure it; it would be best if you choose a technique that best fits your needs from the official documentation at ...

https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites

Joakim Erdfelt
  • I use embedded Jetty, configured via jetty.xml. After changing the option to true: true, I got the dump log. But there are only 2 lines involving SSL, with no details: | += SslConnectionFactory@35a7a1ab{SSL-http/1.1} - STARTED | | += SslContextFactory@1066fd12(webapps/conf/iDS.keystore,webapps/conf/iDS.keystore) - STARTED – Khoa Bui Feb 21 '17 at 06:56
  • @KhoaBui that output is from stable Jetty 9.4.1 – Joakim Erdfelt Feb 21 '17 at 14:04
  • Thanks for the hint. Mine is Jetty 9.1.5. I tried to upgrade before but failed with some configuration. Will find time to try again. Btw, I solved the issue by using a wildcard in the exclusion rule. – Khoa Bui Feb 22 '17 at 15:40
  • I upgraded Jetty to 9.4.1 and got cipher details in the server dump. This is a great hint, thanks. – Khoa Bui Feb 25 '17 at 21:58
  • I got a websocket not found error (404) when upgrading to Jetty 9.4.1. It would be greatly appreciated if you could help with this issue. Then I can use Jetty 9.4.1 officially. Thanks so much. Here is the question I just posted about the issue: http://stackoverflow.com/questions/42524174/websocket-jsr-356-fail-with-jetty-9-4-1. – Khoa Bui Mar 01 '17 at 05:51
  • 404 means there is no WebSocket endpoint (or general Web Resource) at the requested URI. – Joakim Erdfelt Mar 01 '17 at 12:11
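
A likely reason the explicit list left one 3DES suite enabled, as an added example that is not part of the original thread: the server dump lists that suite under the JSSE name SSL_RSA_WITH_3DES_EDE_CBC_SHA, which the question's list does not contain, while the scanner prints the TLS_ spelling. The sketch assumes each exclude entry is a regular expression that must match the whole JSSE name; `enabled_after`, `wire_name` and `leaked_3des` are hypothetical helper names.

```python
import re

# Constructed sample: JSSE suite names, spelled as they appear in the server dump above.
JSSE_SUPPORTED = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# A subset of the <Item> entries from the question's ExcludeCipherSuites list.
EXPLICIT_EXCLUDES = [
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

# The pattern from the asker's comment.
REGEX_EXCLUDES = [".*DES.*"]


def enabled_after(excludes, supported=JSSE_SUPPORTED):
    """Suites still enabled once every exclude pattern has been applied.

    Assumption: an exclude removes a suite only if it matches the whole JSSE name.
    """
    patterns = [re.compile(p) for p in excludes]
    return [s for s in supported if not any(p.fullmatch(s) for p in patterns)]


def wire_name(jsse_name):
    """Spelling a scanner prints for a JSSE name: the SSL_ prefix becomes TLS_."""
    return "TLS_" + jsse_name[4:] if jsse_name.startswith("SSL_") else jsse_name


def leaked_3des(excludes):
    """3DES suites a scan would still report, in the scanner's spelling."""
    return [wire_name(s) for s in enabled_after(excludes) if "3DES" in s]


if __name__ == "__main__":
    print("explicit list leaves:", leaked_3des(EXPLICIT_EXCLUDES))
    print("regex leaves:        ", leaked_3des(REGEX_EXCLUDES))
```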