Referencing this doc, https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites toward the top there is a note:

Once TLS v1.3 is released, there will be no workaround available for TLS v1.0 or v1.1. Plans for TLS v1.3 include banning ciphers with known vulnerabilities from being present at any level. It is recommended to upgrade any clients using these ciphers as soon as possible or face being locked into an outdated version of Jetty, Java or even OS.

The change log for Jetty 9.4.12, includes the following:

2711 TLS 1.3 compliance

Is it confirmed that as of Jetty 9.4.12 and newer, it is no longer possible to override the default ciphers and re-enable support for TLS 1.0 and 1.1?

  • At least in https://github.com/eclipse/jetty.project/blob/jetty-9.4.29.v20200521/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java you have only: `private static final String[] DEFAULT_EXCLUDED_PROTOCOLS = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"};` – Patrick Mevzek Jun 11 '20 at 18:22
  • Hi, @PatrickMevzek. Thank you. I see those are excluded by default, but does that really mean that attempts to re-enable TLS 1.0 and TLS 1.2 via ${jetty.base}/etc/tweak-ssl.xml will no longer work in 9.4.29? – Leon Shaner Jun 11 '20 at 18:35
  • I honestly do not know, and just gave the link I found in case it helps someone to dig deeper. If there is only what I have found then no TLS versions should be disabled, but maybe there is other configuration somewhere impacting things, and your Java version could come into play too. Hence, maybe the simplest path, is just try? At least following a link from your quoted documentation leads to https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L272 and it uses DEFAULT_EXCLUDED_PROTOCOLS... – Patrick Mevzek Jun 11 '20 at 19:27
  • (so in a very cursory look - I know almost nothing in Java land - it seems to me that the documentation and the code disagree, which is why testing is probably the safer path...) Also, this may give information too: https://github.com/eclipse/jetty.project/issues/2807 – Patrick Mevzek Jun 11 '20 at 19:27
  • @PatrickMevzek thank you so much! =D I was trying to save some trouble, but I will in fact try to reproduce the larger use-case and see what I can find. Thanks again! – Leon Shaner Jun 12 '20 at 14:23

1 Answer

There is a bug, "Issue with default cipher excludes all about TLS1.0": https://github.com/eclipse/jetty.project/issues/3773

```java
private SslContextFactory(boolean trustAll, String keyStorePath)
{
    setTrustAll(trustAll);
    // Protocol-level excludes: only the SSL family is excluded, not TLSv1 or TLSv1.1
    addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
    // Cipher-suite exclude: a regex matching every suite whose name ends in _MD5, _SHA or _SHA1
    setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
    if (keyStorePath != null)
        setKeyStorePath(keyStorePath);
}
```

The names of the TLS v1.0 cipher suites are matched by the above "^.*_(MD5|SHA|SHA1)$"; see https://www.openssl.org/docs/man1.1.0/man1/ciphers.html
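To see why that default exclude leaves nothing for TLS 1.0 or 1.1 to negotiate even when those protocols are not excluded, here is an added Python example (not from the answer, Jetty or JSSE) that applies the quoted regex to a constructed list of suite names; it assumes Jetty compiles each exclude entry as a regex matched against the whole suite name.

```python
import re

# Jetty's default cipher-suite exclusion, quoted from the SslContextFactory constructor above.
JETTY_DEFAULT_EXCLUDE = r"^.*_(MD5|SHA|SHA1)$"

# Constructed sample of JSSE cipher-suite names (not taken from the page).
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]


def min_tls_version(suite):
    """Lowest protocol version able to negotiate this suite.

    TLS 1.0 and 1.1 only define suites with an HMAC-MD5 or HMAC-SHA1 MAC, so their
    names end in _MD5 or _SHA; SHA-256/384 MACs and AEAD (GCM/CCM) suites require TLS 1.2.
    """
    if re.search(r"_(GCM|CCM)", suite) or suite.endswith(("_SHA256", "_SHA384")):
        return "TLSv1.2"
    return "TLSv1"


def jetty_select(suites, excludes=(JETTY_DEFAULT_EXCLUDE,)):
    """Drop every suite matched by an exclude entry.

    Assumption: Jetty compiles each exclude entry as a java.util.regex pattern and
    removes suites whose whole name matches it; re.fullmatch mirrors Pattern.matches.
    """
    patterns = [re.compile(p) for p in excludes]
    return [s for s in suites if not any(p.fullmatch(s) for p in patterns)]


def legacy_handshake_possible(suites, excludes=(JETTY_DEFAULT_EXCLUDE,)):
    """True if, after exclusion, at least one suite remains that TLS 1.0/1.1 could use."""
    return any(min_tls_version(s) == "TLSv1" for s in jetty_select(suites, excludes))


if __name__ == "__main__":
    print("kept after default exclude:", jetty_select(SAMPLE_SUITES))
    # Even with TLSv1/TLSv1.1 left in the protocol list, nothing is left for them to negotiate.
    print("TLS 1.0/1.1 handshake still possible:", legacy_handshake_possible(SAMPLE_SUITES))
```

Re-enabling TLSv1 in tweak-ssl.xml therefore only takes effect if the cipher-suite exclude is also narrowed so that at least one _SHA suite survives.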