Login/Register
How do I disallow particular SSL protocols in Jetty?
Asked Answered
ssljettyjavasslv3
M

2

3

I have a web application running on Jetty 6 + Open JDK 7 on Debian 6.0.7. I have a security requirement to accept a TLS handshake but not an SSLv3.0 handshake when a client initiates an HTTPS connection.

In my jetty.xml I set the protocol to TLS:

<New class="org.mortbay.jetty.security.SslSocketConnector">
    <Set name="protocol">TLS</Set>
    ...

With this configuration, the web server still appears to accept an SSLv3.0 handshake. This has been verified with the 'sslscan' tool and running 'curl -sslv3 -kv {host}'.

Is it possible to configure Jetty to only accept a TLS handshake? I would be willing to upgrade my Jetty version if needed.

Minardi answered 11/11, 2013 at 18:36 Comment(1)
I found two solutions. 1) Upgrade to Jetty 9, which supports the SslContextFactory entry: <Set name="excludeProtocols"> <Array type="java.lang.String"> <Item>SSLv3</Item> </Array> </Set> 2) In Jetty 6, create a Java class extending SslSocketConnector, overriding the method:Minardi
M
5

I found two solutions:

Upgrade to Jetty 9, which supports the jetty.xml entry:

<Arg name="sslContextFactory">
    ...
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
      </Array>
     </Set>

Or, with Jetty 6 create delegate classes for SslSocketConnector and SSLServerSocketFactory:

jetty.xml:
  ...
  <New class="com.src.TlsSocketConnector">
    ...
  </New>

public class TlsSocketConnector extends SslSocketConnector  {
  @Override
  protected SSLServerSocketFactory createFactory() throws Exception {
    return new TlsServerSocketFactory( super.createFactory() );
  }
}

public class TlsServerSocketFactory extends SSLServerSocketFactory {

  private SSLServerSocketFactory delegate;

  public TlsServerSocketFactory( SSLServerSocketFactory delegate ) {
    this.delegate = delegate;
  }

  //Repeat this pattern for all createServerSocket() methods
  public ServerSocket createServerSocket() throws IOException {
    SSLServerSocket socket = (SSLServerSocket) delegate.createServerSocket();
    socket.setEnabledProtocols( new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
    return socket;
  }

  // Directly delegated methods from SSLServerSocketFactory
  public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
  public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
Minardi answered 12/11, 2013 at 19:1 Comment(0)
G
1

For Jetty 6, you could also create an overridden SslSelectChannelConnector that removes SSLv3, like this:

package com.mycompany;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.net.ssl.SSLEngine;

import org.mortbay.jetty.security.SslSelectChannelConnector;

public class SslSelectChannelConnectorNoSsl3 extends SslSelectChannelConnector {

  @Override
  protected SSLEngine createSSLEngine() throws IOException {
    SSLEngine engine = super.createSSLEngine();
    Set<String> protocols = new HashSet<String>(Arrays.asList(engine.getEnabledProtocols()));
    protocols.removeAll(Arrays.asList("SSLv2Hello","SSLv3"));
    engine.setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
    return engine;
  }

}

And then specify that connector in jetty.xml, like this:

<Call name="addConnector">
 <Arg>
   <New class="com.mycompany.SslSelectChannelConnectorNoSsl3">
   ...
   </New>
 </Arg>
</Call>
Garlaand answered 14/11, 2014 at 22:17 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.