I'm running a server that requires a blacklist of weak cipher suites.
So which of the following are weak? http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
13
votes
3 Answers
10
votes
Why do you need to exclude the bad ones? Why not only include the good ones?
For starters, I'd follow the NSA Suite B guidelines, specifically RFC 5430
4
votes
Versions after 7.0.2 of Jetty now include a whitelist feature for cipher suites. Just add a section to your etc/jetty-ssl.xml like the following:
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg><Ref id="sslContextFactory" /></Arg>
<Set name="Port">8443</Set>
<Set name="maxIdleTime">30000</Set>
<Set name="Acceptors">2</Set>
<Set name="AcceptQueueSize">100</Set>
<!--you can enable cipher suites in the following section. -->
<Set name="IncludeCipherSuites">
<Array type="java.lang.String">
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
</Array>
</Set>
</New>
</Arg>
</Call>
Doing so will automatically blacklist any cipher suites that aren't listed in this section.
0
votes
Pretty sure Jetty is blacklist.
- http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites
- http://jira.codehaus.org/browse/JETTY-1164 <-- I'm using slightly older version lol
Anyways my issue is solved. Thanks
