To be PCI compliance, I use nmap to scan for SSL vulnerability:
nmap -p 8443 --script ssl-enum-ciphers myJettyServer.com
> 8443/tcp open https-alt
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 768) - B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (dh 768) of lower strength than certificate key
| Key exchange (secp160k1) of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 768) - B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (dh 768) of lower strength than certificate key
| Key exchange (secp160k1) of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 768) - C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 768) - B
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 768) - B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp160k1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (dh 768) of lower strength than certificate key
| Key exchange (secp160k1) of lower strength than certificate key
|_ least strength: C
I discover that an SWEET32 exists on my embedded Jetty 9.1.5 server. To resolve this, I add these lines to jetty.xml:
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
<!-- default -->
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_RC4_128_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_RSA_FIPS_WITH_DES_EDE_CBC_SHA</Item>
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<!--3DES-->
<Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<!-- RC4 -->
<Item>PCT_SSL_CIPHER_TYPE_1ST_HALF</Item>
<Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_WITH_RC4_128_MD5</Item>
<Item>SSL_RSA_WITH_RC4_128_SHA</Item>
<Item>SSL2_RC4_128_EXPORT40_WITH_MD5</Item>
<Item>SSL2_RC4_128_WITH_MD5</Item>
<Item>SSL2_RC4_64_WITH_MD5</Item>
<Item>TLS_DH_Anon_EXPORT_WITH_RC4_40_MD5</Item>
<Item>TLS_DH_Anon_WITH_RC4_128_MD5</Item>
<Item>TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA</Item>
<Item>TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA256</Item>
<Item>TLS_DHE_DSS_WITH_RC4_128_SHA</Item>
<Item>TLS_DHE_DSS_WITH_RC4_128_SHA256</Item>
<Item>TLS_DHE_PSK_WITH_RC4_128_SHA</Item>
<Item>TLS_DHE_PSK_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDH_Anon_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDH_Anon_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDH_RSA_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDHE_PSK_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDHE_PSK_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA256</Item>
<Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
<Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
<Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA256</Item>
<Item>TLS_KRB5_WITH_RC4_128_MD5</Item>
<Item>TLS_KRB5_WITH_RC4_128_SHA</Item>
<Item>TLS_KRB5_WITH_RC4_128_SHA256</Item>
<Item>TLS_PSK_WITH_RC4_128_SHA</Item>
<Item>TLS_PSK_WITH_RC4_128_SHA256</Item>
<Item>TLS_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>TLS_RSA_EXPORT1024_WITH_RC4_56_MD5</Item>
<Item>TLS_RSA_EXPORT1024_WITH_RC4_56_SHA</Item>
<Item>TLS_RSA_EXPORT1024_WITH_RC4_56_SHA256</Item>
<Item>TLS_RSA_PSK_WITH_RC4_128_SHA</Item>
<Item>TLS_RSA_PSK_WITH_RC4_128_SHA256</Item>
<Item>TLS_RSA_WITH_RC4_128_MD5</Item>
<Item>TLS_RSA_WITH_RC4_128_SHA</Item>
<Item>TLS_RSA_WITH_RC4_128_SHA256</Item>
</Array>
</Set>
All other 3DES ciphers gone, except this one TLS_RSA_WITH_3DES_EDE_CBC_SHA. It's so weird!
How can I get rid of this cipher? Thanks in advance.