Hi guys,
I’m using jetty in an embedded application.
Jetty 9.2.10 has SSLv3 disabled by default.
I create an sslContextFactory and set the appropriate properties:
sslContextFactory.setIncludeProtocols("SSLv3", "TLSv1", "TLSv1.2", "TLSv1.1");
I then use the sslContextFactory in the connectionFactory:
SslContextFactory sslContextFactory = createSslContextFactory();//set all sslContextFactory props here
HttpConfiguration https_config = new HttpConfiguration();
https_config.addCustomizer(new SecureRequestCustomizer());
SslConnectionFactory sslConnFact = new SslConnectionFactory(sslContextFactory, "http/1.1");
ServerConnector https = new ServerConnector(jetty, sslConnFact, new HttpConnectionFactory(https_config));
jetty.addConnector(https);
jetty.start();
Unfortunately, when I test the jetty server with TestSSLServer.jar (which I found online), the output does NOT list SSLv3!
D:\temp> java -jar TestSSLServer.jar localhost 7906
Supported versions: TLSv1.0 TLSv1.1 TLSv1.2
If I only “include” SSLv3, the JettyServer will refuse to negotiate any connections:
sslContextFactory.setIncludeProtocols("SSLv3");
If I only “include” TLSv1, the TestSSLServer.jar shows: (Supported versions: TLSv1.0)
sslContextFactory.setIncludeProtocols("TLSv1");
NOTE: before upgrading to 9.2.10, I used 9.2.3 (which had SSLv3 enabled).
Using the same code above, I was able to enable or disable SSLv3 by also setting:
sslContextFactory.setExcludeProtocols(“SSLv3”);
So, my question is: How do I re-enable SSLv3?
Thanks
Michael Grimm
grimm@xxxxxx
Mobile: 970-669-5467 (Primary phone)
