[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
[jetty-users] Website works but SSL Labs is reporting vulnerabilities
|
Jetty 9.3.3.v20150827
I have two problems the Qualys SSL Test is reporting with one of my
Jetty-hosted websites and I'm not sure how to fix them.
Both are preventing this website from getting an "A" rating. I'm at a
"B" now.
First: "This server supports weak Diffie-Hellman (DH) key exchange
parameters."
There were a half-dozen weak ciphers I was able to disable. Only one is
still being reported active:
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
But I am doing this:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
"http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- ============================================================= -->
<!-- SSL ContextFactory configuration -->
<!-- ============================================================= -->
<Configure id="sslContextFactory"
class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="KeyStorePath"><Property name="jetty.base" default="."
/>/path/to/keystore.jks</Set>
<Set name="KeyStorePassword">OBF:NoneYoBizness</Set>
<Set name="TrustStorePath"><Property name="jetty.base" default="."
/>/path/to/keystore.jks</Set>
<Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
<Set name="NeedClientAuth">false</Set>
<Set name="WantClientAuth">false</Set>
<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
</Array>
</Set>
<Set name="useCipherSuitesOrder"><Property
name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>
I specifically exclude the cipher SSL Labs is complaining about.
The other problem: The SSL Labs test says that my certificate chain is
incomplete. But I have the Comodo certificate for the website in the
server's keystore, and I have all three intermediate certificates in the
truststore.
Any ideas?
Thanks.
--
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories
Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx