Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Website works but SSL Labs is reporting vulnerabilities

Yes. It doesn't work with Qualys, and openssl s_client is reporting error 21, unable to verify the first certiicate.

Also, I grabbed the list of supported certificate from the logs, and I put them into my SSLContextFactory config and added the two missing ones, and it doesn't matter - TLS 1.0 is still not available.

Tried putting all of the CA certs in the keystore with the website certs, too. No love.


On 4/21/2016 11:23 PM, Peter Ondruška wrote:
As for the broken certificate chain, are you sure you included all the certificates in chain (including root, all intermediaries)?

On 21 April 2016 at 23:47, Steve Sobol - Lobos Studios <steve@xxxxxxxxxxxxxxxx> wrote:

Ok. This is not cool. After the upgrade to 9.3.8 and a modification of my SSLContextFactory

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- SSL ContextFactory configuration                              -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/keystores/www6-production-keystore.jks</Set>
  <Set name="KeyStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/keystores/truststore.jks</Set>
  <Set name="TrustStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
  <Set name="NeedClientAuth">false</Set>
  <Set name="WantClientAuth">false</Set>
  <Call name="addExcludeCipherSuites">
    <Arg>
      <Array type="String">
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 </Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
      </Array>
    </Arg>
  </Call>
  <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>

the weak cipher warnings are all gone, but the server only speaks TLS 1.2 now, and a the test's simulated IE 10 connection is failing. I'm OK not supporting Android browsers prior to 4.4; they're old. I'm fine not supporting IE 6, 7, 8 and Safari browsers that are three versions older than the current version (those tests all failed). But I need to support IE 9, 10 and 11.

https://www.ssllabs.com/ssltest/analyze.html?d=admin.bamidbarconnect.com

Also, does ANYONE know how to fix the allegedly broken certificate chain?

Thanks


On 4/21/2016 12:59 PM, Steve Sobol - Lobos Studios wrote:

So in the future, if I need to update the list and am not able to immediately upgrade Jetty for whatever reason, I'm thinking I should use

addExcludeCipherSuites()

instead, yes?


On 4/21/2016 12:57 PM, Joakim Erdfelt wrote:
When you used <Set name="ExcludeCipherSuites">

You undid the existing exclusions in Jetty 9.3.3


    public SslContextFactory(boolean trustAll)
    {
        setTrustAll(trustAll);
        addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
        setExcludeCipherSuites(
                "SSL_RSA_WITH_DES_CBC_SHA",
                "SSL_DHE_RSA_WITH_DES_CBC_SHA",
                "SSL_DHE_DSS_WITH_DES_CBC_SHA",
                "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
                "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
                "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
   }

If you use Jetty 9.3.8, you'll find the exclusion list is more strict ...


    public SslContextFactory(boolean trustAll)
    {
        setTrustAll(trustAll);
        addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
        setExcludeCipherSuites(
                "^.*_RSA_.*_(MD5|SHA|SHA1)$",
                "SSL_DHE_DSS_WITH_DES_CBC_SHA",
                "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
    }


Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios <steve@xxxxxxxxxxxxxxxx> wrote:
Jetty 9.3.3.v20150827

I have two problems the Qualys SSL Test is reporting with one of my Jetty-hosted websites and I'm not sure how to fix them.

Both are preventing this website from getting an "A" rating. I'm at a "B" now.

First: "This server supports weak Diffie-Hellman (DH) key exchange parameters."
There were a half-dozen weak ciphers I was able to disable. Only one is still being reported active:
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

But I am doing this:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- SSL ContextFactory configuration                              -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
  <Set name="KeyStorePassword">OBF:NoneYoBizness</Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
  <Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
  <Set name="NeedClientAuth">false</Set>
  <Set name="WantClientAuth">false</Set>
  <Set name="ExcludeCipherSuites">
  <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
    <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
  </Array>
  </Set>
  <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>

I specifically exclude the cipher SSL Labs is complaining about.

The other problem: The SSL Labs test says that my certificate chain is incomplete. But I have the Comodo certificate for the website in the server's keystore, and I have all three intermediate certificates in the truststore.

Any ideas?

Thanks.




--
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories

Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

-- 
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories

Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx

-- 
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories

Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


kaibo, s.r.o., ID 28435036, registered with the commercial register administered by the Municipal Court in Prague, section C, insert 141269.
Registered office and postal address: kaibo, s.r.o., Kališnická 379/10, Prague 3, 130 00, Czech Republic.
https://www.kaibo.eu


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

-- 
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories

Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx

Back to the top