Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Website works but SSL Labs is reporting vulnerabilities

According to Qualsys you are missing certificates listed in Certification Paths, are you really sure you have them? Your server only provides the server certificate and hence the error/warning.

On 22 April 2016 at 15:51, Steve Sobol - Lobos Studios <steve@xxxxxxxxxxxxxxxx> wrote:

Yes. It doesn't work with Qualys, and openssl s_client is reporting error 21, unable to verify the first certiicate.

Also, I grabbed the list of supported certificate from the logs, and I put them into my SSLContextFactory config and added the two missing ones, and it doesn't matter - TLS 1.0 is still not available.

Tried putting all of the CA certs in the keystore with the website certs, too. No love.


On 4/21/2016 11:23 PM, Peter Ondruška wrote:
As for the broken certificate chain, are you sure you included all the certificates in chain (including root, all intermediaries)?

On 21 April 2016 at 23:47, Steve Sobol - Lobos Studios <steve@xxxxxxxxxxxxxxxx> wrote:

Ok. This is not cool. After the upgrade to 9.3.8 and a modification of my SSLContextFactory

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- SSL ContextFactory configuration                              -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/keystores/www6-production-keystore.jks</Set>
  <Set name="KeyStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/keystores/truststore.jks</Set>
  <Set name="TrustStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
  <Set name="NeedClientAuth">false</Set>
  <Set name="WantClientAuth">false</Set>
  <Call name="addExcludeCipherSuites">
    <Arg>
      <Array type="String">
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 </Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
      </Array>
    </Arg>
  </Call>
  <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>

the weak cipher warnings are all gone, but the server only speaks TLS 1.2 now, and a the test's simulated IE 10 connection is failing. I'm OK not supporting Android browsers prior to 4.4; they're old. I'm fine not supporting IE 6, 7, 8 and Safari browsers that are three versions older than the current version (those tests all failed). But I need to support IE 9, 10 and 11.

https://www.ssllabs.com/ssltest/analyze.html?d=admin.bamidbarconnect.com

Also, does ANYONE know how to fix the allegedly broken certificate chain?

Thanks


On 4/21/2016 12:59 PM, Steve Sobol - Lobos Studios wrote:

So in the future, if I need to update the list and am not able to immediately upgrade Jetty for whatever reason, I'm thinking I should use

addExcludeCipherSuites()

instead, yes?


On 4/21/2016 12:57 PM, Joakim Erdfelt wrote:
When you used <Set name="ExcludeCipherSuites">

You undid the existing exclusions in Jetty 9.3.3


    public SslContextFactory(boolean trustAll)
    {
        setTrustAll(trustAll);
        addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
        setExcludeCipherSuites(
                "SSL_RSA_WITH_DES_CBC_SHA",
                "SSL_DHE_RSA_WITH_DES_CBC_SHA",
                "SSL_DHE_DSS_WITH_DES_CBC_SHA",
                "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
                "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
                "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
   }

If you use Jetty 9.3.8, you'll find the exclusion list is more strict ...


    public SslContextFactory(boolean trustAll)
    {
        setTrustAll(trustAll);
        addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
        setExcludeCipherSuites(
                "^.*_RSA_.*_(MD5|SHA|SHA1)$",
                "SSL_DHE_DSS_WITH_DES_CBC_SHA",
                "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
    }


Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios <steve@xxxxxxxxxxxxxxxx> wrote:
Jetty 9.3.3.v20150827

I have two problems the Qualys SSL Test is reporting with one of my Jetty-hosted websites and I'm not sure how to fix them.

Both are preventing this website from getting an "A" rating. I'm at a "B" now.

First: "This server supports weak Diffie-Hellman (DH) key exchange parameters."
There were a half-dozen weak ciphers I was able to disable. Only one is still being reported active:
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

But I am doing this:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- SSL ContextFactory configuration                              -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
  <Set name="KeyStorePassword">OBF:NoneYoBizness</Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
  <Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
  <Set name="NeedClientAuth">false</Set>
  <Set name="WantClientAuth">false</Set>
  <Set name="ExcludeCipherSuites">
  <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
    <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
  </Array>
  </Set>
  <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>

I specifically exclude the cipher SSL Labs is complaining about.

The other problem: The SSL Labs test says that my certificate chain is incomplete. But I have the Comodo certificate for the website in the server's keystore, and I have all three intermediate certificates in the truststore.

Any ideas?

Thanks.




--
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories

Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

-- 
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories

Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx

-- 
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories

Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


kaibo, s.r.o., ID 28435036, registered with the commercial register administered by the Municipal Court in Prague, section C, insert 141269.
Registered office and postal address: kaibo, s.r.o., Kališnická 379/10, Prague 3, 130 00, Czech Republic.
https://www.kaibo.eu


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

-- 
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories

Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


kaibo, s.r.o., ID 28435036, registered with the commercial register administered by the Municipal Court in Prague, section C, insert 141269.
Registered office and postal address: kaibo, s.r.o., Kališnická 379/10, Prague 3, 130 00, Czech Republic.
https://www.kaibo.eu

Back to the top