Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] how to properly deployDiffie-Hellman on my server

When it comes to running a server with TLS/SSL on the public internet, there is one fundamental truth.

You have to stay up to date.

Your use of Java 1.7 means you practically have no solution left for you.

You are doing the right thing by excluding the vulnerable protocols: SSL, SSLv2, SSLv3, TLSv1, and TLSv1.1
That assumes that you'll use TLSv1.2, but TLSv1.2 support in Java 1.7 was reserved for clients, not servers.

Can you enable TLSv1.2 on Java 1.7 for servers?  
In some versions of Java 1.7 you can, but that support is very preliminary and has many known issues.

If you absolutely must stick with Java 1.7 and Jetty 9.2.x, then consider putting a more up to date SSL offloader in front of your application.
Some product like haproxy, nginx, etc...  and keep that product up to date!

Or, upgrade to Java 1.8 at a minimum, as that has the proper TLSv1.2 support you are needing.

If you need TLSv1.3 you'll need to upgrade to Java 11 (11.0.4+ to have most of the TLSv1.3 support issues fixed)

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Mon, Sep 23, 2019 at 5:52 AM RJC 2009 <rjc2009@xxxxxxxxx> wrote:


Please guide on how to properly deploy Diffie-Hellman on my server. I am using Jetty 9.2.9 with jdk1.7.


This is my current configuration in jetty-ssl.xml but SSL scan report shows that “This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam)”


<Set name="ExcludeCipherSuites">

    <Array type="String">








 <!-- Enable Forward Secrecy Ciphers.       Note: this replaces the default Include Cipher list -->

  <Set name="IncludeCipherSuites">

    <Array type="String">





<!-- Eliminate Insecure Protocols -->

  <Call name="addExcludeProtocols">


     <Array type="java.lang.String">













jetty-users mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit

Back to the top