Re: [jetty-users] TLSv1 and TLSv1.1 are disabled by Jetty 10?

I just added the file <JETTY_BASE>/etc/tweak-ssl.xml to enable all the TLS versions, as below:
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
          "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- Tweak SslContextFactory Includes / Excludes -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="IncludeProtocols">
        <Array type="String">
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
            <Item>TLSv1.2</Item>
            <Item>TLSv1.3</Item>
        </Array>
    </Set>
</Configure>

And I also changed <JETTY_BASE>/start.ini to have the lines below:
# ---------------------------------------
# Module: https
# Adds HTTPS protocol support to the TLS(SSL) Connector
# ---------------------------------------
--module=https
etc/tweak-ssl.xml

But my OpenSSL s_client still received a fatal alert protocol_version.
After turning on JSSE debugging with the JDK system property -Djavax.net.debug=all, I saw the exception below:
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1.1 is not enabled or supported in server context

I suppose the JDK (I'm using 11.0.5) doesn't disable TLSv1.1.
Could any other Jetty configuration affect this point?

On Thu, Feb 6, 2020 at 1:47 PM John Jiang <john.sha.jiang@xxxxxxxxx> wrote:
Hi,
I'm using Jetty 10.0.0 alpha1.

From my testing, it looks like TLSv1 and TLSv1.1 are disabled in this version.
I used OpenSSL s_client to connect to the Jetty server via TLS.
If TLSv1.2 or TLSv1.3 was specified, the handshake finished successfully.
However, when TLSv1 or TLSv1.1 was specified, the handshake failed.

But in the server dump, it looked like the older TLS versions were enabled, as shown below:
|  += SslConnectionFactory@4e50c791{SSL->alpn} - STARTED
|  |  += Server@2826f61[provider=null,keyStore=file:///path/to/etc/keystore,trustStore=file:///path/to/etc/keystore] - STARTED
|  |     +> trustAll=false
|  |     +> Protocol Selections
|  |     |  +> Enabled size=4
|  |     |  |  +> TLSv1
|  |     |  |  +> TLSv1.1
|  |     |  |  +> TLSv1.2
|  |     |  |  +> TLSv1.3
|  |     |  +> Disabled size=2
|  |     |     +> SSLv2Hello - ConfigExcluded:'SSLv2Hello' JVM:disabled
|  |     |     +> SSLv3 - ConfigExcluded:'SSLv3' JVM:disabled

What have I missed?
I didn't encounter this problem with Jetty 9.4.

Thanks!
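The thread leaves open whether the exclusion comes from Jetty's SslContextFactory or from the JDK itself. The small diagnostic below is an added example written for this page (it is not code from the Jetty project or from the poster; the class name TlsProtocolCheck is my own). It asks the running JDK's default SSLContext which protocol versions it supports and which it enables by default, and prints the JDK's jdk.tls.disabledAlgorithms security property. If a version is missing from the "enabled" list here, or is named in that property, the JDK is excluding it before Jetty's IncludeProtocols setting is ever consulted; if the JDK enables it and Jetty's dump also lists it as enabled, the remaining suspects are on the Jetty side.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added diagnostic (not Jetty project code): report what the JDK's default
// SSLContext supports and enables, and what java.security disables. Run with
// the same JDK that runs Jetty, e.g. "java TlsProtocolCheck.java" on JDK 11+.
public class TlsProtocolCheck {

    // The versions under discussion in the thread.
    private static final String[] VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();

        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> enabled = Arrays.asList(engine.getEnabledProtocols());

        System.out.println("JDK version:          " + System.getProperty("java.version"));
        System.out.println("Supported protocols:  " + supported);
        System.out.println("Enabled by default:   " + enabled);
        // This property is read from <JAVA_HOME>/conf/security/java.security;
        // anything listed here is disabled by the JDK regardless of Jetty's config.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        for (String v : VERSIONS) {
            System.out.printf("%-8s supported=%-5b enabledByDefault=%b%n",
                    v, supported.contains(v), enabled.contains(v));
        }
    }
}
```

Because the engine comes from SSLContext.getDefault(), the output reflects the JDK's own defaults (including any -Djava.security.properties override passed on the command line), not Jetty's SslContextFactory; that is exactly the baseline needed to interpret the "Client requested protocol TLSv1.1 is not enabled or supported in server context" message.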
