How do I disallow particular SSL protocols in Jetty?

Karl · Nov 11, 2013

I have a web application running on Jetty 6 + Open JDK 7 on Debian 6.0.7. I have a security requirement to accept a TLS handshake but not an SSLv3.0 handshake when a client initiates an HTTPS connection.

In my jetty.xml I set the protocol to TLS:

<New class="org.mortbay.jetty.security.SslSocketConnector">
    <Set name="protocol">TLS</Set>
    ...

With this configuration, the web server still appears to accept an SSLv3.0 handshake. This has been verified with the 'sslscan' tool and running 'curl -sslv3 -kv {host}'.

Is it possible to configure Jetty to only accept a TLS handshake? I would be willing to upgrade my Jetty version if needed.

Answer

Karl · Nov 12, 2013

I found two solutions:

Upgrade to Jetty 9, which supports the jetty.xml entry:

<Arg name="sslContextFactory">
    ...
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
      </Array>
    </Set>

Or, with Jetty 6, create delegate classes for SslSocketConnector and SSLServerSocketFactory:

jetty.xml:
  ...
  <New class="com.src.TlsSocketConnector">
    ...
  </New>

package com.src;

import javax.net.ssl.SSLServerSocketFactory;
import org.mortbay.jetty.security.SslSocketConnector;

// Wraps the connector's default factory so every server socket it hands out has SSLv3 disabled.
public class TlsSocketConnector extends SslSocketConnector {
  @Override
  protected SSLServerSocketFactory createFactory() throws Exception {
    return new TlsServerSocketFactory(super.createFactory());
  }
}

import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class TlsServerSocketFactory extends SSLServerSocketFactory {
  // Protocols left enabled on every socket this factory produces; SSLv3 is deliberately absent.
  private static final String[] TLS_ONLY = {"TLSv1", "TLSv1.1", "TLSv1.2"};
  private final SSLServerSocketFactory delegate;

  public TlsServerSocketFactory(SSLServerSocketFactory delegate) {
    this.delegate = delegate;
  }

  // Every createServerSocket() overload passes through here, so no socket escapes the restriction
  private ServerSocket restrict(ServerSocket socket) {
    ((SSLServerSocket) socket).setEnabledProtocols(TLS_ONLY);
    return socket;
  }

  @Override public ServerSocket createServerSocket() throws IOException {
    return restrict(delegate.createServerSocket());
  }
  @Override public ServerSocket createServerSocket(int port) throws IOException {
    return restrict(delegate.createServerSocket(port));
  }
  @Override public ServerSocket createServerSocket(int port, int backlog) throws IOException {
    return restrict(delegate.createServerSocket(port, backlog));
  }
  @Override public ServerSocket createServerSocket(int port, int backlog, InetAddress addr) throws IOException {
    return restrict(delegate.createServerSocket(port, backlog, addr));
  }

  // Directly delegated methods from SSLServerSocketFactory
  @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
  @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}