Jetty Server only provides .*DSS.* TLS Cipher Suites

Issue #708 resolved
Felix Schäfer
created an issue

Since the last browser update both Firefox and Chrome refused to connect to our scm-manager in their current version. I discovered that the jetty (7.6.16) of our scm-server (1.45) only provides the following cipher suites:

Supported versions: TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  TLSv1.0
     DHE_DSS_WITH_3DES_EDE_CBC_SHA
     DHE_DSS_WITH_AES_128_CBC_SHA
     DHE_DSS_WITH_AES_256_CBC_SHA
  (TLSv1.1: idem)
[ERR: server wants to use cipher suite 0x0040 which client did not announce]
  TLSv1.2
     DHE_DSS_WITH_3DES_EDE_CBC_SHA
     DHE_DSS_WITH_AES_128_CBC_SHA
     DHE_DSS_WITH_AES_256_CBC_SHA
     DHE_DSS_WITH_AES_128_CBC_SHA256
     DHE_DSS_WITH_AES_256_CBC_SHA256

I use the following configuration to add the ssl connector (/opt/scm-server/conf/server-config.xml):

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg>
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
            <Set name="keyStore"><SystemProperty name="basedir" default="." />/conf/scm.jks</Set>
            <Set name="keyStorePassword">PWD</Set>
            <Set name="keyManagerPassword">PWD</Set>
            <Set name="trustStore"><SystemProperty name="basedir" default="." />/conf/scm.jks</Set>
            <Set name="trustStorePassword">PWD</Set>
            <!--
            Exclude SSLv3 to avoid POODLE vulnerability.
            See https://groups.google.com/d/msg/scmmanager/sX_Ydy-wAPA/-Dvs5i7RHtQJ
            -->
            <Set name="excludeProtocols">
              <Array type="java.lang.String">
                <Item>SSLv2Hello</Item>
                <Item>SSLv3</Item>
              </Array>
            </Set>
          </New>
        </Arg>
        <Set name="Port">8181</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="requestHeaderSize">16384</Set>
      </New>
    </Arg>
  </Call>

As shown in the jetty documentation I tried to include additional cipher suites and exclude the .DSS. cipher suites.

            <Set name="ExcludeCipherSuites">
              <Array type="String">
                <Item>.*DSS.*</Item>
              </Array>
            </Set>
            <Set name="includeCipherSuites">
              <Array type="String">
                <Item>TLS_ECDHE.*</Item>
              </Array>
            </Set>

That leads to the result that NO TLS is provided any more. I don't see any errors in the logfile that I can associate to the configuration.

We tried both java-7-openjdk-amd64 and java-7-oracle as java jdk. I doesn't make any difference. The system is hosted on a Ubuntu 12.04.5 LTS (GNU/Linux 3.2.0-53-generic x86_64) server.

Comments (5)

  1. Sebastian Sebastian repo owner
    • changed status to open

    I've never seen this wildcard notation. Could you post a link to the jetty documentation which you have used? I can't reproduce this this, my firefox and my chrome can easily connect to my scm-manager with default ssl settings. However i've looked at the jetty distribution ssl settings:

    https://github.com/eclipse/jetty.project/blob/master/jetty-server/src/main/config/etc/jetty-ssl.xml

    And they exclude a list of ciphers:

    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
      </Array>
    </Set>
    
  2. Felix Schäfer reporter

    I found our problem. It was the certificate that we used. The used certificate was signed with DSA and thus there only were DSS ciphers available.

    But anyway the exclude of unwanted ciphers does not work for us. But the security status is now way better than before.

  3. Log in to comment