Update default config for Jetty to exclude unsafe ciphers

Issue #762 new
Kamil Zadora created an issue

First of all, thank you all for this project.

Please consider updating the default SCM Manager Jetty config (we installed from RPM). It makes the latest versions of Firefox unhappy due to the latest issues with Logjam, POODLE etc. We fixed it by adding the following exclusions to the supported ciphers and protocols.

<Set name="ExcludeCipherSuites">
  <Array type="String">
    <!-- Single-DES and export-grade suites -->
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <!-- Disable cipher suites with Diffie-Hellman key exchange to prevent the Logjam attack
         and avoid the ssl_error_weak_server_ephemeral_dh_key error in recent browsers -->
    <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
    <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
    <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
    <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
    <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
  </Array>
</Set>
<!-- Drop SSLv3 (POODLE) and the SSLv2-compatible hello -->
<Set name="excludeProtocols">
  <Array type="java.lang.String">
    <Item>SSLv2Hello</Item>
    <Item>SSLv3</Item>
  </Array>
</Set>
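The exclusion lists above are a blacklist: any weak suite the JVM enables that is not named in them stays on. As an added example that is not part of the issue or of SCM Manager, this script parses a Jetty XML fragment (a constructed, abridged copy of the lists above), applies the exclusions to a constructed sample of JVM-enabled suites, and reports which weak suites survive and which protocol exclusions are missing; the weak-suite patterns are an assumed policy, not Jetty's.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the issue's exclusion lists (abridged), wrapped in a root element so they parse.
JETTY_FRAGMENT = """<Configure>
  <Set name="ExcludeCipherSuites"><Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item><Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
  </Array></Set>
  <Set name="excludeProtocols"><Array type="java.lang.String">
    <Item>SSLv2Hello</Item><Item>SSLv3</Item>
  </Array></Set>
</Configure>"""

# Constructed sample of suites a JVM enables by default (illustrative, not a real JVM dump).
ENABLED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
]

# Assumed policy: suite-name patterns for the families the issue targets, plus RC4, which its list omits.
WEAK_PATTERNS = {
    "export-grade": re.compile(r"_EXPORT_"),
    "DES/3DES": re.compile(r"_DES_|_DES40_|_3DES_"),
    "RC4": re.compile(r"_RC4_"),
    "finite-field DHE (Logjam)": re.compile(r"_DHE_"),
}
REQUIRED_PROTOCOL_EXCLUSIONS = {"SSLv2Hello", "SSLv3"}

def set_items(xml_text, set_name):
    """<Item> texts under <Set name=set_name>; matched case-insensitively since the page uses both spellings."""
    root = ET.fromstring(xml_text)
    for node in root.iter("Set"):
        if node.get("name", "").lower() == set_name.lower():
            return [item.text.strip() for item in node.iter("Item") if item.text]
    return []

def weak_survivors(xml_text, enabled_suites):
    """Map each enabled suite that is weak and NOT excluded to the reason; exclusions match by exact name."""
    excluded = set(set_items(xml_text, "ExcludeCipherSuites"))
    reasons = ((s, next((r for r, p in WEAK_PATTERNS.items() if p.search(s)), None))
               for s in enabled_suites if s not in excluded)
    return {s: r for s, r in reasons if r}

def missing_protocol_exclusions(xml_text):
    """Protocols that should be excluded but are not named in the ExcludeProtocols set."""
    return sorted(REQUIRED_PROTOCOL_EXCLUSIONS - set(set_items(xml_text, "ExcludeProtocols")))
```

On the sample, the unlisted RC4 and 3DES RSA suites survive the exclusion list, which is the kind of gap an exact-name blacklist leaves until you check it against what the JVM actually enables.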
