Introduce properties for cipher suites #12120
Comments
We used to document how to do this with XML using "tweak" XML files. To do this, first create a new

```xml
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
  "https://jetty.org/configure_9_3.dtd">
<!-- Tweak SslContextFactory Includes / Excludes -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <!-- Mitigate SLOTH Attack -->
  <Call name="addExcludeCipherSuites">
    <Arg>
      <Array type="String">
        <Item>.*_RSA_.*SHA1$</Item>
        <Item>.*_RSA_.*SHA$</Item>
        <Item>.*_RSA_.*MD5$</Item>
      </Array>
    </Arg>
  </Call>
</Configure>
```
We will need different configurations for SET vs ADD vs REMOVE.
@joakime but in particular with cipher suite names, a comma should not be present, so regex should not be a problem, no? We can document the old solution, but perhaps most of the time a simpler config with a property should be enough.
Unless you are using a JVM that isn't based on OpenJDK or follows the OpenJDK conventions for cipher suite names. |
@joakime sure, but none of them have a comma in the name!
Yes, some do. |
Added documentation for advanced TLS configuration.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Jetty version(s)
12

Description
jetty-ssl-context.xml has some configuration for SslContextFactory, but it is notably lacking configuration for e.g. cipher suites.

We should use StringUtil.csvSplit() like we do in other Jetty module XML files (see for example jetty-cross-origin.xml).

In this way, people would be able to configure cipher suites directly from properties in $JETTY_BASE/start.d/jetty-ssl-context.ini
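As an added example, not Jetty's code and not part of this issue, the following plain-JDK program models the two mechanisms discussed above: the exclude patterns from the tweak XML applied as whole-name regex matches against cipher suite names (a simplified model of addExcludeCipherSuites, not SslContextFactory's own implementation), and a comma-separated property value split into those patterns, as the proposed StringUtil.csvSplit() step would do. The cipher suite list and the property value are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class CipherSuiteExcludes {
    // Constructed sample of JSSE-style suite names. A real check would use
    // SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites().
    static final List<String> SAMPLE = Arrays.asList(
        "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "SSL_RSA_WITH_RC4_128_MD5",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA");

    // Constructed property value: the three SLOTH exclude patterns from the
    // tweak XML, written as one comma-separated string like a start.d property.
    static final String EXCLUDES_PROPERTY = ".*_RSA_.*SHA1$, .*_RSA_.*SHA$, .*_RSA_.*MD5$";

    /** Split a comma-separated value into trimmed, non-empty patterns (csvSplit-like).
     *  A regex that itself contains a comma (e.g. a {1,3} quantifier) would be split too. */
    static List<String> splitCsv(String value) {
        List<String> out = new ArrayList<>();
        for (String part : value.split(",")) {
            String p = part.trim();
            if (!p.isEmpty()) out.add(p);
        }
        return out;
    }

    /** Keep every suite matched by none of the exclude regexes; each regex must match the whole name. */
    static List<String> applyExcludes(List<String> suites, List<String> excludes) {
        List<Pattern> patterns = new ArrayList<>();
        for (String e : excludes) patterns.add(Pattern.compile(e));
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            boolean excluded = false;
            for (Pattern p : patterns) {
                if (p.matcher(suite).matches()) { excluded = true; break; }
            }
            if (!excluded) kept.add(suite);
        }
        return kept;
    }

    public static void main(String[] args) {
        // ".*_RSA_.*SHA$" also removes ECDHE_RSA suites ending in SHA, so the
        // pattern is broader than "static RSA key exchange"; review the result.
        for (String s : applyExcludes(SAMPLE, splitCsv(EXCLUDES_PROPERTY))) System.out.println(s);
    }
}
```

With the sample above, the program keeps the GCM/SHA256/SHA384 suites and the ECDSA suite, and drops the four RSA suites ending in SHA or MD5.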