How to disable the SSLv3 protocol in Jetty to prevent Poodle Attack
Solution 1
I had to disable SSLv3 in an application where we integrate Jetty source code. Based on what I changed in code, I would guess you add the following:
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
Give it a shot and let me know if it works for you.
Solution 2
To expand on @Lars's answer:
For Jetty 7, Jetty 8, and Jetty 9 you have to exclude the protocol SSLv3 (not the cipher) on any SslContextFactory you are using to configure an SSL-based Connector.
For a Jetty Distribution
Edit the ${jetty.home}/etc/jetty-ssl.xml and add the following XML snippet.
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
Inside any element that manages an org.eclipse.jetty.http.ssl.SslContextFactory
For Jetty Embedded
For any SslContextFactory you create/manage for your SSL-based Connectors, you just need to set the excluded protocols.
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.addExcludeProtocols("SSLv3");
sslContextFactory.setKeyStorePath(...);
...
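The distinction this answer draws (exclude the protocol, not the cipher suites) is easy to get wrong in a jetty-ssl.xml, as the comment thread below shows. The following config audit is an added example, not code from the answer or from Jetty itself; it assumes the jetty-ssl.xml layouts shown on this page, and the two sample configs are constructed.

```python
# Added example (not Jetty's own tooling): audit a jetty-ssl.xml for SSLv3.
# Walks every <New class="...SslContextFactory"> and checks that ExcludeProtocols
# lists SSLv3, either on the factory itself or on the connector <New> that
# receives the factory as an <Arg> (Jetty 7/8 style). SSL_* cipher suite
# exclusions alone do NOT turn SSLv3 off, which is what the audit flags.
import xml.etree.ElementTree as ET

def _items(elem, set_name):
    """<Item> strings under a direct-child <Set name=set_name><Array>...</Array></Set>."""
    return [i.text.strip() for s in elem.findall("Set") if s.get("name") == set_name
            for i in s.iter("Item") if i.text]

def audit_jetty_xml(xml_text):
    """One dict per SslContextFactory: class, sslv3_excluded, ciphers_only."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}   # child -> parent map
    report = []
    for new in root.iter("New"):
        cls = new.get("class", "")
        if not cls.endswith("SslContextFactory"):
            continue
        scopes = [new]                                 # settings on the factory...
        arg = parent.get(new)
        if arg is not None and arg.tag == "Arg":       # ...or on the wrapping connector
            conn = parent.get(arg)
            if conn is not None and conn.tag == "New":
                scopes.append(conn)
        protos = [p for s in scopes for p in _items(s, "ExcludeProtocols")]
        ciphers = [c for s in scopes for c in _items(s, "ExcludeCipherSuites")]
        off = "SSLv3" in protos
        report.append({"class": cls, "sslv3_excluded": off,
                       "ciphers_only": bool(ciphers) and not off})
    return report

# Constructed Jetty 8 style config: only cipher suites excluded, so SSLv3 stays on.
WEAK = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
 <Call name="addConnector"><Arg>
  <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
   <Arg><New class="org.eclipse.jetty.http.ssl.SslContextFactory">
     <Set name="KeyStorePath">/etc/jetty/keystore</Set></New></Arg>
   <Set name="ExcludeCipherSuites"><Array type="java.lang.String">
     <Item>SSL_RSA_WITH_NULL_MD5</Item><Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>
   </Array></Set>
  </New>
 </Arg></Call>
</Configure>"""
# Same config with the protocol itself excluded on the connector.
FIXED = WEAK.replace("</Array></Set>", """</Array></Set>
   <Set name="ExcludeProtocols"><Array type="java.lang.String"><Item>SSLv3</Item></Array></Set>""")
```

Run `audit_jetty_xml` over your real jetty-ssl.xml and treat any entry with `ciphers_only` set as an SSLv3 exposure, then confirm with an external scanner such as the sslscan invocation used in the comments.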
Comments
-
Atul Soman about 2 years
Is there any specific exclusion list available which disables only SSLv3 ciphers and not TLSv1/2?
I have Jetty 8, and upgrading to 9 is not an option now. My current jetty-ssl.xml looks as follows:
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg>
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
            .........
          </New>
        </Arg>
        <Set name="ExcludeCipherSuites">
          <Array type="java.lang.String">
            <Item>SSL_RSA_WITH_NULL_MD5</Item>
            <Item>SSL_RSA_WITH_NULL_SHA</Item>
            <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
            <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
            <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
            <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
            <Item>SSL_RSA_WITH_IDEA_CBC_SHA</Item>
            <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
            <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
            <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_FORTEZZA_KEA_WITH_NULL_SHA</Item>
            <Item>SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA</Item>
            <Item>SSL_FORTEZZA_KEA_WITH_RC4_128_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
Still, when I run "sslscan --no-failed --ssl3 localhost:443" I get:
Supported Server Cipher(s):
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Prefered Server Cipher(s):
SSLv3 128 bits DHE-RSA-AES128-SHA
-
Joakim Erdfelt over 9 years
Please update your answer to state that this configuration is for the SslContextFactory, and works for Jetty 7/8/9 (just tested all 3, and it works).
-
centic over 9 years
I'm still stuck with Jetty v6 (due to still being based on Eclipse 3.7); how do I do this there? sslContextFactory.addExcludeProtocols() does not exist...
-
Joakim Erdfelt over 9 years
Jetty 6 doesn't have that support. Sorry. You'll have to make your own SslSocketConnector. See Karl's answer on a different question for some example codebase - stackoverflow.com/a/19937704/775715 - incidentally, Jetty 6 was EOL back in 2010; it has had NO VULNERABILITY FIXES since then. Poodle is just 1 of hundreds of vulnerabilities it is missing fixes for (if using Jetty on Windows, multiply that by 3). It is highly advised to upgrade, or don't run Jetty 6 on the public internet.
-
Joakim Erdfelt over 9 years
@centic Here's the Eclipse side bug tracking the upgrade of Eclipse itself to Jetty 9 - bugs.eclipse.org/401784
-
centic over 9 years
Yeah, I know it is outdated; unfortunately upgrading Eclipse is a major piece of work and is not an option for software that is already delivered to a number of customers. We found a workaround by registering a LifeCycle.Listener on the SslSocketConnector and accessing and adjusting the newly created ServerSocket there.