This is the documentation for FishEye 3.5.

You may wish to set the cipher suites that are used for a specific SSL connector when Jetty starts up:

  • To include a cipher suite that you require that is not enabled by default.
  • To exclude a cipher suite that is considered too weak to use, or for which a vulnerability has been discovered.

The Java Virtual Machine provides the SSL cipher suites that Jetty uses. See JSSE Provider documentation for more information on the available cipher suites.

Enabling cipher suites

You can specify the cipher suites that the Jetty webserver (bundled with FishEye) will use:

  1. Create a file named jetty-web.xml in FISHEYE_HOME/content/WEB-INF/.
  2. Add the following content to the file. Modify parameters as needed:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure.dtd" >
    <Configure class="org.eclipse.jetty.webapp.WebAppContext">
        <Get name="server">
          <Call name="addConnector">
            <Arg>
                <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
                  <Set name="Port">8443</Set>
                  <Set name="maxIdleTime">30000</Set>
                  <Set name="keyPassword">XXX</Set>
                  <Set name="trustPassword">XXX</Set>
                  <Set name="IncludeCipherSuites">
                    <Array type="java.lang.String">
                      <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
                      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                      <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
                      <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
                      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
                      <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
                    </Array>
                  </Set>
                </New>
            </Arg>
          </Call>
        </Get>
    </Configure>
  3. Remove any SSL configuration from config.xml.
  4. Verify that there is a regular HTTP connector configured in config.xml.
    • FishEye requires at least one connector in config.xml to start.
  5. Restart FishEye.

Disabling cipher suites

You can exclude a cipher suite from those that the Jetty webserver (bundled with FishEye) will use. You may want to do this for a suite that is considered too weak to use, or for which a vulnerability has been discovered. Note that Jetty performs the exclude operation after the include operation. Therefore, if a cipher suite is both included and excluded in the same configuration, it is disabled.

  1. If necessary, create a jetty-web.xml file in FISHEYE_HOME/content/WEB-INF/.
  2. Add an exclude section to the file after the IncludeCipherSuites section to specify the cipher suites to be excluded:

    ...
    <Set name="ExcludeCipherSuites">
        <Array type="java.lang.String">
            <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        </Array>
    </Set>
    ...
  3. Restart FishEye.
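
To check a jetty-web.xml before restarting, the following added example (not part of the FishEye documentation) applies the include-then-exclude order described above and reports which suites the connector would be left with. The sample XML is constructed, and the WEAK_MARKERS list is an illustrative assumption, not a complete policy.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the connector above: four suites included,
# two excluded (one of which is also in the include list).
SAMPLE = b"""<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Get name="server"><Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
      <Set name="IncludeCipherSuites"><Array type="java.lang.String">
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
      </Array></Set>
      <Set name="ExcludeCipherSuites"><Array type="java.lang.String">
        <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      </Array></Set>
    </New>
  </Arg></Call></Get>
</Configure>"""

# Assumption: illustrative substrings marking suites to review.
WEAK_MARKERS = ("_DES_", "3DES", "RC4", "NULL", "EXPORT", "anon")


def _items(root, prop):
    """Return the <Item> values of every <Set name=prop>, in document order."""
    return [i.text.strip() for s in root.iter("Set") if s.get("name") == prop
            for i in s.iter("Item") if i.text and i.text.strip()]


def audit(xml_bytes):
    """Apply include-then-exclude and report what the connector is left with."""
    root = ET.fromstring(xml_bytes)
    include = _items(root, "IncludeCipherSuites")
    exclude = _items(root, "ExcludeCipherSuites")
    if not include:
        raise ValueError("no IncludeCipherSuites: base set comes from the JVM")
    effective = [s for s in include if s not in exclude]
    return {
        "effective": effective,
        "included_then_excluded": [s for s in include if s in exclude],
        "exclude_not_in_include": [s for s in exclude if s not in include],
        "review": [s for s in effective if any(m in s for m in WEAK_MARKERS)],
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Suites listed under "included_then_excluded" are disabled despite appearing in the include list; suites under "review" remain enabled and match one of the assumed markers.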