[FishEye Knowledge Base]
You may wish to set the cipher suites and protocols that a specific SSL connector uses when Jetty starts up.
The Java Virtual Machine provides the SSL cipher suites that Jetty uses. See the JSSE Provider documentation for more information about the available cipher suites.
Note that for FishEye 3.6 and later, cipher suites and protocols are defined in the config.xml file. For FishEye 3.5 and earlier versions, cipher suites were defined in the jetty-web.xml file – see Configuring SSL cipher suites for Jetty.
You can specify the cipher suites or protocols that the Jetty webserver (bundled with FishEye) will use:

1. Edit the config.xml file in your FishEye instance directory (the data directory that the FISHEYE_INST system environment variable points to).
2. Find the <ssl> element under the <web-server> element in the file, and add <includeCipherSuites> and <includeProtocols> as needed. For example:

    <config version="1.0">
      <web-server context="/foo">
        <ssl bind=":443" keystore="/etc/dev/keystore" keystore-password="" truststore="/etc/dev/keystore" truststore-password="">
          <includeProtocols>
            <protocol>TLSv1</protocol>
            <protocol>TLSv1.1</protocol>
            <protocol>TLSv1.2</protocol>
          </includeProtocols>
          <includeCipherSuites>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
          </includeCipherSuites>
        </ssl>
      </web-server>
    </config>

3. Restart FishEye.

This will cause the Jetty SSL connector to use only the cipher suites and protocols specified in config.xml.
You can exclude a cipher suite or protocol from those that the Jetty webserver (bundled with FishEye) will use. You may want to do this for a suite or protocol that is considered too weak to use, or for which a vulnerability has been discovered. Note that Jetty performs the exclude operation after the include operation. Therefore, if a cipher suite is both included and then excluded as part of the same configuration, it is disabled.
1. Edit the config.xml file in your FishEye instance directory (the data directory that the FISHEYE_INST system environment variable points to).
2. Find the <ssl> element under the <web-server> element in the file, and add <excludeCipherSuites> and <excludeProtocols> as needed. For example:

    <config version="1.0">
      <web-server context="/foo">
        <ssl bind=":443" keystore="/etc/dev/keystore" keystore-password="" truststore="/etc/dev/keystore" truststore-password="">
          <excludeProtocols>
            <protocol>SSLv3</protocol>
          </excludeProtocols>
          <excludeCipherSuites>
            <cipherSuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
            <cipherSuite>SSL_DHE_RSA_WITH_DES_CBC_SHA</cipherSuite>
            <cipherSuite>SSL_DHE_DSS_WITH_DES_CBC_SHA</cipherSuite>
          </excludeCipherSuites>
        </ssl>
      </web-server>
    </config>

This will cause the Jetty SSL connector to use all the cipher suites and protocols provided by the JVM, except the ones specified in config.xml.
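The following script is an added example (not FishEye or Jetty code) that shows what a connector ends up with under the include-then-exclude rule described in both procedures above: it parses the <ssl> element of a config.xml fragment, filters a JVM-supported list by the include entries (an absent include list means "everything the JVM offers"), then removes the exclude entries, so a suite that is both included and excluded is disabled. It also lists configured names the JVM does not offer, which catches a misspelled entry before a restart leaves the connector with fewer suites than intended. The JVM lists and the config fragment are constructed for illustration; a real list comes from the JSSE provider.

```python
"""Compute the effective protocols and cipher suites of a FishEye/Jetty SSL
connector from a config.xml fragment. Added example, not FishEye or Jetty
code; the JVM lists and config snippet are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed stand-in for what the JVM's JSSE provider offers.
JVM_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
JVM_CIPHER_SUITES = [
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
]

# Constructed config.xml fragment that both includes and excludes the same
# suite, to show that the exclude step runs after the include step.
SAMPLE_CONFIG = """<config version="1.0">
  <web-server context="/foo">
    <ssl bind=":443" keystore="/etc/dev/keystore" keystore-password="">
      <includeProtocols>
        <protocol>TLSv1.1</protocol>
        <protocol>TLSv1.2</protocol>
      </includeProtocols>
      <includeCipherSuites>
        <cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
        <cipherSuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
      </includeCipherSuites>
      <excludeCipherSuites>
        <cipherSuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
      </excludeCipherSuites>
    </ssl>
  </web-server>
</config>"""


def _ssl_element(config_xml):
    """Locate the <ssl> element under <web-server>, as the procedure describes."""
    ssl = ET.fromstring(config_xml).find("web-server/ssl")
    if ssl is None:
        raise ValueError("no <ssl> element under <web-server>")
    return ssl


def _names(ssl, container, child):
    """Text of every <child> under <container> beneath <ssl>, in file order."""
    return [e.text.strip() for e in ssl.findall(f"{container}/{child}") if e.text]


def _resolve(supported, include, exclude):
    """Include filter first (empty include = all supported), then exclude."""
    selected = [s for s in supported if s in include] if include else list(supported)
    return [s for s in selected if s not in exclude]


def effective_ssl_settings(config_xml, jvm_protocols, jvm_suites):
    """Return (protocols, cipher_suites) the connector would actually offer."""
    ssl = _ssl_element(config_xml)
    protocols = _resolve(jvm_protocols,
                         _names(ssl, "includeProtocols", "protocol"),
                         _names(ssl, "excludeProtocols", "protocol"))
    suites = _resolve(jvm_suites,
                      _names(ssl, "includeCipherSuites", "cipherSuite"),
                      _names(ssl, "excludeCipherSuites", "cipherSuite"))
    return protocols, suites


def unsupported_entries(config_xml, jvm_protocols, jvm_suites):
    """Configured names the JVM does not offer (typos or names from another
    provider). An include entry the JVM does not know can never be selected."""
    ssl = _ssl_element(config_xml)
    protocols = (_names(ssl, "includeProtocols", "protocol")
                 + _names(ssl, "excludeProtocols", "protocol"))
    suites = (_names(ssl, "includeCipherSuites", "cipherSuite")
              + _names(ssl, "excludeCipherSuites", "cipherSuite"))
    return (sorted(set(protocols) - set(jvm_protocols)),
            sorted(set(suites) - set(jvm_suites)))


if __name__ == "__main__":
    protocols, suites = effective_ssl_settings(SAMPLE_CONFIG, JVM_PROTOCOLS, JVM_CIPHER_SUITES)
    print("protocols:", protocols)
    print("cipher suites:", suites)
    print("unknown to JVM:", unsupported_entries(SAMPLE_CONFIG, JVM_PROTOCOLS, JVM_CIPHER_SUITES))
```

Run it against a copy of your own config.xml and a protocol/suite list dumped from the JVM that runs FishEye; an empty result for either list means the connector would start with nothing to negotiate, which is the failure mode a misspelled include entry produces.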