Configuring SSL cipher suites for Jetty
You may wish to set the cipher suites and protocols that are used for a specific SSL connector when Jetty starts up:
- To include a cipher suite or protocol you require that is not enabled by default.
- To exclude a cipher suite or protocol that is considered too weak to use, or for which a vulnerability has been discovered.
The Java Virtual Machine provides the SSL cipher suites that Jetty uses. See the JSSE Provider documentation for more information about the available cipher suites.
Note that for Fisheye 3.6 and later, cipher suites and protocols are defined in the config.xml file. For Fisheye 3.5 and earlier versions, cipher suites were defined in the jetty-web.xml file; see Configuring SSL cipher suites for Jetty.
Enabling cipher suites or protocols
You can specify the cipher suites or protocols that the Jetty webserver (bundled with Fisheye) will use:
- Shut down Fisheye.
- Open the config.xml file in your Fisheye instance directory (the data directory that the FISHEYE_INST system environment variable points to). Find the <ssl> element under the <web-server> element in the file, and add <includeCipherSuites> and <includeProtocols> as needed. For example:

  config.xml

    <config version="1.0">
        <web-server context="/foo">
            <ssl bind=":443" keystore="/etc/dev/keystore" keystore-password="" truststore="/etc/dev/keystore" truststore-password="">
                <includeProtocols>
                    <protocol>TLSv1.2</protocol>
                </includeProtocols>
                <includeCipherSuites>
                    <cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
                </includeCipherSuites>
            </ssl>
        </web-server>
    </config>

- Restart Fisheye.
This will cause the Jetty SSL connector to use only the cipher suites and protocols specified in config.xml.
Note that if you are using a client that doesn't support TLS protocol versions higher than 1.0, you can add the following line to the <includeProtocols> element, in addition to any other protocols already there:

    <protocol>TLSv1.0</protocol>

Similarly, if you need support for TLSv1.1, add this line:

    <protocol>TLSv1.1</protocol>
Disabling cipher suites or protocols
You can exclude a cipher suite or protocol from those that the Jetty webserver (bundled with Fisheye) will use. You may want to do this for a suite or protocol that is considered too weak to use, or for which a vulnerability has been discovered. Note that Jetty performs the exclude operation after the include operation. Therefore, if a cipher suite is both included and then excluded as part of the same configuration, it is disabled.
- Shut down Fisheye.
- Open the config.xml file in your Fisheye instance directory (the data directory that the FISHEYE_INST system environment variable points to). Find the <ssl> element under the <web-server> element in the file, and add <excludeCipherSuites> and <excludeProtocols> as needed. For example:

  config.xml

    <config version="1.0">
        <web-server context="/foo">
            <ssl bind=":443" keystore="/etc/dev/keystore" keystore-password="" truststore="/etc/dev/keystore" truststore-password="">
                <excludeProtocols>
                    <protocol>SSLv3</protocol>
                </excludeProtocols>
                <excludeCipherSuites>
                    <cipherSuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
                    <cipherSuite>SSL_DHE_RSA_WITH_DES_CBC_SHA</cipherSuite>
                    <cipherSuite>SSL_DHE_DSS_WITH_DES_CBC_SHA</cipherSuite>
                </excludeCipherSuites>
            </ssl>
        </web-server>
    </config>

- Restart Fisheye.
This will cause the Jetty SSL connector to use all the cipher suites and protocols provided by the JVM, except the ones specified in config.xml.
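The include-then-exclude ordering described above is easy to get wrong when both elements are present in the same <ssl> block, and a typo in a suite name is silently ignored because it simply matches nothing the JVM offers. The following Python script is an added example (it is not part of the Fisheye or Jetty documentation, and Fisheye ships no such tool): it reads the <ssl> element of a config.xml, computes the protocols and suites Jetty would be left with by applying includes first and excludes second, and flags legacy protocols and suites lacking forward secrecy. The JVM-provided lists and the sample config.xml are constructed for this example (the config merges the two examples from this page and adds a suite that is both included and excluded); on a real host you would replace them with your own config.xml and the output of your JVM.

```python
"""Offline checker for Fisheye/Jetty <ssl> include/exclude configuration.

Added example, not project code. Applies the ordering the documentation
describes: the include lists restrict what the JVM offers, then the exclude
lists remove from that result, so anything both included and excluded ends
up disabled.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for what the JVM would offer; not the real output of any JVM.
JVM_PROTOCOLS = ["SSLv3", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
JVM_CIPHER_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
]

# Constructed config.xml: the page's include and exclude examples merged, plus
# SSLv3 and the 3DES suite listed in both the include and the exclude element.
SAMPLE_CONFIG = """<config version="1.0">
  <web-server context="/foo">
    <ssl bind=":443" keystore="/etc/dev/keystore" keystore-password=""
         truststore="/etc/dev/keystore" truststore-password="">
      <includeProtocols>
        <protocol>TLSv1.2</protocol>
        <protocol>SSLv3</protocol>
      </includeProtocols>
      <excludeProtocols>
        <protocol>SSLv3</protocol>
      </excludeProtocols>
      <includeCipherSuites>
        <cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
        <cipherSuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
      </includeCipherSuites>
      <excludeCipherSuites>
        <cipherSuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
      </excludeCipherSuites>
    </ssl>
  </web-server>
</config>
"""

# Protocol versions that are broken or deprecated (SSLv3; TLS 1.0/1.1 per RFC 8996).
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
WEAK_SUITE_TOKENS = ("_NULL_", "_anon_", "_EXPORT", "_RC4_", "_DES_", "3DES")


def _names(ssl, container, child):
    """Return the names listed under <container>, or None if the element is absent."""
    node = ssl.find(container)
    if node is None:
        return None  # absent include = no restriction; absent exclude = nothing removed
    return [c.text.strip() for c in node.findall(child) if c.text]


def effective_set(available, include, exclude):
    """Apply the documented ordering: include first (if present), then exclude."""
    selected = list(available) if include is None else [a for a in available if a in include]
    excluded = set(exclude or [])
    return [s for s in selected if s not in excluded]


def resolve(config_xml, jvm_protocols=JVM_PROTOCOLS, jvm_suites=JVM_CIPHER_SUITES):
    """Return (protocols, suites) the Jetty connector would actually negotiate."""
    root = ET.fromstring(config_xml)
    ssl = root.find("./web-server/ssl")
    if ssl is None:
        raise ValueError("no <ssl> element under <web-server>")
    protocols = effective_set(jvm_protocols,
                              _names(ssl, "includeProtocols", "protocol"),
                              _names(ssl, "excludeProtocols", "protocol"))
    suites = effective_set(jvm_suites,
                           _names(ssl, "includeCipherSuites", "cipherSuite"),
                           _names(ssl, "excludeCipherSuites", "cipherSuite"))
    return protocols, suites


def weaknesses(protocols, suites):
    """List human-readable findings about what survived the include/exclude pass."""
    notes = []
    for p in protocols:
        if p in LEGACY_PROTOCOLS:
            notes.append(f"protocol {p}: deprecated or broken version")
    for s in suites:
        if any(tok in s for tok in WEAK_SUITE_TOKENS):
            notes.append(f"suite {s}: broken or weak algorithm")
        elif s.startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_")):
            notes.append(f"suite {s}: static RSA key exchange, no forward secrecy")
    return notes


if __name__ == "__main__":
    protos, suites = resolve(SAMPLE_CONFIG)
    print("effective protocols:", protos)
    print("effective cipher suites:", suites)
    for note in weaknesses(protos, suites):
        print("warning:", note)
```

With the constructed input, SSLv3 and the 3DES suite disappear because the exclude step runs after the include step, leaving only TLSv1.2 and TLS_RSA_WITH_AES_256_CBC_SHA; the checker then points out that the one remaining suite offers no forward secrecy, which is the kind of thing to review before settling on an include list. After a restart, the configured result can be confirmed from a client with an external TLS scanner rather than from the file alone.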