Introduce properties for cipher suites #12120
Comments
We used to document how to do this with XML using "tweak" XML files. To do this, first create a new

```xml
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
  "https://jetty.org/configure_9_3.dtd">
<!-- Tweak SslContextFactory Includes / Excludes -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <!-- Mitigate SLOTH Attack -->
  <Call name="addExcludeCipherSuites">
    <Arg>
      <Array type="String">
        <Item>.*_RSA_.*SHA1$</Item>
        <Item>.*_RSA_.*SHA$</Item>
        <Item>.*_RSA_.*MD5$</Item>
      </Array>
    </Arg>
  </Call>
</Configure>
```
We will need different configurations for SET vs ADD vs REMOVE.
@joakime but in particular with cipher suite names, a comma should not be present, so regex should not be a problem, no? We can document the old solution, but perhaps most of the time a simpler config with a property should be enough.
Unless you are using a JVM that isn't based on OpenJDK or follows the OpenJDK conventions for cipher suite names. |
@joakime sure, but none of them have a comma in the name!
Yes, some do. |
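A small model of the exclude-by-regex filtering that the tweak XML above relies on, with the patterns supplied as one comma-separated property value as proposed for the `.ini` file. This is added example code, not Jetty's implementation: the cipher suite list is constructed, the whole-name regex match is an assumption of the model, and the split assumes no suite name contains a comma, which is exactly the concern raised in the comments above.

```python
import re

# Constructed sample of JDK-style cipher suite names; not taken from any real JVM listing.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

# Same three patterns as the SLOTH tweak XML, written as one .ini-style property value.
SLOTH_EXCLUDES = r".*_RSA_.*SHA1$,.*_RSA_.*SHA$,.*_RSA_.*MD5$"


def csv_split(value):
    """Split a comma-separated property into trimmed, non-empty entries.

    Assumes no entry itself contains a comma; a suite name with a comma
    would be split into two broken patterns (the caveat from the thread).
    """
    return [part.strip() for part in value.split(",") if part.strip()]


def exclude_cipher_suites(supported, exclude_patterns):
    """Drop every suite whose whole name matches any exclude regex.

    Whole-name matching (re.fullmatch) is an assumption of this model.
    """
    compiled = [re.compile(p) for p in exclude_patterns]
    return [s for s in supported if not any(c.fullmatch(s) for c in compiled)]


def select_from_property(supported, exclude_property):
    """Apply an exclude list given as a single comma-separated property value."""
    return exclude_cipher_suites(supported, csv_split(exclude_property))


if __name__ == "__main__":
    for suite in select_from_property(SUPPORTED_SUITES, SLOTH_EXCLUDES):
        print(suite)
```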
Added documentation for advanced TLS configuration.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Jetty version(s)
12

Description
`jetty-ssl-context.xml` has some configuration for `SslContextFactory`, but it is notably lacking configuration for e.g. cipher suites.

We should use `StringUtil.csvSplit()` like we do in other Jetty module XML files (see for example `jetty-cross-origin.xml`).

In this way, people would be able to configure cipher suites directly from properties in `$JETTY_BASE/start.d/jetty-ssl-context.ini`.