B4J Question Configuring TLS/SSL ciphers for Jetty web server

Discussion in 'B4J Questions' started by avalle, Feb 28, 2018.

  1. avalle

    avalle Member Licensed User

    I'm running a web server written in B4J using the Jetty service.
    I have configured it for HTTPS access, so I've run https://www.ssllabs.com test to check the quality of the TLS protocol.

    The TLS certificate looks good, but the server rates as "B" quality due to a couple of things:
    • This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
    • This server does not support Forward Secrecy with the reference browsers. Grade will be capped to B from March 2018.
    I would like to know if it's possibile and how to configure Jetty to remove / mitigate these weaknesses, in particular the first, by removing the DH-based TLS ciphers.

    Thanks
    Andrea
     
  2. Erel

    Erel Administrator Staff Member Licensed User

    Try this:
    Code:
    Dim jo As JavaObject = ssl
       jo.RunMethod(
    "setIncludeCipherSuites"Array(Regex.Split("\n", s)))
       
    Dim s As String = $"SSL_RSA_WITH_DES_CBC_SHA
    SSL_DHE_RSA_WITH_DES_CBC_SHA
    SSL_DHE_DSS_WITH_DES_CBC_SHA
    SSL_RSA_EXPORT_WITH_RC4_40_MD5
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA"$

       jo.RunMethod(
    "setExcludeCipherSuites"Array(Regex.Split("\n", s)))
    You should add it in the ConfigureSSL sub. I haven't tested it.

    Make sure not to add any extra white space.

    Source: https://stackoverflow.com/questions...etty-ssl-to-avoid-weak-phermeral-dh-key-error
     
    lemonisdead, magi6162 and alwaysbusy like this.
  3. avalle

    avalle Member Licensed User

    I tried this and it works, although for some reasons some ciphers do not seem to go away...
    Anyways I've been able to tweak the list and obtain an "A level" set, also excluding TLS 1.0 and 1.1 by calling setIncludeCipherSuites rather than setExcludeCipherSuites.

    Thanks Erel!
     
  4. magi6162

    magi6162 Well-Known Member Licensed User

    in ConfigureSSL I added this code:
    but the rating remains B.

    GlobalSign issues this report:

    This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
    This server does not support Forward Secrecy with the reference browsers. Grade capped to B.
    This server's certificate chain is incomplete. Grade capped to B.
     
  5. avalle

    avalle Member Licensed User

    You're right and this occurred to me as well. I tried a different approach. This is my code:
    Code:
    'SSL configuration
    Dim ssl As SslConfiguration
    ssl.Initialize
    Dim jo As JavaObject = ssl
    Dim inc As String = $"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"$

    jo.RunMethod(
    "setIncludeCipherSuites"Array(Regex.Split("\n", inc)))
    Note that setIncludeCipherSuites only enables TLS 1.2. TLS 1.0 and 1.1 are automatically disabled unless you make a call to setExcludeCipherSuites. This was also one of my requirement. You may not want this if you need to support old browsers like IE 8/9/10.
    With this setup I get a very limited set of ciphers, but they have full compatibility with all sort of clients that support TLS 1.2 and the final result is an "A" rating.

    When using setExcludeCipherSuites I had a strange experience with ciphers that I excluded but were still available according to SSLlabs test.
    As you noticed the B rating is due to Diffie-Hellman (DH) key exchange, not necessarily the cipher algorithm.

    I still don't understand how to control the key exchange algorithm so to exclude DH key exchange rather than reducing the list of ciphers significantly to prevent using it.

    Andrea
     
  6. magi6162

    magi6162 Well-Known Member Licensed User

    Now it's still B,
    but
    GlobalSign issues only this report:

    This server's certificate chain is incomplete. Grade capped to B.
     
  7. avalle

    avalle Member Licensed User

    But this is not ciphers related, it's a certificate chain problem
     
  8. magi6162

    magi6162 Well-Known Member Licensed User

    Last edited: Mar 3, 2018
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice