B4J Question Configuring TLS/SSL ciphers for Jetty web server

avalle

Active Member
Licensed User
I'm running a web server written in B4J using the Jetty service.
I have configured it for HTTPS access, so I've run the https://www.ssllabs.com test to check the quality of the TLS protocol.

The TLS certificate looks good, but the server rates as "B" quality due to a couple of things:
  • This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
  • This server does not support Forward Secrecy with the reference browsers. Grade will be capped to B from March 2018.
I would like to know if it's possible and how to configure Jetty to remove / mitigate these weaknesses, in particular the first, by removing the DH-based TLS ciphers.

Thanks
Andrea
 

Erel

Administrator
Staff member
Licensed User
Try this:
B4X:
   Dim jo As JavaObject = ssl
   'Cipher suites to exclude, one name per line
   Dim s As String = $"SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA"$
   jo.RunMethod("setExcludeCipherSuites", Array(Regex.Split("\n", s)))
You should add it in the ConfigureSSL sub. I haven't tested it.

Make sure not to add any extra white space.

Source: https://stackoverflow.com/questions/30523324/how-to-config-local-jetty-ssl-to-avoid-weak-phermeral-dh-key-error
 

avalle

Active Member
Licensed User
I tried this and it works, although for some reason some ciphers do not seem to go away...
Anyways I've been able to tweak the list and obtain an "A level" set, also excluding TLS 1.0 and 1.1 by calling setIncludeCipherSuites rather than setExcludeCipherSuites.

Thanks Erel!
 

magi6162

Well-Known Member
Licensed User
In ConfigureSSL I added this code:
B4X:
   Dim jo As JavaObject = ssl
   'Cipher suites to exclude, one name per line
   Dim s As String = $"SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA"$
   jo.RunMethod("setExcludeCipherSuites", Array(Regex.Split("\n", s)))
but the rating remains B.

GlobalSign issues this report:

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
This server does not support Forward Secrecy with the reference browsers. Grade capped to B.
This server's certificate chain is incomplete. Grade capped to B.
 

avalle

Active Member
Licensed User
You're right and this occurred to me as well. I tried a different approach. This is my code:
B4X:
'SSL configuration
Dim ssl As SslConfiguration
ssl.Initialize
Dim jo As JavaObject = ssl
Dim inc As String = $"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"$
jo.RunMethod("setIncludeCipherSuites", Array(Regex.Split("\n", inc)))
Note that setIncludeCipherSuites only enables TLS 1.2. TLS 1.0 and 1.1 are automatically disabled unless you make a call to setExcludeCipherSuites. This was also one of my requirements. You may not want this if you need to support old browsers like IE 8/9/10.
With this setup I get a very limited set of ciphers, but they have full compatibility with all sorts of clients that support TLS 1.2 and the final result is an "A" rating.

When using setExcludeCipherSuites I had a strange experience with ciphers that I excluded but were still available according to SSLlabs test.
As you noticed the B rating is due to Diffie-Hellman (DH) key exchange, not necessarily the cipher algorithm.

I still don't understand how to control the key exchange algorithm so as to exclude DH key exchange rather than reducing the list of ciphers significantly to prevent using it.

Andrea
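
An added example, not part of any post in this thread: a Java check, run on the same JVM as the server, that lists the DHE suites an exact-name exclude list like the one posted above leaves enabled, then groups what remains once every `_DHE_` name is excluded. The class and method names are hypothetical, and passing a regular expression as an exclude entry is an assumption to verify against the Jetty version bundled with B4J.

```java
import java.util.*;
import javax.net.ssl.SSLContext;

public class DheAudit { // hypothetical class name, added example
    // Exact-name exclude list as posted in the thread (DES, 3DES and CBC entries only).
    static final Set<String> POSTED = new HashSet<>(Arrays.asList(
        "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
        "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"));

    // Key exchange as encoded in the JSSE suite name. "_DHE_" never matches an
    // ECDHE suite, because there the D follows a C rather than an underscore.
    static String keyExchange(String suite) {
        if (suite.contains("_ECDHE_")) return "ECDHE (forward secrecy)";
        if (suite.contains("_DHE_")) return "DHE (finite-field DH)";
        if (suite.contains("_anon_")) return "anonymous";
        if (suite.contains("_ECDH_") || suite.contains("_DH_")) return "static (EC)DH";
        if (suite.contains("_WITH_")) return "static RSA or other";
        return "no key exchange in name (e.g. TLS 1.3)";
    }

    public static void main(String[] args) throws Exception {
        // Everything this JVM is able to negotiate, before any Jetty filtering.
        String[] supported = SSLContext.getDefault()
                .getSupportedSSLParameters().getCipherSuites();

        System.out.println("DHE suites this JVM supports that the posted list misses:");
        for (String s : supported)
            if (s.contains("_DHE_") && !POSTED.contains(s)) System.out.println("  " + s);

        // Assumed alternative: a single pattern instead of exact names.
        String excludeAllDhe = ".*_DHE_.*";
        Map<String, Integer> left = new TreeMap<>();
        for (String s : supported)
            if (!s.matches(excludeAllDhe)) left.merge(keyExchange(s), 1, Integer::sum);
        System.out.println("Remaining after excluding " + excludeAllDhe + ": " + left);
    }
}
```

On a JVM that offers `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`, that name shows up in the first list, because the posted exclude list has no GCM entries. If DHE has to stay enabled, the JSSE system property `jdk.tls.ephemeralDHKeySize` (Java 8 and later) sets the size of the ephemeral DH group.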
 

magi6162

Well-Known Member
Licensed User
Now it's still B, but GlobalSign issues only this report:

This server's certificate chain is incomplete. Grade capped to B.
 