Affects Version/s: 7.4.2
Fix Version/s: None
Component/s: Security and SSL
Environment:Jetty 3.4.2, Java 1.6.0_26 x86_64, SUSE Linux Enterprise Server 11 SP1 x86_64, kernel version 18.104.22.168-0.5
Number of attachments :
Using Jetty in a project at my place of work we excluded weak ciphers with a section like the following:
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<!-- if NIO is not available, use org.eclipse.jetty.server.ssl.SslSocketConnector -->
<Set name="Port"><SystemProperty name="webserver.port.https" default="8443"/></Set>
<Set name="Keystore"><SystemProperty name="mysecurity.config.home" />/config/.webserverkeystore.jks</Set>
<Set name="truststore"><SystemProperty name="mysecurity.config.home" />/config/.webserverkeystore.jks</Set>
<!-- Only enable strong ciphers. -->
In running some tests against the service, though, it appears that all kinds of ciphers are available that are not only medium or low strength, but even the null ciphers are showing up as options (they are also excluded in the snipped out section). I am told by one of the developers that we are using async (NIO) and I see the comment at the top of the XML configuration, but this should be available. Still, switching the fifth line to use org.eclipse.jetty.server.ssl.SslSocketConnector appears to work correctly in that the weak/low/null ciphers are no longer allowed.
I have searched the changelog for Jetty, as well as open issues, and see nothing for this. The note above makes me think this could be a configuration error, but the developer involved is thorough so I am inclined to trust him. If there are any words of advice to help me narrow this down, or if there are specific tests I can do to verify this one way or another, I'm open to running others' code for that purpose (sadly, I am not a great programmer). The tests of available cipher suites originally came from Nessus but have been verified with tests done using openssl. One result of this issue is that products which should be secure can be tricked to do things insecurely on the wire, including using null ciphers.
Reproducible: All of our systems implementing Jetty the same way exhibit the symptom of allowing what we believe are excluded cipher suites when using NIO.
Expected Results: Excluded cipher suites should be excluded.
Actual Results: Excluded cipher suites list appears to make no difference to the running service's available/used cipher suites.