how to properly deployDiffie-Hellman on my server

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

how to properly deployDiffie-Hellman on my server

RJC 2009

Hi,

Please guide on how to properly deploy Diffie-Hellman on my server. I am using Jetty 9.2.9 with jdk1.7.

 

This is my current configuration in jetty-ssl.xml but SSL scan report shows that “This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam)”

 

<Set name="ExcludeCipherSuites">

    <Array type="String">

      <Item>.*NULL.*</Item>

      <Item>.*RC4.*</Item>

      <Item>.*MD5.*</Item>

      <Item>.*DES.*</Item>

      <Item>.*DSS.*</Item>

    </Array>

  </Set>

 <!-- Enable Forward Secrecy Ciphers.       Note: this replaces the default Include Cipher list -->

  <Set name="IncludeCipherSuites">

    <Array type="String">

      <Item>TLS_DHE_RSA.*</Item>

      <Item>TLS_ECDHE.*</Item>

    </Array>

  </Set>

<!-- Eliminate Insecure Protocols -->

  <Call name="addExcludeProtocols">

    <Arg>

     <Array type="java.lang.String">

       <Item>SSL</Item>

       <Item>SSLv2</Item>

       <Item>SSLv2Hello</Item>

       <Item>SSLv3</Item>

       <Item>TLSv1</Item>

       <Item>TLSv1.1</Item>

     </Array>

    </Arg>

  </Call>

 

Regards

Rjc


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: how to properly deployDiffie-Hellman on my server

Joakim Erdfelt-8
When it comes to running a server with TLS/SSL on the public internet, there is one fundamental truth.

You have to stay up to date.

Your use of Java 1.7 means you practically have no solution left for you.

Why?
You are doing the right thing by excluding the vulnerable protocols: SSL, SSLv2, SSLv3, TLSv1, and TLSv1.1
That assumes that you'll use TLSv1.2, but TLSv1.2 support in Java 1.7 was reserved for clients, not servers.

Can you enable TLSv1.2 on Java 1.7 for servers?  
In some versions of Java 1.7 you can, but that support is very preliminary and has many known issues.

If you absolutely must stick with Java 1.7 and Jetty 9.2.x, then consider putting a more up to date SSL offloader in front of your application.
Some product like haproxy, nginx, etc...  and keep that product up to date!

Or, upgrade to Java 1.8 at a minimum, as that has the proper TLSv1.2 support you are needing.

If you need TLSv1.3 you'll need to upgrade to Java 11 (11.0.4+ to have most of the TLSv1.3 support issues fixed)

Joakim Erdfelt / [hidden email]


On Mon, Sep 23, 2019 at 5:52 AM RJC 2009 <[hidden email]> wrote:

Hi,

Please guide on how to properly deploy Diffie-Hellman on my server. I am using Jetty 9.2.9 with jdk1.7.

 

This is my current configuration in jetty-ssl.xml but SSL scan report shows that “This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam)”

 

<Set name="ExcludeCipherSuites">

    <Array type="String">

      <Item>.*NULL.*</Item>

      <Item>.*RC4.*</Item>

      <Item>.*MD5.*</Item>

      <Item>.*DES.*</Item>

      <Item>.*DSS.*</Item>

    </Array>

  </Set>

 <!-- Enable Forward Secrecy Ciphers.       Note: this replaces the default Include Cipher list -->

  <Set name="IncludeCipherSuites">

    <Array type="String">

      <Item>TLS_DHE_RSA.*</Item>

      <Item>TLS_ECDHE.*</Item>

    </Array>

  </Set>

<!-- Eliminate Insecure Protocols -->

  <Call name="addExcludeProtocols">

    <Arg>

     <Array type="java.lang.String">

       <Item>SSL</Item>

       <Item>SSLv2</Item>

       <Item>SSLv2Hello</Item>

       <Item>SSLv3</Item>

       <Item>TLSv1</Item>

       <Item>TLSv1.1</Item>

     </Array>

    </Arg>

  </Call>

 

Regards

Rjc

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: how to properly deployDiffie-Hellman on my server

Meggyesi, Zalán
Hi,

To piggyback onto what Joakim says, I would really recommend using a separate TLS termination point. It's much easier to maintain and patch as various vulnerabilities in the protocol are made public and fixed.

And as he says, stay updated. Both the server OS and any packages/programs listening on public-facing ports.

Best,

Zalan Meggyesi
Chief Support Engineer
Skawa Innovation Kft.

Phone: <a href="tel:0036704627005" target="_blank">0036704627005
Mobile: <a href="tel:+36205146666" target="_blank">+36205146666


On Mon, Sep 23, 2019 at 2:28 PM Joakim Erdfelt <[hidden email]> wrote:
When it comes to running a server with TLS/SSL on the public internet, there is one fundamental truth.

You have to stay up to date.

Your use of Java 1.7 means you practically have no solution left for you.

Why?
You are doing the right thing by excluding the vulnerable protocols: SSL, SSLv2, SSLv3, TLSv1, and TLSv1.1
That assumes that you'll use TLSv1.2, but TLSv1.2 support in Java 1.7 was reserved for clients, not servers.

Can you enable TLSv1.2 on Java 1.7 for servers?  
In some versions of Java 1.7 you can, but that support is very preliminary and has many known issues.

If you absolutely must stick with Java 1.7 and Jetty 9.2.x, then consider putting a more up to date SSL offloader in front of your application.
Some product like haproxy, nginx, etc...  and keep that product up to date!

Or, upgrade to Java 1.8 at a minimum, as that has the proper TLSv1.2 support you are needing.

If you need TLSv1.3 you'll need to upgrade to Java 11 (11.0.4+ to have most of the TLSv1.3 support issues fixed)

Joakim Erdfelt / [hidden email]


On Mon, Sep 23, 2019 at 5:52 AM RJC 2009 <[hidden email]> wrote:

Hi,

Please guide on how to properly deploy Diffie-Hellman on my server. I am using Jetty 9.2.9 with jdk1.7.

 

This is my current configuration in jetty-ssl.xml but SSL scan report shows that “This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam)”

 

<Set name="ExcludeCipherSuites">

    <Array type="String">

      <Item>.*NULL.*</Item>

      <Item>.*RC4.*</Item>

      <Item>.*MD5.*</Item>

      <Item>.*DES.*</Item>

      <Item>.*DSS.*</Item>

    </Array>

  </Set>

 <!-- Enable Forward Secrecy Ciphers.       Note: this replaces the default Include Cipher list -->

  <Set name="IncludeCipherSuites">

    <Array type="String">

      <Item>TLS_DHE_RSA.*</Item>

      <Item>TLS_ECDHE.*</Item>

    </Array>

  </Set>

<!-- Eliminate Insecure Protocols -->

  <Call name="addExcludeProtocols">

    <Arg>

     <Array type="java.lang.String">

       <Item>SSL</Item>

       <Item>SSLv2</Item>

       <Item>SSLv2Hello</Item>

       <Item>SSLv3</Item>

       <Item>TLSv1</Item>

       <Item>TLSv1.1</Item>

     </Array>

    </Arg>

  </Call>

 

Regards

Rjc

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users