
Enable / disable allowed cipher suites in Apache Karaf with Pax (including Jetty)


I am using Apache Karaf to host my web service. I enabled SSL connections through the Karaf client with the commands shown below post start-up, since I have multiple servers running the same code but with different certificates and configurations.

Chrome Warning

When I connect to my service over SSL, I get a warning about using obsolete crypto, and found this post explaining how I need to change my server to only use modern crypto algorithms.

  1. Am I able to set required algorithms with Karaf/Pax like setting the SSL configuration below? (preferred)
  2. Or do I need to do custom trust management as described here with Jetty and information from this page to enable/disable cipher suites?

Here is the sample code I am using to set up the HTTPS port currently.

config:edit org.ops4j.pax.web;
config:property-set org.osgi.service.http.enabled false; 
config:property-set org.osgi.service.http.secure.enabled true;
config:property-set org.osgi.service.http.port.secure 9443; 
config:property-set org.ops4j.pax.web.ssl.keystore.type JKS; 
config:property-set org.ops4j.pax.web.ssl.keystore /etc/pki/tls/ks.jks;
config:property-set org.ops4j.pax.web.ssl.password ************;
config:property-set org.ops4j.pax.web.ssl.keypassword *********;
config:property-set org.ops4j.pax.web.ssl.clientauthwanted false;
config:property-set org.ops4j.pax.web.ssl.clientauthneeded false;
config:update;

Thanks!


Solution

  • With your correct way of configuring the SSL connector you'll end up with a default SSL connector available from Jetty. Now you want to switch to TLS, which is great. You don't need custom trust management; right now the cipher suite can't be configured with a configuration parameter. Please open a new feature request at ops4j for this.
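A check that neither the question nor the answer includes, added here as an example and not code from Pax Web, Jetty or Karaf: a small JDK-only program that builds the allow-list of cipher suites you would hand to Jetty's `SslContextFactory` (`setIncludeCipherSuites`, `setIncludeProtocols`) when configuring Jetty directly, derived from the suites the running JVM actually supports. The "modern" rule used here (ECDHE key exchange plus an AEAD bulk cipher, or any TLS 1.3 suite) is an assumption that mirrors the criteria behind Chrome's obsolete-cryptography warning; the class and method names are mine.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

public class ModernCipherSuites {

    // Assumed rule: a suite is "modern" when it offers forward secrecy (ECDHE)
    // and an AEAD cipher (AES-GCM or ChaCha20-Poly1305). RSA key exchange and
    // CBC-mode suites are the ones Chrome flags as obsolete cryptography.
    public static boolean isModern(String suite) {
        // TLS 1.3 suite names (newer JDKs) carry no key-exchange prefix and
        // are always AEAD, so they are accepted outright.
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) {
            return true;
        }
        boolean ecdhe = suite.startsWith("TLS_ECDHE_");
        boolean aead = suite.contains("_GCM_") || suite.contains("_CHACHA20_POLY1305_");
        return ecdhe && aead;
    }

    // Derive the include-list from the JVM's own supported list so it never
    // names a suite the JSSE provider on this server cannot negotiate.
    public static List<String> modernSuites() throws NoSuchAlgorithmException {
        List<String> keep = new ArrayList<>();
        String[] supported = SSLContext.getDefault()
                .getSupportedSSLParameters().getCipherSuites();
        for (String s : supported) {
            if (isModern(s)) {
                keep.add(s);
            }
        }
        return keep;
    }

    public static void main(String[] args) throws Exception {
        List<String> keep = modernSuites();
        System.out.println("Cipher suites to allow (" + keep.size() + "):");
        for (String s : keep) {
            System.out.println("  " + s);
        }
        // When configuring Jetty directly, this list is what would be passed to
        //   sslContextFactory.setIncludeCipherSuites(keep.toArray(new String[0]));
        //   sslContextFactory.setIncludeProtocols("TLSv1.2", "TLSv1.3");
        // Suites absent from the output are the ones to expect a warning for.
    }
}
```

Run it with the same JDK that runs Karaf, since the supported list differs between JDK versions and vendors.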