I am using one of the example jetty embedded projects from here
I added a SelectChannelConnector, SslSelectChannelConnector and SslSocketConnector as shown in the link above. Here is a snippet from my code:

    // Create the server
    Server server = new Server();

    // Plain HTTP connector
    SelectChannelConnector connector = new SelectChannelConnector();
    connector.setPort(80);
    connector.setMaxIdleTime(30000);
    connector.setConfidentialPort(8443);
    connector.setStatsOn(false);
    connector.setAcceptors(4);
    server.setConnectors(new Connector[] { connector });

    // NIO SSL connector; keystore and truststore use the same file
    SslSelectChannelConnector ssl_connector = new SslSelectChannelConnector();
    ssl_connector.setPort(443);
    SslContextFactory cf = ssl_connector.getSslContextFactory();
    cf.setKeyStorePath("/path/to/keystore");
    cf.setKeyStorePassword("password");
    cf.setKeyManagerPassword("password");
    cf.setTrustStore("/path/to/keystore");
    cf.setTrustStorePassword("password");
    cf.setExcludeCipherSuites(
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_DHE_RSA_WITH_DES_CBC_SHA",
            "SSL_DHE_DSS_WITH_DES_CBC_SHA",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
    ssl_connector.setStatsOn(false);
    server.addConnector(ssl_connector);
    ssl_connector.open();

    // Blocking SSL connector sharing the same SslContextFactory, also set to port 443
    SslSocketConnector ssl2_connector = new SslSocketConnector(cf);
    ssl2_connector.setPort(443);
    ssl2_connector.setStatsOn(false);
    server.addConnector(ssl2_connector);
    ssl2_connector.open();

    server.start();

HTTP works fine but I am not able to get it to work on HTTPS. It gives me an initial warning in the browser about untrusted certificate blah blah. I added an exception but then it displays this message: "This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner." on IE. My settings on IE are alright with TLS 1.0, 1.1 and 1.2 checked and SSL 3.0 unchecked.
Am I missing something? I believe I followed everything from the example project.
Also I generated the keystore and built the project from JDK SE 6u45. I do not think there are any issues with the keystore file as it works perfectly in another application.
Most browsers no longer support SSLv3, TLS/1.0 and TLS/1.1.
Chrome Announcement
https://developers.google.com/web/updates/2020/05/chrome-84-deps-rems
Firefox Announcement
https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/
Apple Safari Announcement
https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
Microsoft Announcement
https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/#OkGpBsuyj6XwhUEQ.97
You should be using TLS/1.2 or better (e.g. TLS/1.3).
Java 6u45 does not support TLS/1.2; you have to upgrade your JVM at a minimum.
You need to be on Java 7u95 or newer for decent TLS/1.2 support.
For TLS/1.3 support you need to be on Java 8u262 or newer.
Pay attention to JVM expiration dates.
This is important for long-term success with SSL/TLS, as the expirations exist because various databases and configurations within the JVM need to be kept up to date for SSL/TLS to function reliably with the general internet.
Finally, get rid of the entire setExcludeCipherSuites you have, as every one of those cipher suites is excluded by the JVM itself now (see security.properties on a modern JVM).
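
A way to check the points in the answer above on a given machine, as an added example that is not part of the original question or answer: it reports which TLS protocol versions the running JVM supports and whether any cipher suite from the question's setExcludeCipherSuites call is still enabled by default. The class name TlsCapabilityCheck is hypothetical; only standard JSSE and java.security calls are used.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name). Written in Java 6 syntax on
// purpose, so it also compiles on the old JVM being diagnosed.
public class TlsCapabilityCheck {
    // The suites passed to setExcludeCipherSuites in the question.
    static final String[] QUESTION_EXCLUDES = {
        "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
        "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
    };

    // Returns the members of 'wanted' that also appear in 'available'.
    static Set<String> intersect(String[] wanted, String[] available) {
        Set<String> out = new LinkedHashSet<String>(Arrays.asList(wanted));
        out.retainAll(Arrays.asList(available));
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        System.out.println("java.version        : " + System.getProperty("java.version"));
        System.out.println("supported protocols : " + Arrays.toString(supported.getProtocols()));
        System.out.println("default protocols   : " + Arrays.toString(enabled.getProtocols()));

        String[] modern = { "TLSv1.2", "TLSv1.3" };
        Set<String> usable = intersect(modern, supported.getProtocols());
        System.out.println("TLS 1.2+ available  : "
                + (usable.isEmpty() ? "NONE, upgrade the JVM" : usable.toString()));

        // Weak suites from the question that this JVM still enables by default.
        Set<String> weak = intersect(QUESTION_EXCLUDES, enabled.getCipherSuites());
        System.out.println("weak suites enabled : " + (weak.isEmpty() ? "none" : weak.toString()));

        // JVM-wide TLS restrictions; prints null on JVMs that predate the property.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

Run it with the same JVM that launches the embedded Jetty server, since the result depends on that JVM and not on the one used to compile.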