How to disable the SSLv3 protocol in Jetty to prevent Poodle Attack

Anonymous (unverified), submitted on 2019-12-03 01:57:01

Question:

Is there any specific exclusion list available which disables only the SSLv3 ciphers and not TLSv1/1.2?

I have Jetty 8, and upgrading to 9 is not an option now. My current jetty-ssl.xml looks as follows:

    .........
    <!-- cipher-suite exclusion list on the SslContextFactory -->
    <Set name="ExcludeCipherSuites">
      <Array type="java.lang.String">
        <Item>SSL_RSA_WITH_NULL_MD5</Item>
        <Item>SSL_RSA_WITH_NULL_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
        <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
        <Item>SSL_RSA_WITH_IDEA_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
        <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_FORTEZZA_KEA_WITH_NULL_SHA</Item>
        <Item>SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA</Item>
        <Item>SSL_FORTEZZA_KEA_WITH_RC4_128_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>
      </Array>
    </Set>

Still, when I run "sslscan --no-failed --ssl3 localhost:443", I get:

    Supported Server Cipher(s):
      Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
      Accepted  SSLv3  128 bits  AES128-SHA
    Prefered Server Cipher(s):
      SSLv3  128 bits  DHE-RSA-AES128-SHA

Answer 1:

I had to disable SSLv3 in an application where we integrate Jetty source code. Based on what I changed in code, I would guess you add the following:

    <!-- exclude the protocol itself on the SslContextFactory -->
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
      </Array>
    </Set>

Give it a shot and let me know if it works for you.



Answer 2:

To expand on @Lars's answer...

For Jetty 7, Jetty 8, and Jetty 9 you have to exclude the protocol SSLv3 (not the cipher) on any SslContextFactory you are using to configure for an SSL based Connector.

For a Jetty Distribution

Edit the ${jetty.home}/etc/jetty-ssl.xml and add the following XML snippet.

    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
      </Array>
    </Set>

inside any element that manages an org.eclipse.jetty.http.ssl.SslContextFactory.

For Jetty Embedded

For any SslContextFactory you create/manage for your SSL-based Connectors, you just need to set the excluded protocols.

    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.addExcludeProtocols("SSLv3");
    sslContextFactory.setKeyStorePath(...);
    ...

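As an added example, not code from the answer or from the Jetty project: a Python audit of a jetty-ssl.xml that reports, per SslContextFactory, whether SSLv3 is excluded as a protocol, plus a helper that adds the ExcludeProtocols Set the answer describes. The sample configuration is constructed in the shape of a Jetty 8 jetty-ssl.xml and shortened to three cipher suites; New, Set, Array and Item are Jetty's own XML syntax. The suspect-name check is a heuristic: SunJSSE names the AES suites TLS_..., so the SSL_ spellings of the two AES suites in the question's list match no JSSE suite, which is why sslscan still saw them; and as the answer says, excluding suites is the wrong lever anyway, since the same suites also run under TLS.

```python
import xml.etree.ElementTree as ET

# Jetty 7/8/9 ship the factory as org.eclipse.jetty.http.ssl.SslContextFactory or
# org.eclipse.jetty.util.ssl.SslContextFactory; match on the class-name suffix.
SSL_CONTEXT_FACTORY_SUFFIX = ".SslContextFactory"

# Constructed sample in the shape of a Jetty 8 etc/jetty-ssl.xml, reproducing the
# question's approach: cipher suites excluded, the protocol left alone. Not a real file.
WEAK_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg>
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
            <Set name="KeyStore"><Property name="jetty.home" default="."/>/etc/keystore</Set>
            <Set name="ExcludeCipherSuites">
              <Array type="java.lang.String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                <Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>
              </Array>
            </Set>
          </New>
        </Arg>
        <Set name="Port">8443</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""


def _items(set_elem):
    """Text of every <Item> under a <Set>, whitespace-stripped; [] for a missing Set."""
    if set_elem is None:
        return []
    return [item.text.strip() for item in set_elem.iter("Item") if item.text]


def _factories(root):
    """Every <New> element whose class is an SslContextFactory."""
    return [n for n in root.iter("New")
            if n.get("class", "").endswith(SSL_CONTEXT_FACTORY_SUFFIX)]


def _set(factory, name):
    """Direct-child <Set name=...> of a factory element, or None."""
    return next((s for s in factory.findall("Set") if s.get("name") == name), None)


def audit_jetty_ssl_xml(xml_text):
    """One finding per SslContextFactory: is SSLv3 excluded as a protocol?"""
    findings = []
    for factory in _factories(ET.fromstring(xml_text)):
        protocols = _items(_set(factory, "ExcludeProtocols"))
        suites = _items(_set(factory, "ExcludeCipherSuites"))
        findings.append({
            "class": factory.get("class"),
            "sslv3_excluded": "SSLv3" in protocols,
            "excluded_protocols": protocols,
            "excluded_cipher_suites": suites,
            # Heuristic: SunJSSE names AES suites TLS_..., so an SSL_..._AES_...
            # entry matches nothing and therefore excludes nothing.
            "suspect_suite_names": [s for s in suites
                                    if s.startswith("SSL_") and "_AES_" in s],
        })
    return findings


def add_sslv3_exclusion(xml_text):
    """Return the XML with <Set name="ExcludeProtocols"> carrying <Item>SSLv3</Item>
    on every SslContextFactory that lacks it (the fix from the answer)."""
    root = ET.fromstring(xml_text)
    for factory in _factories(root):
        excl = _set(factory, "ExcludeProtocols")
        if excl is None:
            excl = ET.SubElement(factory, "Set", name="ExcludeProtocols")
        array = excl.find("Array")
        if array is None:
            array = ET.SubElement(excl, "Array", type="java.lang.String")
        if "SSLv3" not in _items(excl):
            ET.SubElement(array, "Item").text = "SSLv3"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, text in (("before", WEAK_CONFIG), ("after", add_sslv3_exclusion(WEAK_CONFIG))):
        for f in audit_jetty_ssl_xml(text):
            print(f"{label}: {f['class']} sslv3_excluded={f['sslv3_excluded']} "
                  f"protocols={f['excluded_protocols']} suspect={f['suspect_suite_names']}")
```

The text returned by add_sslv3_exclusion has no XML declaration or DOCTYPE, because ET.tostring does not emit them, so paste the generated Set element into the file rather than overwriting it, then restart Jetty and re-run an SSLv3 probe to confirm the change took effect.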

Answer 3:

I have configured Jetty 8.1 without SSLv3. You can see the complete structure of jetty-ssl.xml.

     ... ... ... ... SSLv3 ... ... 

