Forgot your password?
typodupeerror
Java

Journal: Restricting HTTPS to 128 bit encryption and up on old jetty

Journal by PylonHead
We maintain an old JBoss/jetty E-commerce application.  Because of new PCI (credit card company) requirements, you must not allow https connections to your site to use less than 128 bit encryption.

This seems to be a bit of a pain in the ass.  Here is my solution:

In the jetty-[version#].sar/META-INF/jboss-service.xml has a section that creates the https connection:

       <Call name="addListener">
         <Arg>
           <New class="org.mortbay.http.SunJsseListener">
            <Set name="Port">443</Set>
            <Set name="MinThreads">5</Set>
            <Set name="MaxThreads">200</Set>
            <Set name="MaxIdleTimeMs">30000</Set>
            <Set name="LowResourcePersistTimeMs">2000</Set>
            <Set name="Keystore">...</Set>
            <Set name="Password">...</Set>
            <Set name="KeyPassword">...</Set>
           </New>
         </Arg>
       </Call>

I subclassed org.mortbay.http.SunJsseListener to limit the encryption options.  Here is the code for "jetty-[version#].sar/com/mycompany/MyRestrictedSSLListener.java":

package com.mycompany;

import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLServerSocket;
import java.net.ServerSocket;
import java.io.IOException;
import java.net.InetAddress;
import org.mortbay.http.SunJsseListener;

public class MyRestrictedSSLListener extends SunJsseListener
{
    protected SSLServerSocketFactory createFactory()
        throws Exception
    {
       SSLServerSocketFactory ssf =  super.createFactory();
       return new MySSLServerSocketFactory(ssf);
    }
}

class MySSLServerSocketFactory extends SSLServerSocketFactory
{
    protected SSLServerSocketFactory ssf;

    // This is the whole point.. we are limiting our cipher list
    // to at least 128 bit encryption
    static final String [] CIPHER_LIST =
    {
        "SSL_RSA_WITH_RC4_128_MD5",
        "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    };

/*
OPTIONS FROM LIVE SITE:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*/

    MySSLServerSocketFactory( SSLServerSocketFactory ssf )
    {
        this.ssf = ssf;
    }

    protected ServerSocket setCiphers( ServerSocket ss )
    {
        // used to dump the default list so we could construct our own
        String [] working_ones = ssf.getDefaultCipherSuites();
        for (int i=0; i< working_ones.length; i++)
        {
            System.err.println( working_ones[i]);
        }

        ((SSLServerSocket) ss).setEnabledCipherSuites( CIPHER_LIST );
        return ss;
    }

    public String[] getDefaultCipherSuites()
    {
        return CIPHER_LIST;
    }

    public String[] getSupportedCipherSuites()
    {
        return ssf.getSupportedCipherSuites();
    }

    public ServerSocket createServerSocket()
          throws IOException
    {
        return setCiphers( ssf.createServerSocket() );
    }

    public ServerSocket createServerSocket(int port)
          throws IOException
    {
        return setCiphers( ssf.createServerSocket( port ) );
    }

    public ServerSocket createServerSocket(int port, int backlog)
          throws IOException
    {
        return setCiphers( ssf.createServerSocket( port, backlog ) );
    }

    public ServerSocket createServerSocket(int port, int backlog, InetAddress ifAddress)
          throws IOException
    {
        return setCiphers( ssf.createServerSocket( port, backlog, ifAddress ) );
    }
}

I compiled this from the jetty-[version#].sar directory with a command like:

javac -classpath "../../../../client/jsse.jar;org.mortbay.jetty.jar;." com/mycompany/MyRestrictedSSLListener.java

Then in the jetty-[version#].sar/META-INF/jboss-service.xml file I change:

           <New class="org.mortbay.http.SunJsseListener">

To:

           <New class="com.mycompany.MyRestrictedSSLListener">

and it works.

You may need to change the list of ciphers to enable, different java versions seem to allow different ones.  Check against the list this listener prints during JBoss startup.

You can use http://www.serversniff.net/content.php?do=ssl to check what ciphers you allow.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...