PylonHead's Journal: Restricting HTTPS to 128 bit encryption and up on old jetty

Journal by PylonHead
We maintain an old JBoss/jetty e-commerce application. Because of new PCI (credit card industry) requirements, you must not allow HTTPS connections to your site to use less than 128-bit encryption.

This seems to be a bit of a pain in the ass.  Here is my solution:

The jetty-[version#].sar/META-INF/jboss-service.xml file has a section that creates the https listener (the keystore settings are elided here):

       <Call name="addListener">
           <New class="org.mortbay.http.SunJsseListener">
            <Set name="Port">443</Set>
            <Set name="MinThreads">5</Set>
            <Set name="MaxThreads">200</Set>
            <Set name="MaxIdleTimeMs">30000</Set>
            <Set name="LowResourcePersistTimeMs">2000</Set>
            <Set name="Keystore">...</Set>
            <Set name="Password">...</Set>
            <Set name="KeyPassword">...</Set>

I subclassed org.mortbay.http.SunJsseListener so that every server socket it creates gets a restricted cipher list. Here is the code, which goes under jetty-[version#].sar/com/mycompany/ (in MyRestrictedSSLListener.java; the second class is package-private and lives in the same file):

package com.mycompany;

import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import org.mortbay.http.SunJsseListener;

public class MyRestrictedSSLListener extends SunJsseListener {
    // Wrap the factory Jetty would normally use, so every server socket
    // it hands out gets the restricted cipher list applied.
    protected SSLServerSocketFactory createFactory() throws Exception {
        SSLServerSocketFactory ssf = super.createFactory();
        return new MySSLServerSocketFactory(ssf);
    }
}

class MySSLServerSocketFactory extends SSLServerSocketFactory {
    protected SSLServerSocketFactory ssf;

    // This is the whole point.. we are limiting our cipher list
    // to at least 128 bit encryption.
    // (The actual list did not survive on this page; the entries below are
    // standard JSSE suite names given as placeholders. Replace them with
    // the ones your JVM prints at startup.)
    static final String[] CIPHER_LIST = {
        "SSL_RSA_WITH_RC4_128_MD5",
        "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
    };

    MySSLServerSocketFactory(SSLServerSocketFactory ssf) {
        this.ssf = ssf;
    }

    protected ServerSocket setCiphers(ServerSocket ss) {
        // used to dump the default list so we could construct our own
        String[] working_ones = ssf.getDefaultCipherSuites();
        for (int i = 0; i < working_ones.length; i++) {
            System.err.println(working_ones[i]);
        }
        // This is where the restriction is actually enforced: only the
        // suites in CIPHER_LIST can be negotiated on this socket.
        ((SSLServerSocket) ss).setEnabledCipherSuites(CIPHER_LIST);
        return ss;
    }

    public String[] getDefaultCipherSuites() {
        return CIPHER_LIST;
    }

    public String[] getSupportedCipherSuites() {
        return ssf.getSupportedCipherSuites();
    }

    public ServerSocket createServerSocket() throws IOException {
        return setCiphers(ssf.createServerSocket());
    }

    public ServerSocket createServerSocket(int port) throws IOException {
        return setCiphers(ssf.createServerSocket(port));
    }

    public ServerSocket createServerSocket(int port, int backlog) throws IOException {
        return setCiphers(ssf.createServerSocket(port, backlog));
    }

    public ServerSocket createServerSocket(int port, int backlog, InetAddress ifAddress) throws IOException {
        return setCiphers(ssf.createServerSocket(port, backlog, ifAddress));
    }
}

I compiled this from the jetty-[version#].sar directory with a command like:

javac -classpath "../../../../client/jsse.jar;org.mortbay.jetty.jar;." com/mycompany/*.java

(The ";" classpath separator is the Windows form; on Unix use ":".)

Then in the jetty-[version#].sar/META-INF/jboss-service.xml file I change:

           <New class="org.mortbay.http.SunJsseListener">

to:

           <New class="com.mycompany.MyRestrictedSSLListener">

and it works.

You may need to change the list of ciphers to enable; different Java versions seem to allow different ones, and setEnabledCipherSuites throws an IllegalArgumentException if a name is not supported by the JSSE in use. Check against the list this listener prints to stderr during JBoss startup. Note that the listener only restricts cipher suites; which SSL/TLS protocol versions the socket accepts is a separate setting that this code leaves at the JSSE default.

You can then use an external SSL checker against the live site to verify which ciphers you actually allow.
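Because the usable suite names differ between JSSE versions, a hard-coded list has to be re-derived from the startup dump every time the JVM changes. The following is an added example, not code from the original post: instead of a fixed list, it narrows the JVM's own default list to suites whose names indicate a bulk cipher of at least 128 bits, rejecting anything it does not recognise (fail closed), and then shows what a real server socket ends up with, which is the server-side half of checking what you allow. The class name, the marker substrings and the sample suite names are the editor's assumptions; the classification relies on the fact that JSSE suite names spell out the bulk cipher and key size. It is written in pre-Java-5 syntax so it compiles on the old JVMs the post targets as well as current ones.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.util.Arrays;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Added example, not from the original post. Derives the "128 bit and up"
// list from the suite names the running JVM reports instead of hard-coding
// names that differ between Java versions.
public class CipherStrengthFilter {

    // Assumption: a JSSE suite name encodes its bulk cipher and key size.
    // These substrings mark export-grade, 40/56-bit, NULL or anonymous suites.
    static final String[] WEAK_MARKERS = {
        "_NULL_", "_EXPORT", "_anon_", "_40_", "DES40", "_DES_CBC_"
    };

    // Bulk ciphers keyed with at least 128 bits, as spelled by JSSE.
    // 3DES is included because JSSE names it 168-bit; drop it if your policy
    // counts its 112-bit effective strength instead. Unknown ciphers are
    // rejected (fail closed), so extend this list rather than the weak one.
    static final String[] STRONG_BULK = {
        "_RC4_128_", "_AES_128_", "_AES_256_", "_3DES_EDE_CBC_",
        "_CAMELLIA_128_", "_CAMELLIA_256_", "_CHACHA20_POLY1305_"
    };

    static boolean isAtLeast128Bit(String suite) {
        if (suite.endsWith("_SCSV")) {
            return true; // signalling value, not a cipher; keep it
        }
        for (int i = 0; i < WEAK_MARKERS.length; i++) {
            if (suite.indexOf(WEAK_MARKERS[i]) >= 0) return false;
        }
        for (int i = 0; i < STRONG_BULK.length; i++) {
            if (suite.indexOf(STRONG_BULK[i]) >= 0) return true;
        }
        return false;
    }

    // Keeps only the suites that pass isAtLeast128Bit, preserving order.
    static String[] filter(String[] suites) {
        int n = 0;
        for (int i = 0; i < suites.length; i++) {
            if (isAtLeast128Bit(suites[i])) n++;
        }
        String[] keep = new String[n];
        int j = 0;
        for (int i = 0; i < suites.length; i++) {
            if (isAtLeast128Bit(suites[i])) keep[j++] = suites[i];
        }
        return keep;
    }

    // The equivalent of the listener's setCiphers(): narrow the JVM's own
    // default list rather than replace it, so nothing unsupported is named
    // and setEnabledCipherSuites cannot throw IllegalArgumentException.
    static ServerSocket restrict(ServerSocket ss, SSLServerSocketFactory ssf) {
        ((SSLServerSocket) ss).setEnabledCipherSuites(filter(ssf.getDefaultCipherSuites()));
        return ss;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample using old JSSE spellings, to show the classification.
        String[] sample = {
            "SSL_RSA_WITH_RC4_128_MD5",        // keep: 128-bit RC4
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",   // keep: 3DES
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",  // drop: 40-bit export
            "SSL_RSA_WITH_DES_CBC_SHA",        // drop: 56-bit DES
            "SSL_RSA_WITH_NULL_SHA",           // drop: no encryption
            "SSL_DH_anon_WITH_RC4_128_MD5"     // drop: anonymous, no server auth
        };
        System.out.println("sample   -> " + Arrays.asList(filter(sample)));

        // Now against the JVM this runs on, including what a real socket ends
        // up with: the server-side half of "check what ciphers you allow".
        SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        System.out.println("defaults -> " + Arrays.asList(ssf.getDefaultCipherSuites()));
        ServerSocket ss = restrict(ssf.createServerSocket(0), ssf);
        System.out.println("enabled  -> " + Arrays.asList(((SSLServerSocket) ss).getEnabledCipherSuites()));
        ss.close();
    }
}
```

Dropping the listener's fixed CIPHER_LIST in favour of filter(ssf.getDefaultCipherSuites()) inside setCiphers() would make the Jetty wrapper above survive a JVM upgrade without editing; the trade-off is that the enabled set is then decided by name patterns at runtime, so the printed "enabled" list should still be reviewed once per JVM, and an external client-side check of the live site remains the only proof of what is negotiable from outside.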
