
Journal: Restricting HTTPS to 128 bit encryption and up on old jetty

We maintain an old JBoss/jetty E-commerce application.  Because of new PCI (credit card company) requirements, you must not allow https connections to your site to use less than 128 bit encryption.

This seems to be a bit of a pain in the ass.  Here is my solution:

The jetty-[version#].sar/META-INF/jboss-service.xml file has a section that creates the https listener:

       <Call name="addListener">
           <New class="org.mortbay.http.SunJsseListener">
            <Set name="Port">443</Set>
            <Set name="MinThreads">5</Set>
            <Set name="MaxThreads">200</Set>
            <Set name="MaxIdleTimeMs">30000</Set>
            <Set name="LowResourcePersistTimeMs">2000</Set>
            <Set name="Keystore">...</Set>
            <Set name="Password">...</Set>
            <Set name="KeyPassword">...</Set>

I subclassed org.mortbay.http.SunJsseListener to limit the encryption options.  Here is the code for "jetty-[version#].sar/com/mycompany/MyRestrictedSSLListener.java":

package com.mycompany;

import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLServerSocket;
import java.net.ServerSocket;
import java.io.IOException;
import java.net.InetAddress;
import org.mortbay.http.SunJsseListener;

public class MyRestrictedSSLListener extends SunJsseListener
{
    // Wrap the factory jetty would normally use, so that every server
    // socket it hands out gets the restricted cipher list applied.
    protected SSLServerSocketFactory createFactory()
        throws Exception
    {
        SSLServerSocketFactory ssf = super.createFactory();
        return new MySSLServerSocketFactory(ssf);
    }
}

class MySSLServerSocketFactory extends SSLServerSocketFactory
{
    protected SSLServerSocketFactory ssf;

    // This is the whole point.. we are limiting our cipher list
    // to at least 128 bit encryption
    static final String [] CIPHER_LIST =
    {
        // The suite names are missing from this copy of the entry.
        // Fill in the 128 bit and stronger suites taken from the
        // default list that setCiphers() prints during startup.
    };

    MySSLServerSocketFactory( SSLServerSocketFactory ssf )
    {
        this.ssf = ssf;
    }

    // Called on every server socket we create: dump the defaults once
    // for reference, then replace the enabled suites with our own list.
    protected ServerSocket setCiphers( ServerSocket ss )
    {
        // used to dump the default list so we could construct our own
        String [] working_ones = ssf.getDefaultCipherSuites();
        for (int i=0; i< working_ones.length; i++)
            System.err.println( working_ones[i]);

        ((SSLServerSocket) ss).setEnabledCipherSuites( CIPHER_LIST );
        return ss;
    }

    public String[] getDefaultCipherSuites()
    {
        return CIPHER_LIST;
    }

    public String[] getSupportedCipherSuites()
    {
        return ssf.getSupportedCipherSuites();
    }

    // The remaining methods delegate to the wrapped factory and then
    // restrict the ciphers on the socket it returns.
    public ServerSocket createServerSocket()
          throws IOException
    {
        return setCiphers( ssf.createServerSocket() );
    }

    public ServerSocket createServerSocket(int port)
          throws IOException
    {
        return setCiphers( ssf.createServerSocket( port ) );
    }

    public ServerSocket createServerSocket(int port, int backlog)
          throws IOException
    {
        return setCiphers( ssf.createServerSocket( port, backlog ) );
    }

    public ServerSocket createServerSocket(int port, int backlog, InetAddress ifAddress)
          throws IOException
    {
        return setCiphers( ssf.createServerSocket( port, backlog, ifAddress ) );
    }
}

I compiled this from the jetty-[version#].sar directory with a command like:

javac -classpath "../../../../client/jsse.jar;org.mortbay.jetty.jar;." com/mycompany/MyRestrictedSSLListener.java

Then in the jetty-[version#].sar/META-INF/jboss-service.xml file I change:

           <New class="org.mortbay.http.SunJsseListener">

to:

           <New class="com.mycompany.MyRestrictedSSLListener">

and it works.

You may need to change the list of ciphers to enable; different Java versions seem to allow different ones.  Check against the list this listener prints during JBoss startup.
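Rather than hand-picking CIPHER_LIST from that printout each time the JDK changes, the allowed list can be derived from the default list at runtime. The helper below is an added example, not code from the original entry; the weak-suite name markers are an assumption about JSSE suite naming, and the sample input is constructed.

```java
import javax.net.ssl.SSLServerSocketFactory;
import java.util.ArrayList;
import java.util.List;

public class CipherFilter {
    // Name fragments (assumed JSSE naming) that mark suites below 128 bits,
    // or with no encryption / no authentication at all.
    // "_DES_" matches single DES but not "3DES_EDE".
    private static final String[] WEAK_MARKERS = {
        "_NULL_", "_anon_", "_EXPORT", "_DES_", "_40_", "_RC2_"
    };

    /** Returns the suites from 'candidates' whose names carry no weak marker. */
    public static String[] strongOnly(String[] candidates) {
        List<String> keep = new ArrayList<String>();
        for (String suite : candidates) {
            boolean weak = false;
            for (String marker : WEAK_MARKERS) {
                if (suite.indexOf(marker) >= 0) { weak = true; break; }
            }
            if (!weak) keep.add(suite);
        }
        return keep.toArray(new String[keep.size()]);
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of list an old JSSE prints at startup.
        String[] sample = {
            "SSL_RSA_WITH_RC4_128_MD5",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_WITH_DES_CBC_SHA",            // 56 bit, dropped
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",      // export grade, dropped
            "SSL_RSA_WITH_NULL_MD5",               // no encryption, dropped
            "SSL_DH_anon_WITH_RC4_128_MD5"         // unauthenticated, dropped
        };
        for (String s : strongOnly(sample)) System.out.println(s);

        // The same filter over the real defaults of the running JDK.
        SSLServerSocketFactory ssf =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        for (String s : strongOnly(ssf.getDefaultCipherSuites())) System.out.println(s);
    }
}
```

The filter only judges nominal key length, which is what the 128 bit requirement asks for; 3DES and the RC4_128 suites pass because their names carry none of the markers.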

You can use http://www.serversniff.net/content.php?do=ssl to check what ciphers you allow.
