
PylonHead's Journal: Restricting HTTPS to 128 bit encryption and up on old jetty

We maintain an old JBoss/jetty E-commerce application.  Because of new PCI (credit card company) requirements, you must not allow https connections to your site to use less than 128 bit encryption.

This seems to be a bit of a pain in the ass.  Here is my solution:

The jetty-[version#].sar/META-INF/jboss-service.xml file has a section that creates the https listener:

       <Call name="addListener">
           <New class="org.mortbay.http.SunJsseListener">
               <Set name="Port">443</Set>
               <Set name="MinThreads">5</Set>
               <Set name="MaxThreads">200</Set>
               <Set name="MaxIdleTimeMs">30000</Set>
               <Set name="LowResourcePersistTimeMs">2000</Set>
               <Set name="Keystore">...</Set>
               <Set name="Password">...</Set>
               <Set name="KeyPassword">...</Set>
           </New>
       </Call>

I subclassed org.mortbay.http.SunJsseListener to limit the encryption options.  Here is the code for "jetty-[version#].sar/com/mycompany/MyRestrictedSSLListener.java":

package com.mycompany;

import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLServerSocket;
import java.net.ServerSocket;
import java.io.IOException;
import java.net.InetAddress;
import org.mortbay.http.SunJsseListener;

public class MyRestrictedSSLListener extends SunJsseListener {
    // Wrap the factory jetty builds so that every server socket it
    // hands out gets the restricted cipher list applied.
    protected SSLServerSocketFactory createFactory() throws Exception {
        SSLServerSocketFactory ssf = super.createFactory();
        return new MySSLServerSocketFactory(ssf);
    }
}

class MySSLServerSocketFactory extends SSLServerSocketFactory {
    protected SSLServerSocketFactory ssf;

    // This is the whole point.. we are limiting our cipher list
    // to at least 128 bit encryption.
    // (The suite names did not survive in the original post; fill in the
    // 128 bit and up names taken from the list this class dumps at startup.)
    static final String [] CIPHER_LIST = {
    };

    MySSLServerSocketFactory( SSLServerSocketFactory ssf ) {
        this.ssf = ssf;
    }

    // Applied to every socket the wrapped factory creates.
    protected ServerSocket setCiphers( ServerSocket ss ) {
        // used to dump the default list so we could construct our own
        String [] working_ones = ssf.getDefaultCipherSuites();
        for (int i=0; i< working_ones.length; i++)
            System.err.println( working_ones[i]);

        ((SSLServerSocket) ss).setEnabledCipherSuites( CIPHER_LIST );
        return ss;
    }

    public String[] getDefaultCipherSuites() {
        return CIPHER_LIST;
    }

    public String[] getSupportedCipherSuites() {
        return ssf.getSupportedCipherSuites();
    }

    public ServerSocket createServerSocket() throws IOException {
        return setCiphers( ssf.createServerSocket() );
    }

    public ServerSocket createServerSocket(int port) throws IOException {
        return setCiphers( ssf.createServerSocket( port ) );
    }

    public ServerSocket createServerSocket(int port, int backlog) throws IOException {
        return setCiphers( ssf.createServerSocket( port, backlog ) );
    }

    public ServerSocket createServerSocket(int port, int backlog, InetAddress ifAddress)
            throws IOException {
        return setCiphers( ssf.createServerSocket( port, backlog, ifAddress ) );
    }
}

I compiled this from the jetty-[version#].sar directory with a command like:

javac -classpath "../../../../client/jsse.jar;org.mortbay.jetty.jar;." com/mycompany/MyRestrictedSSLListener.java

Then in the jetty-[version#].sar/META-INF/jboss-service.xml file I change:

           <New class="org.mortbay.http.SunJsseListener">

to:

           <New class="com.mycompany.MyRestrictedSSLListener">

and it works.

You may need to change the list of ciphers to enable; different Java versions seem to allow different ones, and setEnabledCipherSuites throws an IllegalArgumentException if the list names a suite the JVM does not support.  Check against the list this listener prints during JBoss startup.
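As an added example (not part of the original post), here is a small standalone Java program that derives the 128 bit and up list from whatever the running JVM's JSSE provider offers, by reading the bulk cipher's key length out of each standard suite name, so CIPHER_LIST does not have to be hand-edited for every Java version. The class and method names are my own; 3DES is counted at its 112 bit effective strength and therefore excluded, which you can change if your policy counts the nominal key.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocketFactory;

// Added example, not from the original post: derive the >=128-bit suite list from the
// JSSE suite names at runtime instead of hand-maintaining CIPHER_LIST per Java version.
public class StrongCipherFilter {

    static final int MIN_BITS = 128;

    // Bulk-cipher key length in bits, read from the standard suite name.
    // Unknown names and non-cipher entries (e.g. *_SCSV signalling values) return 0,
    // so the filter fails closed rather than enabling something it cannot classify.
    static int keyBits(String suite) {
        if (suite.contains("_NULL_") || suite.contains("_anon_") || suite.contains("_EXPORT")) {
            return 0;  // no encryption, no server authentication, or export-grade keys
        }
        if (suite.contains("_AES_256_") || suite.contains("_CHACHA20_")) return 256;
        if (suite.contains("_AES_128_") || suite.contains("_CAMELLIA_128_")
                || suite.contains("_RC4_128_")) return 128;  // RC4 passes on key length alone
        if (suite.contains("_3DES_EDE_")) return 112;       // 168-bit key, 112-bit effective
        if (suite.contains("_DES_CBC_") || suite.contains("_RC4_40_")
                || suite.contains("_RC2_CBC_40_")) return 56;
        return 0;
    }

    // Keep only suites meeting MIN_BITS, preserving the provider's preference order.
    static String[] strongSuites(String[] candidates) {
        List<String> keep = new ArrayList<String>();
        for (String s : candidates) {
            if (keyBits(s) >= MIN_BITS) keep.add(s);
        }
        return keep.toArray(new String[keep.size()]);
    }

    public static void main(String[] args) {
        // The same list the listener above dumps at startup, annotated with the decision.
        SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        String[] defaults = ssf.getDefaultCipherSuites();
        for (String s : defaults) {
            String verdict = keyBits(s) >= MIN_BITS ? "enable " : "reject ";
            System.err.println(verdict + keyBits(s) + "\t" + s);
        }
        String[] strong = strongSuites(defaults);
        System.err.println("Enabling " + strong.length + " of " + defaults.length + " default suites");
    }
}
```

The array returned by strongSuites() is what you would pass to setEnabledCipherSuites in place of the hard-coded CIPHER_LIST.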

You can use http://www.serversniff.net/content.php?do=ssl to check what ciphers you allow.
