searchforsolutions

Just another WordPress.com site

Tag Archives: embedded jetty

Fixing the POODLE issue in Java client (HTTPSUrlConnection/Webservices etc.) , securing embedded jetty , fixing a .NET client stack (WCF etc.) and securing IIS7/8


– If your app is going to make HTTPS calls (act like a client) or for all Java apps using HTTPSUrlConnection set the following system property java.lang.System.setProperty(“https.protocols”,
“TLSv1,TLSv1.1,TLSv1.2”); or set the propety before starting the application with “java -Dhttps.protocols=”TLSv1,TLSv1.1,TLSv1.2″ MyAPP”

– To disable SSLv3 in embedded Jetty(v9.x)  setup the SslContextFactory

sslContextFactory.addExcludeProtocols(“SSLv3”);

sslContextFactory.setExcludeCipherSuites(“SSL_RSA_WITH_NULL_MD5”,
“SSL_RSA_WITH_NULL_SHA”, “SSL_RSA_EXPORT_WITH_RC4_40_MD5”,
“SSL_RSA_WITH_RC4_128_MD5”, “SSL_RSA_WITH_RC4_128_SHA”,
“SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5”,
“SSL_RSA_WITH_IDEA_CBC_SHA”,
“SSL_RSA_EXPORT_WITH_DES40_CBC_SHA”,
“SSL_RSA_WITH_DES_CBC_SHA”, “SSL_RSA_WITH_3DES_EDE_CBC_SHA”,
“SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA”,
“SSL_DH_DSS_WITH_DES_CBC_SHA”,
“SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA”,
“SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA”,
“SSL_DH_RSA_WITH_DES_CBC_SHA”,
“SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA”,
“SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA”,
“SSL_DHE_DSS_WITH_DES_CBC_SHA”,
“SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA”,
“SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA”,
“SSL_DHE_RSA_WITH_DES_CBC_SHA”,
“SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA”,
“SSL_DH_anon_EXPORT_WITH_RC4_40_MD5”,
“SSL_DH_anon_WITH_RC4_128_MD5”,
“SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA”,
“SSL_DH_anon_WITH_DES_CBC_SHA”,
“SSL_DH_anon_WITH_3DES_EDE_CBC_SHA”,
“SSL_FORTEZZA_KEA_WITH_NULL_SHA”,
“SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA”,
“SSL_FORTEZZA_KEA_WITH_RC4_128_SHA”,
“SSL_DHE_RSA_WITH_AES_128_CBC_SHA”,
“SSL_RSA_WITH_AES_128_CBC_SHA”);

-For securing Tomcat 7 follow the following steps

http://wiki.apache.org/tomcat/Security/POODLE

-For protecting .NET WCF or client HTTPS invocatons endpoints by forcing them to use TLS always. Set it globally for each AppDomain via the System.Net.ServicePointManager.SecurityProtocol property when the application starts up.

 

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

-Disabling SSLv3 on IIS7/8

http://support.microsoft.com/kb/187498

http://support.microsoft.com/kb/245030