我正在使用keytool生成一个密钥库来配置本地开发码头来运行ssl
keytool.exe -keystore jetty.keystore -alias jetty -genkey -keyalg RSA -sigalg SHA256withRSA
Jetty配置:
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg>
<New class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="keyStore">jetty/jetty.keystore</Set>
<Set name="keyStorePassword">jetty6</Set>
<Set name="keyManagerPassword">jetty6</Set>
<Set name="trustStore">jetty/jetty.keystore</Set>
<Set name="trustStorePassword">jetty6</Set>
</New>
</Arg>
<Set name="port">8443</Set>
<Set name="maxIdleTime">30000</Set>
</New>
</Arg>
</Call>
直到最近在Firefox Aurora和Chrome Canary这样的新浏览器中才能正常工作,它拒绝(在Firefox的情况下):
连接到localhost期间发生错误:8443。已收到SSL 服务器密钥交换握手中的一个弱短暂的Diffie-Hellman密钥 信息。 (错误代码:ssl_error_weak_server_ephemeral_dh_key)
无法手动接受。那么,我应该重新生成一个更强的密钥?或者它是码头的配置?
答案 0 :(得分:9)
接受的答案并没有为我解决(Jetty 9.2,Java 7),但是这样做了:
<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<!-- Disable cipher suites with Diffie-Hellman key exchange to prevent Logjam attack
and avoid the ssl_error_weak_server_ephemeral_dh_key error in recent browsers -->
<Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
<Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
</Array>
</Set>
<!-- setting required for preventing Poodle attack, see http://stackoverflow.com/questions/26382540/how-to-disable-the-sslv3-protocol-in-jetty-to-prevent-poodle-attack/26388531#26388531 -->
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
答案 1 :(得分:2)
UnSandpiper解决方案的嵌入式Jetty代码:
sslContextFactory.setExcludeCipherSuites(
"SSL_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
"SSL_RSA_EXPORT_WITH_RC4_40_MD5",
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
// Disable cipher suites with Diffie-Hellman key exchange to prevent Logjam attack
//and avoid the ssl_error_weak_server_ephemeral_dh_key error in recent browsers
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA");
// Setting required for preventing Poodle attack,
// see http://stackoverflow.com/questions/26382540/how-to-disable-the-sslv3-protocol-in-jetty-to-prevent-poodle-attack/26388531#26388531
sslContextFactory.setExcludeProtocols("SSLv3");
答案 2 :(得分:1)
对码头不太了解,但似乎你正在咆哮错误的树。
这不是firefox抱怨的服务器密钥,而是用于建立连接的(临时)临时DH密钥。您需要配置码头可能使用的SSL / TLS加密。看看选择不同的密码套件。
答案 3 :(得分:0)
This works with OpenJDK 7 as the code above to call setIncludeCipherSuites () fails to allow any connections
sslContextFactory.setExcludeCipherSuites("TLS_DHE.*", "TLS_EDH.*");
sslContextFactory.setExcludeProtocols("SSLv3");
sslContextFactory.setRenegotiationAllowed(false);