Goal
I want Datameer's embedded Jetty to serve only TLS 1.2 requests, reject all weaker SSL/TLS protocol versions, and disable weak cipher suites.
Learn
By default, Jetty's SSL module is configured to serve data via any SSL/TLS version supported by the JVM except SSLv3, as described in the Configuring SSL/TLS section of the Jetty documentation.
- Below is an example configuration block for jetty-ssl.xml that adds the remaining legacy protocols (everything older than TLS 1.2) to the exclusion list (the original block listed SSLv3 twice; the duplicate has been dropped here):
    <Set name="ExcludeProtocols">
        <Array type="String">
            <Item>SSL</Item>
            <Item>SSLv2</Item>
            <Item>SSLv2Hello</Item>
            <Item>SSLv3</Item>
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
        </Array>
    </Set>
- A second option is to change the configuration of the JVM used by Datameer and disable the unwanted TLS protocol versions there, so that every TLS endpoint in that JVM is affected. To do so, add the legacy protocols to the jdk.tls.disabledAlgorithms property in the $JAVA_HOME/jre/lib/security/java.security file and restart Datameer to apply the change.
- For more details, see the following documentation: "How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections".
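As an added example (not from the Datameer article and not Jetty or JDK code), the following Python audit script reads jdk.tls.disabledAlgorithms from java.security-style text, joins backslash-continued lines the way the JDK does, and reports which of SSLv3, TLSv1 and TLSv1.1 are still allowed. The sample file contents are constructed for the demonstration.

```python
# Audit helper for the jdk.tls.disabledAlgorithms approach described above.
# Constructed java.security excerpt (not copied from any JDK); note the
# backslash line continuation, which the JDK properties parser honours.
SAMPLE_JAVA_SECURITY = """\
# unrelated properties omitted
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5
"""

# Protocol versions that must be disabled for a TLS 1.2-only server.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def read_security_property(text, key):
    """Return the value of `key` from java.security-style text, joining
    backslash-continued lines. Returns None when the key is absent."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("#") or "=" not in line:
            i += 1
            continue
        name, _, value = line.partition("=")
        if name.strip() == key:
            value = value.strip()
            while value.endswith("\\"):          # continuation line follows
                value = value[:-1].rstrip()
                i += 1
                value += " " + (lines[i].strip() if i < len(lines) else "")
            return value
        i += 1
    return None


def disabled_algorithms(text):
    """Set of entries listed in jdk.tls.disabledAlgorithms (empty if unset)."""
    value = read_security_property(text, "jdk.tls.disabledAlgorithms")
    if value is None:
        return set()
    return {entry.strip() for entry in value.split(",") if entry.strip()}


def missing_legacy_protocols(text):
    """Legacy protocols NOT disabled by the given java.security text."""
    disabled = disabled_algorithms(text)
    return [p for p in LEGACY_PROTOCOLS if p not in disabled]


if __name__ == "__main__":
    print("still allowed:", missing_legacy_protocols(SAMPLE_JAVA_SECURITY))
```

Run it against the real file with `missing_legacy_protocols(open(path).read())` to confirm the property edit took effect before restarting Datameer.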
To allow or forbid a particular cipher suite in Jetty, edit the corresponding properties (the include/exclude cipher suite settings) in the jetty-ssl.xml configuration file, as described in the Jetty/Howto/CipherSuites section of Jetty's documentation.
Please note that a Datameer restart is required to apply any change to the Jetty configuration.