Thursday, August 31, 2006

Regarding Jetty Cipher Suites

Well, it looks like the default in Jetty is going to remain that you must explicitly DENY the cipher suites you don't want rather than enable only those you do want. This is against the principle of locking down everything first and then granting access only as needed. I would be worried that someone misspells something, forgets to add something, or that new ciphers come along when you're not looking ...

Here is the response from the Jetty team:

The list of cipher suites available is determined by the security provider that is available in Java, and by default it is the SunJSSE provider. It's not included in Jetty but in your Java installation itself. It is possible to use a third party provider but it's not simple to install it (here are the details: http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#JCECust).

Thus, if you know the provider, you can just select the low level ciphers from the list of available ciphers provided by that provider. To see the list of available cipher suites in Java 1.5, just go to appendix A in the link above.

In appendix B, you'll see that Java has a list of allowed cipher suites for other providers. Java 5 will only allow third party providers as long as they support only those cipher suites in the list. You can just select the weak encryptions from this list and enumerate them in the excludeCipherSuites list so no one will be able to sneak in a weak encryption cipher.
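One way to get allow-list behaviour out of an exclude-only setting is to compute the exclude list as the complement of the suites you actually want. The example below is added here and is not code from the post or from the Jetty team; it asks the default JSSE provider for every suite it supports, subtracts an allow-list, flags any allow-listed name the provider does not know (the misspelling worry above), and prints the result in the `<Set name="ExcludeCipherSuites">` form that a Jetty XML configuration is assumed to accept. The allow-list itself is a constructed sample, not a recommendation.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherSuiteExcludeList {

    // Constructed sample allow-list: the only suites the connector may negotiate.
    static final String[] ALLOWED = {
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    };

    /** Every suite the provider supports that is NOT on the allow-list. */
    static String[] excludeListFor(String[] supported, String[] allowed) {
        Set<String> allow = new HashSet<String>(Arrays.asList(allowed));
        Set<String> exclude = new LinkedHashSet<String>();
        for (String suite : supported) {
            if (!allow.contains(suite)) exclude.add(suite);
        }
        return exclude.toArray(new String[exclude.size()]);
    }

    /** Ask the default JSSE provider what it supports (server side). */
    static String[] supportedSuites() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);          // default key and trust managers
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        return factory.getSupportedCipherSuites();
    }

    public static void main(String[] args) throws Exception {
        String[] supported = supportedSuites();
        Set<String> known = new HashSet<String>(Arrays.asList(supported));
        // An allow-listed name the provider does not offer is almost always a typo.
        for (String suite : ALLOWED) {
            if (!known.contains(suite)) {
                System.err.println("WARNING: allowed suite unknown to provider: " + suite);
            }
        }
        // Emit the exclude list in (assumed) jetty.xml form.
        System.out.println("<Set name=\"ExcludeCipherSuites\">");
        System.out.println("  <Array type=\"java.lang.String\">");
        for (String suite : excludeListFor(supported, ALLOWED)) {
            System.out.println("    <Item>" + suite + "</Item>");
        }
        System.out.println("  </Array>");
        System.out.println("</Set>");
    }
}
```

Rerun it after a JDK upgrade or provider change, since any suite the new provider adds lands on the exclude side automatically instead of quietly becoming negotiable.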