How to config local Jetty ssl to avoid weak ephemeral DH key error?


Problem description

I'm using keytool to generate a keystore to configure a local development Jetty to run SSL:

keytool.exe -keystore jetty.keystore -alias jetty -genkey -keyalg RSA -sigalg SHA256withRSA

Jetty config:

<Call name="addConnector">
    <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <Arg>
                <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                    <Set name="keyStore">jetty/jetty.keystore</Set>
                    <Set name="keyStorePassword">jetty6</Set>
                    <Set name="keyManagerPassword">jetty6</Set>
                    <Set name="trustStore">jetty/jetty.keystore</Set>
                    <Set name="trustStorePassword">jetty6</Set>
                </New>
            </Arg>
            <Set name="port">8443</Set>
            <Set name="maxIdleTime">30000</Set>
        </New>
    </Arg>
</Call>

It worked fine until recently; new browsers like Firefox Aurora and Chrome Canary reject it with (in Firefox's case):


An error occurred during a connection to localhost:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

There is no way to accept it manually. So, should I re-generate a stronger key? Or is it a configuration in Jetty?

Recommended answer

The accepted answer didn't fix it for me (Jetty 9.2, Java 7), but this did:

<Set name="ExcludeCipherSuites">
  <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <!-- Disable cipher suites with Diffie-Hellman key exchange to prevent Logjam attack 
    and avoid the ssl_error_weak_server_ephemeral_dh_key error in recent browsers -->
    <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
    <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
    <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
    <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
    <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
  </Array>
</Set>
<!-- setting required for preventing Poodle attack, see http://stackoverflow.com/questions/26382540/how-to-disable-the-sslv3-protocol-in-jetty-to-prevent-poodle-attack/26388531#26388531 -->
<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
    <Item>SSLv3</Item>
  </Array>
</Set>
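A way to check the exclusion list against the JVM that actually runs Jetty, as an added example that is not part of the original answer or of Jetty itself: it reports DHE suites the JVM enables by default that the list above does not name, which can happen on a JVM newer than the Java 7 mentioned in the answer. The class name `DheSuiteAudit` and the helper `remainingDhe` are hypothetical, and names are compared exactly.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class DheSuiteAudit {
    // Names copied from the ExcludeCipherSuites block in the answer above.
    static final Set<String> EXCLUDED = new HashSet<>(Arrays.asList(
        "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
        "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
    ));

    // Returns the enabled suites that use ephemeral finite-field DH and are
    // not named in the exclusion set. ECDHE names contain "_ECDHE_", which
    // does not contain "_DHE_", so they are left alone.
    static List<String> remainingDhe(String[] enabled, Set<String> excluded) {
        List<String> remaining = new ArrayList<>();
        for (String suite : enabled) {
            if (suite.contains("_DHE_") && !excluded.contains(suite)) {
                remaining.add(suite);
            }
        }
        return remaining;
    }

    public static void main(String[] args) throws Exception {
        // Suites this JVM enables by default, before any Jetty exclusions.
        String[] enabled = SSLContext.getDefault()
                .getDefaultSSLParameters().getCipherSuites();
        List<String> remaining = remainingDhe(enabled, EXCLUDED);
        if (remaining.isEmpty()) {
            System.out.println("No DHE suites left enabled on this JVM.");
        } else {
            for (String suite : remaining) {
                System.out.println("DHE suite not in exclusion list: " + suite);
            }
        }
    }
}
```

Run it with the same `java` binary that starts Jetty; any name it prints would need its own `<Item>` entry to be excluded.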
