Enabling TLS-1.2 on embedded Jetty

Question

Currently I am using this code which is enabling TLS 1.2:

ServerConnector httpsConnector = new ServerConnector(server, 
       new SslConnectionFactory(sslContextFactory, "http/1.1"),
       new HttpConnectionFactory(https_config));
httpsConnector.setPort(8443);
httpsConnector.setIdleTimeout(50000)

Now I am using TLS 1.1 and want to change it to TLS 1.2.

Answer 1

Java 8 is TLS/1.2 by default.

• https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls

You can diagnose TLS in the JVM using the techniques at:

• https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https

If you want to force TLS/1.2, see the prior answer at:

How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections

Know that the ciphers and protocols you expose in Jetty's SslContextFactory will also have an influence on your TLS support level. (For example: you can exclude the ciphers that TLS/1.0 knows about leaving no ciphers to negotiate against)

Answer 2

Yeah, I resolved this question just now.
We can customize it by org.eclipse.jetty.util.ssl.SslContextFactory just like this:

1. exclude TLSv1、TLSv1.1 protocol etc.

sslContextFactory.addExcludeProtocols("TLSv1", "TLSv1.1");

By the way, my jetty version is 9.4.45, default protocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3") have already excluded by Jetty.

// org.eclipse.jetty.util.ssl.SslContextFactory#DEFAULT_EXCLUDED_PROTOCOLS
private static final String[] DEFAULT_EXCLUDED_PROTOCOLS = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"};

2. include only TLSv1.2 protocol (some protocols etc.)

    sslContextFactory.setIncludeProtocols("TLSv1.2");

The final protocols selected you can see in the method org.eclipse.jetty.util.ssl.SslContextFactory#selectProtocols , you can debug yourself.