
For backwards compatibility reasons I need a Geode Jetty server to use TLSv1 and not 1.1 or 1.2

With ssl-enabled-components=web and ssl-protocols=TLSv1.0 set in gemfire.properties then when I start the Geode and check the HTTPS connectivity with SSL Labs then I get a TLS result:

HTTPS SSL check

I am looking for the TLS 1.1 and TLS 1.0 checks to also say Yes not No

The Geode SSL docs say Make sure your Java installation includes the JSSE API and familiarize yourself with its use.

The JSSE is about the java.security config in the JRE/lib/security directory. I set this not to disable any security algorithms and restarted Geode but the results are the same. TLS 1.1 and 1.0 are failing the SSL Labs test above.

Is there a way to force Geode to start with https.protocols=TLSv1 ?

When I try to start a locator with that using --J=-XX:https.protocols=TLSv1 then I get

Error: Could not create the Java Virtual Machine. Error: A fatal exception has occurred. Program will exit. Unrecognized VM option 'https.protocols=TLSv1'

There is no separate Jetty config I can find...

Update --J=-Dhttps.protocols=TLSv1 is the correct setting to assign TLS protocols to the JVM and that works on starting Geode locator and server.

Update When I set java.security setting jdk.tls.disabledAlgorithms=TLSv1.1, TLSv1.2 like the opposite of this then it's not possible to communicate via HTTPS with the Jetty server at all. This makes me think the Geode / Jetty ssl-protocols=TLSv1.0 setting does not apply either?

The Jetty config says TLS v1.0, v1.1 and SSL v3 are no longer supported by default. If your Jetty implementation requires these protocols for legacy support, they can be enabled manually.

Is there a way to configure Jetty with Geode?

rupweb
    For a start, I think you want to use `--J=-Dhttps.protocols=TLSv1`. I recently was looking at this as well and was unsuccessful in using a specific protocol (SSL in my case). I didn't go so far as to modify anything in the JRE's `java.security` file though. AFAIK, the TLS versions are backwards compatible so your server should be fine always supporting the latest version. – Jens D Oct 19 '17 at 13:00
  • @JensD thanks, the `--J=-Dhttps.protocols=TLSv1` does now start. The problem is when I test the HTTPS (via Jetty) using [SSL Labs](https://www.ssllabs.com/ssltest/analyze.html) then it is still coming up as using only TLS 1.2 and NOT TLS 1.1 or 1.0, so it's like the [Jetty config](https://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html). Is there a way to set up Jetty within Geode? I can't find a config file... – rupweb Oct 19 '17 at 13:11
  • I don't really understand why you would want to downgrade your server TLS version when the server already supports various lower versioned clients. Regardless, please be aware that we're going to update the version of Jetty to 9.4 which completely drops support for TLSv1.1 and below. For the current specifics of setting the protocol in Jetty, we do that here: https://github.com/apache/geode/blob/d16d192b22f2932ac95780f18e92f0aece730240/geode-core/src/main/java/org/apache/geode/management/internal/JettyHelper.java#L86 – Jens D Oct 19 '17 at 19:17
  • @JensD we're using the REST API from a VB6 app running on XP and this tech is not compatible > TLS 1.0 – rupweb Oct 20 '17 at 08:14
  • The problem with the server is if I set `ssl-protocols=TLSv1.0` or `ssl-protocols=TLSv1` or the same with `http-service-ssl-protocols` in `gemfire.properties` the HTTPS REST layer is still using TLSv1.2 and I don't know why... I assume it's a Jetty setting – rupweb Oct 20 '17 at 08:15

1 Answer


I don't believe you can currently achieve this. Mainly because of how Jetty is being configured internally. Jetty maintains a list of excluded ciphers defined by the regex ^.*_(MD5|SHA|SHA1)$. Unfortunately, it seems that this list trumps any ciphers which may be added as 'included'. Here's a very simple Jetty example that I used for testing: https://gist.github.com/jdeppe-pivotal/c0c6e7de4282bc077357749fc91bc44f. Jetty will produce a nice dump of the ciphers and protocols it is using when you run this.

As it stands, you can perform a successful request with the following curl: curl -k -v --tlsv1.2 https://localhost:8081/. Now, if you try that with tlsv1.0 it will fail because the necessary cipher suites are all disabled. However, if you uncomment the line: sslContextFactory.setExcludeCipherSuites() then things should start working. What this does is to remove all the current excluded ciphers (and allow them to be used). Unfortunately if you only try and add ciphers (without also excluding everything) things still don't work. Note that by doing this, Jetty is still configured for TLSv1.2 (and 1.1 and 1.0) but the client can use a lower protocol version.

The bottom line is that Geode does not explicitly exclude any ciphers from Jetty. Thus if you're hoping to add the necessary ciphers, they will most likely not be effective. I've opened a bug for this: https://issues.apache.org/jira/browse/GEODE-3891

Jens D
  • yes I think you're right, I think the fix is to use 'setExcludeCipherSuites' in Geode code to set the protocol, and build... tbc – rupweb Oct 25 '17 at 04:05
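The answer above hinges on Jetty resolving its include/exclude filters on top of whatever the JVM is willing to negotiate, which is why `-Dhttps.protocols` and `jdk.tls.disabledAlgorithms` (JVM layer) and `ssl-protocols` (Geode passing an include list to Jetty) behave differently. The following is an added diagnostic example, not the question's, the answer's, the linked gist's, or Geode's own code: it starts a bare Jetty HTTPS listener and prints the JVM's protocol list, Jetty's exclusion patterns, and the protocols and cipher suites that actually survive filtering, so the effect of each layer can be seen before touching Geode. It assumes the Jetty 9.4 API (`org.eclipse.jetty.util.ssl.SslContextFactory`, `getSelectedProtocols()`, `getSelectedCipherSuites()`), a JKS keystore path and password supplied as the first two arguments, and an optional third argument `clear-excludes` (a name chosen for this example) that mirrors the `setExcludeCipherSuites()` call the answer describes.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Added diagnostic example (not from the question, the answer, or Geode/Jetty).
 * Shows which TLS protocols and cipher suites remain after the JVM's own policy
 * and Jetty's include/exclude filtering, so a failing TLSv1.0 handshake can be
 * attributed to the right layer.
 *
 * Assumptions: Jetty 9.4 API; args[0] = keystore path, args[1] = keystore
 * password; optional args[2] = "clear-excludes" (name chosen for this example).
 */
public class JettyTlsDiagnostic {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: JettyTlsDiagnostic <keystore> <password> [clear-excludes]");
            System.exit(2);
        }
        boolean clearExcludes = args.length > 2 && "clear-excludes".equals(args[2]);

        // Layer 1: what the JVM itself will negotiate. jdk.tls.disabledAlgorithms in
        // java.security and -Dhttps.protocols act here, not on Jetty's configuration.
        SSLContext jvm = SSLContext.getDefault();
        System.out.println("JVM supported protocols: "
                + Arrays.toString(jvm.getSupportedSSLParameters().getProtocols()));
        System.out.println("JVM default protocols:   "
                + Arrays.toString(jvm.getDefaultSSLParameters().getProtocols()));

        // Layer 2: Jetty's filtering on top of the JVM list.
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(args[0]);
        ssl.setKeyStorePassword(args[1]);
        // Equivalent of what the Geode ssl-protocols / http-service-ssl-protocols
        // property ends up passing to Jetty: an include list of protocol names.
        ssl.setIncludeProtocols("TLSv1", "TLSv1.1", "TLSv1.2");
        if (clearExcludes) {
            // With no arguments this replaces Jetty's default cipher-suite exclusion
            // list with an empty one; the patterns printed below show what it held.
            ssl.setExcludeCipherSuites();
        }

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        Server server = new Server();
        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        connector.setPort(8081);
        server.addConnector(connector);
        server.start();

        // Only meaningful after start(): Jetty resolves include/exclude patterns
        // against the JVM's supported lists at that point.
        System.out.println("Excluded cipher patterns: " + Arrays.toString(ssl.getExcludeCipherSuites()));
        System.out.println("Selected protocols:       " + Arrays.toString(ssl.getSelectedProtocols()));
        System.out.println("Selected cipher suites:   " + Arrays.toString(ssl.getSelectedCipherSuites()));

        server.join();
    }
}
```

Run it once without and once with `clear-excludes` and compare the "Selected cipher suites" lines: if "TLSv1" appears under selected protocols but no suite usable by a TLSv1.0 client survives, the handshake fails at the cipher layer exactly as the answer describes, and no amount of `ssl-protocols` tuning in `gemfire.properties` will change that. A `curl -k -v --tlsv1.0 https://localhost:8081/` against each run confirms the result from the client side.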