Weak Ciphers for Jetty Security Vulnerability

  • KM00776311
  • 27-Feb-2014
  • 27-Feb-2014

This document is under revision.


This document explain how to disable ciphers that support less than a 128-bit cipher strength in ALM Jetty


How to disable ciphers that support less than 128-bit cipher strength in Application Lifecycle Management (ALM) Jetty


Since Java version is what sets the supported ciphers,  it is not possible to raise the level of cyphers in Jetty, but it is possible to disable the weak ciphers
To disable ciphers that support less than 128-bit cipher strength in ALM Jetty, we can proceed witht the following steps:
1.     Open C:\ProgramData\HP\ALM\server\conf\jetty.xml
2.     Add the highlighted section below as part of SslSocketConnector:
<New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
                     <Set name="host"><Property name="jetty.host" /></Set>
                     <Set name="Port">8443</Set>
                     <Set name="maxIdleTime">30000</Set>
                     <Set name="keystore">C:\certs\alm2_certificate.jks</Set>
                     <Set name="password">Y7u8i9o0</Set>
                     <Set name="keyPassword">Y7u8i9o0</Set>
                     <Set name="truststore">C:\certs\alm2_certificate.jks</Set>
                     <Set name="trustPassword">Y7u8i9o0</Set>        
                     <Set name="IncludeCipherSuites">
                                    <Array type="java.lang.String">
3.     Restart ALM
4.     Run the command SSLScan from any client (sslscan.exe –-no-failed <ALM server>:8443)
5.     Observe-> it shows only 128 bits ciphers are supported (SSLv3 and TLSv1); see full results table below.
Note: This procedure disables certain weak ciphers (less than a 128-bit, MD5, etc) but still allows SHA1