Summary
Question
This article describes the recommended SSL configuration for AGM. The configuration disables the weak SSLv3 protocol and restricts the server to a fixed list of strong cipher suites, which protects your AGM instance against:
1. POODLE (padding-oracle attack on SSLv3; mitigated by excluding SSLv3).
2. Bar Mitzvah (RC4 keystream weaknesses; mitigated because the cipher list contains no RC4 suite).
3. Logjam (weak Diffie-Hellman groups; mitigated because the cipher list contains no DHE suite).
Answer
To configure the SSL settings correctly, add the two settings shown below, ExcludeProtocols on the SslContextFactory and IncludeCipherSuites on the connector, to the existing definition of the Jetty SSL connector. Keep your existing connector settings (port, keystore and passwords) as they are:
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <!-- Shared SSL context: refuse SSLv3 so a client cannot be downgraded to it (POODLE) -->
  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
      </Array>
    </Set>
  </New>
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
        <Arg><Ref id="sslContextFactory" /></Arg>
        <!-- Whitelist of cipher suites: no RC4 (Bar Mitzvah), no DHE or export suites (Logjam) -->
        <Set name="IncludeCipherSuites">
          <Array type="java.lang.String">
            <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
</Configure>
Note that the two TLS_RSA_* suites use plain RSA key exchange and therefore offer no forward secrecy: a later compromise of the server key would decrypt recorded sessions. The two TLS_ECDHE_RSA_* suites do provide forward secrecy, and a modern client will normally negotiate one of them.
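The following Python script is an added example, not part of the article or of Jetty or AGM. It reads a Jetty connector definition like the one above, collects ExcludeProtocols and IncludeCipherSuites, and reports anything that still leaves the three weaknesses the article names exposed (SSLv3 for POODLE, RC4 suites for Bar Mitzvah, export or DHE suites for Logjam). It goes slightly beyond the article by also flagging DES, NULL, anonymous and MD5 suites, and by listing which accepted suites lack forward secrecy. The two sample configurations (HARDENED_CONNECTOR, WEAK_CONNECTOR) are constructed for this example; the weak one is what a connector typically looked like before this hardening.

```python
"""Offline lint for a Jetty SSL connector definition (added example, not AGM tooling)."""
import re
import xml.etree.ElementTree as ET

# Fragments of Java cipher-suite names and the weakness each one signals.
WEAK_SUITE_PATTERNS = [
    (re.compile(r"_RC4_"), "RC4 keystream biases (Bar Mitzvah)"),
    (re.compile(r"_EXPORT"), "export-grade key exchange, the Logjam downgrade target"),
    (re.compile(r"_DHE?_"), "finite-field DH, safe only with a 2048-bit group (Logjam); omit it"),
    (re.compile(r"_DES_|_3DES_"), "DES / 3DES"),
    (re.compile(r"_NULL_|_anon_|_MD5$"), "no encryption, no authentication, or MD5 MAC"),
]

# Hardened connector: the article's configuration, embedded here as sample input.
HARDENED_CONNECTOR = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="ExcludeProtocols"><Array type="java.lang.String"><Item>SSLv3</Item></Array></Set>
  </New>
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
      <Arg><Ref id="sslContextFactory" /></Arg>
      <Set name="IncludeCipherSuites"><Array type="java.lang.String">
        <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
        <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
      </Array></Set>
    </New>
  </Arg></Call>
</Configure>"""

# Constructed weak connector: no protocol exclusion, RC4 and export-DHE suites allowed.
WEAK_CONNECTOR = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
      <Set name="IncludeCipherSuites"><Array type="java.lang.String">
        <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
        <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
      </Array></Set>
    </New>
  </Arg></Call>
</Configure>"""


def parse_ssl_settings(xml_text):
    """Collect the string arrays of every ExcludeProtocols / IncludeCipherSuites <Set>,
    wherever they appear (Jetty 7 accepts them on the factory or the connector)."""
    root = ET.fromstring(xml_text)
    settings = {"ExcludeProtocols": [], "IncludeCipherSuites": []}
    for set_el in root.iter("Set"):
        name = set_el.get("name")
        if name in settings:
            settings[name].extend(
                item.text.strip() for item in set_el.findall("Array/Item") if item.text
            )
    return settings


def audit(xml_text):
    """Return a list of human-readable findings; an empty list means the fragment is clean."""
    settings = parse_ssl_settings(xml_text)
    findings = []
    if "SSLv3" not in settings["ExcludeProtocols"]:
        findings.append("ExcludeProtocols does not list SSLv3 (POODLE)")
    if not settings["IncludeCipherSuites"]:
        findings.append("IncludeCipherSuites is empty: the JVM's default suites are used, "
                        "which on older JVMs include RC4")
    for suite in settings["IncludeCipherSuites"]:
        for pattern, why in WEAK_SUITE_PATTERNS:
            if pattern.search(suite):
                findings.append(f"{suite}: {why}")
    return findings


def without_forward_secrecy(suites):
    """Suites with plain RSA key exchange: a leaked server key decrypts recorded sessions."""
    return [s for s in suites if re.match(r"^(TLS|SSL)_RSA_WITH_", s)]


if __name__ == "__main__":
    for label, xml_text in (("hardened", HARDENED_CONNECTOR), ("weak", WEAK_CONNECTOR)):
        print(f"[{label}]")
        for finding in audit(xml_text) or ["no findings"]:
            print("  -", finding)
        print("  no forward secrecy:",
              without_forward_secrecy(parse_ssl_settings(xml_text)["IncludeCipherSuites"]))
```

The lint only inspects the configuration file. To confirm the running server after a restart, a handshake with openssl s_client -ssl3 -connect host:port must fail, and a cipher scan must report only the four suites listed above.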