Also, with the IBM JVM you might have to configure the following on the Jetty side ...
SslContextFactory ...

.setProtocol(String protocol) - this defaults to "TLS" (the openjdk official name), yours is likely different (based on my reading of the IBM JVM documentation).

.setProvider(String provider) - this defaults to "" (unset) as we use the default provider, but your IBM JVM seems to want to do things "the IBM way", not "the standard way".

As a last resort, you might need to create the javax.net.ssl.SSLContext manually, the IBM way, and give it to the jetty side SslContextFactory.setSslContext(SSLContext context)

Joakim Erdfelt / [email protected]

On Wed, Mar 14, 2018 at 12:04 PM, Joakim Erdfelt <[email protected]> wrote:

> Also, read and understand the linked to issue at the IBM side for TLS
> (from the prior message)
>
> https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html
>
> The IBM JVM does not apparently follow the OpenJDK standard naming of
> things (which dozens of other alternate JVMs do), that article tells you
> how to correct the startup of your IBM JVM to address that as well.
>
> Joakim Erdfelt / [email protected]
>
> On Wed, Mar 14, 2018 at 11:53 AM, Silvio Bierman <[email protected]> wrote:
>
>> Those are ciphers for the SSL protocol instead of TLS. You do not want to
>> use those...
>>
>> Sent from my Samsung Galaxy smartphone.
>>
>> -------- Original message --------
>> From: Lothar Kimmeringer <[email protected]>
>> Date: 3/14/18 17:36 (GMT+01:00)
>> To: [email protected]
>> Subject: Re: [jetty-users] keystore
>>
>> Hi,
>>
>> On 14.03.2018 at 17:24, Joakim Erdfelt wrote:
>>
>> > * The IBM JVM is not sane, look into its cipher suites and protocols.
>> >
>> > A quick comparison shows that it has half the cipher suites that oracle jvm or openjdk has.
>>
>> Not necessarily. At least the JVM for i Series has more or less the same
>> ciphers but the textual representation is not starting with TLS_... but SSL_...
>> so filters based on the textual representation will filter out most
>> of them (in my case where I found that out, all ciphers were filtered).
>>
>> Here as an example -Djavax.net.debug=ssl:handshake output for a ClientHello
>> sent by an AS/400:
>>
>> Cipher Suites: [
>>   TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
>>   SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>>   SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>>   SSL_RSA_WITH_AES_256_CBC_SHA256,
>>   SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
>>   SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
>>   SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
>>   SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
>>   SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>>   SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>>   SSL_RSA_WITH_AES_256_CBC_SHA,
>>   SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
>>   SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
>>   SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
>>   SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
>>   SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
>>   SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>>   SSL_RSA_WITH_AES_128_CBC_SHA256,
>>   SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
>>   SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
>>   SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
>>   SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
>>   SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>>   SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>>   SSL_RSA_WITH_AES_128_CBC_SHA,
>>   SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
>>   SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
>>   SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
>>   SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
>>   SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>>   SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>>   SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>>   SSL_RSA_WITH_AES_256_GCM_SHA384,
>>   SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
>>   SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,
>>   SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
>>   SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
>>   SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>>   SSL_RSA_WITH_AES_128_GCM_SHA256,
>>   SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
>>   SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,
>>   SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
>>   SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]
>>
>> Cheers, Lothar
>> _______________________________________________
>> jetty-users mailing list
>> [email protected]
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://dev.eclipse.org/mailman/listinfo/jetty-users
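Added example, not part of the original thread and not Jetty's or IBM's code: the naming point from Lothar's quoted message, checked with the JDK alone. The include and exclude patterns are a hypothetical policy written against TLS_-style names, and the sample list is a few names copied from the ClientHello quoted above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

public class CipherNameAudit {
    // Constructed sample: names taken from the ClientHello quoted in the thread.
    static final List<String> IBM_STYLE = Arrays.asList(
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "SSL_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "SSL_RSA_WITH_AES_128_CBC_SHA");

    // Hypothetical policy (assumption): forward-secret GCM suites only,
    // and never NULL/anon/RC4/DES/3DES, decided by algorithm and not by prefix.
    static final Pattern INCLUDE = Pattern.compile("^TLS_(ECDHE|DHE)_.*_GCM_.*$");
    static final Pattern EXCLUDE = Pattern.compile("^.*_(NULL|anon|RC4|DES|3DES)_.*$");

    // Compare on one spelling: treat a leading SSL_ as TLS_ for matching only.
    static String canonical(String name) {
        return name.startsWith("SSL_") ? "TLS_" + name.substring(4) : name;
    }

    // Returns the suites (under the JVM's own names) that pass the policy.
    static List<String> select(List<String> offered, boolean normalize) {
        List<String> kept = new ArrayList<>();
        for (String name : offered) {
            String key = normalize ? canonical(name) : name;
            if (INCLUDE.matcher(key).matches() && !EXCLUDE.matcher(key).matches()) {
                kept.add(name);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("raw names:        " + select(IBM_STYLE, false));
        System.out.println("normalized names: " + select(IBM_STYLE, true));

        // Same audit against whatever the running JVM actually reports.
        List<String> local = Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites());
        System.out.println("this JVM: " + local.size() + " supported, "
            + select(local, false).size() + " pass on raw names, "
            + select(local, true).size() + " pass on normalized names");
    }
}
```

Running it on the JVM that hosts Jetty shows whether a name-based filter is leaving the connector with no usable suites before any SslContextFactory setting is changed.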
