WonderfulWorld - 5 months ago - 36 votes
Java Question

Disable cipher suites on Jetty server within Spark

I would like to disable cipher suites (list below) deemed weak by SSL Labs to pass their SSL test on a SparkJava server.

Ciphers to disable:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Spark version spark-core 2.5 (includes Jetty 9.3), Java 8.

There are no external configuration files for Spark and no mention in the documentation on how to do this properly without messing things up.

Could someone with the know-how please explain exactly what to do?

Thank you.

Answer

Assuming you are using the Sun JVM without any additional security providers, then Spark is using the JVM's Sun security provider for SSL/TLS - JSSE. You can disable specific algorithms by modifying JSSE's configuration file located at jre/lib/security/java.security.

Specifically you could do something like this:

jdk.tls.disabledAlgorithms=3DES, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

This totally disables Triple DES (3DES) which has been unsafe for quite a while. It also disables the specified ciphers.

EDIT: Note that the previous answer (AES keySize <= 128) was wrong. For some reason this does not eliminate the ciphers using AES_128. Instead the insecure ciphers have to be listed by their full name.
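The same `jdk.tls.disabledAlgorithms` setting can be applied from inside the application instead of editing `jre/lib/security/java.security`, which is handy when you do not control the JRE installation. The following is an added example, not code from the thread or from the Spark project. It assumes Java 8 JSSE behaviour: the property is read once, when JSSE initialises, so `applyDisabledAlgorithms()` must run before the first `SSLContext`, `SSLEngine` or Spark `secure(...)` call in the process. It also appends to any value already set rather than replacing it, and then lists what JSSE still enables so you can confirm the unwanted suites are gone before re-running the SSL Labs scan.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example: programmatic equivalent of the java.security edit from the answer,
 * plus a check that the suites the question lists are no longer enabled.
 */
public class DisabledCipherCheck {

    // Suites the question asks to remove. "3DES" in the property covers
    // TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (and every other 3DES suite).
    static final List<String> UNWANTED = Arrays.asList(
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA");

    // Same value as in the answer; appended to whatever java.security already sets.
    static final String EXTRA_DISABLED =
        "3DES, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "
        + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";

    /** Must be called before any TLS context is created in this JVM (assumption: Java 8 JSSE). */
    static void applyDisabledAlgorithms() {
        String existing = Security.getProperty("jdk.tls.disabledAlgorithms");
        String merged = (existing == null || existing.trim().isEmpty())
            ? EXTRA_DISABLED
            : existing + ", " + EXTRA_DISABLED;
        Security.setProperty("jdk.tls.disabledAlgorithms", merged);
    }

    /** Cipher suites JSSE enables by default after the disabled-algorithm filter. */
    static List<String> enabledSuites() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        return Arrays.asList(engine.getEnabledCipherSuites());
    }

    /** Unwanted suites that are still enabled; empty means the configuration took effect. */
    static List<String> leftovers() throws Exception {
        List<String> enabled = enabledSuites();
        List<String> bad = new ArrayList<>();
        for (String suite : UNWANTED) {
            if (enabled.contains(suite)) {
                bad.add(suite);
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        applyDisabledAlgorithms();   // in a Spark app: call this before Spark.secure(...)
        List<String> bad = leftovers();
        if (bad.isEmpty()) {
            System.out.println("OK: none of the unwanted suites are enabled");
        } else {
            System.out.println("STILL ENABLED: " + bad);
            System.exit(1);
        }
    }
}
```

Run it as a stand-alone class to see the filter applied; in the Spark application itself, call `applyDisabledAlgorithms()` as the first thing in `main`, before any route or `secure(...)` call, because once JSSE has initialised, later changes to the property are ignored for that process.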
