Is there a way to limit ciphers for the AWI Jetty launcher with something like:
jdk.tls.client.cipherSuites=
or disable some with
jdk.tls.disabledAlgorithms=
in the start command? Is there a config file that can do this?
The weak ciphers can be disabled in the java.security file of the JDK/JRE that runs the AWI (conf/security/java.security on Java 9 and later, lib/security/java.security on Java 8) by adding them to the existing jdk.tls.disabledAlgorithms= entry. Extend that entry rather than adding a second one: if the key appears twice in a properties file, only the last definition takes effect. Entries are comma separated, a trailing backslash continues the value on the next line, and the list below also keeps the protocol and key-size restrictions that ship with the JDK default:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, \
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, \
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, \
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, \
TLS_RSA_WITH_AES_256_GCM_SHA384, \
TLS_RSA_WITH_AES_128_GCM_SHA256, \
TLS_RSA_WITH_AES_256_CBC_SHA256, \
TLS_RSA_WITH_AES_128_CBC_SHA256, \
TLS_RSA_WITH_AES_256_CBC_SHA, \
TLS_RSA_WITH_AES_128_CBC_SHA, \
include jdk.disabled.namedCurves
Once this change is done and the AWI is restarted, the advanced debug output (as described in the additional information section) will show the reduced set of algorithms/ciphers in use. The disabled suites simply no longer appear in the cipher suite list of the handshake; lines like the following are expected and show the key-update limits being loaded and the TLS 1.3-only suites being skipped for a TLS 1.2 handshake:
javax.net.ssl|DEBUG|28|Thread-2|2024-10-22 13:15:34.630 CDT|SSLCipher.java:464|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|28|Thread-2|2024-10-22 13:15:34.630 CDT|SSLCipher.java:464|jdk.tls.keyLimits: entry = ChaCha20-Poly1305 KeyUpdate 2^37. CHACHA20-POLY1305:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|30|qtp1668784787-48|2024-10-22 13:15:34.771 CDT|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLSv1.2
javax.net.ssl|DEBUG|30|qtp1668784787-48|2024-10-22 13:15:34.771 CDT|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLSv1.2
javax.net.ssl|DEBUG|30|qtp1668784787-48|2024-10-22 13:15:34.771 CDT|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLSv1.2
If the java.security file cannot be modified (permission denied), an alternate properties file can be supplied instead, provided the option security.overridePropertiesFile=true is set within java.security (this is the shipped default). In this example the file is called overwrite.security in the folder C:\Automic\WebInterface and has the following content:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, \
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, \
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, \
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, \
TLS_RSA_WITH_AES_256_GCM_SHA384, \
TLS_RSA_WITH_AES_128_GCM_SHA256, \
TLS_RSA_WITH_AES_256_CBC_SHA256, \
TLS_RSA_WITH_AES_128_CBC_SHA256, \
TLS_RSA_WITH_AES_256_CBC_SHA, \
TLS_RSA_WITH_AES_128_CBC_SHA, \
include jdk.disabled.namedCurves
The AWI start command then looks like this (JVM options such as -Xmx and -D go before -jar, and the jar file name directly follows -jar):
java -Xmx2G -Djava.security.properties=C:\Automic\WebInterface\overwrite.security -jar aa-webui-launcher.jar
Note the single equals sign: with -Djava.security.properties=<file> the entries in the file override the matching keys in java.security and everything else in java.security is kept. With a double equals sign (-Djava.security.properties==<file>) the file replaces java.security completely, which is not wanted here because the rest of the security configuration (providers, keystore settings) would be lost.
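As an added verification step (example code, not part of the AWI product or of this article): the following Java program prints the protocols and cipher suites that the JVM's default SSLContext will enable under the current security properties, so the java.security edit or the overwrite.security file can be checked against the same JVM before the AWI is restarted. The class name CipherCheck and the suites it asserts on are this example's own choices. Its CBC check is deliberately stricter than the list above, so it will also flag the TLS_ECDHE_*_CBC_SHA256/SHA384 suites, which that list does not disable; remove that check if those suites are acceptable in your environment.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example, not AWI code: prints what the JVM will actually enable after the
// jdk.tls.disabledAlgorithms change and exits non-zero if unwanted suites remain.
// Run it with the same JVM and the same -Djava.security.properties= argument as the
// launcher, for example (JDK 11+ single-file source launch; on Java 8 compile with javac first):
//   java -Djava.security.properties=C:\Automic\WebInterface\overwrite.security CipherCheck.java
public class CipherCheck {

    // A few suites from the disabledAlgorithms list above; chosen for this example only.
    private static final String[] MUST_BE_DISABLED = {
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    };

    public static void main(String[] args) throws Exception {
        // Reflects java.security plus any -Djava.security.properties= override file.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // The default SSLContext applies the disabled-algorithms filter, so its default
        // parameters show exactly the protocols and suites a Java server or client gets.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        System.out.println("Enabled protocols: " + Arrays.toString(defaults.getProtocols()));

        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(defaults.getCipherSuites()));
        System.out.println("Enabled cipher suites (" + enabled.size() + "):");
        for (String suite : enabled) {
            System.out.println("  " + suite);
        }

        boolean ok = true;
        // 1. Suites explicitly listed in jdk.tls.disabledAlgorithms must be gone.
        for (String suite : MUST_BE_DISABLED) {
            if (enabled.contains(suite)) {
                System.out.println("STILL ENABLED (listed as disabled): " + suite);
                ok = false;
            }
        }
        // 2. Policy check, stricter than the list above: no static-RSA key exchange
        //    (no forward secrecy) and no CBC suite at all, including the ECDHE CBC SHA-2 ones.
        for (String suite : enabled) {
            if (suite.startsWith("TLS_RSA_WITH_") || suite.contains("_CBC_")) {
                System.out.println("WEAK SUITE STILL ENABLED (policy): " + suite);
                ok = false;
            }
        }
        System.out.println(ok ? "OK: no disallowed cipher suites enabled"
                              : "FAIL: extend jdk.tls.disabledAlgorithms and re-run");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it from the AWI's own JDK (the one the start command uses), because the list is computed from that JDK's java.security and provider set; a different JDK on the same host can give a different result.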
You can see which ciphers are being used for SSL/TLS handshakes in the Windows command line by starting the AWI from the Jetty AWI /bin directory with the JSSE debug option enabled:
java -Djavax.net.debug=ssl:handshake:verbose -jar aa-webui-launcher.jar
The output will show the protocol and cipher suites offered and selected in each handshake. This option is very verbose and writes every handshake to the console, so use it only for troubleshooting and remove it again afterwards.
The ciphers used by the JCP can be limited using a similar method, outlined in the article "JCP log file indicates the use of weak ciphers".