@@ -57,7 +57,8 @@ public class Server extends Thread {
5757 new java .util .ArrayList <InetSocketAddress >();
5858
5959 private HttpServlet servlet ;
60-
60+ private Double tlsVersion = 1.0 ;
61+
6162
6263 //**************************************************************************
6364 //** Constructor
@@ -105,6 +106,25 @@ public Server(java.util.List<InetSocketAddress> addresses, int numThreads, HttpS
105106 }
106107
107108
109+ //**************************************************************************
110+ //** setMinTLSVersion
111+ //**************************************************************************
112+ /** By default, the server is configured to support TLS 1.0, 1.1, and 1.2.
113+ * You can disable older ciphers by specifying a minimum TLS version (e.g. 1.2),
114+ */
115+ public void setMinTLSVersion (Double tlsVersion ){
116+ if (tlsVersion ==null ) this .tlsVersion = null ;
117+ else {
118+ if (tlsVersion >=1.0 && tlsVersion <=1.2 ){
119+ this .tlsVersion = tlsVersion ;
120+ }
121+ else {
122+ this .tlsVersion = null ;
123+ }
124+ }
125+ }
126+
127+
10
10000
8128 //**************************************************************************
109129 //** Main
110130 //**************************************************************************
@@ -216,15 +236,38 @@ public void run() {
216236 javax .net .ssl .SSLContext sslContext = servlet .getSSLContext ();
217237 if (sslContext !=null ){
218238 SslContextFactory sslContextFactory = new SslContextFactory ();
219- sslContextFactory .setExcludeCipherSuites ( //For TLSv1 and TLSv1.1
220- "SSL_RSA_WITH_DES_CBC_SHA" ,
221- "SSL_DHE_RSA_WITH_DES_CBC_SHA" ,
222- "SSL_DHE_DSS_WITH_DES_CBC_SHA" ,
223- "SSL_RSA_EXPORT_WITH_RC4_40_MD5" ,
224- "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA" ,
225- "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" ,
226- "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
227- );
239+
240+ if (tlsVersion !=null ){
241+ /*
242+ if (tlsVersion==1.2){
243+
244+ sslContextFactory.setIncludeProtocols("TLSv1.2");
245+ sslContextFactory.setIncludeCipherSuites(
246+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
247+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
248+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
249+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
250+ );
251+ }
252+ */
253+ if (tlsVersion <1.2 ){
254+
255+ //sslContextFactory.setIncludeProtocols("TLSv1","TLSv1.1");
256+ sslContextFactory .setExcludeCipherSuites ( //For TLSv1 and TLSv1.1
257+ "SSL_RSA_WITH_DES_CBC_SHA" ,
258+ "SSL_DHE_RSA_WITH_DES_CBC_SHA" ,
259+ "SSL_DHE_DSS_WITH_DES_CBC_SHA" ,
260+ "SSL_RSA_EXPORT_WITH_RC4_40_MD5" ,
261+ "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA" ,
262+ "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" ,
263+ "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
264+ );
265+ }
266+ }
267+ else {
268+ //tlsVersion unspecified, use Jetty defaults...
269+ }
270+
228271 sslContextFactory .setSslContext (sslContext );
229272 _SslConnectionFactory ssl = new _SslConnectionFactory (sslContextFactory , HttpVersion .HTTP_1_1 .asString ());
230273 HttpConfiguration httpsConfig = new HttpConfiguration (httpConfig );
@@ -393,6 +436,15 @@ public _SslConnectionFactory(@Name("sslContextFactory") final SslContextFactory
393436 super .doStart ();
394437 final SSLEngine engine = this ._sslContextFactory .newSSLEngine ();
395438 engine .setUseClientMode (false );
439+
440+
441+ /*
442+ for (String protocol : engine.getEnabledProtocols()) System.out.println("- " + protocol);
443+ for (String protocol : engine.getSupportedProtocols()) System.out.println(protocol);
444+ for (String cipher : engine.getEnabledCipherSuites()) System.out.println(cipher);
445+ String supportedCiphers[] = engine.getSupportedCipherSuites();
446+ */
447+
396448 final SSLSession session = engine .getSession ();
397449 if (session .getPacketBufferSize () > this .getInputBufferSize ()) this .setInputBufferSize (session .getPacketBufferSize ());
398450 }
0 commit comments