Configuring Jetty SSL Ciphers
The SSL Ciphers that Jetty is allowed to use is defined in installation.properties located in the {InstallDir}\jetty\base\etc directory.
By default we restrict the ciphers we use to a modern level. However any cipher from the intermediate group can be added to the perc.ssl.includeCiphers entry in installation.properties for Percussion to use.
Modern Ciphers
If you want the least amount of security vulnerabilities, then Percussion recommends using only the modern ciphers and only using the TLSv1.2 protocol. Please not that TLS and SSL ciphers is a constantly changing environment from a security perspective. Supported ciphers and TLS protocols change between Open JDK updates. We defer to the latest OpenJDK documentation on support ciphers in the JRE.
Modern ciphers |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
These ciphers protect against the following vulnerabilities and attacks:
Vulnerabilities and attacks |
Heartbleed (CVE- 2014 - 0160 ) not vulnerable (OK), no heartbeat extension CCS (CVE- 2014 - 0224 ) not vulnerable (OK) Secure Renegotiation (CVE- 2009 - 3555 ) not vulnerable (OK) Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat (Note: In order to prevent this you would need to provide a proxy in front of Percussion such as Apache) CRIME, TLS (CVE- 2012 - 4929 ) not vulnerable (OK) BREACH (CVE- 2013 - 3587 ) no HTTP compression (OK) POODLE, SSL (CVE- 2014 - 3566 ) not vulnerable (OK) TLS_FALLBACK_SCSV (RFC 7507 ), No fallback possible, TLS 1.2 is the only protocol (OK) FREAK (CVE- 2015 - 0204 ) not vulnerable (OK) DROWN ( 2016 - 0800 , CVE- 2016 - 0703 ) not vulnerable (OK) LOGJAM (CVE- 2015 - 4000 ), experimental not vulnerable (OK) BEAST (CVE- 2011 - 3389 ) no SSL3 or TLS1 (OK) RC4 (CVE- 2013 - 2566 , CVE- 2015 - 2808 ) no RC4 ciphers detected (OK) |
These ciphers are compatible with the following browsers:
Compatible browsers | |
Android 2.3 . 7 No connection Android 4.0 . 4 No connection Android 4.1 . 1 No connection Android 4.2 . 2 No connection Android 4.3 No connection Android 4.4 . 2 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Android 5.0 . 0 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Baidu Jan 2015 No connection BingPreview Jan 2015 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Chrome 47 / OSX TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Firefox 31.3 .0ESR / Win7 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Firefox 42 OS X TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 GoogleBot Feb 2015 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 IE 6 XP No connection IE 7 Vista No connection IE 8 XP No connection IE 8 - 10 Win 7 No connection IE 11 Win 7 TLSv1. 2 ECDHE-RSA-AES128-SHA256 IE 11 Win 8.1 TLSv1. 2 ECDHE-RSA-AES128-SHA256 IE 10 Win Phone 8.0 No connection IE 11 Win Phone 8.1 TLSv1. 2 ECDHE-RSA-AES128-SHA256 IE 11 Win Phone 8.1 Update TLSv1. 2 ECDHE-RSA-AES128-SHA256 IE 11 Win 10 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Edge 13 Win 10 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Edge 13 Win Phone 10 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Java 6u45 No connection Java 7u25 No connection Java 8u31 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 OpenSSL 0.9 .8y No connection OpenSSL 1.0 .1l TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 OpenSSL 1.0 .2e TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Safari 5.1 . 9 OS X 10.6 . 8 No connection Safari 6 iOS 6.0 . 1 TLSv1. 2 ECDHE-RSA-AES128-SHA256 Safari 6.0 . 4 OS X 10.8 . 4 No connection Safari 7 iOS 7.1 TLSv1. 2 ECDHE-RSA-AES128-SHA256 Safari 7 OS X 10.9 TLSv1. 2 ECDHE-RSA-AES128-SHA256 Safari 8 iOS 8.4 TLSv1. 2 ECDHE-RSA-AES128-SHA256 Safari 8 OS X 10.10 TLSv1. 2 ECDHE-RSA-AES128-SHA256 Safari 9 iOS 9 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Safari 9 OS X 10.11 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Apple ATS 9 iOS 9 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 |
Intermediate Ciphers
These ciphers are all available ciphers that can be enabled in Percussion. If you find that the modern ciphers do not cover the browser you wish to support, then you can enable the below ciphers as well as the protocols TLSv1.1 and TLSv1.
Intermediate Ciphers |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA |
These ciphers and protocols risk the following vulnerabilities:
Vulnerabilities and attacks |
Heartbleed (CVE- 2014 - 0160 ) not vulnerable (OK), no heartbeat extension CCS (CVE- 2014 - 0224 ) not vulnerable (OK) Secure Renegotiation (CVE- 2009 - 3555 ) not vulnerable (OK) Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat CRIME, TLS (CVE- 2012 - 4929 ) not vulnerable (OK) BREACH (CVE- 2013 - 3587 ) no HTTP compression (OK) POODLE, SSL (CVE- 2014 - 3566 ) not vulnerable (OK) TLS_FALLBACK_SCSV (RFC 7507 ), Downgrade attack prevention NOT supported FREAK (CVE- 2015 - 0204 ) not vulnerable (OK) DROWN ( 2016 - 0800 , CVE- 2016 - 0703 ) not vulnerable (OK) LOGJAM (CVE- 2015 - 4000 ), experimental not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size BEAST (CVE- 2011 - 3389 ) TLS1: AES128-SHA DHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1. 1 RC4 (CVE- 2013 - 2566 , CVE- 2015 - 2808 ) no RC4 ciphers detected (OK) |
This will allow usage of the following browsers:
Compatible Browsers |
Android 2.3 . 7 TLSv1. 0 DHE-RSA-AES128-SHA Android 4.0 . 4 TLSv1. 0 ECDHE-RSA-AES128-SHA Android 4.1 . 1 TLSv1. 0 ECDHE-RSA-AES128-SHA Android 4.2 . 2 TLSv1. 0 ECDHE-RSA-AES128-SHA Android 4.3 TLSv1. 0 ECDHE-RSA-AES128-SHA Android 4.4 . 2 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Android 5.0 . 0 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Baidu Jan 2015 TLSv1. 0 ECDHE-RSA-AES128-SHA BingPreview Jan 2015 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Chrome 47 / OSX TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Firefox 31.3 .0ESR / Win7 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Firefox 42 OS X TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 GoogleBot Feb 2015 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 IE 6 XP No connection IE 7 Vista TLSv1. 0 ECDHE-RSA-AES128-SHA IE 8 XP No connection IE 8 - 10 Win 7 TLSv1. 0 ECDHE-RSA-AES128-SHA IE 11 Win 7 TLSv1. 2 ECDHE-RSA-AES128-SHA256 IE 11 Win 8.1 TLSv1. 2 ECDHE-RSA-AES128-SHA256 IE 10 Win Phone 8.0 TLSv1. 0 ECDHE-RSA-AES128-SHA IE 11 Win Phone 8.1 TLSv1. 2 ECDHE-RSA-AES128-SHA256 IE 11 Win Phone 8.1 Update TLSv1. 2 ECDHE-RSA-AES128-SHA256 IE 11 Win 10 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Edge 13 Win 10 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Edge 13 Win Phone 10 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Java 6u45 No connection Java 7u25 TLSv1. 0 ECDHE-RSA-AES128-SHA Java 8u31 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 OpenSSL 0.9 .8y TLSv1. 0 DHE-RSA-AES128-SHA OpenSSL 1.0 .1l TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 OpenSSL 1.0 .2e TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Safari 5.1 . 9 OS X 10.6 . 8 TLSv1. 0 ECDHE-RSA-AES128-SHA Safari 6 iOS 6.0 . 1 TLSv1. 2 ECDHE-RSA-AES128-SHA256 Safari 6.0 . 4 OS X 10.8 . 4 TLSv1. 0 ECDHE-RSA-AES128-SHA Safari 7 iOS 7.1 TLSv1. 2 ECDHE-RSA-AES128-SHA256 Safari 7 OS X 10.9 TLSv1. 2 ECDHE-RSA-AES128-SHA256 Safari 8 iOS 8.4 TLSv1. 2 ECDHE-RSA-AES128-SHA256 Safari 8 OS X 10.10 TLSv1. 2 ECDHE-RSA-AES128-SHA256 Safari 9 iOS 9 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Safari 9 OS X 10.11 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 Apple ATS 9 iOS 9 TLSv1. 2 ECDHE-RSA-AES128-GCM-SHA256 |
All SSL Ciphers
As of Percussion 5.4, the version of Java we ship is Amazon Corretto: OpenJDK Runtime Environment Corretto-8.232.09.1
This allows the following list of ciphers to be used. This list includes insecure ciphers, the intermediate and modern lists are obtained through this list, but are shortened so that the least secure ciphers are not usable by Percussion.
All available Ciphers |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_DH_anon_WITH_AES_128_GCM_SHA256 TLS_DH_anon_WITH_AES_128_CBC_SHA256 TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_WITH_NULL_SHA256 TLS_ECDHE_ECDSA_WITH_NULL_SHA TLS_ECDHE_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_SHA TLS_ECDH_ECDSA_WITH_NULL_SHA TLS_ECDH_RSA_WITH_NULL_SHA TLS_ECDH_anon_WITH_NULL_SHA SSL_RSA_WITH_NULL_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_SHA TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_DES_CBC_SHA TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 |