[security] Disable insecure SSL/TLS options

adamretter · adamretter · commit f2b7cc97414f · 2021-05-15T23:15:12.000+02:00
diff --git a/exist-jetty-config/src/main/resources/org/exist/jetty/etc/jetty-ssl-context.xml b/exist-jetty-config/src/main/resources/org/exist/jetty/etc/jetty-ssl-context.xml
@@ -30,7 +30,37 @@
   <Set name="RenegotiationAllowed"><Property name="jetty.sslContext.renegotiationAllowed" default="true"/></Set>
   <Set name="RenegotiationLimit"><Property name="jetty.sslContext.renegotiationLimit" default="5"/></Set>
   <Set name="SniRequired"><Property name="jetty.sslContext.sniRequired" default="false"/></Set>
- 
+
+  <!-- Eliminate Old / Insecure / Anonymous Ciphers -->
+  <Call name="addExcludeCipherSuites">
+    <Arg>
+      <Array type="String">
+        <Item>.*NULL.*</Item>
+        <Item>.*RC4.*</Item>
+        <Item>.*MD5.*</Item>
+        <Item>.*DES.*</Item>
+        <Item>.*DSS.*</Item>
+      </Array>
+    </Arg>
+  </Call>
+
+  <!-- Eliminate Insecure Protocols
+  Since 2014 SSLv3 is considered insecure and should be disabled.
+  -->
+  <Call name="addExcludeProtocols">
+    <Arg>
+      <Array type="java.lang.String">
+        <Item>SSL</Item>
+        <Item>SSLv2</Item>
+        <Item>SSLv2Hello</Item>
+        <Item>SSLv3</Item>
+      </Array>
+    </Arg>
+  </Call>
+
+  <!--  TLS renegotiation is disabled too to prevent an attack based on this feature. -->
+  <Set name="renegotiationAllowed">FALSE</Set>
+
   <!-- Example of how to configure a PKIX Certificate Path revocation Checker
   <Call id="pkixPreferCrls" class="java.security.cert.PKIXRevocationChecker$Option" name="valueOf"><Arg>PREFER_CRLS</Arg></Call>
   <Call id="pkixSoftFail" class="java.security.cert.PKIXRevocationChecker$Option" name="valueOf"><Arg>SOFT_FAIL</Arg></Call>
