This Jetty doc page explains how to configure SSL for Jetty. But that is not enough: you would also want to disallow weaker ciphers in Jetty, which the doc page does not cover, and this article explains how to do it. Remember that the names "ExcludeCipherSuites" expects are Java cipher suite names, not OpenSSL cipher names.
Thursday, May 01, 2008
Configuring SSL with Jetty
SSL Testing
Here is a very good OWASP wiki page on testing SSL. I would like to add my 2 cents to it:
- You need nmap for the port scan. On Windows you need to install the Windows packet capture library before installing nmap. To run nmap on Windows Vista, you need to run it with elevated privileges: open an elevated command prompt by right-clicking the command prompt link and choosing "Run as administrator".
- Download Nessus and install the SSL plugins for Nessus; you need the plugins with IDs 21643 and 10863.
SSL setup using Apache
Download the stable version of Apache 2.2 from the Apache download site.
Install Apache with SSL (VERSION and PREFIX are placeholders for the version you downloaded and the install directory):
- gzip -dc httpd-VERSION.tar.gz | tar xvf -
- cd httpd-VERSION
- ./configure --prefix=PREFIX --enable-ssl --enable-setenvif
- make
- make install
Copy the certificate (server.crt) and private key (server.key) files into this directory.
Secure the private key by changing the permissions:
> cd
> chmod 400 server.crt server.key
Minimal configuration for SSL in httpd.conf:
# Enable SSL
SSLEngine On
# Path to the server certificate
SSLCertificateFile
# Path to the server private key
SSLCertificateKeyFile
# Change the server binding to listen on 443
Listen myserver.mydomain.com:443
Securing the SSL setup: httpd.conf changes
# SSLv2 is flawed, disallow its use
SSLProtocol All -SSLv2
# Disallow the situation where, although the server supports high-grade encryption, the client negotiates a low-grade (e.g., 40-bit) cipher suite, which offers little protection:
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
# Enforce a strict SSL access policy
SSLOptions +StrictRequire
# Allow access only through SSL: redirect the plain HTTP virtual host to HTTPS
<VirtualHost>
RedirectPermanent / https://my.mchek.com/
</VirtualHost>
Additional configuration:
SSLMutex file:
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shm
SSLSessionCacheTimeout 600
SSLVerifyClient none
SSLProxyEngine off
<Directory />
SSLRequireSSL
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
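To verify that an httpd.conf actually carries the hardening directives above, here is a small checker written for this post (it is not Apache's code and not part of the original article). It parses the SSL directives out of a config fragment and reports anything that falls short of the checklist; it goes one step beyond the post by also flagging SSLv3, which has since been retired alongside SSLv2, so the post's own configuration produces exactly that one finding. The two config fragments are constructed samples.

```python
# Constructed sample: the SSL directives exactly as the post gives them.
POST_CONF = """
# SSLv2 is flawed, disallow its use
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLOptions +StrictRequire
<Directory />
SSLRequireSSL
</Directory>
"""
# Constructed sample: a permissive config that accepts SSLv2 and export suites.
WEAK_CONF = """
SSLProtocol All
SSLCipherSuite ALL:+HIGH:+MEDIUM:+LOW:+EXP
"""
# OpenSSL cipher-list keywords that should only ever appear negated ("!LOW").
WEAK_TOKENS = {"low", "exp", "export", "null", "enull", "anull", "adh", "aecdh", "rc4", "des"}

def parse_directives(conf):
    """Map lowercased directive name -> value; comments and <Section> tags are skipped."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip()
    return directives

def audit_ssl(conf):
    """Return the list of findings; an empty list means the checklist passes."""
    d = parse_directives(conf)
    findings = []
    # Apache's default SSLProtocol is "all", which on 2.2 includes SSLv2.
    proto = d.get("sslprotocol", "all").lower().split()
    for old in ("SSLv2", "SSLv3"):
        key = old.lower()
        enabled = any(t in ("all", "+all", key, "+" + key) for t in proto)
        if enabled and "-" + key not in proto:
            findings.append(f"SSLProtocol still allows {old}")
    ciphers = d.get("sslciphersuite", "DEFAULT").split(":")
    if not any(c.lower() == "!anull" for c in ciphers):
        findings.append("SSLCipherSuite does not exclude anonymous (aNULL) suites")
    for tok in ciphers:
        if tok.lstrip("+").lower() in WEAK_TOKENS and not tok.startswith("!"):
            findings.append(f"SSLCipherSuite permits weak keyword {tok}")
    if "+strictrequire" not in d.get("ssloptions", "").lower().split():
        findings.append("SSLOptions lacks +StrictRequire")
    if "sslrequiressl" not in d:
        findings.append("no SSLRequireSSL directive; plain HTTP is still served")
    return findings
```

Run `audit_ssl` over your own httpd.conf contents; the checker only looks at the last value of each directive, so per-VirtualHost overrides need to be fed to it separately.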
For more detailed installation instructions and explanations, this is a good article.
Saturday, August 18, 2007
javax.net.ssl.SSLHandshakeException
If you see the following exception while accessing an HTTPS URL from Java code:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
Then most likely the URL you are accessing does not have a certificate signed by a trusted CA, and you need to install this certificate manually. Use keytool to import the certificate into a keystore (let's name it mykeystore and put it in the /etc/keystores directory), and then start your Java application with the following parameter: -Djavax.net.ssl.trustStore=/etc/keystores/mykeystore