Enable / disable allowed cipher suites in Apache Karaf with Pax (including Jetty)


I am using Apache Karaf to host my web service. I enabled SSL connections through the Karaf client with the commands shown below after startup, since I have multiple servers running the same code but with different certificates and configurations.

Chrome Warning

When I connect to my service over SSL, I get a warning about using obsolete crypto, and found this post explaining how I need to change my server to only use modern crypto algorithms.

  1. Am I able to set required algorithms with Karaf/Pax like setting the SSL configuration below? (preferred)
  2. Or do I need to do custom trust management as described here with Jetty and information from this page to enable/disable cipher suites?

Here is the sample code I am currently using to set up the HTTPS port.

config:edit org.ops4j.pax.web;
config:property-set org.osgi.service.http.enabled false; 
config:property-set org.osgi.service.http.secure.enabled true;
config:property-set org.osgi.service.http.port.secure 9443; 
config:property-set org.ops4j.pax.web.ssl.keystore.type JKS; 
config:property-set org.ops4j.pax.web.ssl.keystore /etc/pki/tls/ks.jks;
config:property-set org.ops4j.pax.web.ssl.password ************;
config:property-set org.ops4j.pax.web.ssl.keypassword *********;
config:property-set org.ops4j.pax.web.ssl.clientauthwanted false;
config:property-set org.ops4j.pax.web.ssl.clientauthneeded false;
config:update;

Thanks!

2

There are 2 answers

8
Achim Nierbeck On BEST ANSWER

With your correct way of configuring the ssl connector you'll end up with a default SSL connector available from Jetty. Now you want to switch to TLS which is great. You don't need a custom trust management, right now the cipher suite can't be configured with a configuration parameter. Please open a new feature request at ops4j for this.

0
Yogesh Chawla On

In the org.ops4j.pax.web.cfg, you can set the following settings for example:

org.ops4j.pax.web.ssl.ciphersuites.included=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
org.ops4j.pax.web.ssl.ciphersuites.excluded=TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

org.ops4j.pax.web.ssl.protocols.included=TLSv1.2

You can also use the technique the OP used in his answer:

config:edit org.ops4j.pax.web;
config:property-set org.ops4j.pax.web.ssl.protocols.included TLSv1.2;
config:update;
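A check a defender can run over the second answer's settings, added here and not part of the question or either answer: it parses the org.ops4j.pax.web.ssl.* keys shown above from a constructed cfg and flags included suites that would still draw a browser's obsolete-crypto warning. The "modern" policy (TLSv1.2 or later, AEAD bulk cipher, ECDHE/DHE key exchange) is an assumption.

```python
# Added example: lint the TLS keys of a Pax Web org.ops4j.pax.web.cfg against a
# "modern crypto" policy (TLSv1.2+, AEAD cipher, ECDHE/DHE key exchange). The policy
# is an assumption mirroring what browsers flag as obsolete; the cfg text is constructed.
import re

# Constructed sample mirroring the second answer's settings (not a real file).
SAMPLE_CFG = """\
org.osgi.service.http.port.secure=9443
org.ops4j.pax.web.ssl.ciphersuites.included=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
org.ops4j.pax.web.ssl.ciphersuites.excluded=TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
org.ops4j.pax.web.ssl.protocols.included=TLSv1.2
"""
PREFIX = "org.ops4j.pax.web.ssl."
OK_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def parse_cfg(text):
    """Return the ssl.* keys as {short_key: [values]}; values are comma-separated lists."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith(PREFIX):
            out[key[len(PREFIX):]] = [v.strip() for v in value.split(",") if v.strip()]
    return out

def suite_issues(suite):
    """Reasons a JSSE-style cipher suite name falls short of the modern policy."""
    issues = []
    if re.search(r"3DES|RC4|_NULL_|EXPORT", suite):
        issues.append("broken/legacy bulk cipher")
    if not re.search(r"_(GCM|CHACHA20_POLY1305|CCM)", suite):
        issues.append("not AEAD (CBC/HMAC construction)")
    if not re.match(r"TLS_(ECDHE|DHE)_", suite):
        issues.append("no forward secrecy (static key exchange)")
    return issues

def lint(text):
    """Map each offending suite or protocol to its reasons; {} means the config passes."""
    cfg = parse_cfg(text)
    findings = {}
    excluded = set(cfg.get("ciphersuites.excluded", []))
    for s in cfg.get("ciphersuites.included", []):
        reasons = suite_issues(s) + (["also in excluded list"] if s in excluded else [])
        if reasons:
            findings[s] = reasons
    for p in cfg.get("protocols.included", []):
        if p not in OK_PROTOCOLS:
            findings[p] = ["protocol below TLSv1.2"]
    return findings
```

Run on the answer's own included list, `lint(SAMPLE_CFG)` flags both suites: they use CBC with HMAC rather than an AEAD mode, and TLS_RSA_WITH_AES_128_CBC_SHA additionally lacks forward secrecy.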