SSL Cipher Suites

The cipher suites used by Jetty SSL are provided by the JVM: http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider.

The ciphers are used in preference order. If a vulnerability is discovered in a cipher (or if it is considered too weak to use), it is possible to exclude it without the need to update the JVM in jetty.xml:

<Call name="addConnector">
    <Arg>
      <New class="org.mortbay.jetty.security.SslSocketConnector">
        <Set name="Port">8443</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="keystore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
        <Set name="password">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
        <Set name="keyPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
        <Set name="truststore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
        <Set name="trustPassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
      <!--you can disable cipher suites in the following section. Only supported cipher suites should be listed in this section. -->
        <Set name="ExcludeCipherSuites">
          <Array type="java.lang.String">
            <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>