
HTTPS without encryption on FirstSpirit server 4.2

Comments

1 comment

  • Zendesk API User
    Author: isenberg - 12/4/2013 9:46

    You can configure the available ciphers for the https connector, and as the Oracle JDK offers some "null" ciphers, using https without encryption on Jetty should be possible.

    Take a look at the table "Default Enabled Cipher Suites", copy each of them, except those containing "NULL_MD5" or "NULL_SHA" in their names, and insert the names into the array of the ExcludeCipherSuites entry in firstspirit4/conf/fs-webapp.xml. Jetty 6.1, which is included in FirstSpirit 4.2, does not allow directly setting the used ciphers, only indirectly via the exclusion list. If your proxy does not allow null encryption, use RC4, as that is the least CPU-consuming cipher from the list.

    FirstSpirit 4.2:

    http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites

    http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html

    Sample entry for firstspirit4/conf/fs-webapp.xml; for no encryption, more ciphers must be added to the array:

    <Call name="addConnector">
       <Arg>
          <New class="org.mortbay.jetty.security.SslSelectChannelConnector">
            <Set name="port">8443</Set>
            <Set name="maxIdleTime">30000</Set>
            <Set name="Acceptors">1</Set>
            <Set name="statsOn">false</Set>
            <Set name="lowResourcesConnections">1000</Set>
            <Set name="lowResourcesMaxIdleTime">500</Set>
            <Set name="keystore"><SystemProperty name="cmsroot" />/conf/fs-keystore.jks</Set>
            <Set name="password">changeit</Set>
            <Set name="keyPassword">changeit</Set>
            <Set name="ExcludeCipherSuites">
               <Array type="java.lang.String">
                  <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
                  <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
                  <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
                  <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
                  <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
                  <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
               </Array>
            </Set>
         </New>
       </Arg>
    </Call>

    With FirstSpirit 5.0 and 5.1 the configuration is easy, as with the included Jetty 8.1 the ciphers used can be configured directly:

    http://wiki.eclipse.org/Jetty/Howto/CipherSuites

    http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

    Sample entry for firstspirit5/conf/fs-webapp.xml without encryption:

    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                <Arg><Ref id="sslContextFactory"/></Arg>
                <Set name="Port">8443</Set>
                <Set name="maxIdleTime">30000</Set>
                <Set name="Acceptors">2</Set>
                <Set name="AcceptQueueSize">100</Set>
                <Set name="IncludeCipherSuites">
                    <Array type="java.lang.String">
                        <Item>SSL_RSA_WITH_NULL_MD5</Item>
                        <Item>SSL_RSA_WITH_NULL_SHA</Item>
                    </Array>
                </Set>
            </New>
        </Arg>
    </Call>

    0
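An added example, not part of the comment above and not FirstSpirit or Jetty code: a small audit that reads a Jetty connector definition like the ones shown and reports every suite it would offer that carries no encryption (NULL) or uses RC4. The names `classify`, `audit` and `jvm_suites` are hypothetical, and the sample XML is constructed from the Jetty 8.1 entry; for an exclusion-only connector the caller must pass the JVM's suite list, which the script does not query.

```python
import xml.etree.ElementTree as ET

# Constructed input: the Jetty 8.1 connector from the comment, cut down to
# the settings that matter for the check.
SAMPLE = """<Configure>
 <Call name="addConnector"><Arg>
  <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
   <Set name="Port">8443</Set>
   <Set name="IncludeCipherSuites"><Array type="java.lang.String">
     <Item>SSL_RSA_WITH_NULL_MD5</Item>
     <Item>SSL_RSA_WITH_NULL_SHA</Item>
   </Array></Set>
  </New>
 </Arg></Call>
</Configure>"""


def classify(suite):
    """Judge a JSSE cipher suite name by its bulk cipher."""
    if "_WITH_NULL_" in suite:
        return "no-encryption"
    if "_WITH_RC4_" in suite:
        return "weak-rc4"
    return "ok"


def audit(xml_text, jvm_suites=()):
    """Return (port, suite, verdict) for every flagged suite a connector offers.

    Offered = IncludeCipherSuites (or jvm_suites when there is no include
    list) minus ExcludeCipherSuites. jvm_suites is caller-supplied.
    """
    findings = []
    for conn in ET.fromstring(xml_text).iter("New"):
        if not conn.get("class", "").endswith("SslSelectChannelConnector"):
            continue
        # Jetty XML setter names differ in case between the two samples.
        sets = {s.get("name", "").lower(): s for s in conn.findall("Set")}

        def items(key):
            node = sets.get(key)
            return [] if node is None else [i.text.strip() for i in node.iter("Item") if i.text]

        port = (sets["port"].text or "?").strip() if "port" in sets else "?"
        excluded = set(items("excludeciphersuites"))
        offered = items("includeciphersuites") or list(jvm_suites)
        findings += [(port, s, classify(s)) for s in offered
                     if s not in excluded and classify(s) != "ok"]
    return findings
```

Calling `audit(SAMPLE)` reports both NULL suites on port 8443; an empty result means no NULL or RC4 suite is offered by any SSL connector in the file.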
