ActiveMQ / AMQ-3508

SSL and TLS - Support list of included and excluded protocols


    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.6.0
    • Fix Version/s: 5.6.0
    • Component/s: Connector, Transport
    • Environment: JDK7, RHEL5


      On September 19, 2011 an exploit of a vulnerability in SSL 3.0 and TLS
      1.0 (and below) was demonstrated that allows an attacker to decrypt
      communications between 2 parties. The demonstration was against a
      PayPal Authentication cookie, which took 10 minutes to decipher with
      the aid of a packet sniffer and some hostile JavaScript running in the

      While TLS 1.1 and 1.2 are not vulnerable, these versions are not yet
      commonly available in browsers and JVMs. Java 6 currently only
      supports TLS 1.0, while Java 7 supports TLS 1.1 and 1.2. It has not
      yet been announced if a TLS 1.1 provider will be made available for
      Java 6. As of recently, the browser support for TLS can be seen at
      Google Chrome has already announced imminent support for 1.2 and it
      is expected that the other browsers will follow shortly (see

      Jetty, when used with its default configuration of SSL, will use the
      highest common version of TLS available that is shared by the browsers
      and JVM. Thus if Jetty is running on Java 7 today, it will
      automatically use TLS 1.1 or 1.2 if it is available in the browser.
      However there is currently no mechanism to disable protocol versions
      within Jetty (unless they are disabled in the JVM).

      Jetty-7.5.2-SNAPSHOT has now been modified to support lists of
      included and excluded protocols in the configuration of the
      SslContextFactory class used to configure SSL clients and server
      connectors. This will allow TLS 1.0 to be excluded once clients that
      support it are widely deployed. A stable release of 7.5.2 will be
      available next week.

      We strongly recommend that you upgrade your systems (browser and
      JVMs) to support TLS 1.1 or later. For Jetty servers, this currently
      means running on java 7. Until TLS 1.1 is widely available in
      browsers, it is recommended that you evaluate the risks of continuing
      to provide your services over SSL and TLS.

      jetty-announce mailing list
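The mechanism the announcement describes, an include list and an exclude list filtered against the protocols the JVM's provider supports and then applied to the server socket, is shown below as an example added for this page. It is plain JSSE code, not Jetty's SslContextFactory, ActiveMQ's transport code, or the attached patch (whose option names the page does not show); the class and method names, the rule that an empty include list means "everything the provider supports", and the rule that exclude wins over include are this example's own assumptions.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example, not code from ActiveMQ, Jetty or the AMQ-3508 patch.
 * Builds the protocol list to enable from an include list and an exclude
 * list, then applies it to a JSSE server socket. The semantics (empty
 * include = all supported; exclude wins) are assumptions of this example.
 */
public class ProtocolFilter {

    /**
     * Start from what the provider supports, keep only entries named in
     * include (an empty include list keeps everything), then drop anything
     * named in exclude. Exclude is applied last so a deny-list such as
     * {SSLv3, TLSv1} holds regardless of what the include list says.
     */
    public static String[] select(String[] supported, String[] include, String[] exclude) {
        Set<String> includeSet = new LinkedHashSet<String>(Arrays.asList(include));
        Set<String> excludeSet = new LinkedHashSet<String>(Arrays.asList(exclude));
        Set<String> result = new LinkedHashSet<String>();
        for (String p : supported) {
            boolean wanted = includeSet.isEmpty() || includeSet.contains(p);
            if (wanted && !excludeSet.contains(p)) {
                result.add(p);
            }
        }
        return result.toArray(new String[result.size()]);
    }

    public static void main(String[] args) throws Exception {
        // What this JVM's default provider can negotiate. A Java 7 JRE lists
        // TLSv1.1 and TLSv1.2 here; a Java 6 JRE stops at TLSv1.
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        System.out.println("supported: " + Arrays.toString(supported));

        // Policy for the situation in the announcement: refuse SSLv3 and
        // TLSv1 (and the SSLv2Hello pseudo-protocol), allow anything newer.
        String[] exclude = { "SSLv2Hello", "SSLv3", "TLSv1" };
        String[] enabled = select(supported, new String[0], exclude);

        // The failure mode to catch: on a JVM with no TLS 1.1/1.2 provider
        // (Java 6) this policy leaves nothing enabled and every handshake
        // would fail, so refuse to start rather than listen on a dead port.
        if (enabled.length == 0) {
            throw new IllegalStateException(
                "protocol policy leaves no protocol enabled on this JVM; "
                + "run on Java 7 or relax the exclude list");
        }
        System.out.println("enabled:   " + Arrays.toString(enabled));

        // Apply the list to a server socket. The default factory has no key
        // material so this socket cannot complete a handshake; it only shows
        // where the filtered list is applied.
        SSLServerSocket server =
            (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket(0);
        server.setEnabledProtocols(enabled);
        System.out.println("socket:    " + Arrays.toString(server.getEnabledProtocols()));
        server.close();
    }
}
```

Two checks worth keeping in mind when applying this pattern to a broker or client: "supported" and "enabled" are different lists in JSSE, and on Java 7 an SSLSocket client enables only SSLv3 and TLSv1 by default even though TLSv1.1 and TLSv1.2 are supported, so a client side that should speak 1.1 or 1.2 needs the same explicit list as the server; and an empty include list is only safe because the code above applies the exclude list afterwards, so the deny-list should be the one an operator treats as authoritative.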

      1. AMQ-3508.txt (30 kB, Timothy Bish)

        Issue Links

          is blocked by AMQ-3504
          relates to AMQ-3693

        Change history (field: original value -> new value)

          Fengming Lou created issue
          Gary Tully: Fix Version/s -> 5.6.0 [ 12317974 ]
          Timothy Bish: Attachment -> AMQ-3508.txt [ 12498480 ]
          Timothy Bish: Link -> this issue is blocked by AMQ-3504 [ AMQ-3504 ]
          Gary Tully: Assignee -> Gary Tully [ gtully ]
          Timothy Bish: Link -> this issue is related to AMQ-3693 [ AMQ-3693 ]
          Timothy Bish: Status Open [ 1 ] -> Resolved [ 5 ]; Resolution -> Fixed [ 1 ]


            • Assignee: Gary Tully
            • Reporter (created issue): Fengming Lou
            • Votes: 0
            • Watchers: 1
            • Created: