vrk-kpa / xroad-joint-development

Unmaintained repository. Development moved to: https://github.com/nordic-institute/X-Road-development

Bug: Support for TLS1.1 does not actually work - documentation needs to be updated #220

Closed JyrgenSuvalov closed 6 years ago

JyrgenSuvalov commented 6 years ago

Affected components:
- xroad-proxy

Affected documentation:
- ug-sysparams

Estimated delivery:
-

External reference:
- https://jira.ria.ee/browse/XTE-411

Problem

Jetty9 has a list of excluded ciphers which exclude support for SHA1 ciphers, therefore TLS1.1 is not actually supported, even if you configure client-tls-ciphers and client-tls-protocols to use it.

setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");

We could make the exclusion list configurable to allow support for TLS1.1, but it's excluded for a reason, so we should just rather update the documentation and code.

Acceptance criteria
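An added example, not part of the original issue or the X-Road code base: a configuration check that applies the exclusion pattern quoted above to a list of suite names and reports which configured protocols are left with no negotiable suite. The suite list is a constructed sample of standard JSSE names, the function names are hypothetical, and the minimum protocol is inferred from the suite name (SHA-256/SHA-384 and AEAD suites were introduced for TLS 1.2). Python's `re` handles this pattern the same way as Java's regex engine.

```python
import re

# Exclusion pattern quoted in the issue (Jetty 9 setExcludeCipherSuites).
JETTY_EXCLUDE = re.compile(r"^.*_(MD5|SHA|SHA1)$")

# Constructed sample of standard JSSE suite names; not X-Road's configured list.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]

PROTOCOL_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}
TLS12_MARKERS = ("_GCM_", "_CCM", "CHACHA20")


def min_protocol(suite):
    """Lowest protocol that can negotiate the suite, judged by its name.

    SHA-256/SHA-384 MACs and AEAD modes were introduced for TLS 1.2;
    older suites use an MD5 or SHA-1 MAC.
    """
    if suite.endswith(("_SHA256", "_SHA384")) or any(m in suite for m in TLS12_MARKERS):
        return "TLSv1.2"
    return "TLSv1"


def usable_suites(protocol, configured, exclude=JETTY_EXCLUDE):
    """Suites that survive the exclusion and can be used with `protocol`."""
    return [
        s for s in configured
        if not exclude.match(s)
        and PROTOCOL_RANK[min_protocol(s)] <= PROTOCOL_RANK[protocol]
    ]


def dead_protocols(protocols, configured):
    """Configured protocols left with no negotiable suite after exclusion."""
    return [p for p in protocols if not usable_suites(p, configured)]


if __name__ == "__main__":
    for proto in ("TLSv1.1", "TLSv1.2"):
        print(proto, usable_suites(proto, SAMPLE_SUITES))
    print("unusable:", dead_protocols(["TLSv1.1", "TLSv1.2"], SAMPLE_SUITES))
```

Running the same check against the values actually set for client-tls-ciphers and client-tls-protocols shows whether a configured protocol can ever complete a handshake.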

VitaliStupin commented 6 years ago

Fixed in 6.18.0