Jetty TLS 1.3 CipherSuites

[jonah-iden]

The generated intermediate Jetty SSL Configuration does not work with TLS1.3 because it specifies IncludeCipherSuites without specifing any TLS1.3 compatible ones as defined in RFC 8446. This of course would lead to a failed SSL Handshake with the Jetty server if only TLS1.3 was supported and leads to a downgrade to TLS1.2 otherwise.

[mkjor]

I ran into the same problem. The two Cipher Suites TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 should be added for TLSv1.3.

• OpenJDK issue for Java 11 (section 5)
• OpenJDK issue for Java 8 backport (section 5)

[janbrasna]

@jonah-iden @mkjor Thanks for catching this! Could you please try the configs from preview build: https://deploy-preview-24--mozsslconf-dev.netlify.app/#server=jetty that add the three default TLSv1.3 cipher suites to the top of the list for intermediate and old if that's all what is needed? (modern is left out for defaults…)

[jonah-iden]

On a first glance this looks good to me, but i sadly don't have a Jetty setup anymore i could test this with

[janbrasna]

Thanks, I was mostly concerned about including TLS_CHACHA20_POLY1305_SHA256 that gained support later for RFC compatibility JDK-8140466 — but the same would apply for already used TLSv1.2 ciphers so I assume if these were okay, probably just an extra comment mentioning 11.0.3 support would suffice. Thanks again for helping out making the configs right!