Related Links
Configuring Jetty SSL Ciphers
The SSL Ciphers that Jetty is allowed to use is defined in installation.properties located in the {RHYTHMYX_HOME}\jetty\base\etc directory.
By default we restrict the ciphers we use to a modern level. However any cipher from the intermediate group can be added to the perc.ssl.includeCiphers entry in installation.properties for Rhythmyx to use.
Modern Ciphers
If you want the least amount of security vulnerabilities, then Percussion recommends using only the modern ciphers and only using the TLSv1.2 protocol.
Modern ciphers |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
These ciphers protect against the following vulnerabilities and attacks:
Vulnerabilities and attacks |
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) Secure Renegotiation (CVE-2009-3555) not vulnerable (OK) Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat (Note: In order to prevent this you will need to provide a proxy in front of Rhythmyx such as Apache) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) no HTTP compression (OK) POODLE, SSL (CVE-2014-3566) not vulnerable (OK) TLS_FALLBACK_SCSV (RFC 7507), No fallback possible, TLS 1.2 is the only protocol (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (2016-0800, CVE-2016-0703) not vulnerable (OK) LOGJAM (CVE-2015-4000), experimental not vulnerable (OK) BEAST (CVE-2011-3389) no SSL3 or TLS1 (OK) RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) |
These ciphers are compatible with the following browsers:
Compatible browsers | |
Android 2.3.7 No connection Android 4.0.4 No connection Android 4.1.1 No connection Android 4.2.2 No connection Android 4.3 No connection Android 4.4.2 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Android 5.0.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Baidu Jan 2015 No connection BingPreview Jan 2015 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Chrome 47 / OSX TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Firefox 31.3.0ESR / Win7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Firefox 42 OS X TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 GoogleBot Feb 2015 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 IE 6 XP No connection IE 7 Vista No connection IE 8 XP No connection IE 8-10 Win 7 No connection IE 11 Win 7 TLSv1.2 ECDHE-RSA-AES128-SHA256 IE 11 Win 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA256 IE 10 Win Phone 8.0 No connection IE 11 Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA256 IE 11 Win Phone 8.1 Update TLSv1.2 ECDHE-RSA-AES128-SHA256 IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Edge 13 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Edge 13 Win Phone 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Java 6u45 No connection Java 7u25 No connection Java 8u31 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 OpenSSL 0.9.8y No connection OpenSSL 1.0.1l TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Safari 5.1.9 OS X 10.6.8 No connection Safari 6 iOS 6.0.1 TLSv1.2 ECDHE-RSA-AES128-SHA256 Safari 6.0.4 OS X 10.8.4 No connection Safari 7 iOS 7.1 TLSv1.2 ECDHE-RSA-AES128-SHA256 Safari 7 OS X 10.9 TLSv1.2 ECDHE-RSA-AES128-SHA256 Safari 8 iOS 8.4 TLSv1.2 ECDHE-RSA-AES128-SHA256 Safari 8 OS X 10.10 TLSv1.2 ECDHE-RSA-AES128-SHA256 Safari 9 iOS 9 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Safari 9 OS X 10.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Apple ATS 9 iOS 9 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 |
Intermediate Ciphers
These ciphers are all available ciphers that can be enabled in Rhythmyx. If you find that the modern ciphers do not cover the browser you wish to support, then you can enable the below ciphers as well as the protocols TLSv1.1 and TLSv1.
Intermediate Ciphers |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256TLS_DHE_RSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHATLS_ECDHE_RSA_WITH_AES_128_CBC_SHATLS_DHE_RSA_WITH_AES_128_CBC_SHA256TLS_DHE_RSA_WITH_AES_128_CBC_SHATLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHATLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_CBC_SHA |
These ciphers and protocols risk the following vulnerabilities:
Vulnerabilities and attacks |
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extensionCCS (CVE-2014-0224) not vulnerable (OK)Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threatCRIME, TLS (CVE-2012-4929) not vulnerable (OK)BREACH (CVE-2013-3587) no HTTP compression (OK)POODLE, SSL (CVE-2014-3566) not vulnerable (OK)TLS_FALLBACK_SCSV (RFC 7507), Downgrade attack prevention NOT supportedFREAK (CVE-2015-0204) not vulnerable (OK)DROWN (2016-0800, CVE-2016-0703) not vulnerable (OK)LOGJAM (CVE-2015-4000), experimental not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit sizeBEAST (CVE-2011-3389) TLS1: AES128-SHA DHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) |
This will allow usage of the following browsers:
Compatible Browsers |
Android 2.3.7 TLSv1.0 DHE-RSA-AES128-SHA Android 4.0.4 TLSv1.0 ECDHE-RSA-AES128-SHA Android 4.1.1 TLSv1.0 ECDHE-RSA-AES128-SHA Android 4.2.2 TLSv1.0 ECDHE-RSA-AES128-SHA Android 4.3 TLSv1.0 ECDHE-RSA-AES128-SHA Android 4.4.2 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Android 5.0.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Baidu Jan 2015 TLSv1.0 ECDHE-RSA-AES128-SHA BingPreview Jan 2015 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Chrome 47 / OSX TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Firefox 31.3.0ESR / Win7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Firefox 42 OS X TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 GoogleBot Feb 2015 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 IE 6 XP No connection IE 7 Vista TLSv1.0 ECDHE-RSA-AES128-SHA IE 8 XP No connection IE 8-10 Win 7 TLSv1.0 ECDHE-RSA-AES128-SHA IE 11 Win 7 TLSv1.2 ECDHE-RSA-AES128-SHA256 IE 11 Win 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA256 IE 10 Win Phone 8.0 TLSv1.0 ECDHE-RSA-AES128-SHA IE 11 Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA256 IE 11 Win Phone 8.1 Update TLSv1.2 ECDHE-RSA-AES128-SHA256 IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Edge 13 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Edge 13 Win Phone 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Java 6u45 No connection Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA Java 8u31 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 OpenSSL 0.9.8y TLSv1.0 DHE-RSA-AES128-SHA OpenSSL 1.0.1l TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Safari 5.1.9 OS X 10.6.8 TLSv1.0 ECDHE-RSA-AES128-SHA Safari 6 iOS 6.0.1 TLSv1.2 ECDHE-RSA-AES128-SHA256 Safari 6.0.4 OS X 10.8.4 TLSv1.0 ECDHE-RSA-AES128-SHA Safari 7 iOS 7.1 TLSv1.2 ECDHE-RSA-AES128-SHA256 Safari 7 OS X 10.9 TLSv1.2 ECDHE-RSA-AES128-SHA256 Safari 8 iOS 8.4 TLSv1.2 ECDHE-RSA-AES128-SHA256 Safari 8 OS X 10.10 TLSv1.2 ECDHE-RSA-AES128-SHA256 Safari 9 iOS 9 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Safari 9 OS X 10.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Apple ATS 9 iOS 9 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 |
All SSL Ciphers
As of Rhythmyx Version 7.3.2, and the version of Java we ship with: 1.8.0_66, allows the following list of ciphers to be used. This list includes insecure ciphers, the intermediate and modern lists are obtained through this list, but are shortened so that the least secure ciphers are not usable by Rhythmyx.
All available Ciphers |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_CBC_SHA256TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256TLS_DHE_RSA_WITH_AES_128_CBC_SHA256TLS_DHE_DSS_WITH_AES_128_CBC_SHA256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHATLS_ECDHE_RSA_WITH_AES_128_CBC_SHATLS_RSA_WITH_AES_128_CBC_SHATLS_ECDH_ECDSA_WITH_AES_128_CBC_SHATLS_ECDH_RSA_WITH_AES_128_CBC_SHATLS_DHE_RSA_WITH_AES_128_CBC_SHATLS_DHE_DSS_WITH_AES_128_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_128_GCM_SHA256TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256TLS_DHE_RSA_WITH_AES_128_GCM_SHA256TLS_DHE_DSS_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHATLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHASSL_RSA_WITH_3DES_EDE_CBC_SHATLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHATLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHASSL_DHE_RSA_WITH_3DES_EDE_CBC_SHASSL_DHE_DSS_WITH_3DES_EDE_CBC_SHATLS_EMPTY_RENEGOTIATION_INFO_SCSVTLS_DH_anon_WITH_AES_128_GCM_SHA256TLS_DH_anon_WITH_AES_128_CBC_SHA256TLS_ECDH_anon_WITH_AES_128_CBC_SHATLS_DH_anon_WITH_AES_128_CBC_SHATLS_ECDH_anon_WITH_3DES_EDE_CBC_SHASSL_DH_anon_WITH_3DES_EDE_CBC_SHASSL_RSA_WITH_DES_CBC_SHASSL_DHE_RSA_WITH_DES_CBC_SHASSL_DHE_DSS_WITH_DES_CBC_SHASSL_DH_anon_WITH_DES_CBC_SHASSL_RSA_EXPORT_WITH_DES40_CBC_SHASSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHASSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHASSL_DH_anon_EXPORT_WITH_DES40_CBC_SHATLS_RSA_WITH_NULL_SHA256TLS_ECDHE_ECDSA_WITH_NULL_SHATLS_ECDHE_RSA_WITH_NULL_SHASSL_RSA_WITH_NULL_SHATLS_ECDH_ECDSA_WITH_NULL_SHATLS_ECDH_RSA_WITH_NULL_SHATLS_ECDH_anon_WITH_NULL_SHASSL_RSA_WITH_NULL_MD5TLS_KRB5_WITH_3DES_EDE_CBC_SHATLS_KRB5_WITH_3DES_EDE_CBC_MD5TLS_KRB5_WITH_DES_CBC_SHATLS_KRB5_WITH_DES_CBC_MD5TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHATLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 |