ndegoeij

HTTPS without encryption on FirstSpirit server 4.2


At our customer we have a FirstSpirit version 4.2 running with the Jetty engine behind a reverse proxy. From the client to the reverse proxy the traffic is encrypted over HTTPS. Behind this reverse proxy the traffic is redirected to the FirstSpirit server. Since normal HTTP is not accepted, we would like to use HTTPS there as well. However, since the data is now within a closed secure environment and the FirstSpirit server already has almost maximum load, we do not want to use encryption, as this might take too much CPU of the server.

Our question therefore is, is it possible to configure the FirstSpirit server to use the HTTPS traffic channel without encryption?


Accepted Solutions
isenberg

You can configure the available ciphers for the https connector and as the Oracle JDK offers some "null" ciphers, using https without encryption on the Jetty should be possible.

Take a look at the table "Default Enabled Cipher Suites", copy each of them except those containing "NULL_MD5" or "NULL_SHA" in their names, and insert the names into the array of the ExcludeCipherSuites entry in firstspirit4/conf/fs-webapp.xml. Jetty 6.1, which is included in FirstSpirit 4.2, does not allow directly setting the used ciphers, only indirectly via the exclusion list. If your proxy does not allow null encryption, use RC4, as that is the least CPU-consuming cipher from the list.

FirstSpirit 4.2:

http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites

http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html

Sample entry for firstspirit4/conf/fs-webapp.xml; for no encryption, more ciphers must be added to the array:

<Call name="addConnector">
   <Arg>
      <New class="org.mortbay.jetty.security.SslSelectChannelConnector">
         <Set name="port">8443</Set>
         <Set name="maxIdleTime">30000</Set>
         <Set name="Acceptors">1</Set>
         <Set name="statsOn">false</Set>
         <Set name="lowResourcesConnections">1000</Set>
         <Set name="lowResourcesMaxIdleTime">500</Set>
         <Set name="keystore"><SystemProperty name="cmsroot" />/conf/fs-keystore.jks</Set>
         <Set name="password">changeit</Set>
         <Set name="keyPassword">changeit</Set>
         <Set name="ExcludeCipherSuites">
            <Array type="java.lang.String">
               <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
               <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
               <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
               <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
               <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
               <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
            </Array>
         </Set>
      </New>
   </Arg>
</Call>

With FirstSpirit 5.0 and 5.1 the configuration is easy, as with the included Jetty 8.1 the used ciphers can be configured directly:

http://wiki.eclipse.org/Jetty/Howto/CipherSuites

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

Sample entry for firstspirit5/conf/fs-webapp.xml without encryption:

    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                <Arg><Ref id="sslContextFactory"/></Arg>
                <Set name="Port">8443</Set>
                <Set name="maxIdleTime">30000</Set>
                <Set name="Acceptors">2</Set>
                <Set name="AcceptQueueSize">100</Set>
                <Set name="IncludeCipherSuites">
                    <Array type="java.lang.String">
                        <Item>SSL_RSA_WITH_NULL_MD5</Item>
                        <Item>SSL_RSA_WITH_NULL_SHA</Item>
                    </Array>
                </Set>
            </New>
        </Arg>
    </Call>

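An added example, not part of the original thread and not FirstSpirit or Jetty code: a small Python audit that reads a connector entry in the shape shown above and reports which cipher suites it leaves enabled and whether each one encrypts the payload. The sample XML, the `SAMPLE_JVM_DEFAULTS` list and the include-then-exclude model are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input, shaped like the FirstSpirit 5 connector entry above.
FS5_CONNECTOR = """<Call name="addConnector"><Arg>
  <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
    <Set name="Port">8443</Set>
    <Set name="IncludeCipherSuites"><Array type="java.lang.String">
      <Item>SSL_RSA_WITH_NULL_MD5</Item>
      <Item>SSL_RSA_WITH_NULL_SHA</Item>
    </Array></Set>
  </New>
</Arg></Call>"""

# Constructed stand-in for the JVM's default-enabled list (not a real JDK dump).
SAMPLE_JVM_DEFAULTS = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]

def classify(suite):
    """Map a JSSE suite name to the confidentiality it provides."""
    cipher = suite.split("_WITH_", 1)[-1]
    if cipher.startswith("NULL"):
        return "none"   # handshake and MAC only; payload travels in cleartext
    if cipher.startswith(("RC4", "DES_", "DES40")) or "EXPORT" in suite:
        return "weak"
    return "encrypted"

def _suites(connector, set_name):
    for s in connector.findall("Set"):
        if s.get("name") == set_name:
            return [i.text.strip() for i in s.iter("Item") if i.text]
    return []

def audit(xml_text, jvm_defaults=()):
    """Return {port: [(suite, level), ...]} for every SSL connector found."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("New"):
        if "Ssl" not in conn.get("class", ""):
            continue
        # Jetty 6.1 spells the property "port", Jetty 8.1 "Port".
        port = next((s.text for s in conn.findall("Set")
                     if s.get("name", "").lower() == "port"), "?")
        include = _suites(conn, "IncludeCipherSuites")
        exclude = set(_suites(conn, "ExcludeCipherSuites"))
        # Simplified model (assumption): an include list replaces the
        # defaults, then exclusions are subtracted.
        base = include or list(jvm_defaults)
        report[port] = [(s, classify(s)) for s in base if s not in exclude]
    return report
```

Any suite reported with level `none` means the connector authenticates and integrity-protects the traffic but sends the payload in cleartext on that network segment.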
ndegoeij

I have been digging into the Administrator manual and eventually found a parameter ALLOWED_ENCRYPTIONS which can be set to 0 (for no encryption). However, it is not clear to me if setting this parameter answers my above question. If not... above question still stands as is.


Hello,

do you need further help or did Holger's reply already help you? If so, it would be great if you marked his reply as "correct answer" so that other community users find the solution easily. If you have already found a solution by yourself, it would be very kind of you if you posted it here.

Best regards

Michaela
