Bingo, solved it
```java
import java.util.Arrays;

import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.util.ssl.SslContextFactory;
// openHAB 2.x / Eclipse SmartHome package assumed; the package name differs in openHAB 3
import org.eclipse.smarthome.io.net.http.HttpClientFactory;
import org.osgi.service.component.annotations.Reference;

// Method inside the binding's handler/service class; `logger` and `httpClient` are its fields.
@Reference
protected void setHttpClientFactory(HttpClientFactory httpClientFactory) {
    try {
        // this.httpClient = httpClientFactory.getCommonHttpClient();
        SslContextFactory ssl = new SslContextFactory();
        // ssl.setIncludeCipherSuites("^TLS_RSA_.*$");
        // Jetty excludes "^TLS_RSA_.*$" by default; drop only that pattern and keep the other
        // default exclusions (MD5/SHA1 MACs, SSL_* suites, NULL and anonymous suites) in place.
        String[] excludedCiphersWithoutTlsRsaExclusion = Arrays.stream(ssl.getExcludeCipherSuites())
                .filter(cipher -> !cipher.equals("^TLS_RSA_.*$"))
                .toArray(String[]::new);
        ssl.setExcludeCipherSuites(excludedCiphersWithoutTlsRsaExclusion);
        this.httpClient = new HttpClient(ssl);
        this.httpClient.start();
    } catch (Exception e) {
        logger.warn("Unable to start HttpClient!", e);
    }
}
```
The outcome looks good to me:
+? HttpClientTransportOverHTTP@412440c1{STOPPED} - STOPPED
+? SslContextFactory@42ac309[provider=null,keyStore=null,trustStore=null] - STOPPED
| +> trustAll=false
| +> Protocol Selections
| | +> Enabled size=3
| | | +> TLSv1
| | | +> TLSv1.1
| | | +> TLSv1.2
| | +> Disabled size=2
| | +> SSLv2Hello - ConfigExcluded:'SSLv2Hello'
| | +> SSLv3 - ConfigExcluded:'SSLv3' JVM:disabled
| +> Cipher Suite Selections
| +> Enabled size=15
| | +> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
| | +> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
| | +> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| | +> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| | +> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| | +> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| | +> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| | +> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| | +> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| | +> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
| | +> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
| | +> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
| | +> TLS_EMPTY_RENEGOTIATION_INFO_SCSV
| | +> TLS_RSA_WITH_AES_128_CBC_SHA256
| | +> TLS_RSA_WITH_AES_128_GCM_SHA256
| +> Disabled size=42
| +> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$' JVM:disabled
| +> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$'
| +> SSL_DHE_DSS_WITH_DES_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$' JVM:disabled
| +> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$' JVM:disabled
| +> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$'
| +> SSL_DHE_RSA_WITH_DES_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$' JVM:disabled
| +> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$', ConfigExcluded:'^.*_anon_.*$' JVM:disabled
| +> SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$', ConfigExcluded:'^.*_anon_.*$' JVM:disabled
| +> SSL_DH_anon_WITH_DES_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$', ConfigExcluded:'^.*_anon_.*$' JVM:disabled
| +> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$' JVM:disabled
| +> SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$'
| +> SSL_RSA_WITH_DES_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$' JVM:disabled
| +> SSL_RSA_WITH_NULL_MD5 - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$', ConfigExcluded:'^.*_NULL_.*$' JVM:disabled
| +> SSL_RSA_WITH_NULL_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^SSL_.*$', ConfigExcluded:'^.*_NULL_.*$' JVM:disabled
| +> TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| +> TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| +> TLS_DH_anon_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^.*_anon_.*$' JVM:disabled
| +> TLS_DH_anon_WITH_AES_128_CBC_SHA256 - ConfigExcluded:'^.*_anon_.*$' JVM:disabled
| +> TLS_DH_anon_WITH_AES_128_GCM_SHA256 - ConfigExcluded:'^.*_anon_.*$' JVM:disabled
| +> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| +> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| +> TLS_ECDHE_ECDSA_WITH_NULL_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^.*_NULL_.*$' JVM:disabled
| +> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| +> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| +> TLS_ECDHE_RSA_WITH_NULL_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^.*_NULL_.*$' JVM:disabled
| +> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| +> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| +> TLS_ECDH_ECDSA_WITH_NULL_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^.*_NULL_.*$' JVM:disabled
| +> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| +> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| +> TLS_ECDH_RSA_WITH_NULL_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^.*_NULL_.*$' JVM:disabled
| +> TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^.*_anon_.*$' JVM:disabled
| +> TLS_ECDH_anon_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^.*_anon_.*$' JVM:disabled
| +> TLS_ECDH_anon_WITH_NULL_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigExcluded:'^.*_NULL_.*$', ConfigExcluded:'^.*_anon_.*$' JVM:disabled
| +> TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$' JVM:disabled
| +> TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$' JVM:disabled
| +> TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$' JVM:disabled
| +> TLS_KRB5_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$' JVM:disabled
| +> TLS_KRB5_WITH_DES_CBC_MD5 - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$' JVM:disabled
| +> TLS_KRB5_WITH_DES_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$' JVM:disabled
| +> TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| +> TLS_RSA_WITH_NULL_SHA256 - ConfigExcluded:'^.*_NULL_.*$' JVM:disabled
+- org.eclipse.jetty.client.ProtocolHandlers@4b4228cf
| +> java.util.LinkedHashMap@0{size=0}
+- org.eclipse.jetty.client.HttpClient$ContentDecoderFactorySet@7d216ee8(size=0)
+> requestListeners size=0
key: +- bean, += managed, +~ unmanaged, +? auto, +: iterable, +] array, +@ map, +> undefined
TLS_RSA_WITH_AES_128_CBC_SHA256 is not perfect, but would do the job.
The preferred solution would be to pass the SslContextFactory to the https session creation, so I could decide on a per-host level whether I need to “downgrade” the ciphers or not. The binding will talk to 3 different servers; only one has the problem, interestingly the one which provides the token for privileged control functions. Is that possible?
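The per-host split asked about above can be done inside the binding without any change to the framework: keep one Jetty client with Jetty's default exclusions and a second client whose only difference is the removed `^TLS_RSA_.*$` pattern, and route requests by host. The code below is an added example, not the poster's code and not openHAB's or Jetty's own; it assumes Jetty 9.4 (`SslContextFactory.Client`, `HttpClient.GET(URI)`), and the host name `legacy-token-server.example` is a hypothetical placeholder for the one server that still needs RSA key exchange. Certificate validation and host-name verification stay on for both clients, so the relaxed client only gives up forward secrecy, and only for that one host.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;

import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Two Jetty clients: strict defaults for most hosts, TLS_RSA_* allowed for one legacy host. */
public class PerHostTlsClients {

    // Pattern Jetty 9.4 excludes by default; it matches the non-forward-secret RSA key exchange suites.
    static final String TLS_RSA_EXCLUSION = "^TLS_RSA_.*$";

    // Hypothetical placeholder host (assumption): the only server allowed to use TLS_RSA_* suites.
    static final Set<String> LEGACY_HOSTS = Collections.singleton("legacy-token-server.example");

    private final HttpClient strictClient;
    private final HttpClient relaxedClient;

    public PerHostTlsClients() throws Exception {
        strictClient = new HttpClient(strictFactory());
        relaxedClient = new HttpClient(relaxedFactory());
        strictClient.start();
        relaxedClient.start();
    }

    /** Jetty's defaults, with host-name verification switched on explicitly. */
    static SslContextFactory.Client strictFactory() {
        SslContextFactory.Client ssl = new SslContextFactory.Client();
        ssl.setEndpointIdentificationAlgorithm("HTTPS");
        return ssl;
    }

    /** Same as strictFactory(), minus the single exclusion pattern that blocks TLS_RSA_* suites. */
    static SslContextFactory.Client relaxedFactory() {
        SslContextFactory.Client ssl = strictFactory();
        String[] withoutRsaExclusion = Arrays.stream(ssl.getExcludeCipherSuites())
                .filter(pattern -> !pattern.equals(TLS_RSA_EXCLUSION))
                .toArray(String[]::new);
        ssl.setExcludeCipherSuites(withoutRsaExclusion);
        return ssl;
    }

    /** Route by host: only the legacy host ever sees the relaxed cipher configuration. */
    HttpClient clientFor(URI uri) {
        return LEGACY_HOSTS.contains(uri.getHost()) ? relaxedClient : strictClient;
    }

    public ContentResponse get(String url) throws Exception {
        URI uri = URI.create(url);
        return clientFor(uri).GET(uri);
    }

    public void stop() throws Exception {
        relaxedClient.stop();
        strictClient.stop();
    }

    public static void main(String[] args) throws Exception {
        // Show which exclusion patterns each factory carries; the relaxed one lacks ^TLS_RSA_.*$
        System.out.println("strict : " + Arrays.toString(strictFactory().getExcludeCipherSuites()));
        System.out.println("relaxed: " + Arrays.toString(relaxedFactory().getExcludeCipherSuites()));

        PerHostTlsClients clients = new PerHostTlsClients();
        try {
            System.out.println("token host -> relaxed client: "
                    + (clients.clientFor(URI.create("https://legacy-token-server.example/token")) == clients.relaxedClient));
            System.out.println("other host -> strict client : "
                    + (clients.clientFor(URI.create("https://other.example/status")) == clients.strictClient));
        } finally {
            clients.stop();
        }
    }
}
```

Because the routing key is the host name from the URI, a later fix on the legacy server only requires removing it from `LEGACY_HOSTS`; nothing else in the binding changes. Stopping both clients in a `deactivate` method matters as well, since each `HttpClient` owns its own thread pool.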