diff --git a/jetty-documentation/src/main/asciidoc/operations-guide/protocols/protocols-ssl.adoc b/jetty-documentation/src/main/asciidoc/operations-guide/protocols/protocols-ssl.adoc index 7f29ed4911b8..ad49ba0762d1 100644 --- a/jetty-documentation/src/main/asciidoc/operations-guide/protocols/protocols-ssl.adoc +++ b/jetty-documentation/src/main/asciidoc/operations-guide/protocols/protocols-ssl.adoc @@ -34,6 +34,7 @@ If you enable _both_ the `https` and the `http2` module, you will have a single TIP: Recall from the xref:og-modules[section about modules], that only modules that are explicitly enabled get their module configuration file (`+*.ini+`) saved in `$JETTY_BASE/start.d/`, and you want `$JETTY_BASE/start.d/ssl.ini` to be present so that you can configure the connector properties, the KeyStore properties and the TLS properties. +[[og-protocols-ssl-customize]] ===== Customizing KeyStore and TLS Configuration Secure protocols have a slightly more complicated configuration since they require to configure a _KeyStore_. @@ -77,6 +78,7 @@ Refer to the link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html[SslC CAUTION: Use module properties whenever possible, and only resort to use a Jetty XML file for advanced configuration that you cannot do using module properties. +[[og-protocols-ssl-customize-versions]] ====== Customizing TLS Protocol Versions By default, the SSL protocols (SSL, SSLv2, SSLv3, etc.) are already excluded because they are vulnerable. @@ -102,6 +104,7 @@ To explicitly add the exclusion of TLSv1.0 and TLSv1.1 (that are also vulnerable ---- +[[og-protocols-ssl-customize-ciphers]] ====== Customizing TLS Ciphers You can precisely set the list of excluded ciphers, completely overriding Jetty's default, with this XML: 
@@ -161,6 +164,7 @@ $ java -jar $JETTY_HOME/start.jar --add-module=ssl-reload For more information about the configuration of the `ssl-reload` Jetty module, see xref:og-module-ssl-reload[this section]. +[[og-protocols-ssl-conscrypt]] ===== Using Conscrypt as TLS Provider By default, the standard TLS provider that comes with the JDK is used. @@ -177,6 +181,7 @@ To use Conscrypt as the TLS provider just enable the `conscrypt` Jetty module: $ java -jar $JETTY_HOME/start.jar --add-module=conscrypt ---- +[[og-protocols-ssl-sni]] ===== Configuring SNI Server Name Indication (SNI) is a TLS extension that clients send to indicate what domain they want to connect to during the initial TLS handshake.
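Review bot: In the hunk at `@@ -34,6 +34,7 @@`, the new `[[og-protocols-ssl-customize]]` anchor (and likewise the four IDs added in the later hunks) is not referenced by any `xref:` in this patch, so the reader of the change cannot tell whether these are link targets for another page or just stable IDs for future use; either include the referring `xref:og-protocols-ssl-customize[...]` sites in the same change or state in the description where they will be consumed, so the IDs do not land as unused anchors. The naming does follow the `og-<page>-<topic>` convention already visible in the context (`xref:og-modules[...]`, `xref:og-module-ssl-reload[...]`), so no rename is needed.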
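Review bot: In the hunk at `@@ -161,6 +164,7 @@`, the `[[og-protocols-ssl-conscrypt]]` anchor is added to the Conscrypt section, but the subsection immediately above it (the one whose context lines show `--add-module=ssl-reload`) gets no ID in this patch; if the intent is a stable anchor for every subsection of this page, confirm that section already carries an ID or give it one in the same style (for example a hypothetical `[[og-protocols-ssl-reload]]`), otherwise the coverage is inconsistent between adjacent sections.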