On Sun, 2023-11-05 at 19:18 +0100, Markus Koschany wrote:
> On Sunday, 05.11.2023 at 16:33 +0000, Adam D. Barratt wrote:
> > [...]
> > Do you have an idea how simple rebuilding the bullseye package on
> > buster would be? I'm happy to try that in general, but I've not
> > really looked at the Java ecosystem in Debian much.
> 
> Sorry, I missed those new or updated dependencies. That complicates
> the matter a little. We also have to deal with clojure here, a LISP
> dialect of the Java language with a different build system
> (leiningen), but if all dependencies were in place a rebuild would be
> pretty simple. As a last resort I could bundle all those dependencies
> together with trapperkeeper-* the Java way TM but I hope we can avoid
> that.
> 
> The most ideal solution is a patch for the current version in Buster.
> I have uploaded a new revision to people.debian.org with minimal
> changes here:
> 
> https://people.debian.org/~apo/lts/buster/trapperkeeper-webserver-jetty9-clojure/
> 
> dget -x https://people.debian.org/~apo/lts/buster/trapperkeeper-webserver-jetty9-clojure/trapperkeeper-webserver-jetty9-clojure_1.7.0-2+deb10u1.1.dsc
> 
> should work as expected. I'm attaching the debdiff as well.
> 
> My solution is to replace the old SslContextFactory class with the
> new inner SslContextFactory.Server class but I don't know if this
> change has the desired effect because I couldn't test it.

Thanks for the patch.

Unfortunately it didn't work as-is:

Nov  5 18:39:14 handel/handel java[2393]: Exception in thread "main" java.lang.AssertionError: Assert failed: (keyword? kw)
Nov  5 18:39:14 handel/handel java[2393]:       at puppetlabs.kitchensink.core$without_ns.invokeStatic(core.clj:613)
Nov  5 18:39:14 handel/handel java[2393]:       at puppetlabs.kitchensink.core$without_ns.invoke(core.clj:613)
Nov  5 18:39:14 handel/handel java[2393]:       at puppetlabs.trapperkeeper.core$main.invokeStatic(core.clj:175)
Nov  5 18:39:14 handel/handel java[2393]:       at puppetlabs.trapperkeeper.core$main.doInvoke(core.clj:159)
Nov  5 18:39:14 handel/handel java[2393]:       at clojure.lang.RestFn.applyTo(RestFn.java:137)
Nov  5 18:39:14 handel/handel java[2393]:       at clojure.core$apply.invokeStatic(core.clj:665)
Nov  5 18:39:14 handel/handel java[2393]:       at clojure.core$apply.invoke(core.clj:660)
Nov  5 18:39:14 handel/handel java[2393]:       at puppetlabs.puppetdb.cli.services$provide_services.invokeStatic(services.clj:570)
Nov  5 18:39:14 handel/handel java[2393]:       at puppetlabs.puppetdb.cli.services$provide_services.invoke(services.clj:558)
Nov  5 18:39:14 handel/handel java[2393]:       at puppetlabs.puppetdb.cli.services$cli$fn__41585.invoke(services.clj:578)
...

After a bit of searching, I happened across a discussion of a similar
change in a different product that mentioned the
SslContextFactory$Server syntax, so gave that a try. The resulting
package is now installed on handel.d.o and seems to work - at least,
it's been running for 45 minutes now (whereas the broken versions
lasted less than 5 minutes) and at least one client has successfully
made a "puppet agent" run in the meantime.

I've attached a debdiff of the package we're now running, with the
revised patch.

Regards,

Adam
diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog
--- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog	2019-09-13 10:00:50.000000000 +0100
+++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog	2023-11-05 19:28:22.000000000 +0000
@@ -1,3 +1,11 @@
+trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1+dsa1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Replace deprecated class SslContextFactory with SslContextFactory.Server.
+    Largely based on a patch by Markus Koschany. (Hopefully Closes:#1055348)
+
+ -- Adam D. Barratt <a...@adam-barratt.org.uk>  Sun, 05 Nov 2023 19:28:22 +0000
+
 trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1) buster; urgency=medium
 
   [ Manfred Stock ]
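
Review bot: In the second bullet of the new changelog entry, "(Hopefully Closes:#1055348)" still contains a Closes: token in the form the changelog bug-closing syntax matches, so if this entry reaches an archive upload the bug would be closed regardless of the "Hopefully". While the fix is unconfirmed, refer to the bug without the keyword (for example "See: #1055348") and close it by hand once the change has proven itself. The bullet also names SslContextFactory.Server while the patch imports SslContextFactory$Server; a few words saying the $ form is what the Clojure source needs would record the difference from the earlier attempt.
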
diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series
--- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series	2019-09-13 09:54:48.000000000 +0100
+++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series	2023-11-05 19:28:22.000000000 +0000
@@ -3,3 +3,4 @@
 0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch
 0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch
 0005-maint-Disable-EndpointIdentification.patch
+SslContextFactory.Server.patch
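
Review bot: The added last entry, SslContextFactory.Server.patch, breaks the numbered naming used by the entries above it (0003-, 0004-, 0005-). A name along the lines of 0006-Use-SslContextFactory-Server.patch keeps the application order readable from the file names alone.
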
diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/SslContextFactory.Server.patch trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/SslContextFactory.Server.patch
--- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/SslContextFactory.Server.patch	1970-01-01 01:00:00.000000000 +0100
+++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/SslContextFactory.Server.patch	2023-11-05 19:28:22.000000000 +0000
@@ -0,0 +1,66 @@
+
+--- trapperkeeper-webserver-jetty9-clojure-1.7.0.orig/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
++++ trapperkeeper-webserver-jetty9-clojure-1.7.0/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+@@ -8,7 +8,7 @@
+            (org.eclipse.jetty.server.handler.gzip GzipHandler)
+            (org.eclipse.jetty.util.resource Resource)
+            (org.eclipse.jetty.util.thread QueuedThreadPool)
+-           (org.eclipse.jetty.util.ssl SslContextFactory)
++           (org.eclipse.jetty.util.ssl SslContextFactory$Server)
+            (javax.servlet.http HttpServletResponse)
+            (java.util.concurrent TimeoutException)
+            (org.eclipse.jetty.servlet ServletContextHandler ServletHolder DefaultServlet)
+@@ -137,7 +137,7 @@
+    :overrides-read-by-webserver schema/Bool
+    :overrides (schema/maybe {schema/Keyword schema/Any})
+    :endpoints RegisteredEndpoints
+-   :ssl-context-factory (schema/maybe SslContextFactory)})
++   :ssl-context-factory (schema/maybe SslContextFactory$Server)})
+ 
+ (def ServerContext
+   {:state     (schema/atom ServerContextState)
+@@ -181,14 +181,14 @@
+ ;;; SSL Context Functions
+ 
+ (schema/defn ^:always-validate
+-  ssl-context-factory :- SslContextFactory
+-  "Creates a new SslContextFactory instance from a map of SSL config options."
++  ssl-context-factory :- SslContextFactory$Server
++  "Creates a new SslContextFactory.Server instance from a map of SSL config options."
+   [{:keys [keystore-config client-auth ssl-crl-path cipher-suites protocols]}
+    :- config/WebserverSslContextFactory]
+   (if (some #(= "sslv3" %) (map str/lower-case protocols))
+     (log/warn (i18n/trs "`ssl-protocols` contains SSLv3, a protocol with known vulnerabilities; we recommend removing it from the `ssl-protocols` list")))
+ 
+-  (let [context (doto (SslContextFactory.)
++  (let [context (doto (SslContextFactory$Server.)
+                   (.setKeyStore (:keystore keystore-config))
+                   (.setKeyStorePassword (:key-password keystore-config))
+                   (.setTrustStore (:truststore keystore-config))
+@@ -218,7 +218,7 @@
+     context))
+ 
+ (schema/defn ^:always-validate
+-  get-proxy-client-context-factory :- SslContextFactory
++  get-proxy-client-context-factory :- SslContextFactory$Server
+   [ssl-config :- ProxySslConfig]
+   (ssl-context-factory {:keystore-config
+                          (config/pem-ssl-config->keystore-ssl-config
+@@ -257,7 +257,7 @@
+   [server :- Server
+    config :- (merge config/WebserverConnector
+                     {schema/Keyword schema/Any})
+-   ssl-ctxt-factory :- (schema/maybe SslContextFactory)]
++   ssl-ctxt-factory :- (schema/maybe SslContextFactory$Server)]
+   (let [request-size (:request-header-max-size config)
+         connector   (doto (ServerConnector.
+                             server
+@@ -277,7 +277,7 @@
+   ssl-connector  :- ServerConnector
+   "Creates a ssl ServerConnector instance."
+   [server            :- Server
+-   ssl-ctxt-factory  :- SslContextFactory
++   ssl-ctxt-factory  :- SslContextFactory$Server
+    config :- config/WebserverSslConnector]
+   (connector* server config ssl-ctxt-factory))
+ 
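
Review bot: In the embedded @@ -218,7 hunk, get-proxy-client-context-factory is now annotated as returning SslContextFactory$Server although its name says the factory is for the proxy client; please confirm that whatever consumes this value accepts the Server subclass and that server-side defaults are intended for outbound connections, and note the result in the patch. The patch file also begins with an empty line and carries no header; a short DEP-3 header (Description, Author, Bug-Debian) would record why the class was swapped. Since series already lists 0005-maint-Disable-EndpointIdentification.patch, it is also worth checking that this patch still applies and behaves as intended now that the factory is constructed with (SslContextFactory$Server.).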
