[ https://issues.apache.org/jira/browse/CAMEL-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16073965#comment-16073965 ]
Roman Vottner commented on CAMEL-11482:
---------------------------------------

Just a quick heads-up on this issue. I've started to work on a fix (https://github.com/RovoMe/camel/commit/952175559110babf0ee7224f8045c1270dad5aa7), though I'm not sure if the code has to support Java 7 (or even 6). Also, there are probably a couple of other settings that aren't copied to the SslContextFactory which I have not yet included either. What should be the strategy on these? Continue work on that issue and copy over all settings, or leave them to those who need them and ask them to provide a fix/PR? Will also check how to set up unit tests for it, though as the method is private I guess I have to test it within createConnector(Server, JettyHttpEndpoint) and/or createHttpClient(JettyHttpEndpoint, Integer, SSLContextParameters), which use the updated method.

> SSLContextParameters settings are not properly copied to SslContextFactory
> --------------------------------------------------------------------------
>
> Key: CAMEL-11482
> URL: https://issues.apache.org/jira/browse/CAMEL-11482
> Project: Camel
> Issue Type: Bug
> Components: camel-jetty
> Affects Versions: 2.19.0, 2.19.1
> Environment: Mac OS X, Java 8 Update 131
> Ubuntu 14.04 LTS, Java 8 Update 111
> Camel 2.19.0
> Jetty9 9.4.5v20170502 and 9.3.14.v20161028
> Reporter: Roman Vottner
> Fix For: 2.19.2, 2.20.0
>
>
> Jetty 9.3+ excludes insecure ciphers which end in either MD5, SHA or SHA1 by
> default now. This will however remove all ciphers that are used by either
> TLSv1 or TLSv1.1, and thus no ciphers remain in order to agree on a cipher for
> TLSv1 or TLSv1.1 connection attempts. (Further reading:
> https://github.com/eclipse/jetty.project/issues/860)
>
> The Jetty 9 SSL configuration documentation
> (https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html)
> states that these exclusion cipher suites can be customized by providing an
> own exclusion list. Specifying SSLContextParameters like below, however,
> will not correctly propagate these exclusion cipher suites to the
> SslContextFactory of Jetty and thus uses the default setting, which prevents
> TLSv1 and TLSv1.1 connections.
>
> {code:title=SSLContextParameters Spring Config|borderStyle=solid}
> @Bean(name = "sslContextParameters")
> public SSLContextParameters sslContextParameters() {
>     String keyStore = env.getProperty("ssl.keyStore.resource");
>     URL keyStoreUrl = this.getClass().getResource(keyStore);
>
>     // http://camel.apache.org/jetty.html
>     KeyStoreParameters ksp = new KeyStoreParameters();
>     ksp.setResource(keyStoreUrl.getPath());
>     ksp.setPassword(env.getProperty("ssl.keyStore.password"));
>
>     KeyManagersParameters kmp = new KeyManagersParameters();
>     kmp.setKeyStore(ksp);
>     kmp.setKeyPassword(env.getProperty("ssl.key.password"));
>
>     SSLContextParameters scp = new SSLContextParameters();
>     scp.setKeyManagers(kmp);
>
>     // Jetty 9.3+ supports only TLSv1.2 by default, hence clients not
>     // supporting this protocol will fail
>     List<String> supportedSslProtocols = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2");
>     SecureSocketProtocolsParameters protocolsParameters = new SecureSocketProtocolsParameters();
>     protocolsParameters.setSecureSocketProtocol(supportedSslProtocols);
>     scp.setSecureSocketProtocols(protocolsParameters);
>
>     // TLS 1.0 / 1.1 have been disabled by Jetty 9.3
>     // this is a first attempt to re-enable them
>     // see
>     // - https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html
>     // - https://github.com/eclipse/jetty.project/issues/860
>     // - http://camel.apache.org/camel-configuration-utilities.html
>     FilterParameters cipherParameters = new FilterParameters();
>     cipherParameters.getInclude().add(".*");
>     cipherParameters.getExclude().add("^.*_(MD5|SHA1)$");
>     scp.setCipherSuitesFilter(cipherParameters);
>
>     return scp;
> }
> {code}
>
> A workaround is to use a custom JettyHttpComponent9 implementation that sets
> the excludedCipherSuites manually, as depicted below:
>
> {code:title=Workaround|borderStyle=solid}
> /**
>  * A custom Jetty HTTP component which explicitly sets the excludedCipherSuites during creation of
>  * the Jetty connector.
>  *
>  * Why? It seems Camel does not push included/excluded cipherSuites from {@link
>  * SSLContextParameters} to the {@link SslContextFactory}, nor does it push explicitly listed cipher
>  * suites (i.e. like <em>TLS_RSA_WITH_AES_256_CBC_SHA</em>) to the Jetty SSL context factory.
>  */
> public static class HackedJettyHttpComponent extends JettyHttpComponent9 {
>
>     @Override
>     protected AbstractConnector createConnectorJettyInternal(Server server,
>                                                              JettyHttpEndpoint endpoint,
>                                                              SslContextFactory sslcf) {
>         sslcf.setExcludeCipherSuites("^.*_(MD5|SHA1)$");
>         return super.createConnectorJettyInternal(server, endpoint, sslcf);
>     }
> }
> {code}

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
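The issue above turns on how an include/exclude cipher-suite filter is evaluated and why Jetty's default exclusion leaves nothing that TLSv1 or TLSv1.1 can negotiate. The following is an added example, not code from the issue, from Camel or from Jetty: it models the filter as "include patterns first (an empty include list means everything), then drop anything matching an exclude pattern", with Java-style full-string regex matching, which is an assumption about the Camel FilterParameters / Jetty semantics rather than a copy of either implementation. The cipher-suite names are a constructed sample in JDK naming style, and the rule that suites ending in `_SHA` or `_MD5` are the only ones usable below TLS 1.2 reflects the fact that SHA-2 HMAC and GCM suites require TLS 1.2.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of JDK-style cipher suite names (not from the page).
SAMPLE_SUITES: List[str] = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # TLS 1.2 only (AEAD)
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   # TLS 1.2 only (AEAD)
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",   # TLS 1.2 only (SHA-2 HMAC)
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",      # TLS 1.0/1.1/1.2
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",      # TLS 1.0/1.1/1.2
    "TLS_RSA_WITH_AES_256_CBC_SHA",            # TLS 1.0/1.1/1.2 (named on the page)
    "SSL_RSA_WITH_RC4_128_MD5",                # legacy, MD5 MAC
]

# Exclusion as the page describes Jetty 9.3+ defaults: suites ending in MD5, SHA or SHA1.
JETTY_DEFAULT_EXCLUDE = ["^.*_(MD5|SHA|SHA1)$"]
# The narrower exclusion the reporter puts into FilterParameters.
REPORTER_EXCLUDE = ["^.*_(MD5|SHA1)$"]


def apply_filter(suites: Iterable[str], include: List[str], exclude: List[str]) -> List[str]:
    """Select suites by include patterns, then remove those hit by exclude patterns.

    Assumed semantics: an empty include list selects everything; patterns are
    applied with full-string matching (like Java's Matcher.matches()); input
    order is preserved so the result mirrors the server's preference order.
    """
    inc = [re.compile(p) for p in include]
    exc = [re.compile(p) for p in exclude]
    selected = [s for s in suites if not inc or any(r.fullmatch(s) for r in inc)]
    return [s for s in selected if not any(r.fullmatch(s) for r in exc)]


def usable_below_tls12(suite: str) -> bool:
    """JDK naming: SHA256/SHA384 (SHA-2 HMAC) and GCM suites need TLS 1.2;
    only suites ending in _SHA or _MD5 can be negotiated by TLS 1.0/1.1."""
    return suite.endswith("_SHA") or suite.endswith("_MD5")


def suites_for_legacy_tls(suites: Iterable[str], include: List[str], exclude: List[str]) -> List[str]:
    """Suites left after filtering that a TLSv1 / TLSv1.1 client could still use."""
    return [s for s in apply_filter(suites, include, exclude) if usable_below_tls12(s)]


def explain(suites: Iterable[str], include: List[str], exclude: List[str]) -> Dict[str, List[str]]:
    """Summarise a filter: what stays enabled and what of it works below TLS 1.2."""
    enabled = apply_filter(suites, include, exclude)
    return {
        "enabled": enabled,
        "usable_below_tls12": [s for s in enabled if usable_below_tls12(s)],
    }


if __name__ == "__main__":
    # With the default exclusion every _SHA / _MD5 suite is gone, so nothing
    # remains for a TLSv1 or TLSv1.1 handshake even if those protocols are enabled.
    print("Jetty default exclusion:", explain(SAMPLE_SUITES, [".*"], JETTY_DEFAULT_EXCLUDE))
    # The reporter's pattern keeps the CBC-HMAC-SHA1 suites (ending in _SHA) and
    # only drops MD5 ones; this is exactly the setting Camel failed to copy.
    print("Reporter exclusion:     ", explain(SAMPLE_SUITES, [".*"], REPORTER_EXCLUDE))
```

Running the block shows the practical consequence of the bug: because the reporter's FilterParameters never reached the SslContextFactory, the server kept the default exclusion, and the protocol list "TLSv1, TLSv1.1, TLSv1.2" alone changed nothing for old clients. It also shows what the narrower filter actually re-enables, namely the CBC suites with an HMAC-SHA1 MAC, which is the trade-off an operator accepts when supporting TLSv1/TLSv1.1 clients.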