[ https://issues.apache.org/jira/browse/CAMEL-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Claus Ibsen resolved CAMEL-11482.
---------------------------------
    Resolution: Fixed

Thanks. Those SSL tests are extreme and they are hard to test, as different platforms and JDKs and whatnot have different ciphers supported etc.

> SSLContextParameters settings are not properly copied to SslContextFactory
> --------------------------------------------------------------------------
>
>                 Key: CAMEL-11482
>                 URL: https://issues.apache.org/jira/browse/CAMEL-11482
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-jetty
>    Affects Versions: 2.19.0, 2.19.1
>         Environment: Mac OS X, Java 8 Update 131
>                      Ubuntu 14.04 LTS, Java 8 Update 111
>                      Camel 2.19.0
>                      Jetty9 9.4.5v20170502 and 9.3.14.v20161028
>            Reporter: Roman Vottner
>            Assignee: Claus Ibsen
>             Fix For: 2.19.4, 2.20.0
>
>
> Jetty 9.3+ excludes insecure ciphers which end on either MD5, SHA or SHA1 by default now. This will however remove all ciphers that are used by either TLSv1 or TLSv1.1, and thus no ciphers remain in order to agree on a cipher for TLSv1 or TLSv1.1 connection attempts. (Further reading: https://github.com/eclipse/jetty.project/issues/860)
>
> The Jetty 9 SSL configuration documentation (https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html) states that these excluded cipher suites can be customized by providing an own exclusion list. Specifying SSLContextParameters like below however will not correctly propagate these excluded cipher suites to the SslContextFactory of Jetty, which thus uses the default setting that prevents TLSv1 and TLSv1.1 connections.
>
> {code:title=SSLContextParameters Spring Config|borderStyle=solid}
> import java.net.URL;
> import java.util.Arrays;
> import java.util.List;
>
> import org.apache.camel.util.jsse.FilterParameters;
> import org.apache.camel.util.jsse.KeyManagersParameters;
> import org.apache.camel.util.jsse.KeyStoreParameters;
> import org.apache.camel.util.jsse.SSLContextParameters;
> import org.apache.camel.util.jsse.SecureSocketProtocolsParameters;
>
> // env is the injected org.springframework.core.env.Environment of the @Configuration class
> @Bean(name = "sslContextParameters")
> public SSLContextParameters sslContextParameters() {
>     String keyStore = env.getProperty("ssl.keyStore.resource");
>     URL keyStoreUrl = this.getClass().getResource(keyStore);
>
>     // http://camel.apache.org/jetty.html
>     KeyStoreParameters ksp = new KeyStoreParameters();
>     ksp.setResource(keyStoreUrl.getPath());
>     ksp.setPassword(env.getProperty("ssl.keyStore.password"));
>
>     KeyManagersParameters kmp = new KeyManagersParameters();
>     kmp.setKeyStore(ksp);
>     kmp.setKeyPassword(env.getProperty("ssl.key.password"));
>
>     SSLContextParameters scp = new SSLContextParameters();
>     scp.setKeyManagers(kmp);
>
>     // Jetty 9.3+ supports only TLSv1.2 by default, hence clients not supporting this protocol will fail
>     List<String> supportedSslProtocols = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2");
>     SecureSocketProtocolsParameters protocolsParameters = new SecureSocketProtocolsParameters();
>     protocolsParameters.setSecureSocketProtocol(supportedSslProtocols);
>     scp.setSecureSocketProtocols(protocolsParameters);
>
>     // TLS 1.0 / 1.1 have been disabled by Jetty 9.3; this is a first attempt to re-enable them, see
>     // - https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html
>     // - https://github.com/eclipse/jetty.project/issues/860
>     // - http://camel.apache.org/camel-configuration-utilities.html
>     FilterParameters cipherParameters = new FilterParameters();
>     cipherParameters.getInclude().add(".*");
>     cipherParameters.getExclude().add("^.*_(MD5|SHA1)$");
>     scp.setCipherSuitesFilter(cipherParameters);
>
>     return scp;
> }
> {code}
>
> A workaround is to use a custom JettyHttpComponent9 implementation that sets the excludedCipherSuites manually, like depicted below:
>
> {code:title=Workaround|borderStyle=solid}
> import org.apache.camel.component.jetty.JettyHttpEndpoint;
> import org.apache.camel.component.jetty9.JettyHttpComponent9;
> import org.eclipse.jetty.server.AbstractConnector;
> import org.eclipse.jetty.server.Server;
> import org.eclipse.jetty.util.ssl.SslContextFactory;
>
> /**
>  * A custom Jetty HTTP component which explicitly sets the excludedCipherSuites during creation of
>  * the Jetty connector.
>  *
>  * Why? It seems Camel does not push included/excluded cipherSuites from {@link SSLContextParameters}
>  * to the {@link SslContextFactory}, nor does it push explicitly listed cipher suites
>  * (i.e. like <em>TLS_RSA_WITH_AES_256_CBC_SHA</em>) to the Jetty SSL context factory.
>  */
> public static class HackedJettyHttpComponent extends JettyHttpComponent9 {
>
>     @Override
>     protected AbstractConnector createConnectorJettyInternal(Server server,
>                                                              JettyHttpEndpoint endpoint,
>                                                              SslContextFactory sslcf) {
>         // Apply the exclusion pattern directly, since the filter from SSLContextParameters is not propagated
>         sslcf.setExcludeCipherSuites("^.*_(MD5|SHA1)$");
>         return super.createConnectorJettyInternal(server, endpoint, sslcf);
>     }
> }
> {code}

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
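A check for the root cause described in the issue, added here as an example and not part of the ticket or of Camel: it applies the two exclusion patterns (Jetty's default one, rendered from the issue's description as `^.*_(MD5|SHA|SHA1)$`, which is an assumption to confirm against your Jetty version, and the custom `^.*_(MD5|SHA1)$` from the reporter's config) to the cipher suites the running JVM supports, using the same include-then-exclude order as Camel's FilterParameters, and counts how many suites usable by TLSv1/TLSv1.1 survive each. Only the JDK is needed; nothing here touches Jetty or Camel APIs.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

public class CipherFilterCheck {

    // Jetty 9.3+ default exclusion as the issue describes it (suites ending in MD5, SHA or SHA1).
    // The exact regex is an assumption; compare with SslContextFactory's defaults in your Jetty version.
    static final List<String> JETTY_DEFAULT_EXCLUDES = Arrays.asList("^.*_(MD5|SHA|SHA1)$");
    // The custom exclusion from the issue's SSLContextParameters, which deliberately keeps *_SHA suites.
    static final List<String> CUSTOM_EXCLUDES = Arrays.asList("^.*_(MD5|SHA1)$");
    static final List<String> INCLUDE_ALL = Arrays.asList(".*");

    /** Keeps a suite if it matches at least one include pattern and no exclude pattern. */
    static List<String> filter(String[] suites, List<String> includes, List<String> excludes) {
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            boolean included = includes.stream().anyMatch(p -> Pattern.matches(p, suite));
            boolean excluded = excludes.stream().anyMatch(p -> Pattern.matches(p, suite));
            if (included && !excluded) {
                kept.add(suite);
            }
        }
        return kept;
    }

    /** TLSv1/TLSv1.1 can only negotiate HMAC-SHA1 suites (names ending in _SHA); the rest need TLSv1.2+. */
    static List<String> tls10Capable(List<String> suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (s.endsWith("_SHA")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        List<String> withDefault = tls10Capable(filter(supported, INCLUDE_ALL, JETTY_DEFAULT_EXCLUDES));
        List<String> withCustom = tls10Capable(filter(supported, INCLUDE_ALL, CUSTOM_EXCLUDES));
        System.out.println("TLSv1/TLSv1.1-capable suites left by Jetty default excludes: " + withDefault.size());
        System.out.println("TLSv1/TLSv1.1-capable suites left by the custom excludes:   " + withCustom.size());
        for (String s : withCustom) {
            System.out.println("  " + s);
        }
    }
}
```

With the default pattern the first count is zero on any JDK, which is exactly why Jetty refuses TLSv1/TLSv1.1 handshakes; the second count is non-zero only if the custom filter actually reaches the SslContextFactory, which is what the ticket says does not happen.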