Naina created CXF-8069:
--------------------------

    Summary: CXF does not allow to change default configuration of Jetty
        Key: CXF-8069
        URL: https://issues.apache.org/jira/browse/CXF-8069
    Project: CXF
 Issue Type: Bug
Environment: CXF : 3.2.7
             Jetty: 9.4.18v20190429
             Java : IBM Java 8
             Platform : AIX
   Reporter: Naina

Hi Team,

We are using Apache CXF 3.2.7 and seeking help to update Jetty's default configuration, which is being used by Apache CXF. CXF internally calls Jetty, and Jetty has a default configuration to exclude cipher suites which start with SSL_*. As all the TLS cipher suites of IBM Java 8 start with SSL_*, we are unable to establish a connection with Jetty using IBM Java 8. So the ask is: how can we update the default configuration of Jetty via CXF?

We resolved the same issue on one of our servers with the help of the Jetty team, where we were creating the Jetty instance in our code and were getting the warning "No supported ciphers from [ListOfAvailableCiphers]". They suggested to add the sslContextFactory.setExcludeCipherSuites(ListOfWeakCiphers) method while creating Jetty's instance, which actually overrides the default cipher suites excluded by Jetty. But in the current case, we just call CXF's JAXRSServerFactoryBean create() method, which internally calls Jetty and creates its instance with the default configuration.

Here is the code snippet:

    private JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();

    private JettyHTTPDestination startEndpoint() {
        logger.info("before Starting RESTful Agent");
        // create() starts the embedded Jetty server with its default configuration
        Server server = sf.create();
        logger.info("Started RESTful Agent at: " + server.getEndpoint().getEndpointInfo().getAddress());
        return (JettyHTTPDestination) server.getDestination();
    }

These are the logs which got generated during the execution of the above code:

    [2019-07-03T07:37:33,324-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - before Starting RESTful Agent
    [2019-07-03T07:37:33,396-0500] INFO [main] org.apache.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://localhost:9091/SnapCreator/
    [2019-07-03T07:37:33,503-0500] INFO [main] org.eclipse.jetty.util.log - Logging initialized @2814ms to org.eclipse.jetty.util.log.Slf4jLog
    [2019-07-03T07:37:33,566-0500] INFO [main] org.eclipse.jetty.server.Server - jetty-9.4.18.v20190429; built: 2019-04-29T20:42:08.989Z; git: e1bc35120a6617ee3df052294e433f3a25ce7097; jvm 8.0.5.21 - pap6480sr5fp21-20180830_01(SR5 FP21)
    [2019-07-03T07:37:33,746-0500] WARN [main] org.eclipse.jetty.util.ssl.SslContextFactory - No supported ciphers from [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_GCM_SHA384, SSL_DH_anon_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_CBC_SHA256, SSL_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_128_CBC_SHA256, SSL_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_RSA_WITH_NULL_SHA256, SSL_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, SSL_ECDH_ECDSA_WITH_NULL_SHA, SSL_ECDH_RSA_WITH_NULL_SHA, SSL_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, SSL_KRB5_WITH_DES_CBC_SHA, SSL_KRB5_WITH_DES_CBC_MD5]
    [2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@b3893135{ssl,[ssl, http/1.1]}{0.0.0.0:9091}
    [2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.Server - Started @3065ms
    [2019-07-03T07:37:33,772-0500] INFO [main] org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.h.ContextHandler@76c87ae8{/SnapCreator,null,AVAILABLE}
    [2019-07-03T07:37:33,772-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - Started RESTful Agent at: https://localhost:9091/SnapCreator/

As you can see in the logs, Jetty shows the warning "No supported ciphers from [ListOfAvailableCiphers]". I tried to exclude ciphers by setting TLSServerParameters and excluding weak cipher suites, but it did not override the ciphers which are set in Jetty's default configuration. Can you please help to identify if there is any way to change the default configuration of Jetty through CXF?

Please let me know if you need any more information.

Thanks,
Naina

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
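
Added example, not part of the original report and not CXF or Jetty code: a standalone Java check of the situation described above, run over a few suite names taken from the WARN line. It assumes each exclusion is a regular expression that must match the whole suite name; the REPLACEMENT list is a hypothetical set of weak-suite patterns of the kind that could be passed to setExcludeCipherSuites, not a vetted policy.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CipherExclusionCheck {
    // Constructed sample: a few suite names copied from the WARN line in the report.
    static final String[] IBM_SUITES = {
        "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "SSL_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "SSL_RSA_WITH_AES_128_CBC_SHA",
        "SSL_DH_anon_WITH_AES_128_GCM_SHA256",
        "SSL_RSA_WITH_NULL_SHA256",
        "SSL_RSA_WITH_DES_CBC_SHA",
        "SSL_KRB5_WITH_DES_CBC_MD5",
    };

    // The prefix rule the report describes: everything named SSL_* is dropped.
    static final String[] PREFIX_RULE = { "^SSL_.*$" };

    // Hypothetical replacement: exclude by weakness, not by the SSL_/TLS_ prefix.
    static final String[] REPLACEMENT = {
        "^.*_(MD5|SHA|SHA1)$",   // MD5 and SHA-1 MACs
        "^(SSL|TLS)_RSA_.*$",    // static RSA key exchange (no forward secrecy)
        "^.*_NULL_.*$",          // no encryption
        "^.*_anon_.*$",          // unauthenticated key exchange
        "^.*_DES_.*$",           // single DES
    };

    // Returns the suites that no exclusion pattern matches in full.
    static List<String> surviving(String[] suites, String[] excludes) {
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            boolean excluded = false;
            for (String pattern : excludes) {
                if (Pattern.matches(pattern, suite)) {
                    excluded = true;
                    break;
                }
            }
            if (!excluded) {
                kept.add(suite);
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        System.out.println("prefix rule : " + surviving(IBM_SUITES, PREFIX_RULE));
        System.out.println("replacement : " + surviving(IBM_SUITES, REPLACEMENT));
    }
}
```

An empty result for a pattern list corresponds to the "No supported ciphers" condition in the log; running the same check against the JVM's full supported list shows whether a candidate exclusion list still leaves usable suites.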