Naina created CXF-8069:
--------------------------

             Summary: CXF does not allow changing the default configuration of 
Jetty
                 Key: CXF-8069
                 URL: https://issues.apache.org/jira/browse/CXF-8069
             Project: CXF
          Issue Type: Bug
         Environment: CXF : 3.2.7

Jetty: 9.4.18v20190429

Java : IBM Java 8

Platform : AIX

 
            Reporter: Naina


Hi Team,

We are using Apache CXF 3.2.7 and are seeking help to update Jetty's default 
configuration, which is used by Apache CXF.

CXF internally calls Jetty, and Jetty's default configuration excludes cipher 
suites whose names start with SSL_*. As all the TLS cipher suites of IBM Java 8 
start with SSL_*, we are unable to establish a connection with Jetty using IBM 
Java 8. So the ask is: how can we update the default configuration of Jetty via 
CXF?

We resolved the same issue on one of our servers with the help of the Jetty team. 
There we were creating the Jetty instance in our own code and were getting the 
warning "No supported ciphers from [ListOfAvailableCiphers]". They suggested 
calling *sslContextFactory.setExcludeCipherSuites(ListOfWeakCiphers)* while 
creating the Jetty instance, which overrides the default list of cipher suites 
excluded by Jetty.

But in the current case, we just call CXF's JAXRSServerFactoryBean create() 
method, which internally calls Jetty and creates its instance with the default 
configuration. Here is the code snippet:

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.transport.http_jetty.JettyHTTPDestination;

private JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();

// sf.create() builds the Jetty server engine internally; the SslContextFactory
// is never exposed to this code.
private JettyHTTPDestination startEndpoint() {
    logger.info("before Starting RESTful Agent");
    Server server = sf.create();
    logger.info("Started RESTful Agent at: " + server.getEndpoint().getEndpointInfo().getAddress());
    return (JettyHTTPDestination) server.getDestination();
}
 
These are the logs which got generated during the execution of above code :

[2019-07-03T07:37:33,324-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - before Starting RESTful Agent
[2019-07-03T07:37:33,396-0500] INFO [main] org.apache.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://localhost:9091/SnapCreator/
[2019-07-03T07:37:33,503-0500] INFO [main] org.eclipse.jetty.util.log - Logging initialized @2814ms to org.eclipse.jetty.util.log.Slf4jLog
[2019-07-03T07:37:33,566-0500] INFO [main] org.eclipse.jetty.server.Server - jetty-9.4.18.v20190429; built: 2019-04-29T20:42:08.989Z; git: e1bc35120a6617ee3df052294e433f3a25ce7097; jvm 8.0.5.21 - pap6480sr5fp21-20180830_01(SR5 FP21)
[2019-07-03T07:37:33,746-0500] WARN [main] org.eclipse.jetty.util.ssl.SslContextFactory - No supported ciphers from 
[TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, 
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, 
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, 
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, 
SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, 
SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, 
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, 
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, 
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, 
SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, 
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, 
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_GCM_SHA384, 
SSL_DH_anon_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_CBC_SHA256, 
SSL_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_256_CBC_SHA, 
SSL_DH_anon_WITH_AES_128_CBC_SHA256, SSL_ECDH_anon_WITH_AES_128_CBC_SHA, 
SSL_DH_anon_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, 
SSL_RSA_WITH_NULL_SHA256, SSL_ECDHE_ECDSA_WITH_NULL_SHA, 
SSL_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, 
SSL_ECDH_ECDSA_WITH_NULL_SHA, SSL_ECDH_RSA_WITH_NULL_SHA, 
SSL_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, SSL_KRB5_WITH_DES_CBC_SHA, 
SSL_KRB5_WITH_DES_CBC_MD5]
[2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@b3893135{ssl,[ssl, http/1.1]}{0.0.0.0:9091}
[2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.Server - Started @3065ms
[2019-07-03T07:37:33,772-0500] INFO [main] org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.h.ContextHandler@76c87ae8{/SnapCreator,null,AVAILABLE}
[2019-07-03T07:37:33,772-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - Started RESTful Agent at: https://localhost:9091/SnapCreator/

As you can see in the logs, Jetty shows the warning "No supported ciphers from 
[ListOfAvailableCiphers]". I tried to exclude ciphers by setting 
TLSServerParameters and excluding weak cipher suites, but it did not override 
the ciphers which are set in Jetty's default configuration.

Can you please help to identify whether there is any way to change the default 
configuration of Jetty through CXF?

Please let me know if you need any more information.

Thanks,

Naina



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
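The workaround the report describes for the hand-built Jetty server, shown as an added example that is not code from the report, from CXF or from Jetty: an explicit `setExcludeCipherSuites` list that names weak suites by what makes them weak, instead of by the SSL_ prefix that IBM Java 8 puts on every suite. The exclusion patterns in EXCLUDE_WEAK_SUITES are an assumed policy for illustration, the sample suite names are a constructed subset of the warning above, and `applyExcludes` is an offline approximation of how Jetty 9.4 applies its exclusion regexes (each pattern matched against the whole suite name), so the comparison can be run on any JVM. The live part needs jetty-util 9.4.x on the classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

import javax.net.ssl.SSLContext;

import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Compares Jetty 9.4's built-in cipher-suite exclusions with an explicit list that
 * names weak suites by property, so the SSL_ prefix IBM Java 8 uses on every suite
 * no longer empties the selection.
 */
public class ExcludeWeakCiphersOnly {

    // Assumed policy list for illustration: drops no-encryption, anonymous, DES/3DES,
    // RC4, MD5, Kerberos and export-grade suites, and nothing else. Tune to your policy.
    static final String[] EXCLUDE_WEAK_SUITES = {
        "^.*_NULL_.*$",
        "^.*_anon_.*$",
        "^.*_DES_.*$",
        "^.*_3DES_.*$",
        "^.*_RC4_.*$",
        "^.*_MD5$",
        "^.*_KRB5_.*$",
        "^.*_EXPORT.*$"
    };

    // Jetty 9.4's default exclusions, copied here only for the offline comparison.
    // The "^SSL_.*$" entry is what removes every IBM Java 8 suite.
    static final String[] JETTY_DEFAULT_EXCLUDES = {
        "^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^SSL_.*$", "^.*_NULL_.*$", "^.*_anon_.*$"
    };

    /**
     * Offline approximation of Jetty's exclusion step: each entry is a regex, and a
     * suite is dropped when any pattern matches its whole name.
     */
    static List<String> applyExcludes(List<String> candidates, String... excludes) {
        List<Pattern> patterns = new ArrayList<>();
        for (String e : excludes) {
            patterns.add(Pattern.compile(e));
        }
        List<String> kept = new ArrayList<>();
        for (String suite : candidates) {
            boolean excluded = false;
            for (Pattern p : patterns) {
                if (p.matcher(suite).matches()) {
                    excluded = true;
                    break;
                }
            }
            if (!excluded) {
                kept.add(suite);
            }
        }
        return kept;
    }

    /**
     * Starts a real SslContextFactory with the given exclusions and returns the suites
     * Jetty would offer on this JVM. Fails loudly rather than letting a server come up
     * with an empty list, which is the state behind the "No supported ciphers" warning.
     */
    static String[] selectedSuites(String... excludes) throws Exception {
        SslContextFactory.Server scf = new SslContextFactory.Server();
        // A ready SSLContext avoids needing a keystore just to inspect the selection.
        scf.setSslContext(SSLContext.getDefault());
        // setExcludeCipherSuites replaces the default list; it does not add to it.
        scf.setExcludeCipherSuites(excludes);
        scf.start();
        try {
            String[] selected = scf.getSelectedCipherSuites();
            if (selected.length == 0) {
                throw new IllegalStateException(
                    "exclusion list leaves no cipher suites; every TLS handshake would fail");
            }
            return selected;
        } finally {
            scf.stop();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a handful of the names from the IBM Java 8 warning above.
        List<String> ibmSuites = Arrays.asList(
            "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "SSL_RSA_WITH_AES_128_CBC_SHA",
            "SSL_DH_anon_WITH_AES_128_GCM_SHA256",
            "SSL_RSA_WITH_NULL_SHA256",
            "SSL_KRB5_WITH_DES_CBC_MD5");

        System.out.println("Jetty defaults keep:  " + applyExcludes(ibmSuites, JETTY_DEFAULT_EXCLUDES));
        System.out.println("Weak-only list keeps: " + applyExcludes(ibmSuites, EXCLUDE_WEAK_SUITES));
        System.out.println("Live selection here:  " + Arrays.toString(selectedSuites(EXCLUDE_WEAK_SUITES)));
    }
}
```

Against the constructed sample, the default patterns keep nothing, while the weak-only list keeps the three AES suites and drops the anonymous, NULL and Kerberos/DES/MD5 ones. The empty-selection guard is the check worth carrying into production: Jetty only logs a warning and still opens the port, so a server with no usable cipher suites looks healthy until the first handshake. Note that this only helps where your code holds the SslContextFactory; the sticking point in the report is that JAXRSServerFactoryBean.create() builds it internally.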
