[ https://issues.apache.org/jira/browse/CXF-8069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16881095#comment-16881095 ]

Colm O hEigeartaigh commented on CXF-8069:
------------------------------------------

The SSL CipherSuites you are using above are not standard (e.g. they don't appear here: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html) - they appear to be particular to IBM. So I think this is not a CXF problem - you will need to ask the Jetty project if they support these cipher suites, and if so how they are configured.

> CXF does not allow to change default configuration of Jetty
> -----------------------------------------------------------
>
>                 Key: CXF-8069
>                 URL: https://issues.apache.org/jira/browse/CXF-8069
>             Project: CXF
>          Issue Type: Bug
>         Environment: CXF : 3.2.7
> Jetty: 9.4.18v20190429
> Java : IBM Java 8
> Platform : AIX
>  
>            Reporter: Naina
>            Priority: Blocker
>         Attachments: Cipher_error.png, Protocol_error.png
>
>
> Hi Team,
> We are using Apache CXF 3.2.7 and seeking help to update Jetty's default 
> configuration which is being used by Apache CXF.
> CXF internally calls Jetty, and Jetty has a default configuration that excludes 
> cipher suites that start with SSL_*. As all the TLS cipher suites of IBM 
> Java 8 start with SSL_*, we are unable to establish a connection with Jetty 
> using IBM Java 8. So the ask is, how can we update the default configuration 
> of Jetty via CXF.
> We resolved the same issue on one of our servers with the help of the Jetty team, 
> where we were creating the Jetty instance in our code and were getting the warning 
> "No supported ciphers from [ListOfAvailableCiphers]". They suggested adding the 
> {{sslContextFactory.setExcludeCipherSuites(ListOfWeakCiphers)}} method while 
> creating Jetty's instance, which actually overrides the default cipher suites 
> excluded by Jetty.
> But in the current case, we just call CXF's JAXRSServerFactoryBean create() 
> method, which internally calls Jetty and creates its instance with the default 
> configuration. Here is the code snippet:
> {code:java}
> private JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
> 
> private JettyHTTPDestination startEndpoint() {
>     logger.info("before Starting RESTful Agent");
>     Server server = sf.create();
>     logger.info("Started RESTful Agent at: " + server.getEndpoint().getEndpointInfo().getAddress());
>     return (JettyHTTPDestination) server.getDestination();
> }
> {code}
>  
> These are the logs that were generated during the execution of the above code:
> {noformat}
> [2019-07-03T07:37:33,324-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - before Starting RESTful Agent
> [2019-07-03T07:37:33,396-0500] INFO [main] org.apache.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://localhost:9091/SnapCreator/
> [2019-07-03T07:37:33,503-0500] INFO [main] org.eclipse.jetty.util.log - Logging initialized @2814ms to org.eclipse.jetty.util.log.Slf4jLog
> [2019-07-03T07:37:33,566-0500] INFO [main] org.eclipse.jetty.server.Server - jetty-9.4.18.v20190429; built: 2019-04-29T20:42:08.989Z; git: e1bc35120a6617ee3df052294e433f3a25ce7097; jvm 8.0.5.21 - pap6480sr5fp21-20180830_01(SR5 FP21)
> [2019-07-03T07:37:33,746-0500] WARN [main] org.eclipse.jetty.util.ssl.SslContextFactory - No supported ciphers from [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_GCM_SHA384, SSL_DH_anon_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_CBC_SHA256, SSL_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_128_CBC_SHA256, SSL_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_RSA_WITH_NULL_SHA256, SSL_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, SSL_ECDH_ECDSA_WITH_NULL_SHA, SSL_ECDH_RSA_WITH_NULL_SHA, SSL_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, SSL_KRB5_WITH_DES_CBC_SHA, SSL_KRB5_WITH_DES_CBC_MD5]
> [2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@b3893135{ssl,[ssl, http/1.1]}{0.0.0.0:9091}
> [2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.Server - Started @3065ms
> [2019-07-03T07:37:33,772-0500] INFO [main] org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.h.ContextHandler@76c87ae8{/SnapCreator,null,AVAILABLE}
> [2019-07-03T07:37:33,772-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - Started RESTful Agent at: https://localhost:9091/SnapCreator/
> {noformat}
> As you can see in the logs, Jetty shows the warning "No supported ciphers 
> from [ListOfAvailableCiphers]". I tried to exclude ciphers by setting 
> TLSServerParameters and excluding weak cipher suites, but it did not override 
> the ciphers which are set in Jetty's default configuration.
> Can you please help to identify if there is any way to change the default 
> configuration of Jetty through CXF.
> Please let me know if you need any more information.
> Thanks,
> Naina
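The thread above turns on how Jetty's regex-based cipher suite exclusion interacts with IBM Java's SSL_-prefixed suite names. The following is an added diagnostic example, not code from CXF, Jetty or the reporter: it applies Jetty-style include/exclude filtering to a cipher suite list so a practitioner can see, before deploying, which suites would survive. It assumes Jetty's semantics (a suite is kept if it matches any include pattern, or all of them when none are given, and matches no exclude pattern), and it reproduces Jetty 9.4's default exclude patterns from memory as an assumption that should be confirmed against the Jetty version actually on the classpath. The sample suite list is a subset constructed from the warning in the report.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

public class CipherFilterCheck {

    // Assumption: Jetty 9.4 SslContextFactory default exclude patterns, reproduced
    // from memory. "^SSL_.*$" is the one that wipes out every IBM-named suite.
    static final String[] JETTY_DEFAULT_EXCLUDES = {
        "^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^SSL_.*$", "^.*_NULL_.*$", "^.*_anon_.*$"
    };

    // Hypothetical replacement list for an IBM JVM: drops "^SSL_.*$" but keeps the
    // patterns that remove NULL, anonymous and SHA-1/MD5 suites, and adds "^SSL_RSA_.*$"
    // because "^TLS_RSA_.*$" no longer matches static-RSA key exchange under the IBM prefix.
    static final String[] IBM_AWARE_EXCLUDES = {
        "^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^SSL_RSA_.*$", "^.*_NULL_.*$", "^.*_anon_.*$"
    };

    // Constructed sample: a subset of the suites listed in the report's Jetty warning.
    static final String[] IBM_JAVA8_SAMPLE = {
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "SSL_RSA_WITH_AES_256_CBC_SHA256",
        "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "SSL_DH_anon_WITH_AES_128_CBC_SHA256",
        "SSL_RSA_WITH_NULL_SHA256",
        "SSL_RSA_WITH_DES_CBC_SHA",
        "SSL_RSA_WITH_NULL_MD5"
    };

    /** Keep suites matching at least one include (if any are given) and no exclude. */
    static List<String> filter(String[] supported, String[] includes, String[] excludes) {
        List<Pattern> inc = compile(includes);
        List<Pattern> exc = compile(excludes);
        List<String> out = new ArrayList<>();
        for (String suite : supported) {
            boolean included = inc.isEmpty() || matchesAny(inc, suite);
            if (included && !matchesAny(exc, suite)) {
                out.add(suite);
            }
        }
        return out;
    }

    private static List<Pattern> compile(String[] patterns) {
        List<Pattern> out = new ArrayList<>();
        for (String p : patterns) {
            out.add(Pattern.compile(p));
        }
        return out;
    }

    private static boolean matchesAny(List<Pattern> patterns, String s) {
        for (Pattern p : patterns) {
            if (p.matcher(s).matches()) {
                return true;
            }
        }
        return false;
    }

    static void report(String label, List<String> suites) {
        System.out.println(label + ": " + suites.size() + " suite(s) survive");
        for (String s : suites) {
            System.out.println("  " + s);
        }
    }

    public static void main(String[] args) throws Exception {
        String[] noIncludes = {};

        // With the default excludes only the SCSV signalling value survives, which is
        // not a usable cipher suite: this is the "No supported ciphers" condition.
        report("Jetty defaults vs IBM sample",
               filter(IBM_JAVA8_SAMPLE, noIncludes, JETTY_DEFAULT_EXCLUDES));

        // With the IBM-aware excludes the two ECDHE GCM suites survive while the
        // static-RSA, NULL, anonymous, DES and SHA-1/MD5 entries are still dropped.
        report("IBM-aware excludes vs IBM sample",
               filter(IBM_JAVA8_SAMPLE, noIncludes, IBM_AWARE_EXCLUDES));

        // The same check against whatever JVM this runs on, so the filter list can be
        // validated on the target platform before the endpoint is started.
        String[] local = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        report("Jetty defaults vs this JVM", filter(local, noIncludes, JETTY_DEFAULT_EXCLUDES));
    }
}
```

The point of the second exclude list is the caveat a reviewer would raise against simply deleting the SSL_ pattern: on an IBM JVM the remaining defaults still catch NULL, anonymous and SHA-1/MD5 suites by suffix, but the "^TLS_RSA_.*$" pattern that normally removes non-forward-secret RSA key exchange is silently ineffective, so an SSL_RSA_ counterpart has to be added. Whichever list is settled on, it is applied on the Jetty side (the setExcludeCipherSuites call the reporter mentions), which is consistent with the comment above pointing the question at the Jetty project rather than CXF.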



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
