[jira] [Commented] (CXF-8069) CXF does not allow to change default configuration of Jetty
[ https://issues.apache.org/jira/browse/CXF-8069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877910#comment-16877910 ]

Freeman Fang commented on CXF-8069:
---

Hi [~naina.pati...@infobeans.com],

FYI, the http-jetty transport in CXF also calls the jetty sslContextFactory.setExcludeCipherSuites method to exclude CipherSuites; you can configure the ciphersuite as described [here|https://cxf.apache.org/docs/tls-configuration.html#TLSConfiguration-CipherSuitesFilter]

You can configure per the above document and debug the code in org.apache.cxf.transport.http_jetty.JettyHTTPServerEngine.createSSLContext(SslContextFactory scf) to see how SslContextFactory.setExcludeCipherSuites gets invoked there.

Freeman

> CXF does not allow to change default configuration of Jetty
> ---
>
> Key: CXF-8069
> URL: https://issues.apache.org/jira/browse/CXF-8069
> Project: CXF
> Issue Type: Bug
> Environment: CXF : 3.2.7
> Jetty: 9.4.18v20190429
> Java : IBM Java 8
> Platform : AIX
>
> Reporter: Naina
> Priority: Blocker
>
> Hi Team,
> We are using Apache CXF 3.2.7 and seeking help to update jetty's default
> configuration which is being used by Apache CXF.
> CXF internally calls jetty and jetty has default configuration to exclude
> cipher suites which start with SSL_*. As all the TLS cipher suites of IBM
> Java 8 start with SSL_*, we are unable to establish connection with Jetty
> using IBM Java 8. So the ask is, how can we update the default configuration
> of Jetty via CXF.
> We resolved the same issue on one of our servers with the help of Jetty team
> where we were creating Jetty instance in our code and were getting warning
> "No supported ciphers from [ListOfAvailableCiphers]". They suggested to add
> *sslContextFactory.setExcludeCipherSuites(ListOfWeakCiphers)* method while
> creating Jetty's instance, which actually overrides the default cipher suites
> excluded by Jetty.
> But in the current case, we just call CXF's JAXRSServerFactoryBean create()
> method which internally calls Jetty and creates its instance with default
> configuration. Here is the code snippet:
>
>     private JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
>
>     private JettyHTTPDestination startEndpoint() {
>         logger.info("*+before Starting RESTful Agent+*");
>         Server server = sf.create();
>         logger.info("*+Started RESTful Agent at:+* " + server.getEndpoint().getEndpointInfo().getAddress());
>         return (JettyHTTPDestination) server.getDestination();
>     }
>
> These are the logs which got generated during the execution of above code :
>
> [2019-07-03T07:37:33,324-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - *+before Starting RESTful Agent+*
> [2019-07-03T07:37:33,396-0500] INFO [main] org.apache.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://localhost:9091/SnapCreator/
> [2019-07-03T07:37:33,503-0500] INFO [main] org.eclipse.jetty.util.log - Logging initialized @2814ms to org.eclipse.jetty.util.log.Slf4jLog
> [2019-07-03T07:37:33,566-0500] INFO [main] org.eclipse.jetty.server.Server - jetty-9.4.18.v20190429; built: 2019-04-29T20:42:08.989Z; git: e1bc35120a6617ee3df052294e433f3a25ce7097; jvm 8.0.5.21 - pap6480sr5fp21-20180830_01(SR5 FP21)
> [2019-07-03T07:37:33,746-0500] WARN [main] *org.eclipse.jetty.util.ssl.SslContextFactory -* *No supported ciphers from*
> [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256,
> SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
> SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
> SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
> SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
> SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256,
> SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
> SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
> SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
> SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
> SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
[jira] [Created] (CXF-8069) CXF does not allow to change default configuration of Jetty
Naina created CXF-8069:
--

Summary: CXF does not allow to change default configuration of Jetty
Key: CXF-8069
URL: https://issues.apache.org/jira/browse/CXF-8069
Project: CXF
Issue Type: Bug
Environment: CXF : 3.2.7
Jetty: 9.4.18v20190429
Java : IBM Java 8
Platform : AIX
Reporter: Naina

Hi Team,

We are using Apache CXF 3.2.7 and seeking help to update jetty's default configuration which is being used by Apache CXF.

CXF internally calls jetty and jetty has default configuration to exclude cipher suites which start with SSL_*. As all the TLS cipher suites of IBM Java 8 start with SSL_*, we are unable to establish connection with Jetty using IBM Java 8. So the ask is, how can we update the default configuration of Jetty via CXF.

We resolved the same issue on one of our servers with the help of Jetty team where we were creating Jetty instance in our code and were getting warning "No supported ciphers from [ListOfAvailableCiphers]". They suggested to add *sslContextFactory.setExcludeCipherSuites(ListOfWeakCiphers)* method while creating Jetty's instance, which actually overrides the default cipher suites excluded by Jetty.

But in the current case, we just call CXF's JAXRSServerFactoryBean create() method which internally calls Jetty and creates its instance with default configuration. Here is the code snippet:

    private JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();

    private JettyHTTPDestination startEndpoint() {
        logger.info("*+before Starting RESTful Agent+*");
        Server server = sf.create();
        logger.info("*+Started RESTful Agent at:+* " + server.getEndpoint().getEndpointInfo().getAddress());
        return (JettyHTTPDestination) server.getDestination();
    }

These are the logs which got generated during the execution of above code :

[2019-07-03T07:37:33,324-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - *+before Starting RESTful Agent+*
[2019-07-03T07:37:33,396-0500] INFO [main] org.apache.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://localhost:9091/SnapCreator/
[2019-07-03T07:37:33,503-0500] INFO [main] org.eclipse.jetty.util.log - Logging initialized @2814ms to org.eclipse.jetty.util.log.Slf4jLog
[2019-07-03T07:37:33,566-0500] INFO [main] org.eclipse.jetty.server.Server - jetty-9.4.18.v20190429; built: 2019-04-29T20:42:08.989Z; git: e1bc35120a6617ee3df052294e433f3a25ce7097; jvm 8.0.5.21 - pap6480sr5fp21-20180830_01(SR5 FP21)
[2019-07-03T07:37:33,746-0500] WARN [main] *org.eclipse.jetty.util.ssl.SslContextFactory -* *No supported ciphers from*
[TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256,
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256,
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_GCM_SHA384,
SSL_DH_anon_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_CBC_SHA256,
SSL_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_256_CBC_SHA,
SSL_DH_anon_WITH_AES_128_CBC_SHA256, SSL_ECDH_anon_WITH_AES_128_CBC_SHA,
SSL_DH_anon_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_DH_anon_WITH_DES_CBC_SHA,
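
The exclusion behaviour discussed in this thread, as an added example that is not part of the original messages and is not CXF or Jetty code: it models an exclude list as regular expressions matched against whole suite names (an assumption) and compares the blanket `SSL_` prefix rule with a list that targets weak algorithms only. The suite names are a constructed subset of those in the WARN line; `CipherExcludeDemo`, `WEAK_ONLY` and the helper methods are hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class CipherExcludeDemo {
    // Constructed sample: six suite names taken from the WARN line in the report.
    static final List<String> SUPPORTED = Arrays.asList(
        "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "SSL_RSA_WITH_AES_128_CBC_SHA",
        "SSL_DH_anon_WITH_AES_256_GCM_SHA384",
        "SSL_RSA_WITH_DES_CBC_SHA");

    // The blanket prefix rule the report describes (excludes every SSL_* name).
    static final String[] PREFIX_RULE = {"^SSL_.*$"};

    // Hypothetical replacement list: targets weak algorithms, not the name prefix.
    static final String[] WEAK_ONLY = {
        "^.*_anon_.*$",               // unauthenticated key exchange
        "^.*_NULL_.*$",               // no encryption
        "^.*_(DES|3DES_EDE|RC4)_.*$", // obsolete ciphers
        "^.*_(MD5|SHA)$"              // MD5 and SHA-1 MACs
    };

    // Assumption: excludes are regexes that must match the whole suite name.
    static List<String> enabled(List<String> supported, String... excludes) {
        List<Pattern> patterns = Arrays.stream(excludes)
            .map(Pattern::compile).collect(Collectors.toList());
        return supported.stream()
            .filter(s -> patterns.stream().noneMatch(p -> p.matcher(s).matches()))
            .collect(Collectors.toList());
    }

    // Fail closed: refuse to start a listener that would have no usable suite.
    static List<String> requireNonEmpty(List<String> suites) {
        if (suites.isEmpty()) {
            throw new IllegalStateException("exclude list leaves no cipher suite enabled");
        }
        return suites;
    }

    public static void main(String[] args) {
        System.out.println("prefix rule keeps: " + enabled(SUPPORTED, PREFIX_RULE));
        System.out.println("weak-only keeps:   "
            + requireNonEmpty(enabled(SUPPORTED, WEAK_ONLY)));
    }
}
```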