[jira] [Commented] (CXF-8069) CXF does not allow to change default configuration of Jetty

2019-07-03 Thread Freeman Fang (JIRA)



Freeman Fang commented on CXF-8069:
---

Hi [~naina.pati...@infobeans.com],

FYI, the http-jetty transport in CXF also calls Jetty's
sslContextFactory.setExcludeCipherSuites method to exclude cipher suites; you
can configure the cipher suites as described here:
https://cxf.apache.org/docs/tls-configuration.html#TLSConfiguration-CipherSuitesFilter

You can configure per the above document and debug the code in
org.apache.cxf.transport.http_jetty.JettyHTTPServerEngine.createSSLContext(SslContextFactory scf)
to see how SslContextFactory.setExcludeCipherSuites gets invoked there.

Freeman
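An added example (not code from the issue or from CXF itself) of the configuration the comment above points to: a CipherSuitesFilter on TLSServerParameters, registered for the listen port on the Jetty engine factory before the JAX-RS endpoint is created. It assumes a keystore file agent-keystore.jks and a JAX-RS resource class AgentResource (both hypothetical) and, per the comment, that the exclude list CXF derives from the filter replaces Jetty's default SSL_* exclusion.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.configuration.jsse.TLSServerParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory;

public class TlsAgentStarter {
    public static Server startEndpoint(char[] keystorePassword) throws Exception {
        // Server key material: CXF builds the SSLContext from these key managers.
        // "agent-keystore.jks" is a hypothetical path.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("agent-keystore.jks")) {
            ks.load(in, keystorePassword);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keystorePassword);

        // The filter CXF applies before calling Jetty's SslContextFactory
        // setExcludeCipherSuites. IBM Java names its TLS suites SSL_*, so the
        // include pattern accepts both prefixes but only forward-secret AES-GCM
        // suites; the excludes explicitly drop the anonymous and DES suites seen
        // in the reporter's log, which a plain SSL_.* include would admit.
        FiltersType filter = new FiltersType();
        filter.getInclude().add(
            "^(TLS|SSL)_(ECDHE|DHE)_(RSA|ECDSA|DSS)_WITH_AES_(128|256)_GCM_SHA(256|384)$");
        filter.getExclude().add(".*_anon_.*");
        filter.getExclude().add(".*_DES_.*");
        filter.getExclude().add(".*_NULL_.*");

        TLSServerParameters tls = new TLSServerParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setCipherSuitesFilter(filter);

        // Register the parameters for the listen port; JettyHTTPServerEngine
        // createSSLContext picks them up when the endpoint below is created.
        Bus bus = BusFactory.getDefaultBus();
        bus.getExtension(JettyHTTPServerEngineFactory.class)
           .setTLSServerParametersForPort(9091, tls);

        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setBus(bus);
        sf.setAddress("https://localhost:9091/SnapCreator/");
        sf.setResourceClasses(AgentResource.class); // hypothetical resource class
        return sf.create();
    }
}
```

After startup, the "No supported ciphers" warning should no longer appear and the negotiated suite can be checked with any TLS client that reports it.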


[jira] [Created] (CXF-8069) CXF does not allow to change default configuration of Jetty

2019-07-03 Thread Naina (JIRA)
Naina created CXF-8069:
--

 Summary: CXF does not allow to change default configuration of Jetty
 Key: CXF-8069
 URL: https://issues.apache.org/jira/browse/CXF-8069
 Project: CXF
 Issue Type: Bug
 Environment: CXF : 3.2.7
 Jetty: 9.4.18v20190429
 Java : IBM Java 8
 Platform : AIX
 Reporter: Naina


Hi Team,

We are using Apache CXF 3.2.7 and are seeking help to update Jetty's default
configuration, which is being used by Apache CXF.

CXF internally calls Jetty, and Jetty has a default configuration that excludes
cipher suites which start with SSL_*. As all the TLS cipher suites of IBM Java
8 start with SSL_*, we are unable to establish a connection with Jetty using IBM
Java 8. So the ask is: how can we update the default configuration of Jetty via
CXF?

We resolved the same issue on one of our servers with the help of the Jetty team,
where we were creating the Jetty instance in our code and were getting the warning "No
supported ciphers from [ListOfAvailableCiphers]". They suggested adding a
sslContextFactory.setExcludeCipherSuites(ListOfWeakCiphers) call while
creating Jetty's instance, which actually overrides the default cipher suites
excluded by Jetty.

But in the current case, we just call CXF's JAXRSServerFactoryBean create()
method, which internally calls Jetty and creates its instance with the default
configuration. Here is the code snippet:

    private JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();

    private JettyHTTPDestination startEndpoint() {
        logger.info("before Starting RESTful Agent");
        // create() builds the Jetty server with CXF's default TLS settings
        Server server = sf.create();
        logger.info("Started RESTful Agent at: "
            + server.getEndpoint().getEndpointInfo().getAddress());
        return (JettyHTTPDestination) server.getDestination();
    }
 
These are the logs which were generated during the execution of the above code:

[2019-07-03T07:37:33,324-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - before Starting RESTful Agent
[2019-07-03T07:37:33,396-0500] INFO [main] org.apache.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://localhost:9091/SnapCreator/
[2019-07-03T07:37:33,503-0500] INFO [main] org.eclipse.jetty.util.log - Logging initialized @2814ms to org.eclipse.jetty.util.log.Slf4jLog
[2019-07-03T07:37:33,566-0500] INFO [main] org.eclipse.jetty.server.Server - jetty-9.4.18.v20190429; built: 2019-04-29T20:42:08.989Z; git: e1bc35120a6617ee3df052294e433f3a25ce7097; jvm 8.0.5.21 - pap6480sr5fp21-20180830_01(SR5 FP21)
[2019-07-03T07:37:33,746-0500] WARN [main] org.eclipse.jetty.util.ssl.SslContextFactory - No supported ciphers from 
[TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, 
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, 
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, 
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, 
SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, 
SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, 
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, 
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, 
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, 
SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, 
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, 
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_GCM_SHA384, 
SSL_DH_anon_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_CBC_SHA256, 
SSL_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_256_CBC_SHA, 
SSL_DH_anon_WITH_AES_128_CBC_SHA256, SSL_ECDH_anon_WITH_AES_128_CBC_SHA, 
SSL_DH_anon_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA,