Bug#922981: tagging 922981 (ca-certificates-java: /etc/ca-certificates/update.d/jks-keystore doesn't update /etc/ssl/certs/java/cacerts)

2021-04-08 Thread Julien Cristau
I've started to look at it, I'm afraid building up context on this
stuff to understand what it's doing is going to take a while...

Cheers,
Julien

On Tue, Apr 06, 2021 at 10:31:51PM +0200, Ivo De Decker wrote:
> Hi Julien,
> 
> Do you have any comment on the merge request Andreas submitted to
> ca-certificates, to allow breaking the dependency cycle in
> ca-certificates-java (see mail quoted below, from #922981)?
> 
> Thanks,
> 
> Ivo
> 
> On Fri, Mar 19, 2021 at 03:04:35AM +0100, Andreas Beckmann wrote:
> > On Thu, 11 Mar 2021 09:11:37 +0100 Paul Gevers  wrote:
> > > Is it possible that we get this uploaded soon? If you have the fix
> > > ready, it would be good to have it sooner rather than later as we're in
> > > the freeze, so it gets a bit of exposure.
> > 
> > I'd like to get some maintainer feedback on
> > 
> > https://salsa.debian.org/java-team/ca-certificates-java/-/merge_requests/5
> > 
> > https://salsa.debian.org/debian/ca-certificates/-/merge_requests/6
> > 
> > I have now run some tests in my piuparts instance by injecting these
> > packages into buster->bullseye upgrades and have not observed any upgrade
> > issues related to ca-certificates-java.
> > 
> > 
> > Andreas
> > 
> 

--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#940170: buster-pu: package trapperkeeper-webserver-jetty9-clojure/1.7.0-2+deb10u1

2019-09-13 Thread Julien Cristau
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

A jetty9 update broke trapperkeeper-webserver-jetty9-clojure, and as a
result puppetdb, in buster (bug#924005).  This is a minimal fix on the
trapperkeeper-webserver-jetty9-clojure side to work around the breakage.
This has been confirmed to work in sid/bullseye (1.7.0-3).

For the trapperkeeper-webserver-jetty9-clojure maintainers, I pushed the
change to:
https://salsa.debian.org/jcristau/trapperkeeper-webserver-jetty9-clojure/commits/debian/buster

Cheers,
Julien

diff --git a/debian/changelog b/debian/changelog
index 3bfef40..3d8b882 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1) buster; urgency=medium
+
+  [ Manfred Stock ]
+  * Add patch for SSL compatibility with newer Jetty (closes: #930562).
+
+ -- Julien Cristau   Fri, 13 Sep 2019 11:00:50 +0200
+
 trapperkeeper-webserver-jetty9-clojure (1.7.0-2) unstable; urgency=medium
 
   * Fix compatibility with Jetty 9.4
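Review bot: the changelog entry closes #930562, but the cover mail above describes the breakage as bug#924005; confirm which bug this upload should close (or list both, e.g. `(closes: #924005, #930562)`) so the BTS is notified correctly when the package reaches buster. It would also help to name the patch file being added (0005-maint-Disable-EndpointIdentification.patch) in the entry, so the change is traceable from the changelog alone.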
diff --git a/debian/patches/0005-maint-Disable-EndpointIdentification.patch 
b/debian/patches/0005-maint-Disable-EndpointIdentification.patch
new file mode 100644
index 000..39890d7
--- /dev/null
+++ b/debian/patches/0005-maint-Disable-EndpointIdentification.patch
@@ -0,0 +1,46 @@
+From 9db4170381e07165078e544340e12b38676c2613 Mon Sep 17 00:00:00 2001
+From: Justin Stoller 
+Date: Fri, 24 May 2019 16:10:44 -0700
+Subject: [PATCH] (maint) Disable EndpointIdentification
+
+Previously, Jetty disabled Endpoint Identification by default as it is a best
+practice for most webservers who often cannot identify clients
+connecting to it. However, in 9.4.15 Jetty changed this default to
+"HTTPS", which is the best practice for _client_ SslContexts. This
+caused serious breakages throughout the Jetty ecosystem and since 9.4.16
+Jetty introduced static inner classes of SslContextFactory, named Server
+and Client, to create the correct contexts for each type of consumer.
+
+Unfortunately, because we subclass SslContextFactory with our own
+InternalSslContextFactory that overrides CRL handling, using these static
+inner class factories is problematic. Consequently, this patch takes the
+approach of simply setting the Endpoint Identification Algorithm to null
+as was previously the default (and necessary in most server
+environments).
+
+This will cause a warning of overriding a deprecated method during
+compilation in newer Java versions and our approach to handling CRLs
+will need to be reworked should we use this codebase as a basis for a
+trapperkeeper-webserver-jetty10 project.
+
+For more info see linked issues to the implementing PR here:
+https://github.com/eclipse/jetty.project/pull/3480/files#diff-58640db0f8f2cd84b7e653d1c1540913
+---
+ src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj 
b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+index 3a577bb..02e7c7d 100644
+--- a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
 b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+@@ -197,6 +197,7 @@
+   (.setKeyStore (:keystore keystore-config))
+   (.setKeyStorePassword (:key-password keystore-config))
+   (.setTrustStore (:truststore keystore-config))
++  (.setEndpointIdentificationAlgorithm nil)
+   ;; Need to clear out the default cipher suite exclude list 
so
+   ;; that Jetty doesn't potentially remove one or more ciphers
+   ;; that we want to be included.
+-- 
+2.20.1
+
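Review bot: `(.setEndpointIdentificationAlgorithm nil)` disables hostname verification for every SSLEngine created from this SslContextFactory. That is the intended server-side behaviour the commit message describes, but the patch header does not say whether the factory configured in jetty9_core.clj around line 197 is also used for outbound (client) connections; if it is, those connections would silently stop checking the peer certificate against the hostname. Suggest stating in the patch description that this factory only backs the server listener, or restricting the change to the server path. A DEP-3 `Origin:` line pointing at the upstream commit (9db4170) would also make the provenance visible without reading the body, and since the hunk at `@@ -197,6 +197,7 @@` sits in the same SSL setup that the existing jetty-9.4-compat patch modifies, a build on buster should confirm it still applies cleanly on top of it.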
diff --git a/debian/patches/series b/debian/patches/series
index cfdab48..1d6304e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ jetty-9.4-compat
 0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch
 0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch
 0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch
+0005-maint-Disable-EndpointIdentification.patch
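Review bot: appending 0005 at the end of series is the right position, since it has to apply after jetty-9.4-compat, which already touches the same Jetty SSL configuration in jetty9_core.clj; the gap in numbering (no 0002) is pre-existing and not introduced here.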
