Re: Jetty and the Invalid SNI
I was running into this issue as well, while upgrading to Camel 4 when using the Jetty component. I had a bunch of tests using a self-signed certificate with localhost. This is not allowed anymore for SNI.

In Jetty 12 there are several ways to turn it off. For example, in Spring Boot config (application-dev.yml):

    server:
      jetty:
        ssl:
          sniRequired: false
          sniHostCheck: false
        sslContext:
          sniRequired: false

Or programmatically:

    HttpConfiguration httpConfiguration = new HttpConfiguration();
    SecureRequestCustomizer customizer = new SecureRequestCustomizer();
    customizer.setSniHostCheck(false);
    httpConfiguration.addCustomizer(customizer);
    HttpConnectionFactory httpConnection = new HttpConnectionFactory(httpConfiguration);

This however has no effect on the Jetty component in Camel. This is for example because the HttpConfiguration class is used from Apache Common, and not the Jetty HttpConfiguration class. Would be nice if HTTPConfiguration common would support it or that the Jetty component supports this as a query parameter. Easier for local testing.

Raymond

On Thu, Sep 21, 2023 at 5:38 PM Mattern, Alex wrote:
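As an added example, not code from the thread nor from Camel or Jetty: the wiring Raymond's snippet stops short of (attaching the SecureRequestCustomizer to an HTTPS connector, which is what Fyodor asks about), combined with a pre-flight check that the keystore carries a SAN for localhost, the durable fix Alex recommends instead of relaxing the check. It is plain embedded Jetty 12 rather than the Camel Jetty component; the class name LocalTlsServer, the keystoreCoversHost helper and the dev.disableSniHostCheck system property are assumptions, and the keystore property names mirror the ones used in the thread.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Hypothetical class; plain embedded Jetty 12, not the Camel Jetty component.
public class LocalTlsServer {

    // Pre-flight check: does any certificate in the keystore carry a dNSName SAN (type 2) for host?
    static boolean keystoreCoversHost(KeyStore ks, String host) throws Exception {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate x509)) continue;
            Collection<List<?>> sans = x509.getSubjectAlternativeNames();
            if (sans == null) continue;
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase((String) san.get(1))) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed system properties, named after the properties used in the thread.
        String host = "localhost";
        String storePass = System.getProperty("keystorePassword", "defaultPassword");
        KeyStore ks = KeyStore.getInstance(System.getProperty("keystoreType", "jks"));
        try (InputStream in = Files.newInputStream(Path.of(System.getProperty("keystoreFile", "sborex.jks")))) {
            ks.load(in, storePass.toCharArray());
        }
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStore(ks);
        ssl.setKeyManagerPassword(System.getProperty("keyPassword", storePass));

        // The SNI host check stays on (Jetty's default) unless the developer explicitly relaxes it;
        // either way the keystore gap behind "400: Invalid SNI" is reported, so the lasting fix stays visible.
        boolean relaxForDev = Boolean.getBoolean("dev.disableSniHostCheck");
        if (!keystoreCoversHost(ks, host)) {
            System.err.println("Keystore has no SAN for " + host + (relaxForDev
                    ? ": SNI host check disabled for this dev run only."
                    : ": expect 400: Invalid SNI. Re-issue the cert with a SAN for " + host + "."));
        }
        HttpConfiguration httpConfig = new HttpConfiguration();
        SecureRequestCustomizer src = new SecureRequestCustomizer();
        src.setSniHostCheck(!relaxForDev);
        httpConfig.addCustomizer(src);

        // The wiring the thread asks about: the customizer reaches Jetty through the HttpConnectionFactory
        // placed after the TLS connection factory on the connector.
        Server server = new Server();
        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpConfig));
        https.setPort(8443);
        server.addConnector(https);
        server.start();
    }
}
```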
RE: Jetty and the Invalid SNI
Fyodor,

Assuming all testers have the same or a small number of for their localhost, you can create one keystore for testing and have it packaged with the tests.
--
Alex

Alex Mattern | AVP | Infomediary Architect | Investor Services
BROWN BROTHERS HARRIMAN
50 Post Office Square, Boston, MA 02110
T 617-772-0096 | M 857-283-3724 | alex.matt...@bbh.com
www.bbh.com

-----Original Message-----
From: Fyodor Kravchenko
Sent: Thursday, September 21, 2023 10:48 AM
To: users@camel.apache.org
Subject: [EXTERNAL SENDER:] Re: Jetty and the Invalid SNI
Re: Jetty and the Invalid SNI
Hi, thank you,

seems no-one will be able to test my app without the hassle of creating their own keystore, right?

/fedd

On 21.09.2023 17:13, Mattern, Alex wrote:
RE: Jetty and the Invalid SNI
On converting from Camel 3.x to 4.x:

1. You should get the canonicalHostName

    import java.net.InetAddress;
    import java.net.UnknownHostException;
    public static String getHostName() {
        try {
            return InetAddress.getLocalHost().getCanonicalHostName();
        } catch (UnknownHostException e) {
            // The local host name could not be resolved; fail loudly rather than return null.
            throw new IllegalStateException("Cannot resolve local host name", e);
        }
    }

2. You should update your keystore to accept the localhost. Change the CN to *..com. Change the SAN to www..com. If you have multiple then you will make multiple entries in the keystore.
--
Alex

-----Original Message-----
From: Fyodor Kravchenko
Sent: Thursday, September 21, 2023 9:35 AM
To: users@camel.apache.org
Subject: [EXTERNAL SENDER:] Re: Jetty and the Invalid SNI

*** IMPORTANT NOTE *** The opinions expressed in this message and/or any attachments are those of the author and not necessarily those of Brown Brothers Harriman & Co., its subsidiaries and affiliates ("BBH"). There is no guarantee that this message is either private or confidential, and it may have been altered by unauthorized sources without your or our knowledge. Nothing in the message is capable or intended to create any legally binding obligations on either party and it is not intended to provide legal advice. BBH accepts no responsibility for loss or damage from its use, including damage from virus.
Re: Jetty and the Invalid SNI
Hello,

I don't really want to use Jetty, but I'm currently migrating my project that uses Jetty from Camel 2 via 3 to 4. I'll be able to use something different when it starts working with Jetty so I'm able to fix every other functionality before switching to a different web server.
Unfortunately I don't use Spring or Quarkus, but it has to be able to run standalone for the time being. I'm looking into Undertow because it offers the websockets like Jetty seemed to offer previously, but first I have to make Jetty work.

On 21.09.2023 11:32, Claus Ibsen wrote:
Re: Jetty and the Invalid SNI
Hi

Do you really need to use Jetty? If you use Spring Boot or Quarkus they come with an HTTP server which you can configure for TLS/SSL more easily than Jetty.

On Mon, Sep 18, 2023 at 12:30 PM Fyodor Kravchenko wrote:

> Hello,
>
> I'm missing how I set up the new Jetty in Camel 4 to let me access the localhost via SSL while developing or when needed for other purposes. I'm getting the "org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI" error.
>
> I'm configuring the SSL as the following:
>
>     JettyHttpComponent jetty = _camel.getComponent(JETTY, JettyHttpComponent.class);
>
>     // ssl
>     File keyStoreFile = new File(_properties.getProperty("keystoreFile", "sborex.jks"));
>     if (keyStoreFile.exists()) {
>         String keystorePassword = _properties.getProperty("keystorePassword", "defaultPassword");
>         SSLContextParameters scp = new SSLContextParameters();
>         KeyStoreParameters ksp = new KeyStoreParameters();
>         try (var stream = Files.newInputStream(Path.of(keyStoreFile.getPath()))) {
>             KeyStore ks = KeyStore.getInstance(_properties.getProperty("keystoreType", "jks"));
>             ks.load(stream, keystorePassword.toCharArray());
>             ksp.setKeyStore(ks);
>         } catch (Exception e) {
>             throw new RuntimeException(e);
>         }
>
>         KeyManagersParameters kmp = new KeyManagersParameters();
>         kmp.setKeyStore(ksp);
>         kmp.setKeyPassword(_properties.getProperty("keyPassword"));
>         scp.setKeyManagers(kmp);
>         SecureRequestCustomizer src = new SecureRequestCustomizer(false);
>         src.setSniRequired(false); // found this in StackOverflow. Now what?
>         jetty.setSslContextParameters(scp);
>     }
>
> I've read somewhere that we have to switch off the SNI check for Jetty through some Secure Request Customizer, but I fail to understand how I pass it to the Jetty server; or maybe there is a more generic API for doing that through the JSSE?
> https://camel.apache.org/manual/camel-configuration-utilities.html
>
> Thanks!

--
Claus Ibsen - @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2