I am using Camel version 2.9.1. We have routes that receive requests on the Camel servlet component and, using the Camel jetty provider option, we forward those requests to various REST providers. We also have a FIPS TLS requirement to satisfy.

To satisfy the above-stated requirement, I set the client parameters' secure protocols to the following. I tried both the Spring config and the JSSE configuration; both seem not to be working.

Configured spring configuration :
--------------------

    <camel:camelContext id="fdx_routes_ctx">
      <camel:packageScan>
        <camel:package>com.cgi.fdx.route</camel:package>
      </camel:packageScan>
      <camel:routeBuilder ref="momentumRoutes" />
    </camel:camelContext>

    <camel:sslContextParameters id="fdxSSLContextParameters">
      <camel:clientParameters>
        <camel:secureSocketProtocols>
          <camel:secureSocketProtocol>SSLv3</camel:secureSocketProtocol>
          <camel:secureSocketProtocol>TLSv1</camel:secureSocketProtocol>
        </camel:secureSocketProtocols>
      </camel:clientParameters>
    </camel:sslContextParameters>

    <bean id="momentumRoutes" class="com.cgi.fdx.route.FDXRoutes"/>

We use the Java DSL, and in the FDXRoutes Java class we tried referring to fdxSSLContextParameters using the sslContextParametersRef option in the jetty URL. Following are the samples.

From URL:
---------------

    servlet://Mom/Vendor/?matchOnUriPrefix=true&disableStreamCache=true&traceEnabled=true

To URL:
-------------

    jetty:https://MYHOST:6081/FDX/Mom/Vendor/?sslContextParametersRef=fdxSSLContextParameters&bridgeEndpoint=true&throwExceptionOnFailure=false

Option 2: So I tried setting the clientParameters parameters the Java way.

    // Imports needed at the top of FDXRoutes.java:
    import org.apache.camel.component.jetty.JettyHttpComponent;
    import org.apache.camel.util.jsse.SSLContextClientParameters;
    import org.apache.camel.util.jsse.SSLContextParameters;
    import org.apache.camel.util.jsse.SecureSocketProtocolsParameters;

    public void configure() throws Exception {
        SSLContextParameters scp = new SSLContextParameters();
        SSLContextClientParameters clientParameters = new SSLContextClientParameters();

        // Protocols the client side is meant to be limited to
        SecureSocketProtocolsParameters secureSocketProtocols = new SecureSocketProtocolsParameters();
        secureSocketProtocols.getSecureSocketProtocol().add("TLSv1");
        secureSocketProtocols.getSecureSocketProtocol().add("SSLv3");
        clientParameters.setSecureSocketProtocols(secureSocketProtocols);
        scp.setClientParameters(clientParameters);

        // Set the parameters on the shared jetty component instead of per endpoint
        JettyHttpComponent jettyComponent = getContext().getComponent("jetty", JettyHttpComponent.class);
        jettyComponent.setSslContextParameters(scp);
    }

and used the above-stated from and to URLs.

Unfortunately, none of the approaches worked.

Error
-------

The SSL handshake is trying to send a message on SSLv2Hello, which is not supported in FIPS; that's why I want to have control over the secure protocols.

Does anyone know if this option works in Camel 2.9.1? Any help appreciated.

Thanks,
DVS

Error Log
---------

    12:38:15,468 INFO [stdout] (CamelJettyClient(0x674d26c7)-102 Selector0) Compression Methods: { 0 }
    12:38:15,469 INFO [stdout] (CamelJettyClient(0x674d26c7)-102 Selector0) Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
    12:38:15,470 INFO [stdout] (CamelJettyClient(0x674d26c7)-102 Selector0) Extension ec_point_formats, formats: [uncompressed]
    12:38:15,471 INFO [stdout] (CamelJettyClient(0x674d26c7)-102 Selector0) ***
    12:38:15,471 INFO [stdout] (CamelJettyClient(0x674d26c7)-102 Selector0) CamelJettyClient(0x674d26c7)-102 Selector0, WRITE: TLSv1 Handshake, length = 177
    12:38:15,472 INFO [stdout] (CamelJettyClient(0x674d26c7)-102 Selector0) CamelJettyClient(0x674d26c7)-102 Selector0, WRITE: SSLv2 client hello message, length = 173
    12:38:15,499 INFO [stdout] (http--0.0.0.0-6081-1) http--0.0.0.0-6081-1, handling exception: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
    12:38:15,500 INFO [stdout] (http--0.0.0.0-6081-1) http--0.0.0.0-6081-1, SEND TLSv1 ALERT: fatal, description = handshake_failure

--
View this message in context: http://camel.465427.n5.nabble.com/Jetty-component-sslContextParametersRef-is-not-working-tp5723840.html
Sent from the Camel - Users mailing list archive at Nabble.com.
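
An added diagnostic, not part of the original post and not Camel code: JSSE writes the SSLv2-format client hello seen in the log only when the SSLv2Hello pseudo-protocol is among the client engine's enabled protocols. Using only the standard JSSE API, this sketch prints what a client SSLEngine has enabled by default in the running JVM and then applies the allow-list from the post; the class name ClientProtocolCheck and the helper restrict() are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical diagnostic class; uses only the standard JSSE API.
public class ClientProtocolCheck {

    // Allow-list taken from the post's secureSocketProtocols configuration.
    static final List<String> WANTED = Arrays.asList("SSLv3", "TLSv1");

    // Keep only the wanted protocols that this JVM's provider supports,
    // so setEnabledProtocols() is never handed an unsupported name.
    static String[] restrict(SSLEngine engine, List<String> wanted) {
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> keep = new ArrayList<String>();
        for (String p : wanted) {
            if (supported.contains(p)) {
                keep.add(p);
            }
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException("none of " + wanted + " is supported");
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);      // default key and trust managers

        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);   // client role, as for the Jetty client

        // Before: depending on the JDK, this list may include SSLv2Hello.
        System.out.println("default enabled: "
                + Arrays.toString(engine.getEnabledProtocols()));

        engine.setEnabledProtocols(restrict(engine, WANTED));

        // After: the allow-list must have removed the SSLv2Hello pseudo-protocol.
        List<String> after = Arrays.asList(engine.getEnabledProtocols());
        System.out.println("after allow-list: " + after);
        if (after.contains("SSLv2Hello")) {
            throw new IllegalStateException("SSLv2Hello is still enabled");
        }
    }
}
```

Run it with the same JDK and security providers as the route's JVM: if the first line of output lists SSLv2Hello, any client engine that is left on its defaults will emit the hello format the FIPS server rejects.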