You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Freeman Yue Fang (Jira)" <ji...@apache.org> on 2020/11/04 19:03:00 UTC
[jira] [Resolved] (CXF-8363) Jetty certificate hot reload throws exception due to usage of depreciated SslContextFactory

     [ https://issues.apache.org/jira/browse/CXF-8363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Yue Fang resolved CXF-8363.
-----------------------------------
    Fix Version/s: 3.3.9
                   3.4.2
       Resolution: Fixed

> Jetty certificate hot reload throws exception due to usage of depreciated SslContextFactory
> -------------------------------------------------------------------------------------------
>
>                 Key: CXF-8363
>                 URL: https://issues.apache.org/jira/browse/CXF-8363
>             Project: CXF
>          Issue Type: Improvement
>            Reporter: Fadi Mohsen
>            Assignee: Freeman Yue Fang
>            Priority: Minor
>             Fix For: 3.4.2, 3.3.9
>
>
> When attempting hot reload of certificate using Jetty:s 
> {noformat}
>             JettyHTTPDestination destination = (JettyHTTPDestination) server.getDestination();
>             JettyHTTPServerEngine engine = (JettyHTTPServerEngine) destination.getEngine();
>             Collection<ConnectionFactory> connectionFactories = engine.getServer().getConnectors()[0].getConnectionFactories();
>             SslConnectionFactory connectionFactory = (SslConnectionFactory) connectionFactories.stream().filter(cf -> cf instanceof SslConnectionFactory)
>                     .findFirst()
>                     .get();
>             SslContextFactory sslContextFactory = connectionFactory.getSslContextFactory();
>             sslContextFactory.reload(ssf -> {
>                 ssf.setSslContext(null);
>                 ssf.setKeyStore(certStore.getKeyStore());
>                 ssf.setKeyStorePassword(new String(certStore.getKeyPassword()));
>             });{noformat}
> I got this exception:
> {noformat}
> java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
>    at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1277)
>    at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1259)
>    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
>    at org.eclipse.jetty.util.ssl.SslContextFactory.reload(SslContextFactory.java:1990){noformat}
> After reading on the issue, it turned out that CXF´s JettyHTTPServerEngine is using the deprecated :
> [see createConnector function |https://github.com/apache/cxf/blob/master/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java#L628]
> {noformat}
> createConnector-> sslcf = new SslContextFactory(){noformat}
>  
> whereas it should been using:
> {noformat}
> sslcf = new SslContextFactory.Server(){noformat}
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)