Posted to user@karaf.apache.org by Martin Lichtin via user <us...@karaf.apache.org> on 2022/07/18 13:15:23 UTC

Pax-Web - org.ops4j.pax.web.ssl.ciphersuites.excluded

Has anyone used Pax-Web settings

org.ops4j.pax.web.ssl.ciphersuites.excluded=
org.ops4j.pax.web.ssl.ciphersuites.included=

? I've tried, for example, to exclude all ciphers with

org.ops4j.pax.web.ssl.ciphersuites.excluded=.*

but it doesn't seem to have an effect.





Re: Pax-Web - org.ops4j.pax.web.ssl.ciphersuites.excluded

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello Martin

Whatever version of Pax Web you're using, mind that only the Jetty runtime
supports the "excluded" property, because there's no Tomcat/Undertow
equivalent of
org.eclipse.jetty.util.ssl.SslContextFactory#setExcludeCipherSuites().
Initially I thought it doesn't support regexps, but I was wrong. So in
theory, it should work...

regards
Grzegorz Grzybek

On Mon, 18 Jul 2022 at 15:15, Martin Lichtin via user <us...@karaf.apache.org>
wrote:

> Has anyone used Pax-Web settings
>
> org.ops4j.pax.web.ssl.ciphersuites.excluded=
> org.ops4j.pax.web.ssl.ciphersuites.included=
>
> ? I've tried, for example, to exclude all ciphers with
>
> org.ops4j.pax.web.ssl.ciphersuites.excluded=.*
>
> but it doesn't seem to have an effect.
>
>
>
>
>
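Grzegorz's remark that the Jetty runtime treats these values as regular expressions can be checked offline by modelling the selection. The Python below is an added example, not Pax Web or Jetty code: it models, as this editor reads the Jetty `SslContextFactory` source, the order in which include patterns are applied to the supported suites and exclude patterns are then removed (whole-string matching, the equivalent of Java's `Matcher.matches()`), assumes the two Pax Web properties are comma-separated pattern lists, and runs the original poster's `.*` exclusion over a constructed suite list. The suite list, `apply_pax_web_properties` and `demo` are this example's own.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample of what a JVM might report as supported suites. The names
# are real JSSE suite names, but the list itself is illustrative only.
SUPPORTED_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
]


def parse_property(value: str) -> List[str]:
    """Split a Pax Web ciphersuites property into regex patterns.

    Assumes a comma-separated list; an empty or blank value means "unset".
    """
    return [p.strip() for p in value.split(",") if p.strip()]


def select_cipher_suites(
    supported: Iterable[str],
    included: Iterable[str],
    excluded: Iterable[str],
    enabled: Optional[Iterable[str]] = None,
) -> List[str]:
    """Model (assumption) of Jetty SslContextFactory suite selection.

    1. With include patterns: walk them in order and collect every *supported*
       suite that fully matches (re.fullmatch, like Java's Matcher.matches()).
       Without include patterns: start from the JVM's *enabled* suites.
    2. Remove every collected suite that fully matches any exclude pattern.
    """
    supported = list(supported)
    enabled = list(enabled) if enabled is not None else supported
    included, excluded = list(included), list(excluded)

    if not included:
        selected = list(enabled)
    else:
        selected = []
        for pattern in included:
            regex = re.compile(pattern)
            matched = [s for s in supported if regex.fullmatch(s)]
            if not matched:
                # Jetty logs an info message in this situation; we just warn.
                print(f"warning: no supported suite matches include pattern {pattern!r}")
            selected.extend(matched)

    for pattern in excluded:
        regex = re.compile(pattern)
        selected = [s for s in selected if not regex.fullmatch(s)]
    return selected


def apply_pax_web_properties(
    included_value: str, excluded_value: str, supported: Iterable[str] = SUPPORTED_SUITES
) -> List[str]:
    """Apply org.ops4j.pax.web.ssl.ciphersuites.included/.excluded values."""
    return select_cipher_suites(
        supported, parse_property(included_value), parse_property(excluded_value)
    )


def demo() -> Dict[str, List[str]]:
    """Three configurations worth comparing, keyed by a short label."""
    return {
        # The original poster's experiment: excluding everything leaves no suite,
        # so if the property had taken effect no TLS handshake could succeed.
        "exclude everything": apply_pax_web_properties("", ".*"),
        # Drop the SSL_-prefixed and DES suites that Maurice's XML lists by name.
        "exclude legacy": apply_pax_web_properties("", "^SSL_.*$,^.*_DES_.*$"),
        # Allow-list ECDHE and TLS 1.3 suites, then strip any remaining CBC suite.
        "allow-list modern": apply_pax_web_properties(
            "^TLS_ECDHE_.*$, ^TLS_AES_.*$", "^.*_CBC_.*$"
        ),
    }


if __name__ == "__main__":
    for label, suites in demo().items():
        print(f"{label}: {suites}")
```

The useful observation is the first case: under this model `excluded=.*` does not merely trim the list, it empties it, and a server with no enabled suite cannot complete any handshake. "No visible effect" therefore means the property was not applied at all (wrong runtime, wrong file, stale configuration), not that the regex was ignored. The include patterns are matched against the supported suites, not the currently enabled ones, so an allow-list can re-enable a suite the JVM disables by default; keep an exclude pattern alongside it.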

RE: Pax-Web - org.ops4j.pax.web.ssl.ciphersuites.excluded

Posted by Maurice Betzel <m....@gaston-schul.com>.
No, I have not. But if you are using Jetty you can redirect the socket configuration to the Jetty settings XML.

Add to org.ops4j.pax.web.cfg:

org.ops4j.pax.web.config.file = ${karaf.etc}/settings.xml

Within the XML you can declare and set up the Jetty beans:

        <New id="wansslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
            <Set name="KeyStorePath">
                <SystemProperty name="karaf.home"/>/etc/keystore/xyz.jks
            </Set>
            <Set name="KeyStorePassword">xxx</Set>
            <Set name="KeyManagerPassword">xxx</Set>
            <Set name="EndpointIdentificationAlgorithm"></Set>
            <Set name="NeedClientAuth">
                <Property name="jetty.ssl.needClientAuth" default="false"/>
            </Set>
            <Set name="WantClientAuth">
                <Property name="jetty.ssl.wantClientAuth" default="false"/>
            </Set>
            <!-- Disable SSLv3 to protect against POODLE bug -->
            <Set name="ExcludeProtocols">
                <Array type="java.lang.String">
                    <Item>SSLv3</Item>
                </Array>
            </Set>
            <Set name="ExcludeCipherSuites">
                <Array type="String">
                    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
...
                </Array>
            </Set>
        </New>



Has anyone used Pax-Web settings

org.ops4j.pax.web.ssl.ciphersuites.excluded=
org.ops4j.pax.web.ssl.ciphersuites.included=

? I've tried, for example, to exclude all ciphers with

org.ops4j.pax.web.ssl.ciphersuites.excluded=.*

but it doesn't seem to have an effect.






Re: Pax-Web - org.ops4j.pax.web.ssl.ciphersuites.excluded

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello

On Mon, 25 Jul 2022 at 13:53, Richard Hierlmeier <rh...@googlemail.com>
wrote:

> Thank you Grzegorz.
>
> That helps. I think for the test I have to set up an HTTP client that
> accepts only the supported ciphers.
>

Yes - you'd have to call `setCiphers()` somewhere here in the
SSLConnectionSocketFactoryBuilder:
https://github.com/ops4j/org.ops4j.pax.web/blob/web-8.0.6/pax-web-itest/pax-web-itest-utils/src/main/java/org/ops4j/pax/web/itest/utils/client/Hc5TestClient.java#L277

regards
Grzegorz Grzybek


>
> Regards
>
>    Richard
>
>
> On Mon, 25 Jul 2022 at 11:05, Grzegorz Grzybek <
> gr.grzybek@gmail.com> wrote:
>
>> Hello Richard,
>>
>> On Tue, 19 Jul 2022 at 08:08, Richard Hierlmeier <rh...@googlemail.com>
>> wrote:
>>
>>> I am using org.ops4j.pax.web.ssl.ciphersuites.included in Karaf 4.3.7
>>> and I think it was working.
>>> I tested it 2 months ago manually with the services of SSL Labs.
>>> I plan to implement an integration test that tests the correct SSL
>>> setup.
>>>
>>
>> Feel free to create a test based on
>> https://github.com/ops4j/org.ops4j.pax.web/blob/main/pax-web-itest/pax-web-itest-container/pax-web-itest-container-common/src/main/java/org/ops4j/pax/web/itest/container/httpservice/AbstractWebContainerSecuredIntegrationTest.java
>>
>> regards
>> Grzegorz Grzybek
>>
>>
>>>
>>> Regards
>>>   Richard
>>>
>>>
>>> On Mon, 18 Jul 2022 at 15:16, Martin Lichtin via user <
>>> user@karaf.apache.org> wrote:
>>>
>>>> Has anyone used Pax-Web settings
>>>>
>>>> org.ops4j.pax.web.ssl.ciphersuites.excluded=
>>>> org.ops4j.pax.web.ssl.ciphersuites.included=
>>>>
>>>> ? I've tried, for example, to exclude all ciphers with
>>>>
>>>> org.ops4j.pax.web.ssl.ciphersuites.excluded=.*
>>>>
>>>> but it doesn't seem to have an effect.
>>>>
>>>>
>>>>
>>>>
>>>>
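Richard's plan (a client that accepts only the suites the server is supposed to support) and Grzegorz's pointer to `setCiphers()` in the HttpClient 5 builder can also be exercised outside the Java test harness. The Python below is an added example, not Pax Web's Hc5TestClient or any project code: it restricts the client's offer with the standard library `ssl` module and probes a server twice, once with modern suites only (must succeed) and once with a single legacy CBC suite (must be refused). The host and port are placeholders for the HTTPS endpoint under test; the `cafile` parameter, `probe` and `check_server` are this example's own.

```python
import socket
import ssl
from typing import Dict, List, Optional, Tuple


def restricted_client_context(
    openssl_cipher_list: str, tls12_only: bool = False, cafile: Optional[str] = None
) -> ssl.SSLContext:
    """Client context that offers only the suites selected by an OpenSSL cipher string.

    set_ciphers() governs the TLS 1.2 suites only; OpenSSL's default TLS 1.3
    suites stay in the offer. A probe meant to exercise a *legacy* suite must
    therefore cap the protocol at TLS 1.2, otherwise a TLS 1.3 server simply
    picks an AEAD suite and the probe proves nothing about the legacy one.
    """
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile)  # trust the test server's own CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if tls12_only:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_cipher_list)  # ssl.SSLError if nothing matches
    return ctx


def cipher_string_is_valid(openssl_cipher_list: str) -> bool:
    """True if OpenSSL can select at least one suite from the cipher string."""
    try:
        restricted_client_context(openssl_cipher_list)
        return True
    except ssl.SSLError:
        return False


def offered_cipher_names(ctx: ssl.SSLContext) -> List[str]:
    """Suites the context will advertise, in OpenSSL naming (TLS 1.3 ones included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def non_aead_suites(ctx: ssl.SSLContext) -> List[str]:
    """Offered suites that are not AEAD, i.e. the CBC/HMAC constructions."""
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


def probe(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> Tuple[bool, str]:
    """One handshake attempt: (True, negotiated suite) or (False, failure reason).

    Only ssl.SSLError counts as "the server refused our offer"; a certificate
    verification failure surfaces the same way, so load the test CA via cafile.
    Plain socket errors (connection refused, timeout) propagate, so a test
    cannot pass by accident just because the server is not running.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.cipher()[0]
        except ssl.SSLError as exc:
            return False, exc.reason or str(exc)


def check_server(host: str, port: int, cafile: Optional[str] = None) -> Dict[str, Tuple[bool, str]]:
    """The two probes a cipher-suite integration test would run against a live server.

    Expected for a correctly restricted server:
      "modern" -> (True, <an ECDHE AES-GCM or TLS 1.3 suite>)
      "legacy" -> (False, <handshake failure reason>)
    """
    modern = restricted_client_context("ECDHE+AESGCM", cafile=cafile)
    legacy = restricted_client_context("AES128-SHA", tls12_only=True, cafile=cafile)
    return {"modern": probe(host, port, modern), "legacy": probe(host, port, legacy)}


if __name__ == "__main__":
    import sys

    # Hypothetical target; substitute the Karaf/Pax Web HTTPS endpoint under test.
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else ("localhost", 8443)
    for name, (ok, detail) in check_server(host, port).items():
        print(f"{name}: {'negotiated ' + detail if ok else 'refused (' + detail + ')'}")
```

The same two-sided check is what the Java test client needs: the positive probe alone only proves that some acceptable suite exists, while the negative probe, pinned to TLS 1.2 so that the TLS 1.3 suites cannot rescue it, is what shows the exclusion actually reached the server.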

Re: Pax-Web - org.ops4j.pax.web.ssl.ciphersuites.excluded

Posted by Richard Hierlmeier <rh...@googlemail.com>.
Thank you Grzegorz.

That helps. I think for the test I have to set up an HTTP client that
accepts only the supported ciphers.

Regards

   Richard


On Mon, 25 Jul 2022 at 11:05, Grzegorz Grzybek <
gr.grzybek@gmail.com> wrote:

> Hello Richard,
>
> On Tue, 19 Jul 2022 at 08:08, Richard Hierlmeier <rh...@googlemail.com>
> wrote:
>
>> I am using org.ops4j.pax.web.ssl.ciphersuites.included in Karaf 4.3.7 and
>> I think it was working.
>> I tested it 2 months ago manually with the services of SSL Labs.
>> I plan to implement an integration test that tests the correct SSL setup.
>>
>
> Feel free to create a test based on
> https://github.com/ops4j/org.ops4j.pax.web/blob/main/pax-web-itest/pax-web-itest-container/pax-web-itest-container-common/src/main/java/org/ops4j/pax/web/itest/container/httpservice/AbstractWebContainerSecuredIntegrationTest.java
>
> regards
> Grzegorz Grzybek
>
>
>>
>> Regards
>>   Richard
>>
>>
>> On Mon, 18 Jul 2022 at 15:16, Martin Lichtin via user <
>> user@karaf.apache.org> wrote:
>>
>>> Has anyone used Pax-Web settings
>>>
>>> org.ops4j.pax.web.ssl.ciphersuites.excluded=
>>> org.ops4j.pax.web.ssl.ciphersuites.included=
>>>
>>> ? I've tried, for example, to exclude all ciphers with
>>>
>>> org.ops4j.pax.web.ssl.ciphersuites.excluded=.*
>>>
>>> but it doesn't seem to have an effect.
>>>
>>>
>>>
>>>
>>>

Re: Pax-Web - org.ops4j.pax.web.ssl.ciphersuites.excluded

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello Richard,

On Tue, 19 Jul 2022 at 08:08, Richard Hierlmeier <rh...@googlemail.com>
wrote:

> I am using org.ops4j.pax.web.ssl.ciphersuites.included in Karaf 4.3.7 and
> I think it was working.
> I tested it 2 months ago manually with the services of SSL Labs.
> I plan to implement an integration test that tests the correct SSL setup.
>

Feel free to create a test based on
https://github.com/ops4j/org.ops4j.pax.web/blob/main/pax-web-itest/pax-web-itest-container/pax-web-itest-container-common/src/main/java/org/ops4j/pax/web/itest/container/httpservice/AbstractWebContainerSecuredIntegrationTest.java

regards
Grzegorz Grzybek


>
> Regards
>   Richard
>
>
> On Mon, 18 Jul 2022 at 15:16, Martin Lichtin via user <
> user@karaf.apache.org> wrote:
>
>> Has anyone used Pax-Web settings
>>
>> org.ops4j.pax.web.ssl.ciphersuites.excluded=
>> org.ops4j.pax.web.ssl.ciphersuites.included=
>>
>> ? I've tried, for example, to exclude all ciphers with
>>
>> org.ops4j.pax.web.ssl.ciphersuites.excluded=.*
>>
>> but it doesn't seem to have an effect.
>>
>>
>>
>>
>>

Re: Pax-Web - org.ops4j.pax.web.ssl.ciphersuites.excluded

Posted by Richard Hierlmeier <rh...@googlemail.com>.
I am using org.ops4j.pax.web.ssl.ciphersuites.included in Karaf 4.3.7 and I
think it was working.
I tested it 2 months ago manually with the services of SSL Labs.
I plan to implement an integration test that tests the correct SSL setup.

Regards
  Richard


On Mon, 18 Jul 2022 at 15:16, Martin Lichtin via user <
user@karaf.apache.org> wrote:

> Has anyone used Pax-Web settings
>
> org.ops4j.pax.web.ssl.ciphersuites.excluded=
> org.ops4j.pax.web.ssl.ciphersuites.included=
>
> ? I've tried, for example, to exclude all ciphers with
>
> org.ops4j.pax.web.ssl.ciphersuites.excluded=.*
>
> but it doesn't seem to have an effect.
>
>
>
>
>