Posted to issues@camel.apache.org by "Claus Ibsen (JIRA)" <ji...@apache.org> on 2017/07/01 07:25:02 UTC

[jira] [Updated] (CAMEL-11482) SSLContextParameters settings are not properly copied to SslContextFactory

     [ https://issues.apache.org/jira/browse/CAMEL-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claus Ibsen updated CAMEL-11482:
--------------------------------
    Fix Version/s: 2.20.0
                   2.19.2

> SSLContextParameters settings are not properly copied to SslContextFactory
> --------------------------------------------------------------------------
>
>                 Key: CAMEL-11482
>                 URL: https://issues.apache.org/jira/browse/CAMEL-11482
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-jetty
>    Affects Versions: 2.19.0, 2.19.1
>         Environment: Mac OS X, Java 8 Update 131
> Ubuntu 14.04 LTS, Java 8 Update 111
> Camel 2.19.0
> Jetty9 9.4.5v20170502 and 9.3.14.v20161028
>            Reporter: Roman Vottner
>            Priority: Critical
>             Fix For: 2.19.2, 2.20.0
>
>
> Jetty 9.3+ now excludes insecure ciphers whose names end in either MD5, SHA or SHA1 by default. This will, however, remove all ciphers that are used by either TLSv1 or TLSv1.1, and thus no ciphers remain to agree on for TLSv1 or TLSv1.1 connection attempts. (Further reading: https://github.com/eclipse/jetty.project/issues/860)
> The Jetty 9 SSL configuration documentation (https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html) states that these excluded cipher suites can be customized by providing one's own exclusion list. Specifying SSLContextParameters like below, however, does not correctly propagate these excluded cipher suites to Jetty's SslContextFactory, which therefore keeps the default setting that prevents TLSv1 and TLSv1.1 connections.
> {code:title=SSLContextParameters Spring Config|borderStyle=solid}
> import java.net.URL;
> import java.util.Arrays;
> import java.util.List;
>
> import org.apache.camel.util.jsse.FilterParameters;
> import org.apache.camel.util.jsse.KeyManagersParameters;
> import org.apache.camel.util.jsse.KeyStoreParameters;
> import org.apache.camel.util.jsse.SSLContextParameters;
> import org.apache.camel.util.jsse.SecureSocketProtocolsParameters;
> import org.springframework.beans.factory.annotation.Autowired;
> import org.springframework.context.annotation.Bean;
> import org.springframework.context.annotation.Configuration;
> import org.springframework.core.env.Environment;
>
> // Enclosing @Configuration class and Environment wiring added so the bean method compiles on its own
> @Configuration
> public class SslConfig {
>
>   @Autowired
>   private Environment env;
>
>   @Bean(name = "sslContextParameters")
>   public SSLContextParameters sslContextParameters() {
>     // keystore location and passwords come from application properties
>     String keyStore = env.getProperty("ssl.keyStore.resource");
>     URL keyStoreUrl = this.getClass().getResource(keyStore);
>     // http://camel.apache.org/jetty.html
>     KeyStoreParameters ksp = new KeyStoreParameters();
>     ksp.setResource(keyStoreUrl.getPath());
>     ksp.setPassword(env.getProperty("ssl.keyStore.password"));
>     KeyManagersParameters kmp = new KeyManagersParameters();
>     kmp.setKeyStore(ksp);
>     kmp.setKeyPassword(env.getProperty("ssl.key.password"));
>     SSLContextParameters scp = new SSLContextParameters();
>     scp.setKeyManagers(kmp);
>     // Jetty 9.3+ supports only TLSv1.2 by default, hence clients not supporting this protocol will fail
>     List<String> supportedSslProtocols = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2");
>     SecureSocketProtocolsParameters protocolsParameters = new SecureSocketProtocolsParameters();
>     protocolsParameters.setSecureSocketProtocol(supportedSslProtocols);
>     scp.setSecureSocketProtocols(protocolsParameters);
>     // TLS 1.0 / 1.1 have been disabled by jetty 9.3
>     // this is a first attempt to re-enable them
>     // see
>     // - https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html
>     // - https://github.com/eclipse/jetty.project/issues/860
>     // - http://camel.apache.org/camel-configuration-utilities.html
>     // include everything, then drop only *_MD5 and *_SHA1 (Jetty's default also drops *_SHA)
>     FilterParameters cipherParameters = new FilterParameters();
>     cipherParameters.getInclude().add(".*");
>     cipherParameters.getExclude().add("^.*_(MD5|SHA1)$");
>     scp.setCipherSuitesFilter(cipherParameters);
>     return scp;
>   }
> }
> {code}
> A workaround is to use a custom JettyHttpComponent9 implementation that sets the excludedCipherSuites manually, as depicted below:
> {code:title=Workaround|borderStyle=solid}
> import org.apache.camel.component.jetty.JettyHttpEndpoint;
> import org.apache.camel.component.jetty9.JettyHttpComponent9;
> import org.eclipse.jetty.server.AbstractConnector;
> import org.eclipse.jetty.server.Server;
> import org.eclipse.jetty.util.ssl.SslContextFactory;
>
> /**
>  * A custom jetty http component which explicitly sets the excludedCipherSuites during creation of
>  * the jetty connector.
>  *
>  * Why? It seems Camel does not push included/excluded cipherSuites from {@link
>  * SSLContextParameters} to the {@link SslContextFactory}, nor does it push explicitly listed cipher
>  * suites (i.e. like <em>TLS_RSA_WITH_AES_256_CBC_SHA</em>) to the Jetty SSL context factory.
>  *
>  * Register an instance of this class as the bean named "jetty" so that Camel resolves it
>  * instead of the stock component.
>  */
> public class HackedJettyHttpComponent extends JettyHttpComponent9 {
>   @Override
>   protected AbstractConnector createConnectorJettyInternal(Server server,
>                                                            JettyHttpEndpoint endpoint,
>                                                            SslContextFactory sslcf) {
>     // replaces Jetty's default exclusion list entirely, so *_SHA suites are offered again
>     sslcf.setExcludeCipherSuites("^.*_(MD5|SHA1)$");
>     return super.createConnectorJettyInternal(server, endpoint, sslcf);
>   }
> }
> {code}
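The effect of the exclusion patterns discussed in the report, shown as an added example that is not part of the report nor of Camel or Jetty. It applies an include/exclude regex filter, in the full-match style both Camel's FilterParameters and Jetty's SslContextFactory use, to a constructed list of JSSE cipher-suite names. The "Jetty-style default" pattern is the one the report attributes to Jetty 9.3+; the "hardened" list is an assumed variant suggested here, not from the report. The rule that only suites named *_SHA or *_MD5 can be negotiated below TLS 1.2 is a simplification (it ignores the JVM's own enabled-suite policy). The point it makes beyond the report: the reporter's narrower pattern `^.*_(MD5|SHA1)$` does bring back the *_SHA suites TLSv1/TLSv1.1 need, but on its own it also re-admits NULL, anonymous, RC4 and SSL_* suites if the JVM still offers them.

```python
"""Cipher-suite include/exclude filtering, as Camel's FilterParameters and
Jetty's SslContextFactory apply it: a suite survives only if it fully
matches an include pattern and matches no exclude pattern."""
import re

# Constructed sample of JSSE suite names for the demo (real names, but the
# list is hand-picked here, not taken from the bug report or from a JVM).
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
]

# The exclusion the report attributes to Jetty 9.3+ by default.
JETTY_STYLE_DEFAULT_EXCLUDE = [r"^.*_(MD5|SHA|SHA1)$"]
# The reporter's replacement: keep *_SHA suites, still drop *_MD5 and *_SHA1.
REPORTER_EXCLUDE = [r"^.*_(MD5|SHA1)$"]
# Assumed hardened variant (not from the report): re-admit *_SHA suites but
# still drop NULL, anonymous, RC4, 3DES and SSLv3-era suites the JVM may offer.
HARDENED_EXCLUDE = REPORTER_EXCLUDE + [
    r"^.*_NULL_.*$", r"^.*_anon_.*$", r"^.*_RC4_.*$", r"^.*_3DES_.*$", r"^SSL_.*$",
]


def filter_suites(suites, include=(r".*",), exclude=()):
    """Apply include then exclude patterns; a pattern must match the whole
    name (Java's Matcher.matches(), i.e. Python's re.fullmatch)."""
    inc = [re.compile(p) for p in include]
    exc = [re.compile(p) for p in exclude]
    return [s for s in suites
            if any(r.fullmatch(s) for r in inc)
            and not any(r.fullmatch(s) for r in exc)]


def usable_below_tls12(suites):
    """Suites a TLSv1/TLSv1.1 handshake can negotiate at all.

    TLS 1.0 and 1.1 only define suites whose record MAC is HMAC-SHA1 or
    HMAC-MD5 (JSSE names ending in _SHA or _MD5); SHA256/SHA384 HMAC suites
    and AEAD (GCM) suites exist only from TLS 1.2 on.  Simplification: the
    JVM's own enabled-suite policy is not modelled here.
    """
    return [s for s in suites if s.endswith(("_SHA", "_MD5"))]


def compare(exclude_patterns):
    """Return (surviving suites, those still usable for TLSv1/TLSv1.1)."""
    kept = filter_suites(SAMPLE_SUITES, exclude=exclude_patterns)
    return kept, usable_below_tls12(kept)


if __name__ == "__main__":
    for label, patterns in [("jetty-style default", JETTY_STYLE_DEFAULT_EXCLUDE),
                            ("reporter's exclude", REPORTER_EXCLUDE),
                            ("hardened exclude", HARDENED_EXCLUDE)]:
        kept, legacy = compare(patterns)
        print(f"{label}: {len(kept)} suites kept, {len(legacy)} usable below TLS 1.2")
        for s in legacy:
            print("   ", s)
```

With the Jetty-style default nothing usable below TLS 1.2 survives, which is the failure the report describes; the reporter's pattern leaves seven such suites, including the NULL and anonymous ones; the hardened list leaves only the AES-CBC-SHA suites. The same check can be run against a real JVM by replacing SAMPLE_SUITES with the output of SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites().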



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)