Posted to issues@cxf.apache.org by "Freeman Fang (JIRA)" <ji...@apache.org> on 2019/07/03 15:07:00 UTC

[jira] [Commented] (CXF-8069) CXF does not allow to change default configuration of Jetty

    [ https://issues.apache.org/jira/browse/CXF-8069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16877910#comment-16877910 ] 

Freeman Fang commented on CXF-8069:
-----------------------------------

Hi naina.patidar@infobeans.com,

FYI, the http-jetty transport in CXF also calls Jetty's sslContextFactory.setExcludeCipherSuites method to exclude cipher suites; you can configure the cipher suites as described here: https://cxf.apache.org/docs/tls-configuration.html#TLSConfiguration-CipherSuitesFilter

You can configure per the above document and debug the code in org.apache.cxf.transport.http_jetty.JettyHTTPServerEngine.createSSLContext(SslContextFactory scf) to see how SslContextFactory.setExcludeCipherSuites gets invoked there.

Freeman

> CXF does not allow to change default configuration of Jetty
> -----------------------------------------------------------
>
>                 Key: CXF-8069
>                 URL: https://issues.apache.org/jira/browse/CXF-8069
>             Project: CXF
>          Issue Type: Bug
>         Environment: CXF : 3.2.7
> Jetty: 9.4.18v20190429
> Java : IBM Java 8
> Platform : AIX
>  
>            Reporter: Naina
>            Priority: Blocker
>
> Hi Team,
> We are using Apache CXF 3.2.7 and are seeking help to update Jetty's default configuration, which is being used by Apache CXF.
> CXF internally calls Jetty, and Jetty has a default configuration that excludes cipher suites which start with SSL_*. As all the TLS cipher suites of IBM Java 8 start with SSL_*, we are unable to establish a connection with Jetty using IBM Java 8. So the ask is: how can we update the default configuration of Jetty via CXF?
> We resolved the same issue on one of our servers with the help of the Jetty team, where we were creating the Jetty instance in our own code and were getting the warning "No supported ciphers from [ListOfAvailableCiphers]". They suggested adding a sslContextFactory.setExcludeCipherSuites(ListOfWeakCiphers) call while creating Jetty's instance, which actually overrides the default cipher suites excluded by Jetty.
> But in the current case, we just call CXF's JAXRSServerFactoryBean create() method, which internally calls Jetty and creates its instance with the default configuration. Here is the code snippet:
> import org.apache.cxf.endpoint.Server;
> import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
> import org.apache.cxf.transport.http_jetty.JettyHTTPDestination;
>
> private JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
>
> private JettyHTTPDestination startEndpoint() {
>     logger.info("before Starting RESTful Agent");
>     // sf.create() starts the embedded Jetty engine with CXF's default TLS settings
>     Server server = sf.create();
>     logger.info("Started RESTful Agent at: " + server.getEndpoint().getEndpointInfo().getAddress());
>     return (JettyHTTPDestination) server.getDestination();
> }
>  
> These are the logs which were generated during the execution of the above code:
> [2019-07-03T07:37:33,324-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - before Starting RESTful Agent
> [2019-07-03T07:37:33,396-0500] INFO [main] org.apache.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://localhost:9091/SnapCreator/
> [2019-07-03T07:37:33,503-0500] INFO [main] org.eclipse.jetty.util.log - Logging initialized @2814ms to org.eclipse.jetty.util.log.Slf4jLog
> [2019-07-03T07:37:33,566-0500] INFO [main] org.eclipse.jetty.server.Server - jetty-9.4.18.v20190429; built: 2019-04-29T20:42:08.989Z; git: e1bc35120a6617ee3df052294e433f3a25ce7097; jvm 8.0.5.21 - pap6480sr5fp21-20180830_01(SR5 FP21)
> [2019-07-03T07:37:33,746-0500] WARN [main] org.eclipse.jetty.util.ssl.SslContextFactory - No supported ciphers from [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_GCM_SHA384, SSL_DH_anon_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_CBC_SHA256, SSL_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_128_CBC_SHA256, SSL_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_RSA_WITH_NULL_SHA256, SSL_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, SSL_ECDH_ECDSA_WITH_NULL_SHA, SSL_ECDH_RSA_WITH_NULL_SHA, SSL_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, SSL_KRB5_WITH_DES_CBC_SHA, SSL_KRB5_WITH_DES_CBC_MD5]
> [2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@b3893135{ssl,[ssl, http/1.1]}{0.0.0.0:9091}
> [2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.Server - Started @3065ms
> [2019-07-03T07:37:33,772-0500] INFO [main] org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.h.ContextHandler@76c87ae8{/SnapCreator,null,AVAILABLE}
> [2019-07-03T07:37:33,772-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - Started RESTful Agent at: https://localhost:9091/SnapCreator/
> As you can see in the logs, Jetty shows the warning "No supported ciphers from [ListOfAvailableCiphers]". I tried to exclude ciphers by setting TLSServerParameters and excluding weak cipher suites, but it did not override the ciphers which are set in Jetty's default configuration.
> Can you please help to identify if there is any way to change the default configuration of Jetty through CXF.
> Please let me know if you need any more information.
> Thanks,
> Naina



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
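As an added example (not code from the issue, from Freeman's reply, or from the CXF project), the following shows the route Freeman points to: setting a cipherSuitesFilter on TLSServerParameters and registering it with the Jetty engine CXF uses for the port, so that the exclude list CXF computes from the filter is what reaches SslContextFactory.setExcludeCipherSuites rather than Jetty's built-in SSL_* exclusion. It also carries a small offline check of what the patterns leave of the SSL_-prefixed names from the warning. The port and address, the choice of exclude patterns, and the applyFilter method (assumed to mirror how CXF evaluates an include/exclude filter, kept if one include matches and no exclude matches) are assumptions; key and trust store setup is omitted.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.configuration.jsse.TLSServerParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory;

public class JettyCipherFilterExample {

    // Assumed values, taken from the port and path in the issue's log output.
    static final int PORT = 9091;
    static final String ADDRESS = "https://localhost:" + PORT + "/SnapCreator/";

    // The filter matches on suite names only, so ".*_WITH_AES_.*" accepts both the
    // TLS_ prefix of Oracle/OpenJDK and the SSL_ prefix IBM Java 8 reports.
    // The exclude patterns are our own choice of weak suites, not from the issue.
    static FiltersType buildCipherFilter() {
        FiltersType filter = new FiltersType();
        filter.getInclude().add(".*_WITH_AES_.*");
        filter.getExclude().add(".*_anon_.*");      // anonymous key exchange: no server authentication
        filter.getExclude().add(".*_WITH_NULL_.*"); // no encryption
        filter.getExclude().add(".*_DES_.*");       // single DES
        filter.getExclude().add(".*_MD5");          // MD5 MAC
        filter.getExclude().add(".*_KRB5_.*");      // Kerberos suites
        return filter;
    }

    // Register the TLS parameters for PORT before the endpoint is created, so that
    // JettyHTTPServerEngine.createSSLContext sees the filter when it builds the engine.
    // Key and trust managers are omitted here; configure them per the CXF TLS guide.
    static Server start(Object resourceBean) throws GeneralSecurityException, IOException {
        TLSServerParameters tls = new TLSServerParameters();
        tls.setCipherSuitesFilter(buildCipherFilter());

        Bus bus = BusFactory.getDefaultBus();
        JettyHTTPServerEngineFactory engineFactory = bus.getExtension(JettyHTTPServerEngineFactory.class);
        engineFactory.setTLSServerParametersForPort(PORT, tls);

        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setBus(bus);
        sf.setAddress(ADDRESS);
        sf.setServiceBean(resourceBean);
        return sf.create();
    }

    // Offline evaluation of the filter (assumption: same semantics as CXF's evaluation;
    // this is our own code, not CXF's). A suite survives if it matches at least one
    // include pattern and no exclude pattern.
    static List<String> applyFilter(List<String> supported, FiltersType filter) {
        List<Pattern> includes = compile(filter.getInclude());
        List<Pattern> excludes = compile(filter.getExclude());
        List<String> kept = new ArrayList<>();
        for (String suite : supported) {
            if (matchesAny(suite, includes) && !matchesAny(suite, excludes)) {
                kept.add(suite);
            }
        }
        return kept;
    }

    static List<Pattern> compile(List<String> regexes) {
        List<Pattern> out = new ArrayList<>();
        for (String r : regexes) {
            out.add(Pattern.compile(r));
        }
        return out;
    }

    static boolean matchesAny(String suite, List<Pattern> patterns) {
        for (Pattern p : patterns) {
            if (p.matcher(suite).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: a few of the SSL_-prefixed names from the warning in the issue.
        List<String> ibmSuites = Arrays.asList(
            "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "SSL_RSA_WITH_AES_128_CBC_SHA",
            "SSL_DH_anon_WITH_AES_128_GCM_SHA256",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_RSA_WITH_NULL_MD5",
            "SSL_KRB5_WITH_DES_CBC_SHA");
        List<String> kept = applyFilter(ibmSuites, buildCipherFilter());
        System.out.println("suites passing the filter: " + kept);
        // An empty result would reproduce Jetty's "No supported ciphers" warning; fail fast instead.
        if (kept.isEmpty()) {
            throw new IllegalStateException("cipher-suite filter leaves nothing to negotiate");
        }
    }
}
```

The parameters must be registered before sf.create(), because CXF reads them when it first builds the engine for that port. Since the filter works on names, keep the include patterns prefix-agnostic, and run the offline check against the suite list of the JVM you actually deploy on (the list in the warning above is a good input): an include list that matches nothing reproduces the warning instead of fixing it.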