Return-Path: <issues-return-38259-archive-asf-public=cust-asf.ponee.io@camel.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 3D49F200BEB
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed, 28 Dec 2016 16:27:00 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 3BDE1160B19; Wed, 28 Dec 2016 15:27:00 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 5E177160B2E
	for <archive-asf-public@cust-asf.ponee.io>; Wed, 28 Dec 2016 16:26:59 +0100 (CET)
Received: (qmail 38182 invoked by uid 500); 28 Dec 2016 15:26:58 -0000
Mailing-List: contact issues-help@camel.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@camel.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@camel.apache.org>
List-Post: <mailto:issues@camel.apache.org>
List-Id: <issues.camel.apache.org>
Reply-To: dev@camel.apache.org
Delivered-To: mailing list issues@camel.apache.org
Received: (qmail 38165 invoked by uid 99); 28 Dec 2016 15:26:58 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 28 Dec 2016 15:26:58 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id 5889D2C1F54
	for <issues@camel.apache.org>; Wed, 28 Dec 2016 15:26:58 +0000 (UTC)
Date: Wed, 28 Dec 2016 15:26:58 +0000 (UTC)
From: "Joe Luo (JIRA)" <jira@apache.org>
To: issues@camel.apache.org
Message-ID: <JIRA.13029547.1482263566000.606906.1482938818360@Atlassian.JIRA>
In-Reply-To: <JIRA.13029547.1482263566000@Atlassian.JIRA>
References: <JIRA.13029547.1482263566000@Atlassian.JIRA> <JIRA.13029547.1482263566326@arcas>
Subject: [jira] [Comment Edited] (CAMEL-10628) camel jetty9 endpoint
 configured with sslContextParametersRef and jetty handlers causes SSL
 handshake failure
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Wed, 28 Dec 2016 15:27:00 -0000


    [ https://issues.apache.org/jira/browse/CAMEL-10628?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15783100#comment-15783100 ] 

Joe Luo edited comment on CAMEL-10628 at 12/28/16 3:26 PM:
-----------------------------------------------------------

I changed <jetty-version> to "$\{jetty9-version}" in the camel/parent/pom.xml file:
{code}
diff --git a/parent/pom.xml b/parent/pom.xml
index 14bf7bc..0a262d2 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -311,7 +311,7 @@
     <jetty6-version>6.1.26</jetty6-version>
     <jetty8-version>8.1.17.v20150415</jetty8-version>
     <jetty9-version>9.2.19.v20160908</jetty9-version>
-    <jetty-version>${jetty8-version}</jetty-version>
+    <jetty-version>${jetty9-version}</jetty-version>
     <!-- jetty-plugin 8.1.7 does not exists -->
     <jetty-plugin-version>8.1.16.v20140903</jetty-plugin-version>
{code}
It allowed me to compile the component and test. 

Yeah, the solution will break backward compatibility with Jetty 8 as camel 2.17 and 2.18 support both Jetty 8 and Jetty 9. Giving the fact that Jetty 8 has been EOL two years back, should we only support Jetty 9 from now on?


was (Author: joeluo):
I changed <jetty-version> to "${jetty9-version}" in the camel/parent/pom.xml file:
{code}
diff --git a/parent/pom.xml b/parent/pom.xml
index 14bf7bc..0a262d2 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -311,7 +311,7 @@
     <jetty6-version>6.1.26</jetty6-version>
     <jetty8-version>8.1.17.v20150415</jetty8-version>
     <jetty9-version>9.2.19.v20160908</jetty9-version>
-    <jetty-version>${jetty8-version}</jetty-version>
+    <jetty-version>${jetty9-version}</jetty-version>
     <!-- jetty-plugin 8.1.7 does not exists -->
     <jetty-plugin-version>8.1.16.v20140903</jetty-plugin-version>
{code}
It allowed me to compile the component and test. 

Yeah, the solution will break backward compatibility with Jetty 8 as camel 2.17 and 2.18 support both Jetty 8 and Jetty 9. Giving the fact that Jetty 8 has been EOL two years back, should we only support Jetty 9 from now on?

> camel jetty9 endpoint configured with sslContextParametersRef and jetty handlers causes SSL handshake failure
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-10628
>                 URL: https://issues.apache.org/jira/browse/CAMEL-10628
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-jetty
>    Affects Versions: 2.18.0, 2.18.1
>            Reporter: Joe Luo
>            Assignee: Andrea Cosentino
>             Fix For: 2.18.2
>
>         Attachments: patch.txt
>
>
> I have a camel route using Rest DSL with Jetty component:
> {code}
> <camelContext id="camel" trace="true" streamCache="true" xmlns="http://camel.apache.org/schema/blueprint">
>       <restConfiguration component="jetty" bindingMode="off" scheme="https" host="localhost" port="9080" contextPath="/">
>         <endpointProperty key="sslContextParametersRef" value="sslContextParameter"/>
>         <endpointProperty key="handlers" value="#securityHandler"/>
>         <endpointProperty key="matchOnUriPrefix" value="true"/>
>       </restConfiguration>
>       <rest path="/customerservice">
>           <get uri="/customers" >
>               <to uri="direct:processGet"/>
>           </get>
>           <get uri="/customers/{id}" >
>               <to uri="direct:processGet"/>
>           </get>
>           <post uri="/customers" consumes="application/json" produces="application/json">
>               <to uri="direct:processPost"/>
>           </post>
>       </rest>
> {code}
> The underlying camel jetty component is configured with sslContextParametersRef and a Jetty Handler org.eclipse.jetty.security.ConstraintSecurityHandler to enforce SecurityConstraints on the Jetty endpoint. 
> If I remove the Jetty ConstraintSecurityHandler, it works fine, for instance:
> {code}
> <camelContext id="camel" trace="true" streamCache="true" xmlns="http://camel.apache.org/schema/blueprint">
>       <restConfiguration component="jetty" bindingMode="off" scheme="https" host="localhost" port="9080" contextPath="/">
>         <endpointProperty key="sslContextParametersRef" value="sslContextParameter"/>
>         <!--endpointProperty key="handlers" value="#securityHandler"/-->
>         <endpointProperty key="matchOnUriPrefix" value="true"/>
>       </restConfiguration>
> {code}
> But when I add the Jetty ConstraintSecurityHandler back to the camel Rest DSL, I am getting following error:
> {code}
> ***
> %% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
> qtp1424237190-118, fatal error: 40: no cipher suites in common
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> %% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
> qtp1424237190-118, SEND TLSv1 ALERT:  fatal, description = handshake_failure
> qtp1424237190-118, WRITE: TLSv1 Alert, length = 2
> qtp1424237190-118, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
> {code}
> The root cause is that if we want to add a Jetty hander, we need to stop Jetty server. As part of Jetty server stop process, it's SslConnectionFactory also needs to stop, as well as SslContextFactory. Here is doStop() method of SslContextFactory in Jetty 9.2.x code base:
> {code}
> public class SslContextFactory extends AbstractLifeCycle
> ...
>     protected void doStop() throws Exception
>      {
>          _context = null;
>          super.doStop();
>      }
> {code}
> We can see that it resets SSLContext to null. When the jetty server restarts, SslContextFactory creates a new SSLContext object instead, therefore, losing all the SSL properties from the original <camel:sslContextParameters> configuration. 
> We need to preserve the SSLContext before stopping the jetty server so we can reset the SSLContext back after the jetty server is restarted.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)