camel-issues mailing list archives

From "Claus Ibsen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CAMEL-11482) SSLContextParameters settings are not properly copied to SslContextFactory
Date Fri, 08 Sep 2017 12:44:00 GMT

    [ https://issues.apache.org/jira/browse/CAMEL-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16158563#comment-16158563 ]

Claus Ibsen commented on CAMEL-11482:
-------------------------------------

Roman, are you working on this?

> SSLContextParameters settings are not properly copied to SslContextFactory
> --------------------------------------------------------------------------
>
>                 Key: CAMEL-11482
>                 URL: https://issues.apache.org/jira/browse/CAMEL-11482
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-jetty
>    Affects Versions: 2.19.0, 2.19.1
>         Environment: Mac OS X, Java 8 Update 131
> Ubuntu 14.04 LTS, Java 8 Update 111
> Camel 2.19.0
> Jetty9 9.4.5v20170502 and 9.3.14.v20161028
>            Reporter: Roman Vottner
>             Fix For: 2.19.4, 2.20.0
>
>
> Jetty 9.3+ excludes insecure ciphers which end in either MD5, SHA or SHA1 by default now. This will however remove all ciphers that are used by either TLSv1 or TLSv1.1, and thus no ciphers remain in order to agree on a cipher for TLSv1 or TLSv1.1 connection attempts. (Further reading: https://github.com/eclipse/jetty.project/issues/860)
> The Jetty 9 SSL configuration documentation (https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html) states that these excluded cipher suites can be customized by providing one's own exclusion list. Specifying SSLContextParameters like below, however, will not correctly propagate these exclusion cipher suites to the SslContextFactory of Jetty, and thus the default setting is used, which prevents TLSv1 and TLSv1.1 connections.
> {code:title=SSLContextParameters Spring Config|borderStyle=solid}
>   // Imports the snippet needs (Camel 2.x package names); 'env' is the
>   // org.springframework.core.env.Environment injected into the enclosing @Configuration class.
>   import java.net.URL;
>   import java.util.Arrays;
>   import java.util.List;
>   import org.apache.camel.util.jsse.FilterParameters;
>   import org.apache.camel.util.jsse.KeyManagersParameters;
>   import org.apache.camel.util.jsse.KeyStoreParameters;
>   import org.apache.camel.util.jsse.SSLContextParameters;
>   import org.apache.camel.util.jsse.SecureSocketProtocolsParameters;
>   import org.springframework.context.annotation.Bean;
>
>   @Bean(name = "sslContextParameters")
>   public SSLContextParameters sslContextParameters() {
>     String keyStore = env.getProperty("ssl.keyStore.resource");
>     URL keyStoreUrl = this.getClass().getResource(keyStore);
>     // http://camel.apache.org/jetty.html
>     KeyStoreParameters ksp = new KeyStoreParameters();
>     ksp.setResource(keyStoreUrl.getPath());
>     ksp.setPassword(env.getProperty("ssl.keyStore.password"));
>     KeyManagersParameters kmp = new KeyManagersParameters();
>     kmp.setKeyStore(ksp);
>     kmp.setKeyPassword(env.getProperty("ssl.key.password"));
>     SSLContextParameters scp = new SSLContextParameters();
>     scp.setKeyManagers(kmp);
>     // Jetty 9.3+ support only TLSv1.2 by default hence clients not supporting this protocol will fail
>     List<String> supportedSslProtocols = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2");
>     SecureSocketProtocolsParameters protocolsParameters = new SecureSocketProtocolsParameters();
>     protocolsParameters.setSecureSocketProtocol(supportedSslProtocols);
>     scp.setSecureSocketProtocols(protocolsParameters);
>     // TLS 1.0 / 1.1 have been disabled by jetty 9.3
>     // this is a first attempt to re-enable them
>     // see
>     // - https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html
>     // - https://github.com/eclipse/jetty.project/issues/860
>     // - http://camel.apache.org/camel-configuration-utilities.html
>     FilterParameters cipherParameters = new FilterParameters();
>     cipherParameters.getInclude().add(".*");
>     cipherParameters.getExclude().add("^.*_(MD5|SHA1)$");
>     scp.setCipherSuitesFilter(cipherParameters);
>     return scp;
>   }
> {code}
> A workaround is to use a custom JettyHttpComponent9 implementation that sets the excludedCipherSuites manually, as depicted below:
> {code:title=Workaround|borderStyle=solid}
>   // Imports the snippet needs (Camel 2.x and Jetty 9 package names).
>   import org.apache.camel.component.jetty.JettyHttpEndpoint;
>   import org.apache.camel.component.jetty9.JettyHttpComponent9;
>   import org.eclipse.jetty.server.AbstractConnector;
>   import org.eclipse.jetty.server.Server;
>   import org.eclipse.jetty.util.ssl.SslContextFactory;
>
>   /**
>    * A custom jetty http component which explicitly sets the excludedCipherSuites during creation of
>    * the jetty connector.
>    *
>    * Why? It seems camel does not push included/excluded cipherSuites from {@link
>    * SSLContextParameters} to the {@link SslContextFactory} nor does it push explicitly listed cipher
>    * suites (i.e. like <em>TLS_RSA_WITH_AES_256_CBC_SHA</em>) to the Jetty SSL context factory.
>    */
>   public static class HackedJettyHttpComponent extends JettyHttpComponent9 {
>     @Override
>     protected AbstractConnector createConnectorJettyInternal(Server server,
>                                                              JettyHttpEndpoint endpoint,
>                                                              SslContextFactory sslcf) {
>       // Apply the exclusion list to Jetty's factory before the connector is created
>       sslcf.setExcludeCipherSuites("^.*_(MD5|SHA1)$");
>       return super.createConnectorJettyInternal(server, endpoint, sslcf);
>     }
>   }
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
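An added worked check, not part of the issue or of Camel's code: it models the include/exclude cipher-suite filtering from the report in Python over a constructed list of JSSE suite names, so one can see which suites Jetty's default exclusion leaves for a TLSv1/TLSv1.1 client versus the exclusion configured in the issue. Assumptions: the filter semantics (include patterns first, then exclude, whole-name match) mirror Camel's FilterParameters, and the Jetty default pattern is modelled from the description above rather than copied from Jetty's source, which lists further patterns.

```python
import re

# Constructed sample of JSSE cipher-suite names; not taken from any real server.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # TLS 1.2 only
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",  # TLS 1.2 only
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",     # negotiable on TLS 1.0/1.1
    "TLS_RSA_WITH_AES_256_CBC_SHA",           # negotiable on TLS 1.0/1.1 (named in the issue)
    "SSL_RSA_WITH_RC4_128_MD5",               # legacy RC4/MD5 suite
]

# Jetty 9.3+ default exclusion as the report describes it (names ending in MD5, SHA
# or SHA1). Assumption: modelled from the description; the real Jetty list is longer.
JETTY_DEFAULT_INCLUDE = [".*"]
JETTY_DEFAULT_EXCLUDE = ["^.*_(MD5|SHA|SHA1)$"]

# The include/exclude the issue configures on its SSLContextParameters.
ISSUE_INCLUDE = [".*"]
ISSUE_EXCLUDE = ["^.*_(MD5|SHA1)$"]


def filter_suites(suites, include, exclude):
    """Keep suites that match any include pattern and no exclude pattern.

    Assumed to mirror Camel's FilterParameters (include first, then exclude) and
    Java's whole-name Matcher.matches(), hence re.fullmatch.
    """
    inc = [re.compile(p) for p in include]
    exc = [re.compile(p) for p in exclude]
    return [s for s in suites
            if any(r.fullmatch(s) for r in inc)
            and not any(r.fullmatch(s) for r in exc)]


def legacy_tls_capable(suites):
    """Suites ending in plain _SHA are the ones a TLS 1.0/1.1 client can still use;
    JSSE names end in _SHA, never _SHA1, which is why the issue's exclusion keeps them."""
    return [s for s in suites if s.endswith("_SHA")]


def main():
    for label, inc, exc in (("jetty default", JETTY_DEFAULT_INCLUDE, JETTY_DEFAULT_EXCLUDE),
                            ("issue filter", ISSUE_INCLUDE, ISSUE_EXCLUDE)):
        kept = filter_suites(SAMPLE_SUITES, inc, exc)
        print(f"{label}: {len(kept)} kept, TLS1.0/1.1-capable: {legacy_tls_capable(kept)}")


if __name__ == "__main__":
    main()
```

With the Jetty default no _SHA suite survives, which is the empty-cipher-list failure the report describes; with the issue's exclusion the CBC_SHA suites remain while the MD5 suite is still dropped.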
