From: Roman Vottner
To: users@camel.apache.org
Subject: Re: 2.19.0 Jetty:Https javax.net.ssl.SSLHandshakeException: no cipher suites in common
Date: Thu, 29 Jun 2017 12:15:26 +0200
In-Reply-To: <1495491248904-5800043.post@n5.nabble.com>

Hi,

Camel 2.19.0 upgraded its Jetty9 version to 9.3.x, which only supports TLSv1.2 out of the box. As all ciphers used for TLSv1 (and TLSv1.1) are considered unsafe, they get blocked by Jetty9 now and hence no ciphers are available for TLSv1 or TLSv1.1 connection attempts. (See https://github.com/eclipse/jetty.project/issues/860 for more information.)

According to the Jetty SSL configuration documentation (https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html) this can be prevented by setting a custom excludeCipherSuites policy. However, Camel seems not to push these settings to the SslContextFactory. I.e. we specify

    // scp is the SSLContextParameters instance we configure for the jetty endpoint
    FilterParameters filter = new FilterParameters();
    filter.getInclude().add(".*");                 // allow every suite ...
    List<String> exclusions = filter.getExclude();
    exclusions.add("^.*_(MD5|SHA1)$");             // ... except MD5- and SHA1-named ones
    scp.setCipherSuitesFilter(filter);

inside our SSLContextParameters setup, though through debugging we learned that the SslContextFactory still has the default exclusion pattern „^.*_(MD5|SHA|SHA1)$“, which prevents using TLSv1 or TLSv1.1 compatible ciphers and therefore prevents connections from these protocols.

We currently subclassed JettyHttpComponent and specified the excluded cipher suites manually, which solves the TLSv1/1.1 connection issue:

    import org.apache.camel.component.jetty.JettyHttpEndpoint;
    import org.apache.camel.component.jetty9.JettyHttpComponent9;
    import org.eclipse.jetty.server.AbstractConnector;
    import org.eclipse.jetty.server.Server;
    import org.eclipse.jetty.util.ssl.SslContextFactory;

    /**
     * A custom jetty http component which explicitly sets the excludedCipherSuites
     * during creation of the jetty connector.
     *
     * Why? It seems camel does not push included/excluded cipherSuites from
     * {@link SSLContextParameters} to the {@link SslContextFactory}, nor does it push
     * explicitly listed cipher suites (i.e. like TLS_RSA_WITH_AES_256_CBC_SHA) to
     * the Jetty SSL context factory.
     *
     * @see https://github.com/ecosio/issues/issues/1810
     */
    public static class HackedJettyHttpComponent extends JettyHttpComponent9 {

        @Override
        protected AbstractConnector createConnectorJettyInternal(Server server,
                                                                 JettyHttpEndpoint endpoint,
                                                                 SslContextFactory sslcf) {
            // replace Jetty's default "^.*_(MD5|SHA|SHA1)$" before the connector is built
            sslcf.setExcludeCipherSuites("^.*_(MD5|SHA1)$");
            return super.createConnectorJettyInternal(server, endpoint, sslcf);
        }
    }

Once we added this custom JettyHttpComponent we were able to connect via TLSv1 or TLSv1.1 again (i.e. curl -v -XGET --tlsv1.0 https://localhost:443/api/v1/someResource). Also sslscan localhost:443 listed all available cipher suites.

So, basically this seems to be a bug in the JettyHttpComponent not copying the defined filters or parameters properly to the SslContextFactory.

HTH,
Roman

> On 23.05.2017 at 00:14, Thomas Freihalter wrote:
>
> Hello
> I am using Camel 2.19.0 (on Karaf 4.1.1 with Jetty9)
>
> My route is
> <from uri="jetty:https://0.0.0.0:4711?matchOnUriPrefix=true&sslContextParametersRef=sslContextParameters"/>
> .....
>
> When I try to access the URL with my browser I get:
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>
> I found this Bug-Report:
> https://issues.apache.org/jira/browse/CAMEL-10628
>
> Is this Bug still not fixed?
> Does a workaround for 2.19.0 exist?
> (2.17.3 with jetty8 works okay)
>
> Regards
> Thomas
>
> --
> View this message in context: http://camel.465427.n5.nabble.com/2-19-0-Jetty-Https-javax-net-ssl-SSLHandshakeException-no-cipher-suites-in-common-tp5800043.html
> Sent from the Camel - Users mailing list archive at Nabble.com.
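The following standalone program is an added example, not code from the thread, from Camel or from Jetty. It makes visible why the two exclusion patterns discussed above behave so differently: every cipher suite a TLSv1 or TLSv1.1 client can negotiate uses an HMAC-SHA1 or HMAC-MD5 record MAC, so its IANA name ends in "_SHA" or "_MD5", and "^.*_(MD5|SHA|SHA1)$" therefore removes all of them, while "^.*_(MD5|SHA1)$" keeps the "_SHA" suites. The include/exclude matching (a suite survives when it matches at least one include pattern and no exclude pattern) is a re-implementation for illustration and is an assumption about, not a copy of, the Camel and Jetty filter code; the suite list is constructed from real IANA names, and the `live` argument switches to whatever the running JVM supports.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

/**
 * Added example (not Camel or Jetty code). Applies the two cipher suite
 * exclusion patterns from the thread to a list of suite names and reports
 * which of the surviving suites a TLSv1/TLSv1.1 client could still negotiate.
 */
public class CipherSuiteFilterDemo {

    /** Exclusion observed on the SslContextFactory in the thread (Jetty 9.3 default). */
    static final String JETTY_DEFAULT_EXCLUDE = "^.*_(MD5|SHA|SHA1)$";

    /** Relaxed exclusion that the workaround in the thread sets. */
    static final String RELAXED_EXCLUDE = "^.*_(MD5|SHA1)$";

    /** Constructed sample of real IANA suite names (not read from a live JVM). */
    static final List<String> SAMPLE_SUITES = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   // TLSv1.2 only
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   // TLSv1.2 only
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",   // TLSv1.2 only
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",      // TLSv1.0 - TLSv1.2
            "TLS_RSA_WITH_AES_256_CBC_SHA",            // TLSv1.0 - TLSv1.2
            "TLS_RSA_WITH_AES_128_CBC_SHA",            // TLSv1.0 - TLSv1.2
            "SSL_RSA_WITH_RC4_128_MD5");               // legacy suite with an MD5 MAC

    /**
     * Assumed include/exclude semantics: a suite is kept when it matches at
     * least one include regex and no exclude regex. Input order is preserved.
     */
    static List<String> filter(List<String> suites, List<String> include, List<String> exclude) {
        List<Pattern> inc = compile(include);
        List<Pattern> exc = compile(exclude);
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            if (matchesAny(inc, suite) && !matchesAny(exc, suite)) {
                kept.add(suite);
            }
        }
        return kept;
    }

    /**
     * Name-based heuristic: suites whose MAC is SHA1 or MD5 can be negotiated
     * below TLSv1.2, whereas SHA256/SHA384/GCM suites require TLSv1.2.
     */
    static boolean negotiableBelowTls12(String suite) {
        return suite.endsWith("_SHA") || suite.endsWith("_MD5");
    }

    static List<String> legacyCapable(List<String> suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (negotiableBelowTls12(s)) {
                out.add(s);
            }
        }
        return out;
    }

    private static List<Pattern> compile(List<String> regexes) {
        List<Pattern> patterns = new ArrayList<>();
        for (String r : regexes) {
            patterns.add(Pattern.compile(r));
        }
        return patterns;
    }

    private static boolean matchesAny(List<Pattern> patterns, String value) {
        for (Pattern p : patterns) {
            if (p.matcher(value).matches()) {
                return true;
            }
        }
        return false;
    }

    /** Run without arguments for the constructed sample, or with "live" for the current JVM's suites. */
    public static void main(String[] args) throws Exception {
        List<String> suites = SAMPLE_SUITES;
        if (args.length > 0 && "live".equals(args[0])) {
            suites = Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites());
        }
        List<String> includeAll = Collections.singletonList(".*");
        for (String exclude : Arrays.asList(JETTY_DEFAULT_EXCLUDE, RELAXED_EXCLUDE)) {
            List<String> kept = filter(suites, includeAll, Collections.singletonList(exclude));
            List<String> legacy = legacyCapable(kept);
            System.out.printf("exclude %-22s -> %d suites kept, %d usable by TLSv1/TLSv1.1 clients%n",
                    exclude, kept.size(), legacy.size());
            for (String s : kept) {
                System.out.println("   " + s + (negotiableBelowTls12(s) ? "   (<= TLSv1.1 capable)" : ""));
            }
        }
    }
}
```

On the constructed sample the default pattern keeps only the three TLSv1.2-only suites, which is the state that produces "no cipher suites in common" for an older client, while the relaxed pattern keeps six suites, three of them negotiable by TLSv1/TLSv1.1 clients. Running it with `live` shows the same split for the JVM that actually hosts the Jetty endpoint, which is a quicker check than an external sslscan when deciding which suites a relaxed exclusion would re-enable.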