[
https://issues.apache.org/jira/browse/CAMEL-14527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17034671#comment-17034671
]
Gerald Kallas commented on CAMEL-14527:
---------------------------------------
Thanks [~jondruse] for validating and re-testing. You pointed me to an important
detail while removing the truststore from the blueprint.
I had confused both, keystore and truststore, in my blueprint file. I often
checked everything but overlooked this detail every time. The sample is working now, the
issue can be closed.
One question so far: can I define the sslContextParameters in a separate
blueprint file and reference it from the other ones that have HTTPS jetty
endpoints? Or, much better, in a config file in the etc folder as common parameters
for camel-jetty?
Many thanks for your effort
- Gerald
> camel-jetty HTTPS consumer still fails with handshake failure
> -------------------------------------------------------------
>
> Key: CAMEL-14527
> URL: https://issues.apache.org/jira/browse/CAMEL-14527
> Project: Camel
> Issue Type: Bug
> Components: camel-jetty
> Affects Versions: 3.0.1
> Reporter: Gerald Kallas
> Assignee: Jiri Ondrusek
> Priority: Major
>
> After several research I did create the following Blueprint DSL route that
> still fails with a TLS handshake failure.
> {code:java}
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>            xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
>                                https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
>   <sslContextParameters id="sslContextParameters"
>                         xmlns="http://camel.apache.org/schema/blueprint">
>     <secureSocketProtocolsFilter>
>       <include>TLSv1.2</include>
>       <include>TLSv1.1</include>
>     </secureSocketProtocolsFilter>
>     <cipherSuitesFilter>
>       <include>.*</include>
>       <exclude/>
>     </cipherSuitesFilter>
>     <!-- keyManagers must reference the store holding the server private key;
>          here the two stores are swapped, which is the cause found in the comment above -->
>     <keyManagers keyPassword="xxxxx">
>       <keyStore resource="etc/truststore.jks" password="xxxxx"/>
>     </keyManagers>
>     <trustManagers>
>       <keyStore resource="etc/keystore.p12" password="xxxxx"/>
>     </trustManagers>
>   </sslContextParameters>
>   <camelContext id="WEBISP001"
>                 xmlns="http://camel.apache.org/schema/blueprint">
>     <route id="WEBISP001">
>       <from uri="jetty:https://0.0.0.0:8444/hello?sslContextParameters=sslContextParameters"/>
>       <log message="hello request body: ${in.body}"/>
>     </route>
>   </camelContext>
> </blueprint>
> {code}
> This is the deployment log
> {code:java}
> 2020-02-08T20:31:49,784 | INFO | fileinstall-/opt/apache-karaf-4.2.7/deploy
> | BlueprintContainerImpl | 80 - org.apache.aries.blueprint.core -
> 1.10.2 | Blueprint bundle WEBISP001.xml/0.0.0 has been started
> 2020-02-08T20:31:49,786 | INFO | Blueprint Event Dispatcher: 1 |
> BlueprintCamelContext | 88 - org.apache.camel.camel-api - 3.0.1 |
> Attempting to start CamelContext: WEBISP001
> 2020-02-08T20:31:49,789 | INFO | Blueprint Event Dispatcher: 1 |
> BlueprintCamelContext | 88 - org.apache.camel.camel-api - 3.0.1 |
> Apache Camel 3.0.1 (CamelContext: WEBISP001) is starting
> 2020-02-08T20:31:49,791 | INFO | Blueprint Event Dispatcher: 1 |
> JmxManagementStrategy | 88 - org.apache.camel.camel-api - 3.0.1 |
> JMX is enabled
> 2020-02-08T20:31:49,877 | INFO | Blueprint Event Dispatcher: 1 |
> HttpComponent | 88 - org.apache.camel.camel-api - 3.0.1 |
> Created ClientConnectionManager
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager@12fc7e57
> 2020-02-08T20:31:49,881 | INFO | Blueprint Event Dispatcher: 1 |
> BlueprintCamelContext | 88 - org.apache.camel.camel-api - 3.0.1 |
> StreamCaching is not in use. If using streams then its recommended to enable
> stream caching. See more details at
> http://camel.apache.org/stream-caching.html
> 2020-02-08T20:31:49,896 | INFO | Blueprint Event Dispatcher: 1 |
> SSLContextParameters | 88 - org.apache.camel.camel-api - 3.0.1 |
> Available providers: SUN version 1.8.
> 2020-02-08T20:31:49,906 | INFO | Blueprint Event Dispatcher: 1 |
> JettyHttpComponent9 | 112 - org.apache.camel.camel-jetty - 3.0.1
> | Connector on port: 8444 is using includeCipherSuites: [.*]
> excludeCipherSuites: [] includeProtocols: [TLSv1.3, TLSv1.2, TLSv1.1]
> excludeProtocols: [SSL, SSLv2, SSLv2Hello, SSLv3]
> 2020-02-08T20:31:49,907 | INFO | Blueprint Event Dispatcher: 1 | Server
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 |
> jetty-9.4.20.v20190813; built: 2019-08-13T21:28:18.144Z; git:
> 84700530e645e812b336747464d6fbbf370c9a20; jvm 1.8.0_242-b08
> 2020-02-08T20:31:49,908 | INFO | Blueprint Event Dispatcher: 1 |
> ContextHandler | 217 - org.eclipse.jetty.util -
> 9.4.20.v20190813 | Started
> o.e.j.s.ServletContextHandler@4d63dc0b{/,null,AVAILABLE}
> 2020-02-08T20:31:49,915 | INFO | Blueprint Event Dispatcher: 1 |
> SslContextFactory | 217 - org.eclipse.jetty.util -
> 9.4.20.v20190813 | Protocol TLSv1.3 not supported in [SSLv2Hello, SSLv3,
> TLSv1, TLSv1.1, TLSv1.2]
> 2020-02-08T20:31:49,915 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,916 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,916 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,917 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,917 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,917 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,918 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,918 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,919 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,919 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,921 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,922 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,923 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,924 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,925 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,926 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,927 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,927 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,928 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,929 | WARN | Blueprint Event Dispatcher: 1 | config
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak
> cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for
> SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
> 2020-02-08T20:31:49,930 | INFO | Blueprint Event Dispatcher: 1 |
> AbstractConnector | 217 - org.eclipse.jetty.util -
> 9.4.20.v20190813 | Started ServerConnector@11e4bb7f{ssl,[ssl,
> http/1.1]}{0.0.0.0:8444}
> 2020-02-08T20:31:49,931 | INFO | Blueprint Event Dispatcher: 1 | Server
> | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 |
> Started @1786570ms
> 2020-02-08T20:31:49,932 | INFO | Blueprint Event Dispatcher: 1 |
> BlueprintCamelContext | 88 - org.apache.camel.camel-api - 3.0.1 |
> Route: WEBISP001 started and consuming from: jetty:https://0.0.0.0:8444/hello
> 2020-02-08T20:31:49,933 | INFO | Blueprint Event Dispatcher: 1 |
> BlueprintCamelContext | 88 - org.apache.camel.camel-api - 3.0.1 |
> Total 1 routes, of which 1 are started
> 2020-02-08T20:31:49,933 | INFO | Blueprint Event Dispatcher: 1 |
> BlueprintCamelContext | 88 - org.apache.camel.camel-api - 3.0.1 |
> Apache Camel 3.0.1 (CamelContext: WEBISP001) started in 0.145 seconds
> 2020-02-08T20:31:49,987 | INFO | fileinstall-/opt/apache-karaf-4.2.7/deploy
> | fileinstall | 10 - org.apache.felix.fileinstall -
> 3.6.4 | Started bundle:
> blueprint:file:/opt/apache-karaf-4.2.7/deploy/WEBISP001.xml
> {code}
> The request to the endpoint still fails with
> {code:java}
> curl -vvv --insecure --location --request POST 'https://host:8444/hello'
> --data-raw 'Hello World!'
> Note: Unnecessary use of -X or --request, POST is already inferred.
> * Trying 10.0.0.147...
> * TCP_NODELAY set
> * Connected to host (10.0.0.147) port 8444 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS alert, handshake failure (552):
> * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
> * Closing connection 0
> curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
> {code}
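As an added example (not from the issue, its commenters, or the Camel project), a small Python lint over the blueprint quoted above: it flags the keystore/truststore swap the reporter found, the catch-all cipher-suite include that produced the "Weak cipher suite ... enabled" warnings in the deployment log, and the legacy protocol include. The file-name heuristic for the swap and the sample blueprint (placeholder passwords) are assumptions.

```python
import xml.etree.ElementTree as ET

CAMEL_NS = "http://camel.apache.org/schema/blueprint"
NS = {"c": CAMEL_NS}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the reporter's sslContextParameters with placeholder passwords.
SAMPLE_BLUEPRINT = """<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0">
  <sslContextParameters id="sslContextParameters"
                        xmlns="http://camel.apache.org/schema/blueprint">
    <secureSocketProtocolsFilter>
      <include>TLSv1.2</include>
      <include>TLSv1.1</include>
    </secureSocketProtocolsFilter>
    <cipherSuitesFilter>
      <include>.*</include>
      <exclude/>
    </cipherSuitesFilter>
    <keyManagers keyPassword="xxxxx">
      <keyStore resource="etc/truststore.jks" password="xxxxx"/>
    </keyManagers>
    <trustManagers>
      <keyStore resource="etc/keystore.p12" password="xxxxx"/>
    </trustManagers>
  </sslContextParameters>
</blueprint>"""


def lint_ssl_context(xml_text):
    """Return a list of findings, one string per suspicious setting."""
    findings = []
    for scp in ET.fromstring(xml_text).iter("{%s}sslContextParameters" % CAMEL_NS):
        sid = scp.get("id", "?")
        km = scp.find("c:keyManagers/c:keyStore", NS)
        tm = scp.find("c:trustManagers/c:keyStore", NS)
        km_res = km.get("resource", "") if km is not None else ""
        tm_res = tm.get("resource", "") if tm is not None else ""
        # Heuristic (assumption): a truststore-named file under keyManagers next to a
        # keystore-named file under trustManagers is the swap described in the issue.
        if "trust" in km_res.lower() and "keystore" in tm_res.lower():
            findings.append(f"{sid}: keyStore ({km_res}) and trustStore ({tm_res}) look swapped")
        # A catch-all include with an empty exclude is what made Jetty warn about weak suites.
        incl = [e.text for e in scp.findall("c:cipherSuitesFilter/c:include", NS)]
        excl = [e.text for e in scp.findall("c:cipherSuitesFilter/c:exclude", NS) if e.text]
        if ".*" in incl and not excl:
            findings.append(f"{sid}: cipherSuitesFilter includes .* and excludes nothing")
        protos = [e.text for e in scp.findall("c:secureSocketProtocolsFilter/c:include", NS)]
        legacy = sorted(set(protos) & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(f"{sid}: legacy protocols enabled: {', '.join(legacy)}")
    return findings
```

Running `lint_ssl_context(SAMPLE_BLUEPRINT)` on the quoted configuration yields three findings; a corrected blueprint yields none.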