[ https://issues.apache.org/jira/browse/CXF-8069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16877910#comment-16877910 ]

Freeman Fang commented on CXF-8069:
-----------------------------------

Hi [~naina.pati...@infobeans.com],

FYI, the http-jetty transport in CXF also calls Jetty's sslContextFactory.setExcludeCipherSuites method to exclude cipher suites; you can configure the cipher suites as described here:
https://cxf.apache.org/docs/tls-configuration.html#TLSConfiguration-CipherSuitesFilter

You can configure per the above document and debug the code in org.apache.cxf.transport.http_jetty.JettyHTTPServerEngine.createSSLContext(SslContextFactory scf) to see how SslContextFactory.setExcludeCipherSuites gets invoked there.

Freeman

> CXF does not allow to change default configuration of Jetty
> -----------------------------------------------------------
>
>                 Key: CXF-8069
>                 URL: https://issues.apache.org/jira/browse/CXF-8069
>             Project: CXF
>          Issue Type: Bug
>         Environment: CXF: 3.2.7
>                      Jetty: 9.4.18v20190429
>                      Java: IBM Java 8
>                      Platform: AIX
>            Reporter: Naina
>            Priority: Blocker
>
> Hi Team,
>
> We are using Apache CXF 3.2.7 and seeking help to update Jetty's default
> configuration which is being used by Apache CXF.
>
> CXF internally calls Jetty, and Jetty has a default configuration to exclude
> cipher suites which start with SSL_*. As all the TLS cipher suites of IBM
> Java 8 start with SSL_*, we are unable to establish a connection with Jetty
> using IBM Java 8. So the ask is: how can we update the default configuration
> of Jetty via CXF?
>
> We resolved the same issue on one of our servers with the help of the Jetty team,
> where we were creating the Jetty instance in our code and were getting the warning
> "No supported ciphers from [ListOfAvailableCiphers]". They suggested adding the
> sslContextFactory.setExcludeCipherSuites(ListOfWeakCiphers) method call while
> creating Jetty's instance, which actually overrides the default cipher suites
> excluded by Jetty.
>
> But in the current case, we just call CXF's JAXRSServerFactoryBean create()
> method, which internally calls Jetty and creates its instance with the default
> configuration. Here is the code snippet:
>
>     private JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
>
>     private JettyHTTPDestination startEndpoint() {
>         logger.info("before Starting RESTful Agent");
>         // sf.create() starts the embedded Jetty engine with its default TLS settings
>         Server server = sf.create();
>         logger.info("Started RESTful Agent at: "
>                 + server.getEndpoint().getEndpointInfo().getAddress());
>         return (JettyHTTPDestination) server.getDestination();
>     }
>
> These are the logs which got generated during the execution of the above code:
>
> [2019-07-03T07:37:33,324-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - before Starting RESTful Agent
> [2019-07-03T07:37:33,396-0500] INFO [main] org.apache.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://localhost:9091/SnapCreator/
> [2019-07-03T07:37:33,503-0500] INFO [main] org.eclipse.jetty.util.log - Logging initialized @2814ms to org.eclipse.jetty.util.log.Slf4jLog
> [2019-07-03T07:37:33,566-0500] INFO [main] org.eclipse.jetty.server.Server - jetty-9.4.18.v20190429; built: 2019-04-29T20:42:08.989Z; git: e1bc35120a6617ee3df052294e433f3a25ce7097; jvm 8.0.5.21 - pap6480sr5fp21-20180830_01(SR5 FP21)
> [2019-07-03T07:37:33,746-0500] WARN [main] org.eclipse.jetty.util.ssl.SslContextFactory - No supported ciphers from
> [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256,
> SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
> SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
> SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
> SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
> SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256,
> SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
> SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
> SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
> SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
> SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
> SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
> SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
> SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
> SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_GCM_SHA384,
> SSL_DH_anon_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_CBC_SHA256,
> SSL_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_256_CBC_SHA,
> SSL_DH_anon_WITH_AES_128_CBC_SHA256, SSL_ECDH_anon_WITH_AES_128_CBC_SHA,
> SSL_DH_anon_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
> SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
> SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA,
> SSL_RSA_WITH_NULL_SHA256, SSL_ECDHE_ECDSA_WITH_NULL_SHA,
> SSL_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA,
> SSL_ECDH_ECDSA_WITH_NULL_SHA, SSL_ECDH_RSA_WITH_NULL_SHA,
> SSL_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5,
> SSL_KRB5_WITH_DES_CBC_SHA, SSL_KRB5_WITH_DES_CBC_MD5]
> [2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@b3893135{ssl,[ssl, http/1.1]}{0.0.0.0:9091}
> [2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.Server - Started @3065ms
> [2019-07-03T07:37:33,772-0500] INFO [main] org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.h.ContextHandler@76c87ae8{/SnapCreator,null,AVAILABLE}
> [2019-07-03T07:37:33,772-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - Started RESTful Agent at: https://localhost:9091/SnapCreator/
>
> As you can see in the logs, Jetty shows the warning "No supported ciphers
> from [ListOfAvailableCiphers]". I tried to exclude ciphers by setting
> TLSServerParameters and excluding weak cipher suites, but it did not override
> the ciphers which are set in Jetty's default configuration.
>
> Can you please help to identify if there is any way to change the default
> configuration of Jetty through CXF.
>
> Please let me know if you need any more information.
>
> Thanks,
> Naina

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
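One way to apply Freeman's suggestion in plain Java (an added example, not code from the issue or from the CXF project): build a CipherSuitesFilter whose patterns match the SSL_-prefixed names that IBM Java 8 reports, register it as the TLSServerParameters for the Jetty port before JAXRSServerFactoryBean.create() starts the engine, and let CXF pass the resulting exclusions to Jetty's SslContextFactory. The keystore path and password, the port and the HelloResource class are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.configuration.jsse.TLSServerParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory;

public class IbmJavaCipherFilterExample {
    // Patterns are matched against the names the JVM reports; on IBM Java 8 these
    // begin with SSL_, so nothing here is anchored on a TLS_ prefix.
    static FiltersType cipherSuitesFilter() {
        FiltersType filter = new FiltersType();
        // Include: forward-secret AES suites (ECDHE/DHE) with GCM or SHA-2 CBC MACs.
        filter.getInclude().add(".*_ECDHE_.*_WITH_AES_.*_GCM_.*");
        filter.getInclude().add(".*_DHE_(RSA|DSS)_WITH_AES_.*_GCM_.*");
        filter.getInclude().add(".*_ECDHE_.*_WITH_AES_.*_CBC_SHA(256|384)");
        // Exclude: NULL encryption, anonymous DH, DES (covers the KRB5 suites too), MD5/SHA-1 MACs.
        filter.getExclude().add(".*_NULL_.*");
        filter.getExclude().add(".*_anon_.*");
        filter.getExclude().add(".*_DES_.*");
        filter.getExclude().add(".*_(MD5|SHA)$");
        return filter;
    }

    // Server key material plus the cipher filter; CXF derives Jetty's excluded cipher
    // suites from this filter (see Freeman's comment above) instead of Jetty's defaults.
    static TLSServerParameters tlsParameters(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TLSServerParameters tls = new TLSServerParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setCipherSuitesFilter(cipherSuitesFilter());
        return tls;
    }

    public static void main(String[] args) throws Exception {
        int port = 9091;  // assumed, matches the address in the issue's log
        Bus bus = BusFactory.getDefaultBus();
        // Must be registered before sf.create() builds the Jetty engine for this port.
        bus.getExtension(JettyHTTPServerEngineFactory.class)
           .setTLSServerParametersForPort(port, tlsParameters("/path/to/keystore.jks", "changeit".toCharArray()));
        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setBus(bus);
        sf.setAddress("https://localhost:" + port + "/SnapCreator/");
        sf.setServiceBean(new HelloResource());  // hypothetical JAX-RS resource class
        sf.create();
    }
}
```

With this in place, the "No supported ciphers" warning is the check: if it still appears, a breakpoint in JettyHTTPServerEngine.createSSLContext shows which include/exclude arrays reach the SslContextFactory.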