[ https://issues.apache.org/jira/browse/CXF-8069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879197#comment-16879197 ]

Naina commented on CXF-8069:
----------------------------

Thanks Freeman for responding. I have tried to set TLSServerParameters, which has 
methods to include and exclude cipher suites. After setting this, I did not get 
the "No Support CipherSuites" error, but now it seems it is not able to establish 
communication over the available protocols. I even tried to include TLSv1.2 in 
TLSServerParameters, but I still see ERR_SSL_PROTOCOL_ERROR on the browser; 
however, when the ciphers were not matching I was getting 
"ERR_SSL_VERSION_OR_CIPHER_MISMATCH" on the browser.

I have attached screenshots of both.

Here is the updated code where I am setting ciphers and protocols:

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.apache.cxf.configuration.jsse.TLSServerParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory;

// port (int) and weakCiphers (String[]) are declared elsewhere in the poster's code.

TLSServerParameters tlsParams = new TLSServerParameters();

// Restrict the server to TLSv1.2 only.
List<String> includeProtocolList = new ArrayList<String>();
includeProtocolList.add("TLSv1.2");
tlsParams.setIncludeProtocols(includeProtocolList);

// Cipher suite filter: exclude the weak suites, include the IBM (SSL_-prefixed) strong suites.
FiltersType filter = new FiltersType();
filter.getExclude().addAll(Arrays.asList(weakCiphers));
filter.getInclude().add("SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384");
filter.getInclude().add("SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
filter.getInclude().add("SSL_RSA_WITH_AES_256_CBC_SHA256");
filter.getInclude().add("SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384");
filter.getInclude().add("SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384");
filter.getInclude().add("SSL_DHE_RSA_WITH_AES_256_CBC_SHA256");
filter.getInclude().add("SSL_DHE_DSS_WITH_AES_256_CBC_SHA256");
tlsParams.setCipherSuitesFilter(filter);

// Register the TLS parameters with the Jetty engine for the endpoint's port.
JettyHTTPServerEngineFactory factory = new JettyHTTPServerEngineFactory();
factory.setTLSServerParametersForPort(port, tlsParams);

Also I observed that when I set both IncludeProtocol and ExcludeProtocol, I am 
getting the below warning in the logs:

[2019-07-05T06:21:56,391-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - before Starting RESTful Agent
[2019-07-05T06:21:56,462-0500] INFO [main] org.apache.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://localhost:9091/SnapCreator/
[2019-07-05T06:21:56,569-0500] INFO [main] org.eclipse.jetty.util.log - Logging initialized @2754ms to org.eclipse.jetty.util.log.Slf4jLog
[2019-07-05T06:21:56,632-0500] INFO [main] org.eclipse.jetty.server.Server - jetty-9.4.18.v20190429; built: 2019-04-29T20:42:08.989Z; git: e1bc35120a6617ee3df052294e433f3a25ce7097; jvm 8.0.5.21 - pap6480sr5fp21-20180830_01(SR5 FP21)
[2019-07-05T06:21:56,853-0500] WARN [main] org.eclipse.jetty.util.ssl.SslContextFactory - No selected protocols from [TLSv1, TLSv1.1, TLSv1.2]

Code:

List<String> includeProtocolList = new ArrayList<String>();
includeProtocolList.add("TLSv1.2");
tlsParams.setIncludeProtocols(includeProtocolList);

List<String> excludeProtocolList = new ArrayList<String>();
excludeProtocolList.add("SSLv2Hello");
excludeProtocolList.add("SSLv3");
excludeProtocolList.add("TLSv1");
excludeProtocolList.add("TLSv1.1");
tlsParams.setExcludeProtocols(excludeProtocolList);

Kindly help.

Thanks,
Naina
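To see which suites and protocols a given include/exclude configuration leaves before touching a server, the following stand-alone Java program models the regex-based selection Jetty's SslContextFactory performs: include patterns must fully match a supported name, then anything matching an exclude pattern is removed. This is an added example, not CXF or Jetty code and not from the issue thread. The class and method names are mine, the supported-suite list is constructed from names that appear in the log above, and the "default" exclude list is my recollection of Jetty 9.4's defaults apart from the ^SSL_.*$ pattern the issue itself describes, so it should be checked against the Jetty version in use.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Model of Jetty-style cipher-suite and protocol selection (illustrative, not Jetty's code):
 * include patterns are regexes that must fully match a supported name; exclude patterns
 * are then removed from the result.
 */
public class SuiteSelectionDemo {

    /** Names in {@code supported} that fully match at least one regex in {@code patterns}. */
    static List<String> matching(List<String> supported, List<String> patterns) {
        List<String> out = new ArrayList<>();
        for (String p : patterns) {
            Pattern re = Pattern.compile(p);
            for (String name : supported) {
                // matches() is a full-string match, so "TLSv1" does not match "TLSv1.2".
                if (re.matcher(name).matches() && !out.contains(name)) {
                    out.add(name);
                }
            }
        }
        return out;
    }

    /** Start from the includes (or everything, when none are given), then drop the excludes. */
    static List<String> select(List<String> supported, List<String> includes, List<String> excludes) {
        List<String> selected = includes.isEmpty()
            ? new ArrayList<>(supported)
            : matching(supported, includes);
        selected.removeAll(matching(supported, excludes));
        return selected;
    }

    public static void main(String[] args) {
        // Constructed sample: a subset of the SSL_-prefixed names IBM Java 8 reports in the log above.
        List<String> ibmSupported = Arrays.asList(
            "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "SSL_RSA_WITH_AES_128_CBC_SHA",
            "SSL_DH_anon_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_NULL_SHA256",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_RSA_WITH_NULL_MD5");

        // Exclude list modelled on Jetty 9.4's defaults. "^SSL_.*$" is the pattern the issue
        // describes; the other entries are my recollection (assumption) of the default list.
        List<String> jettyDefaultExcludes = Arrays.asList(
            "^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^SSL_.*$", "^.*_NULL_.*$", "^.*_anon_.*$");

        // 1. Defaults against IBM names: every suite starts with SSL_, so the selection is empty,
        //    which is the condition behind the "No supported ciphers" warning.
        List<String> withDefaults = select(ibmSupported, new ArrayList<>(), jettyDefaultExcludes);
        System.out.println("Default excludes leave: " + withDefaults);

        // 2. A replacement exclude list that names weak constructions (anonymous key exchange,
        //    NULL encryption, DES, MD5, SHA-1 CBC) instead of the SSL_ prefix.
        List<String> weakOnlyExcludes = Arrays.asList(
            "^.*_anon_.*$", "^.*_NULL_.*$", "^.*_DES_.*$", "^.*_MD5$", "^.*_CBC_SHA$");
        List<String> hardened = select(ibmSupported, new ArrayList<>(), weakOnlyExcludes);
        System.out.println("Weak-only excludes leave: " + hardened);

        // 3. The poster's protocol lists run through the same include-then-exclude model.
        List<String> supportedProtocols = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2");
        List<String> protocols = select(supportedProtocols,
            Arrays.asList("TLSv1.2"),
            Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"));
        System.out.println("Selected protocols: " + protocols);
    }
}
```

The first case shows why a prefix-based exclude is the wrong tool on a JDK whose naming convention is the prefix: it removes the GCM suites along with the weak ones. The second case keeps the intent of the default (drop anonymous, NULL, DES, MD5 and SHA-1 CBC suites) while letting the SHA-2 and GCM suites through, which is the list worth comparing against what the server actually negotiates.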

 

> CXF does not allow to change default configuration of Jetty
> -----------------------------------------------------------
>
>                 Key: CXF-8069
>                 URL: https://issues.apache.org/jira/browse/CXF-8069
>             Project: CXF
>          Issue Type: Bug
>         Environment: CXF : 3.2.7
> Jetty: 9.4.18v20190429
> Java : IBM Java 8
> Platform : AIX
>  
>            Reporter: Naina
>            Priority: Blocker
>         Attachments: Cipher_error.png, Protocol_error.png
>
>
> Hi Team,
> We are using Apache CXF 3.2.7 and seeking help to update Jetty's default 
> configuration which is being used by Apache CXF.
> CXF internally calls Jetty, and Jetty has a default configuration to exclude 
> cipher suites which start with SSL_*. As all the TLS cipher suites of IBM 
> Java 8 start with SSL_*, we are unable to establish a connection with Jetty 
> using IBM Java 8. So the ask is, how can we update the default configuration 
> of Jetty via CXF?
> We resolved the same issue on one of our servers with the help of the Jetty team, 
> where we were creating the Jetty instance in our code and were getting the warning 
> "No supported ciphers from [ListOfAvailableCiphers]". They suggested adding the 
> sslContextFactory.setExcludeCipherSuites(ListOfWeakCiphers) method while 
> creating Jetty's instance, which actually overrides the default cipher suites 
> excluded by Jetty.
> But in the current case, we just call CXF's JAXRSServerFactoryBean create() 
> method, which internally calls Jetty and creates its instance with the default 
> configuration. Here is the code snippet:
> private JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
>
> private JettyHTTPDestination startEndpoint() {
>     logger.info("before Starting RESTful Agent");
>     Server server = sf.create();
>     logger.info("Started RESTful Agent at: " + server.getEndpoint().getEndpointInfo().getAddress());
>     return (JettyHTTPDestination) server.getDestination();
> }
>
> These are the logs which got generated during the execution of the above code:
> [2019-07-03T07:37:33,324-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - before Starting RESTful Agent
> [2019-07-03T07:37:33,396-0500] INFO [main] org.apache.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://localhost:9091/SnapCreator/
> [2019-07-03T07:37:33,503-0500] INFO [main] org.eclipse.jetty.util.log - Logging initialized @2814ms to org.eclipse.jetty.util.log.Slf4jLog
> [2019-07-03T07:37:33,566-0500] INFO [main] org.eclipse.jetty.server.Server - jetty-9.4.18.v20190429; built: 2019-04-29T20:42:08.989Z; git: e1bc35120a6617ee3df052294e433f3a25ce7097; jvm 8.0.5.21 - pap6480sr5fp21-20180830_01(SR5 FP21)
> [2019-07-03T07:37:33,746-0500] WARN [main] org.eclipse.jetty.util.ssl.SslContextFactory - No supported ciphers from 
> [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 
> SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, 
> SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, 
> SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, 
> SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, 
> SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 
> SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, 
> SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 
> SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, 
> SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, 
> SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, 
> SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
> SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
> SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, 
> SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
> SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 
> SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, 
> SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, 
> SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, 
> SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, 
> SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, 
> SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, 
> SSL_DH_anon_WITH_AES_256_GCM_SHA384, SSL_DH_anon_WITH_AES_128_GCM_SHA256, 
> SSL_DH_anon_WITH_AES_256_CBC_SHA256, SSL_ECDH_anon_WITH_AES_256_CBC_SHA, 
> SSL_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_128_CBC_SHA256, 
> SSL_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_AES_128_CBC_SHA, 
> SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, 
> SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, 
> SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_RSA_WITH_NULL_SHA256, 
> SSL_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ECDHE_RSA_WITH_NULL_SHA, 
> SSL_RSA_WITH_NULL_SHA, SSL_ECDH_ECDSA_WITH_NULL_SHA, 
> SSL_ECDH_RSA_WITH_NULL_SHA, SSL_ECDH_anon_WITH_NULL_SHA, 
> SSL_RSA_WITH_NULL_MD5, SSL_KRB5_WITH_DES_CBC_SHA, 
> SSL_KRB5_WITH_DES_CBC_MD5]
> [2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@b3893135{ssl,[ssl, http/1.1]}{0.0.0.0:9091}
> [2019-07-03T07:37:33,752-0500] INFO [main] org.eclipse.jetty.server.Server - Started @3065ms
> [2019-07-03T07:37:33,772-0500] INFO [main] org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.h.ContextHandler@76c87ae8{/SnapCreator,null,AVAILABLE}
> [2019-07-03T07:37:33,772-0500] INFO [main] com.netapp.snapcreator.agent.nextgen.RestEndpointHelper - Started RESTful Agent at: https://localhost:9091/SnapCreator/
> As you can see in the logs, Jetty shows the warning "No supported ciphers 
> from [ListOfAvailableCiphers]". I tried to exclude ciphers by setting 
> TLSServerParameters and excluding weak cipher suites, but it did not override 
> the ciphers which are set in Jetty's default configuration.
> Can you please help to identify if there is any way to change the default 
> configuration of Jetty through CXF?
> Please let me know if you need any more information.
> Thanks,
> Naina



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)