[jira] [Created] (CXF-8363) Jetty certificate hot reload throws exception due to usage of depreciated SslContextFactory

Wed, 04 Nov 2020 08:18:58 -0800 

Fadi Mohsen created CXF-8363:
--------------------------------

             Summary: Jetty certificate hot reload throws exception due to 
usage of depreciated SslContextFactory
                 Key: CXF-8363
                 URL: https://issues.apache.org/jira/browse/CXF-8363
             Project: CXF
          Issue Type: Improvement
            Reporter: Fadi Mohsen


When attempting hot reload of certificate using Jetty:s 


{noformat}
            JettyHTTPDestination destination = (JettyHTTPDestination) 
server.getDestination();
            JettyHTTPServerEngine engine = (JettyHTTPServerEngine) 
destination.getEngine();
            Collection<ConnectionFactory> connectionFactories = 
engine.getServer().getConnectors()[0].getConnectionFactories();
            SslConnectionFactory connectionFactory = (SslConnectionFactory) 
connectionFactories.stream().filter(cf -> cf instanceof SslConnectionFactory)
                    .findFirst()
                    .get();
            SslContextFactory sslContextFactory = 
connectionFactory.getSslContextFactory();
            sslContextFactory.reload(ssf -> {
                ssf.setSslContext(null);
                ssf.setKeyStore(certStore.getKeyStore());
                ssf.setKeyStorePassword(new String(certStore.getKeyPassword()));
            });{noformat}

I got this exception:
{noformat}
java.lang.IllegalStateException: KeyStores with multiple certificates are not 
supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use 
org.eclipse.jetty.util.ssl.SslContextFactory$Server or 
org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
   at 
org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1277)
   at 
org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1259)
   at 
org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
   at 
org.eclipse.jetty.util.ssl.SslContextFactory.reload(SslContextFactory.java:1990){noformat}

After reading on the issue, it turned out that CXF´s JettyHTTPServerEngine is 
using the deprecated :
{noformat}
createConnector-> sslcf = new SslContextFactory(){noformat}

whereas it should been using:
{noformat}
sslcf = new SslContextFactory.Server(){noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to