[
https://issues.apache.org/jira/browse/LOG4J2-3439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17509201#comment-17509201
]
Piotr Karwasz commented on LOG4J2-3439:
---------------------------------------
[~rgoers],
I never checked on old Java versions, but on Java 8 and later the _"may support
other versions"_ is taken literally: e.g. the explicitly numbered protocols
like "TLSv1.2" allow all protocols from SSLv3 to TLSv1.2 (but not TLSv1.3 on
Java 11).
So "TLS" and its [alias
"SSL"|https://github.com/openjdk/jdk8u/blob/59efbfb2da0b1b588679db6375c124e224a0960e/jdk/src/share/classes/sun/security/ssl/SunJSSE.java#L212]
are the only rational choices: these actually use Java's security
configuration (cf. [source
code|https://github.com/openjdk/jdk8u/blob/59efbfb2da0b1b588679db6375c124e224a0960e/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java#L893])
and I expect them to be forward compatible. Last year around JDK 8u291 all
protocols except TLSv1.2 and TLSv1.3 were disabled by default.
I agree with you, we should default to "TLS" because this sounds better and the
"SSL" alias is disabled in FIPS mode. Tomcat does it too. I would go even
further and deprecate the "protocol" property (document it better?), since the
only other rational choice other than "TLS" is "DTLS": users that don't know
JSSE's details could get confused. Tomcat has two properties (cf.
[documentation|https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig]):
"protocols", which is the real one and "sslProtocol", which is the "fake" JSSE
protocol name.
However that's beyond the scope of this issue. For this issue specifically I'll
replace "https" with {{null}}, add the missing unit tests and dust the
documentation a little.
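The behaviour the comment above describes can be seen directly with the JDK's own API. The following is an added example, not code from Log4j or from the commenter; it assumes a standard JDK 8+ with the default SunJSSE provider and simply asks `SSLContext.getInstance` for each name, then prints which protocol versions that context enables by default versus supports at all. The candidate list (including the invalid "https" that SslConfigurationFactory was passing) is constructed for this demonstration.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

public class SslContextProtocolNames {

    // Constructed for this demo: the JSSE context names discussed in the issue,
    // plus "https", which is not a valid SSLContext algorithm name at all.
    private static final String[] CANDIDATES = {"TLS", "SSL", "TLSv1.2", "https"};

    public static void main(String[] args) {
        for (String name : CANDIDATES) {
            describe(name);
        }
    }

    /** Prints what a given SSLContext name resolves to on this JDK, or why it fails. */
    static void describe(String name) {
        try {
            SSLContext ctx = SSLContext.getInstance(name);
            // null managers: JSSE installs its default key/trust managers,
            // the same fallback log4j uses when none are configured.
            ctx.init(null, null, null);

            // Versions enabled by default. This is where the JDK's security
            // configuration (jdk.tls.disabledAlgorithms) is applied, so on
            // JDK 8u291+ this list no longer contains SSLv3/TLSv1/TLSv1.1.
            System.out.printf("%-8s enabled by default: %s%n", name,
                    Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

            // Upper bound of what the context can negotiate at all: for "TLSv1.2"
            // this tops out at TLSv1.2, while "TLS" follows whatever the JDK offers.
            System.out.printf("%-8s supported at most:  %s%n", name,
                    Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        } catch (NoSuchAlgorithmException e) {
            // "https" lands here: getInstance throws instead of returning a context.
            // A caller that catches this, keeps a null context and dereferences it
            // later is exactly how the NullPointerException in the issue arises.
            System.out.printf("%-8s NoSuchAlgorithmException: %s%n", name, e.getMessage());
        } catch (KeyManagementException e) {
            System.out.printf("%-8s init failed: %s%n", name, e.getMessage());
        }
    }
}
```

Run with `java SslContextProtocolNames.java` (JDK 11+) and compare the two lines printed for "TLS" and "TLSv1.2": the numbered name caps the negotiable versions, whereas "TLS" leaves the decision to the JDK's security properties, which is why it remains the forward-compatible choice and why an unknown name must be rejected at configuration time rather than surfacing as a null context.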
> log4j2 Spring Cloud config integration with MTLS gives NullPointerException
> ---------------------------------------------------------------------------
>
> Key: LOG4J2-3439
> URL: https://issues.apache.org/jira/browse/LOG4J2-3439
> Project: Log4j 2
> Issue Type: Bug
> Reporter: Jayesh Netravali
> Assignee: Piotr Karwasz
> Priority: Major
> Attachments: log4j-core-stacktrace.txt
>
>
> Hello
>
> I am trying to use the log4j2 Spring cloud config integration capabilities
> and have been referring to the sample application on the github project
> [https://github.com/apache/logging-log4j2/tree/release-2.x/log4j-spring-cloud-config/log4j-spring-cloud-config-samples]
> When I try to configure a MTLS HTTPs URL of my cloud config server in the
> bootstrap.yaml of my client application which needs to fetch the log4j2.xml,
> I get a NPE in the
> org.apache.logging.log4j.core.net.ssl.SslConfiguration.createSslContext(
> final boolean loadDefaultKeyManagerFactory, final boolean
> loadDefaultTrustManagerFactory) method when the
> SSLContext.getInstance(this.protocol); is invoked. On debugging I see that
> the protocol being passed from the SslConfigurationFactory to the
> SslConfiguration is "https" which causes SSLContext.getInstance() to throw an
> exception and thus no sslContext is created. I have attached the stacktrace
> for your reference.
> Below is my configuration. Please let me know if I am missing something.
> logging:
> config:
> https://localhost:8888/common/default/${CONFIG_SERVER_LABEL_ESCAPED}/log4j2.xml
> log4j2:
> debug: true
> keyStoreLocation: file:///${HTTP_KEYSTORE_PATH}
> keyStoreType: JKS
> keyStorePassword: ${HTTP_KEYSTORE_PWD}
> trustStoreLocation: file:///${HTTP_TRUSTSTORE_PATH}
> trustStoreKeyStoreType: JKS
> trustStorePassword: ${HTTP_TRUSTSTORE_PWD}
> sslVerifyHostName: false
--
This message was sent by Atlassian Jira
(v8.20.1#820001)