Package: libtrapperkeeper-webserver-jetty9-clojure
Version: 1.7.0-2
Severity: normal
Tags: patch
Dear Maintainer,

I recently noticed that access to PuppetDB via SSL is not working anymore. It seems that this has already been reported as a bug against jetty9 [1], since an update of Jetty seems to be the cause for this breakage.

While looking into this issue, I noticed that running the trapperkeeper-webserver-jetty9 tests against the same version of Jetty that is currently in Buster already fails (not only in the SSL-related tests, but also some others, which are probably not relevant for the issue at hand). Interestingly, a pull request [2] was merged last night which upgrades the Jetty dependency to a newer version. It seems that applying the commit 9db41703 [3] from this PR to the Debian package of libtrapperkeeper-webserver-jetty9-clojure makes PuppetDB accessible again.

The attached patch adds the relevant patch to debian/patches, and a package built from this seemed to make PuppetDB work again on my system.

Kind regards
Manfred

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005
[2] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/pull/201
[3] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8), LANGUAGE=de_CH:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages libtrapperkeeper-webserver-jetty9-clojure depends on:
ii  libclojure-java              1.10.0-1
ii  libjanino-java               2.7.0-2
ii  libjava-jmx-clojure          0.3.4-1
ii  libjetty9-extra-java         9.4.15-1
ii  libjetty9-java               9.4.15-1
ii  libkitchensink-clojure       2.3.0-2
ii  libprismatic-schema-clojure  1.1.6-1
ii  libpuppetlabs-i18n-clojure   0.8.0-1
ii  libring-codec-clojure        1.0.1-1
ii  libring-servlet-clojure      1.6.2-2
ii  libservlet-api-java          4.0.1-2
ii  libssl-utils-clojure         0.8.3-2
ii  libtools-logging-clojure     0.2.3-6
ii  libtrapperkeeper-clojure     1.5.2-2

libtrapperkeeper-webserver-jetty9-clojure recommends no packages.

libtrapperkeeper-webserver-jetty9-clojure suggests no packages.

-- no debconf information
>From b938d1bb2e2c2d88ba07e06f991919ef128f0e87 Mon Sep 17 00:00:00 2001 From: Manfred Stock <[email protected]> Date: Sat, 15 Jun 2019 13:34:24 +0000 Subject: [PATCH] Add patch for SSL compatibility with newer Jetty The upstream commit 9db41703 [1] seems to fix an issue with the jetty9 version that is currently in Debian testing which seems to be the cause for Debian bug [1] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005 --- ...maint-Disable-EndpointIdentification.patch | 46 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 47 insertions(+) create mode 100644 debian/patches/0001-maint-Disable-EndpointIdentification.patch diff --git a/debian/patches/0001-maint-Disable-EndpointIdentification.patch b/debian/patches/0001-maint-Disable-EndpointIdentification.patch new file mode 100644 index 0000000..39890d7 --- /dev/null +++ b/debian/patches/0001-maint-Disable-EndpointIdentification.patch 
@@ -0,0 +1,46 @@ +From 9db4170381e07165078e544340e12b38676c2613 Mon Sep 17 00:00:00 2001 +From: Justin Stoller <[email protected]> +Date: Fri, 24 May 2019 16:10:44 -0700 +Subject: [PATCH] (maint) Disable EndpointIdentification + +Previously, Jetty disabled Endpoint Identification by default as it is a best +practice for most webservers who often cannot identify clients +connecting to it. However, in 9.4.15 Jetty changed this default to +"HTTPS", which is the best practice for _client_ SslContexts. This +caused serious breakages throughout the Jetty ecosystem and since 9.4.16 +Jetty introduced static inner classes of SslContextFactory, named Server +and Client, to create the correct contexts for each type of consumer. + +Unfortunately, because we subclass SslContextFactory with our own +InternalSslContextFactory that overrides CRL handling, using these static +inner class factories is problematic. Consequently, this patch takes the +approach of simply setting the Endpoint Identification Algorithm to null +as was previously the default (and necessary in most server +environments). + +This will cause a warning of overriding a deprecated method during +compilation in newer Java versions and our approach to handling CRLs +will need to be reworked should we use this codebase as a basis for a +trapperkeeper-webserver-jetty10 project. 
+ +For more info see linked issues to the implementing PR here: +https://github.com/eclipse/jetty.project/pull/3480/files#diff-58640db0f8f2cd84b7e653d1c1540913 +--- + src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj +index 3a577bb..02e7c7d 100644 +--- a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj ++++ b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj +@@ -197,6 +197,7 @@ + (.setKeyStore (:keystore keystore-config)) + (.setKeyStorePassword (:key-password keystore-config)) + (.setTrustStore (:truststore keystore-config)) ++ (.setEndpointIdentificationAlgorithm nil) + ;; Need to clear out the default cipher suite exclude list so + ;; that Jetty doesn't potentially remove one or more ciphers + ;; that we want to be included. +-- +2.20.1 + diff --git a/debian/patches/series b/debian/patches/series index cfdab48..8534cb9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ jetty-9.4-compat 0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch 0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch 0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch +0001-maint-Disable-EndpointIdentification.patch -- 2.20.1
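Review bot: the single added line `(.setEndpointIdentificationAlgorithm nil)` in the jetty9_core.clj hunk switches off hostname verification for every SSL context this `InternalSslContextFactory` produces. That is the right default for the server-side listener (a server has no peer hostname to check, which is why Jetty's old default was null), but if the same factory is ever used to build a client-side context, outbound connections would lose hostname checking without any warning; a short comment next to the call stating that this factory only ever produces server contexts would make that assumption visible to whoever next touches the file. Separately, the nested patch carries only the git `From:`/`Date:`/`Subject:` trailers; adding DEP-3 `Origin: upstream, https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613` and `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005` lines at its top would record where it came from and which bug it closes.

Review bot: in the debian/patches/series hunk the new entry `0001-maint-Disable-EndpointIdentification.patch` reuses the `0001-` prefix already taken by `0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch` in the same series, and the existing numbering already runs up to `0004-...`. Naming the file `0005-maint-Disable-EndpointIdentification.patch` (and renaming it consistently in the `create mode` and `diff --git` lines above) would keep the series numbering unambiguous; appending it as the last entry is fine, since it adds one independent line that does not depend on the other patches' ordering.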
