Your message dated Wed, 17 Jul 2019 03:05:02 +0000
with message-id <[email protected]>
and subject line Bug#930562: fixed in trapperkeeper-webserver-jetty9-clojure
1.7.0-3
has caused the Debian Bug report #930562,
regarding libtrapperkeeper-webserver-jetty9-clojure: Incompatibility with
jetty9 (9.4.15) in Buster with PuppetDB/SSL
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
930562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930562
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libtrapperkeeper-webserver-jetty9-clojure
Version: 1.7.0-2
Severity: normal
Tags: patch
Dear Maintainer,
I recently noticed that access to PuppetDB via SSL is not working anymore. It
seems that this has already been reported as a bug against jetty9 [1], since an
update of Jetty seems to be the cause for this breakage. While looking into
this issue, I noticed that running the trapperkeeper-webserver-jetty9 tests
against the same version of Jetty that is currently in Buster already fails
(not only in the SSL-related tests, but also some others, which are probably
not relevant for the issue at hand). Interestingly, a pull request [2] was
merged last night which upgrades the Jetty dependency to a newer version. It
seems that applying the commit 9db41703 [3] from this PR to the Debian package
of libtrapperkeeper-webserver-jetty9-clojure makes PuppetDB accessible again.
The attached patch adds the relevant patch to debian/patches, and a package
built from this seemed to make PuppetDB work again on my system.
Kind regards
Manfred
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005
[2] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/pull/201
[3] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8), LANGUAGE=de_CH:de
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages libtrapperkeeper-webserver-jetty9-clojure depends on:
ii libclojure-java 1.10.0-1
ii libjanino-java 2.7.0-2
ii libjava-jmx-clojure 0.3.4-1
ii libjetty9-extra-java 9.4.15-1
ii libjetty9-java 9.4.15-1
ii libkitchensink-clojure 2.3.0-2
ii libprismatic-schema-clojure 1.1.6-1
ii libpuppetlabs-i18n-clojure 0.8.0-1
ii libring-codec-clojure 1.0.1-1
ii libring-servlet-clojure 1.6.2-2
ii libservlet-api-java 4.0.1-2
ii libssl-utils-clojure 0.8.3-2
ii libtools-logging-clojure 0.2.3-6
ii libtrapperkeeper-clojure 1.5.2-2
libtrapperkeeper-webserver-jetty9-clojure recommends no packages.
libtrapperkeeper-webserver-jetty9-clojure suggests no packages.
-- no debconf information
From b938d1bb2e2c2d88ba07e06f991919ef128f0e87 Mon Sep 17 00:00:00 2001
From: Manfred Stock <[email protected]>
Date: Sat, 15 Jun 2019 13:34:24 +0000
Subject: [PATCH] Add patch for SSL compatibility with newer Jetty
The upstream commit 9db41703 [1] seems to fix an issue with the jetty9 version
that is currently in Debian testing which seems to be the cause for Debian bug
[1] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005
---
...maint-Disable-EndpointIdentification.patch | 46 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 47 insertions(+)
create mode 100644
debian/patches/0001-maint-Disable-EndpointIdentification.patch
diff --git a/debian/patches/0001-maint-Disable-EndpointIdentification.patch
b/debian/patches/0001-maint-Disable-EndpointIdentification.patch
new file mode 100644
index 0000000..39890d7
--- /dev/null
+++ b/debian/patches/0001-maint-Disable-EndpointIdentification.patch
@@ -0,0 +1,46 @@
+From 9db4170381e07165078e544340e12b38676c2613 Mon Sep 17 00:00:00 2001
+From: Justin Stoller <[email protected]>
+Date: Fri, 24 May 2019 16:10:44 -0700
+Subject: [PATCH] (maint) Disable EndpointIdentification
+
+Previously, Jetty disabled Endpoint Identification by default as it is a best
+practice for most webservers who often cannot identify clients
+connecting to it. However, in 9.4.15 Jetty changed this default to
+"HTTPS", which is the best practice for _client_ SslContexts. This
+caused serious breakages throughout the Jetty ecosystem and since 9.4.16
+Jetty introduced static inner classes of SslContextFactory, named Server
+and Client, to create the correct contexts for each type of consumer.
+
+Unfortunately, because we subclass SslContextFactory with our own
+InternalSslContextFactory that overrides CRL handling, using these static
+inner class factories is problematic. Consequently, this patch takes the
+approach of simply setting the Endpoint Identification Algorithm to null
+as was previously the default (and necessary in most server
+environments).
+
+This will cause a warning of overriding a deprecated method during
+compilation in newer Java versions and our approach to handling CRLs
+will need to be reworked should we use this codebase as a basis for a
+trapperkeeper-webserver-jetty10 project.
+
+For more info see linked issues to the implementing PR here:
+https://github.com/eclipse/jetty.project/pull/3480/files#diff-58640db0f8f2cd84b7e653d1c1540913
+---
+ src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+index 3a577bb..02e7c7d 100644
+--- a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
++++ b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+@@ -197,6 +197,7 @@
+ (.setKeyStore (:keystore keystore-config))
+ (.setKeyStorePassword (:key-password keystore-config))
+ (.setTrustStore (:truststore keystore-config))
++ (.setEndpointIdentificationAlgorithm nil)
+ ;; Need to clear out the default cipher suite exclude list
so
+ ;; that Jetty doesn't potentially remove one or more ciphers
+ ;; that we want to be included.
+--
+2.20.1
+
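Review bot: the added `(.setEndpointIdentificationAlgorithm nil)` line in the jetty9_core.clj hunk (@@ -197,6 +197,7) has no comment, unlike the cipher-suite lines directly below it, so nothing at the call site records that the nil is intentional and only appropriate for a server-side context. Passing nil turns off hostname checking of the peer certificate for every context built from this factory, so please confirm the factory is never reused for outbound (client) connections and add a short comment pointing at the Jetty 9.4.15 default change that the commit message describes. As a Debian patch, the header would also benefit from DEP-3 `Origin:` and `Bug-Debian:` fields, since the upstream commit URL and the bug reference currently appear only in the outer commit message.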
diff --git a/debian/patches/series b/debian/patches/series
index cfdab48..8534cb9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ jetty-9.4-compat
0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch
0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch
0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch
+0001-maint-Disable-EndpointIdentification.patch
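Review bot: the new `series` entry reuses the `0001-` prefix already taken by `0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch` and is listed after the `0004-` entry, so the numbering no longer reflects the order in which the patches are applied. Renaming the file to the next free number (for example `0005-maint-Disable-EndpointIdentification.patch`) in both `debian/patches/` and `series` would keep the two `0001-` patches from being confused.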
--
2.20.1
--- End Message ---
--- Begin Message ---
Source: trapperkeeper-webserver-jetty9-clojure
Source-Version: 1.7.0-3
We believe that the bug you reported is fixed in the latest version of
trapperkeeper-webserver-jetty9-clojure, which is due to be installed in the
Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <[email protected]> (supplier of updated
trapperkeeper-webserver-jetty9-clojure package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 16 Jul 2019 21:44:14 -0300
Source: trapperkeeper-webserver-jetty9-clojure
Binary: libtrapperkeeper-webserver-jetty9-clojure
Architecture: source all
Version: 1.7.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: Apollon Oikonomopoulos <[email protected]>
Description:
libtrapperkeeper-webserver-jetty9-clojure - trapperkeeper webserver service
Closes: 930562
Changes:
trapperkeeper-webserver-jetty9-clojure (1.7.0-3) unstable; urgency=medium
.
[ Manfred Stock ]
* Add patch for SSL compatibility with newer Jetty (closes: #930562)
.
[ Apollon Oikonomopoulos ]
* Bump dh compat level to 12; no changes needed
* Bump Standards-Version to 4.4.0; no changes needed
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.