Your message dated Tue, 17 Sep 2019 11:32:10 +0000
with message-id <[email protected]>
and subject line Bug#930562: fixed in trapperkeeper-webserver-jetty9-clojure
1.7.0-2+deb10u1
has caused the Debian Bug report #930562,
regarding libtrapperkeeper-webserver-jetty9-clojure: Incompatibility with
jetty9 (9.4.15) in Buster with PuppetDB/SSL
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
930562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930562
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libtrapperkeeper-webserver-jetty9-clojure
Version: 1.7.0-2
Severity: normal
Tags: patch
Dear Maintainer,
I recently noticed that access to PuppetDB via SSL is not working anymore. It
seems that this has already been reported as a bug against jetty9 [1], since an
update of Jetty seems to be the cause for this breakage. While looking into
this issue, I noticed that running the trapperkeeper-webserver-jetty9 tests
against the same version of Jetty that is currently in Buster already fails
(not only in the SSL-related tests, but also some others, which are probably
not relevant for the issue at hand). Interestingly, a pull request [2] was
merged last night which upgrades the Jetty dependency to a newer version. It
seems that applying the commit 9db41703 [3] from this PR to the Debian package
of libtrapperkeeper-webserver-jetty9-clojure makes PuppetDB accessible again.
The attached patch adds the relevant patch to debian/patches, and a package
built from this seemed to make PuppetDB work again on my system.
Kind regards
Manfred
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005
[2] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/pull/201
[3] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8), LANGUAGE=de_CH:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages libtrapperkeeper-webserver-jetty9-clojure depends on:
ii libclojure-java 1.10.0-1
ii libjanino-java 2.7.0-2
ii libjava-jmx-clojure 0.3.4-1
ii libjetty9-extra-java 9.4.15-1
ii libjetty9-java 9.4.15-1
ii libkitchensink-clojure 2.3.0-2
ii libprismatic-schema-clojure 1.1.6-1
ii libpuppetlabs-i18n-clojure 0.8.0-1
ii libring-codec-clojure 1.0.1-1
ii libring-servlet-clojure 1.6.2-2
ii libservlet-api-java 4.0.1-2
ii libssl-utils-clojure 0.8.3-2
ii libtools-logging-clojure 0.2.3-6
ii libtrapperkeeper-clojure 1.5.2-2
libtrapperkeeper-webserver-jetty9-clojure recommends no packages.
libtrapperkeeper-webserver-jetty9-clojure suggests no packages.
-- no debconf information
From b938d1bb2e2c2d88ba07e06f991919ef128f0e87 Mon Sep 17 00:00:00 2001
From: Manfred Stock <[email protected]>
Date: Sat, 15 Jun 2019 13:34:24 +0000
Subject: [PATCH] Add patch for SSL compatibility with newer Jetty
The upstream commit 9db41703 [1] seems to fix an issue with the jetty9 version
that is currently in Debian testing which seems to be the cause for Debian bug
[1] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005
---
...maint-Disable-EndpointIdentification.patch | 46 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 47 insertions(+)
create mode 100644
debian/patches/0001-maint-Disable-EndpointIdentification.patch
diff --git a/debian/patches/0001-maint-Disable-EndpointIdentification.patch
b/debian/patches/0001-maint-Disable-EndpointIdentification.patch
new file mode 100644
index 0000000..39890d7
--- /dev/null
+++ b/debian/patches/0001-maint-Disable-EndpointIdentification.patch
@@ -0,0 +1,46 @@
+From 9db4170381e07165078e544340e12b38676c2613 Mon Sep 17 00:00:00 2001
+From: Justin Stoller <[email protected]>
+Date: Fri, 24 May 2019 16:10:44 -0700
+Subject: [PATCH] (maint) Disable EndpointIdentification
+
+Previously, Jetty disabled Endpoint Identification by default as it is a best
+practice for most webservers who often cannot identify clients
+connecting to it. However, in 9.4.15 Jetty changed this default to
+"HTTPS", which is the best practice for _client_ SslContexts. This
+caused serious breakages throughout the Jetty ecosystem and since 9.4.16
+Jetty introduced static inner classes of SslContextFactory, named Server
+and Client, to create the correct contexts for each type of consumer.
+
+Unfortunately, because we subclass SslContextFactory with our own
+InternalSslContextFactory that overrides CRL handling, using these static
+inner class factories is problematic. Consequently, this patch takes the
+approach of simply setting the Endpoint Identification Algorithm to null
+as was previously the default (and necessary in most server
+environments).
+
+This will cause a warning of overriding a deprecated method during
+compilation in newer Java versions and our approach to handling CRLs
+will need to be reworked should we use this codebase as a basis for a
+trapperkeeper-webserver-jetty10 project.
+
+For more info see linked issues to the implementing PR here:
+https://github.com/eclipse/jetty.project/pull/3480/files#diff-58640db0f8f2cd84b7e653d1c1540913
+---
+ src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+index 3a577bb..02e7c7d 100644
+--- a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
++++ b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+@@ -197,6 +197,7 @@
+ (.setKeyStore (:keystore keystore-config))
+ (.setKeyStorePassword (:key-password keystore-config))
+ (.setTrustStore (:truststore keystore-config))
++ (.setEndpointIdentificationAlgorithm nil)
+ ;; Need to clear out the default cipher suite exclude list
so
+ ;; that Jetty doesn't potentially remove one or more ciphers
+ ;; that we want to be included.
+--
+2.20.1
+
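Review bot: the embedded patch file looks line-wrapped in transit, which would make it fail to apply at build time: the header `+diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj` continues on a second line (`b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj`) without a `+` prefix, and the context line `+ ;; Need to clear out the default cipher suite exclude list` has its trailing `so` on a line of its own. Please confirm the actual attachment has these lines intact (attach `git format-patch` output rather than pasting it). On the content, `(.setEndpointIdentificationAlgorithm nil)` is added to the same factory that receives `setKeyStore` and `setTrustStore`, i.e. the server listener context, and the commit message itself says "HTTPS" is the correct setting for client contexts; it would be worth checking that InternalSslContextFactory is not also used for outbound client connections, where a nil algorithm silently disables hostname verification, and stating that constraint in a comment next to the call. A DEP-3 `Origin:`/`Bug-Debian:` header on the nested patch would also record where it came from for the next maintainer.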
diff --git a/debian/patches/series b/debian/patches/series
index cfdab48..8534cb9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ jetty-9.4-compat
0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch
0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch
0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch
+0001-maint-Disable-EndpointIdentification.patch
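Review bot: the new file name reuses the `0001-` prefix already taken by `0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch` earlier in this series; since the existing entries are numbered sequentially (0001, 0003, 0004), naming it `0005-maint-Disable-EndpointIdentification.patch` would keep the on-disk order matching the apply order in `series`. Appending the entry at the end of the file is otherwise fine.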
--
2.20.1
--- End Message ---
--- Begin Message ---
Source: trapperkeeper-webserver-jetty9-clojure
Source-Version: 1.7.0-2+deb10u1
We believe that the bug you reported is fixed in the latest version of
trapperkeeper-webserver-jetty9-clojure, which is due to be installed in the
Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Cristau <[email protected]> (supplier of updated
trapperkeeper-webserver-jetty9-clojure package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 13 Sep 2019 11:00:50 +0200
Source: trapperkeeper-webserver-jetty9-clojure
Architecture: source
Version: 1.7.0-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: Julien Cristau <[email protected]>
Closes: 930562
Changes:
trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1) buster; urgency=medium
.
[ Manfred Stock ]
* Add patch for SSL compatibility with newer Jetty (closes: #930562).
Checksums-Sha1:
480b977c56c9087ed279309dc08ff1a9969c82da 2732
trapperkeeper-webserver-jetty9-clojure_1.7.0-2+deb10u1.dsc
6d2c9c391c3415b04e60310248fcb4785fbed395 11948
trapperkeeper-webserver-jetty9-clojure_1.7.0-2+deb10u1.debian.tar.xz
Checksums-Sha256:
801d2b87a92971507775a0a006be51ac71b20e061b8e5cd81f3b7091ae6adfc0 2732
trapperkeeper-webserver-jetty9-clojure_1.7.0-2+deb10u1.dsc
7181bf111b71c604611be0ca8f10bac18b636b3c775eb79b8e2c3509976c0172 11948
trapperkeeper-webserver-jetty9-clojure_1.7.0-2+deb10u1.debian.tar.xz
Files:
9b007937e17c84892ca7a3c1bb6e9a26 2732 java optional
trapperkeeper-webserver-jetty9-clojure_1.7.0-2+deb10u1.dsc
80e81d2eedfc14801dcf68a4fbf912e7 11948 java optional
trapperkeeper-webserver-jetty9-clojure_1.7.0-2+deb10u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=JM6n
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.