Apollon Oikonomopoulos pushed to branch master at Debian Java Maintainers / trapperkeeper-webserver-jetty9-clojure
Commits: aa45407c by Manfred Stock at 2019-07-17T00:41:32Z Add patch for SSL compatibility with newer Jetty The upstream commit 9db41703 [1] seems to fix an issue with the jetty9 version that is currently in Debian testing which seems to be the cause for Debian bug [1] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005 - - - - - dfb997d2 by Apollon Oikonomopoulos at 2019-07-17T00:42:58Z Adjust patch file name Git-Dch: ignore - - - - - 1e75b5dd by Apollon Oikonomopoulos at 2019-07-17T00:43:41Z Bump dh compat level to 12; no changes needed - - - - - f7c21600 by Apollon Oikonomopoulos at 2019-07-17T00:43:58Z Bump Standards-Version to 4.4.0; no changes needed - - - - - fcb88af5 by Apollon Oikonomopoulos at 2019-07-17T00:44:58Z Release 1.7.0-3 - - - - - 5 changed files: - debian/changelog - debian/compat - debian/control - + debian/patches/0005-maint-Disable-EndpointIdentification.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,14 @@ +trapperkeeper-webserver-jetty9-clojure (1.7.0-3) unstable; urgency=medium + + [ Manfred Stock ] + * Add patch for SSL compatibility with newer Jetty (closes: #930562) + + [ Apollon Oikonomopoulos ] + * Bump dh compat level to 12; no changes needed + * Bump Standards-Version to 4.4.0; no changes needed + + -- Apollon Oikonomopoulos <apoi...@debian.org> Tue, 16 Jul 2019 21:44:14 -0300 + trapperkeeper-webserver-jetty9-clojure (1.7.0-2) unstable; urgency=medium * Fix compatibility with Jetty 9.4 ===================================== debian/compat ===================================== @@ -1 +1 @@ -11 +12 ===================================== debian/control ===================================== 
@@ -4,7 +4,7 @@ Priority: optional Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Uploaders: Apollon Oikonomopoulos <apoi...@debian.org> Build-Depends: - debhelper (>= 11), + debhelper (>= 12), javahelper (>= 0.32), maven-repo-helper (>= 1.7), clojure (>= 1.8), @@ -23,7 +23,7 @@ Build-Depends: libpuppetlabs-i18n-clojure, libtext-markdown-perl | markdown, default-jdk-headless -Standards-Version: 4.3.0 +Standards-Version: 4.4.0 Vcs-Git: https://salsa.debian.org/java-team/trapperkeeper-webserver-jetty9-clojure.git Vcs-Browser: https://salsa.debian.org/java-team/trapperkeeper-webserver-jetty9-clojure Homepage: https://github.com/puppetlabs/trapperkeeper-webserver-jetty9 ===================================== debian/patches/0005-maint-Disable-EndpointIdentification.patch ===================================== 
@@ -0,0 +1,46 @@ +From 9db4170381e07165078e544340e12b38676c2613 Mon Sep 17 00:00:00 2001 +From: Justin Stoller <justin.stol...@gmail.com> +Date: Fri, 24 May 2019 16:10:44 -0700 +Subject: [PATCH] (maint) Disable EndpointIdentification + +Previously, Jetty disabled Endpoint Identification by default as it is a best +practice for most webservers who often cannot identify clients +connecting to it. However, in 9.4.15 Jetty changed this default to +"HTTPS", which is the best practice for _client_ SslContexts. This +caused serious breakages throughout the Jetty ecosystem and since 9.4.16 +Jetty introduced static inner classes of SslContextFactory, named Server +and Client, to create the correct contexts for each type of consumer. + +Unfortunately, because we subclass SslContextFactory with our own +InternalSslContextFactory that overrides CRL handling, using these static +inner class factories is problematic. Consequently, this patch takes the +approach of simply setting the Endpoint Identification Algorithm to null +as was previously the default (and necessary in most server +environments). + +This will cause a warning of overriding a deprecated method during +compilation in newer Java versions and our approach to handling CRLs +will need to be reworked should we use this codebase as a basis for a +trapperkeeper-webserver-jetty10 project. 
+ +For more info see linked issues to the implementing PR here: +https://github.com/eclipse/jetty.project/pull/3480/files#diff-58640db0f8f2cd84b7e653d1c1540913 +--- + src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj +index 3a577bb..02e7c7d 100644 +--- a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj ++++ b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj +@@ -197,6 +197,7 @@ + (.setKeyStore (:keystore keystore-config)) + (.setKeyStorePassword (:key-password keystore-config)) + (.setTrustStore (:truststore keystore-config)) ++ (.setEndpointIdentificationAlgorithm nil) + ;; Need to clear out the default cipher suite exclude list so + ;; that Jetty doesn't potentially remove one or more ciphers + ;; that we want to be included. +-- +2.20.1 + ===================================== debian/patches/series ===================================== @@ -2,3 +2,4 @@ jetty-9.4-compat 0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch 0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch 0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch +0005-maint-Disable-EndpointIdentification.patch View it on GitLab: https://salsa.debian.org/java-team/trapperkeeper-webserver-jetty9-clojure/compare/6c7a66b3fa22fa77c5bb9fbb3738718adaa8b95d...fcb88af5b07ef3aab1aa261a1f93bfbb49d8c651 -- View it on GitLab: https://salsa.debian.org/java-team/trapperkeeper-webserver-jetty9-clojure/compare/6c7a66b3fa22fa77c5bb9fbb3738718adaa8b95d...fcb88af5b07ef3aab1aa261a1f93bfbb49d8c651 You're receiving this email because of your account on salsa.debian.org.
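Review bot: The new 1.7.0-3 entry in debian/changelog says `closes: #930562`, while the commit message of aa45407c links https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005 as the related report. Please confirm which bug this upload fixes and, if both apply, list both numbers on the changelog line so the BTS closes the intended one.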
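Review bot: The compat level is bumped in two places, debian/compat (11 to 12) and `debhelper (>= 12)` in the Build-Depends of debian/control, and the two have to be kept in step by hand. At compat 12 a single `debhelper-compat (= 12)` build dependency can replace both, so consider dropping debian/compat in favour of it.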
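Review bot: In the jetty9_core.clj change carried by 0005-maint-Disable-EndpointIdentification.patch, `(.setEndpointIdentificationAlgorithm nil)` goes in without a comment, although the cipher-suite lines directly below it explain their purpose. A nil endpoint identification algorithm is only appropriate for a server-side context; on a factory that is ever used for outbound connections it switches off hostname verification of the peer certificate. Suggest a short comment on that line saying that this factory is used for server connectors only and that the call restores the Jetty default from before 9.4.15, with a mention of the deprecation warning noted in the patch description so the setting is revisited when the CRL handling is reworked.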