Yeah, it seems the default configuration just uses "old" ciphering and should be 
updated.

I guess we can override the default undertow.xml in Pax Web.

Regards
JB

> On 15 August 2020 at 08:35, Gerald Kallas <catsh...@mailbox.org> wrote:
> 
> I found a solution. I replaced the engine tag
> 
> <w:engine enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> 
> with
> 
> <w:engine
> enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
> enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> 
> Seems that the standard configuration of the undertow.xml is outdated.
> 
> Best
> Gerald
> 
>> Gerald Kallas <catsh...@mailbox.org> wrote on 14.08.2020 19:20:
>> 
>> 
>> Dear all,
>> 
>> I set up a vanilla Karaf 4.3.0RC1 and executed the following commands
>> 
>> feature:install pax-http-undertow
>> feature:install webconsole
>> 
>> How can I bind the webconsole (and later camel servlets) to the HTTPS port?
>> 
>> Many thanks in advance.
>> 
>> My undertow.xml looks like
>> 
>> <?xml version="1.0" encoding="UTF-8"?>
>> <!--
>>   Licensed under the Apache License, Version 2.0 (the "License");
>>   you may not use this file except in compliance with the License.
>>   You may obtain a copy of the License at
>> 
>>   http://www.apache.org/licenses/LICENSE-2.0
>> 
>>   Unless required by applicable law or agreed to in writing, software
>>   distributed under the License is distributed on an "AS IS" BASIS,
>>   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>>   implied.
>> 
>>   See the License for the specific language governing permissions and
>>   limitations under the License.
>> -->
>> <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>        xmlns:w="urn:jboss:domain:5.0"
>>        xmlns:io="urn:jboss:domain:io:3.0"
>>        xsi:schemaLocation="
>>            urn:jboss:domain:io:3.0 
>> http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
>>            urn:jboss:domain:undertow:4.0 
>> http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
>>            urn:jboss:domain:5.0 
>> http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
>> 
>>    <!--
>>        Only "default" worker and buffer-pool are supported and can be used 
>> to override the default values
>>        used by all listeners
>> 
>>        buffer-pool:
>>         - buffer-size defaults to:
>>            - when < 64MB of Xmx: 512
>>            - when < 128MB of Xmx: 1024
>>            - when >= 128MB of Xmx: 16K - 20
>>         - direct-buffers defaults to:
>>            - when < 64MB of Xmx: false
>>            - when >= 64MB of Xmx: true
>> 
>>        worker:
>>         - io-threads defaults to 
>> Math.max(Runtime.getRuntime().availableProcessors(), 2);
>>         - task-core-threads and task-max-threads default to io-threads * 8
>>    -->
>>    <!--
>>    <subsystem xmlns="urn:jboss:domain:io:3.0">
>>        <buffer-pool name="default" buffer-size="16364" direct-buffers="true" 
>> />
>>        <worker name="default" io-threads="8" task-core-threads="64" 
>> task-max-threads="64" />
>>    </subsystem>
>>    -->
>> 
>>    <!-- 
>> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration 
>> -->
>>    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>>        <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
>>        <buffer-cache name="default" buffer-size="1024" 
>> buffers-per-region="1024" max-regions="10" />
>>        <server name="default-server">
>>            <!-- HTTP(S) Listener references Socket Binding (and indirectly - 
>> Interfaces) -->
>>            <http-listener name="http" socket-binding="http" />
>>            <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED, 
>> org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED -->
>>            <https-listener name="https" socket-binding="https"
>>                    security-realm="default" verify-client="NOT_REQUESTED" />
>>            <host name="default-host" alias="localhost">
>>                <!--<location name="/" handler="welcome-content" />-->
>>                <!--<location name="/docs" handler="docs-content" />-->
>>                <access-log directory="${karaf.data}/log" pattern="common" 
>> prefix="access_log." suffix="log" rotate="true" />
>>                <filter-ref name="server-header" />
>>                <filter-ref name="x-powered-by-header" />
>>            </host>
>>        </server>
>>        <servlet-container name="default">
>>            <jsp-config />
>>            <websockets />
>>            <welcome-files>
>>                <welcome-file name="index.html" />
>>                <welcome-file name="index.txt" />
>>            </welcome-files>
>>        </servlet-container>
>>        <handlers>
>>            <file name="welcome-content" path="${karaf.home}/welcome" />
>>            <!--<file name="docs-content" path="${karaf.home}/docs" />-->
>>        </handlers>
>>        <filters>
>>            <!-- filters for reference from /host/filter-ref and 
>> /host/location/filter-ref -->
>>            <response-header name="server-header" header-name="Server" 
>> header-value="Pax-HTTP-Undertow" />
>>            <response-header name="x-powered-by-header" 
>> header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
>>        </filters>
>>    </subsystem>
>> 
>>    <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
>>    <!--
>>        we'll use "default" security realm by default to configure 
>> jaas/properties authentication
>>        (io.undertow.security.idm.IdentityManager):
>>         - w:jaas - 
>> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
>>         - w:properties - 
>> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
>>    -->
>>    <security-realm name="default">
>>        <w:server-identities>
>>            <w:ssl>
>>                <!-- sun.security.ssl.ProtocolVersion -->
>>                <!-- sun.security.ssl.CipherSuite -->
>>                <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort 
>> -->
>>                <w:engine enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
>>                        enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
>>                <w:keystore path="${karaf.etc}/keystore.p12" 
>> provider="PKCS12" alias="server"
>>                        keystore-password="password" key-password="password"
>>                        generate-self-signed-certificate-host="localhost" />
>>            </w:ssl>
>>        </w:server-identities>
>>        <w:authentication>
>>            <!-- JaasIdentityManager for given realm -->
>>            <w:jaas name="karaf" />
>>            <!-- OR PropertiesIdentityManager (mutually exclusive with 
>> <w:jaas>) -->
>>            <!--<w:properties path="users.properties" />-->
>>            <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS" 
>> keystore-password="password" />
>>      </w:authentication>
>>        <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
>>        <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
>>        <!--<role-principal-class-name>...</role-principal-class-name>-->
>>    </security-realm>
>> 
>>    <!-- Interface lists IP addresses to bind to -->
>>    <interface name="default">
>>        <w:inet-address value="0.0.0.0" />
>>        <!--<w:inet-address value="127.0.0.1" />-->
>>    </interface>
>> 
>>    <!-- Socket Binding adds port for each IP from referenced Interface -->
>>    <socket-binding name="http" interface="default" 
>> port="${org.osgi.service.http.port}" />
>>    <socket-binding name="https" interface="default" 
>> port="${org.osgi.service.http.port.secure}" />
>> 
>> </undertow>
>> 
>> The log shows
>> 
>> 2020-08-14T19:12:59,801 | INFO  | paxweb-config-1-thread-1 | 
>> ServerControllerImpl             | 64 - org.ops4j.pax.web.pax-web-undertow - 
>> 7.2.14 | Using 
>> "file:/E:/apache-karaf/apache-karaf-4.3.0.RC1/etc/undertow.xml" to configure 
>> Undertow
>> 2020-08-14T19:13:00,018 | INFO  | activator-1-thread-2 | 
>> BouncyCastleSecurityProviderRegistrar | 39 - org.apache.sshd.core - 1.7.0 | 
>> getOrCreateProvider(BC) created instance of 
>> org.bouncycastle.jce.provider.BouncyCastleProvider
>> 2020-08-14T19:13:00,050 | INFO  | paxweb-config-1-thread-1 | 
>> ServerControllerImpl             | 64 - org.ops4j.pax.web.pax-web-undertow - 
>> 7.2.14 | Starting undertow http listener on 0.0.0.0:8181
>> 2020-08-14T19:13:00,052 | INFO  | paxweb-config-1-thread-1 | 
>> ServerControllerImpl             | 64 - org.ops4j.pax.web.pax-web-undertow - 
>> 7.2.14 | Starting undertow https listener on 0.0.0.0:8443
>> 2020-08-14T19:13:00,093 | INFO  | activator-1-thread-2 | CommandExtension    
>>              | 36 - org.apache.karaf.shell.core - 4.3.0.RC1 | Registering 
>> commands for bundle org.apache.karaf.features.command/4.3.0.RC1
>> 2020-08-14T19:13:00,244 | INFO  | activator-1-thread-2 | Activator           
>>              | 20 - org.apache.karaf.deployer.features - 4.3.0.RC1 | 
>> Deployment finished. Registering FeatureDeploymentListener
>> 2020-08-14T19:13:00,310 | INFO  | activator-1-thread-3 | CommandExtension    
>>              | 36 - org.apache.karaf.shell.core - 4.3.0.RC1 | Registering 
>> commands for bundle org.apache.karaf.kar.core/4.3.0.RC1
>> 2020-08-14T19:13:00,320 | INFO  | activator-1-thread-2 | FeaturesPlugin      
>>              | 73 - org.apache.karaf.webconsole.features - 4.3.0.RC1 | 
>> Features plugin deactivated
>> 2020-08-14T19:13:00,333 | INFO  | activator-1-thread-2 | FeaturesPlugin      
>>              | 73 - org.apache.karaf.webconsole.features - 4.3.0.RC1 | 
>> Features plugin activated
>> 2020-08-14T19:13:00,813 | INFO  | activator-1-thread-2 | CommandExtension    
>>              | 36 - org.apache.karaf.shell.core - 4.3.0.RC1 | Registering 
>> commands for bundle org.apache.karaf.shell.ssh/4.3.0.RC1
>> 2020-08-14T19:13:01,295 | INFO  | paxweb-config-1-thread-1 | 
>> ServerControllerImpl             | 64 - org.ops4j.pax.web.pax-web-undertow - 
>> 7.2.14 | Using in-memory session persistence
>> 2020-08-14T19:13:01,344 | INFO  | paxweb-config-1-thread-1 | 
>> HttpServiceFactoryImpl           | 62 - org.ops4j.pax.web.pax-web-runtime - 
>> 7.2.14 | Binding bundle: [org.apache.karaf.webconsole.console [72]] to http 
>> service

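Both `<w:engine>` elements quoted in this thread (the shipped default and the replacement) still list TLSv1 and TLSv1.1 in enabled-protocols and keep CBC-mode suites (the default enables nothing but CBC suites). The script below is an added example, not code from the thread or from Pax Web: it parses the `<w:engine>` element of an undertow.xml, flags legacy protocol versions and cipher suites that are CBC-mode, SHA-1 authenticated, non-forward-secret or built on broken primitives, and prints a hardened element containing only AEAD, forward-secret suites on TLSv1.2 or later. The XML sample is a constructed, trimmed copy of the security-realm posted above with one extra RSA-key-exchange suite added to exercise the forward-secrecy check; the "keep only AEAD + (EC)DHE" policy is this example's own choice, not a Pax Web default.

```python
"""Audit the <w:engine> TLS settings in a Pax Web undertow.xml (added example)."""
import xml.etree.ElementTree as ET

# Namespace of the <w:engine> element in Pax Web's undertow.xml.
NS = {"w": "urn:jboss:domain:5.0"}

# Constructed sample: trimmed from the security-realm posted in the thread,
# plus one TLS_RSA_* suite so the forward-secrecy check has something to flag.
SAMPLE_XML = """<undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
          xmlns:w="urn:jboss:domain:5.0">
  <security-realm name="default">
    <w:server-identities>
      <w:ssl>
        <w:engine enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256"
                  enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
      </w:ssl>
    </w:server-identities>
  </security-realm>
</undertow>
"""

# Protocol versions that are deprecated or broken and should not be offered.
LEGACY_PROTOCOLS = ("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1")
# Substrings of JSSE suite names that indicate a broken primitive.
BROKEN_PRIMITIVES = ("NULL", "EXPORT", "RC4", "3DES", "DES", "MD5", "anon")
# Prefixes of JSSE suite names that provide forward secrecy
# ((EC)DHE in TLS 1.2, and every TLS 1.3 suite).
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")


def parse_engine(xml_text):
    """Return (cipher_suites, protocols) from the first <w:engine> element."""
    root = ET.fromstring(xml_text)
    engine = root.find(".//w:engine", NS)
    if engine is None:
        raise ValueError("no <w:engine> element found")
    suites = engine.get("enabled-cipher-suites", "").split()
    protocols = engine.get("enabled-protocols", "").split()
    return suites, protocols


def suite_findings(suite):
    """List the reasons a JSSE cipher-suite name is considered weak (empty if none)."""
    findings = []
    if any(p in suite for p in BROKEN_PRIMITIVES):
        findings.append("broken primitive")
    if "_CBC_" in suite:
        findings.append("CBC mode (no AEAD)")
    if suite.endswith("_SHA"):
        findings.append("SHA-1 MAC")
    if not suite.startswith(FORWARD_SECRET_PREFIXES):
        findings.append("no forward secrecy")
    return findings


def audit(xml_text):
    """Classify every enabled protocol and suite of the engine element."""
    suites, protocols = parse_engine(xml_text)
    return {
        "legacy_protocols": [p for p in protocols if p in LEGACY_PROTOCOLS],
        "weak_suites": {s: suite_findings(s) for s in suites if suite_findings(s)},
        "strong_suites": [s for s in suites if not suite_findings(s)],
    }


def hardened_engine(xml_text):
    """Render a <w:engine> element with only the strong suites and protocols kept.

    Policy (this example's assumption): AEAD + forward-secret suites, TLSv1.2+.
    """
    suites, protocols = parse_engine(xml_text)
    keep_suites = [s for s in suites if not suite_findings(s)]
    keep_protocols = [p for p in protocols if p not in LEGACY_PROTOCOLS]
    if not keep_suites or not keep_protocols:
        raise ValueError("nothing left to enable; add AEAD/forward-secret suites first")
    return (
        '<w:engine enabled-cipher-suites="%s"\n'
        '          enabled-protocols="%s" />'
        % (" ".join(keep_suites), " ".join(keep_protocols))
    )


if __name__ == "__main__":
    report = audit(SAMPLE_XML)
    for proto in report["legacy_protocols"]:
        print("legacy protocol enabled: " + proto)
    for suite, why in report["weak_suites"].items():
        print("weak suite %s: %s" % (suite, ", ".join(why)))
    print("hardened element:\n" + hardened_engine(SAMPLE_XML))
```

To run it against a real installation, replace `SAMPLE_XML` with the contents of `etc/undertow.xml`; the suite names are matched by their JSSE spelling, which is what the file uses. Whatever the script keeps must still be in the JVM's supported list, so confirm with the same JDK that runs Karaf before committing the hardened element.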