[CAMEL-10628] camel jetty9 endpoint configured with sslContextParametersRef and jetty handlers causes SSL handshake failure - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.18.0, 2.18.1
Fix Version/s: 2.18.2
Component/s: camel-jetty
Labels:
None

Patch Info:

Patch Available
Estimated Complexity:
Unknown

Description

I have a camel route using Rest DSL with Jetty component:

<camelContext id="camel" trace="true" streamCache="true" xmlns="http://camel.apache.org/schema/blueprint">
      <restConfiguration component="jetty" bindingMode="off" scheme="https" host="localhost" port="9080" contextPath="/">
        <endpointProperty key="sslContextParametersRef" value="sslContextParameter"/>
        <endpointProperty key="handlers" value="#securityHandler"/>
        <endpointProperty key="matchOnUriPrefix" value="true"/>
      </restConfiguration>
      <rest path="/customerservice">
          <get uri="/customers" >
              <to uri="direct:processGet"/>
          </get>
          <get uri="/customers/{id}" >
              <to uri="direct:processGet"/>
          </get>
          <post uri="/customers" consumes="application/json" produces="application/json">
              <to uri="direct:processPost"/>
          </post>
      </rest>

The underlying camel jetty component is configured with sslContextParametersRef and a Jetty Handler org.eclipse.jetty.security.ConstraintSecurityHandler to enforce SecurityConstraints on the Jetty endpoint.

If I remove the Jetty ConstraintSecurityHandler, it works fine, for instance:

<camelContext id="camel" trace="true" streamCache="true" xmlns="http://camel.apache.org/schema/blueprint">
      <restConfiguration component="jetty" bindingMode="off" scheme="https" host="localhost" port="9080" contextPath="/">
        <endpointProperty key="sslContextParametersRef" value="sslContextParameter"/>
        <!--endpointProperty key="handlers" value="#securityHandler"/-->
        <endpointProperty key="matchOnUriPrefix" value="true"/>
      </restConfiguration>

But when I add the Jetty ConstraintSecurityHandler back to the camel Rest DSL, I am getting following error:

***
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp1424237190-118, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp1424237190-118, SEND TLSv1 ALERT:  fatal, description = handshake_failure
qtp1424237190-118, WRITE: TLSv1 Alert, length = 2
qtp1424237190-118, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

The root cause is that if we want to add a Jetty hander, we need to stop Jetty server. As part of Jetty server stop process, it's SslConnectionFactory also needs to stop, as well as SslContextFactory. Here is doStop() method of SslContextFactory in Jetty 9.2.x code base:

public class SslContextFactory extends AbstractLifeCycle
...
    protected void doStop() throws Exception
     {
         _context = null;
         super.doStop();
     }

We can see that it resets SSLContext to null. When the jetty server restarts, SslContextFactory creates a new SSLContext object instead, therefore, losing all the SSL properties from the original <camel:sslContextParameters> configuration.

We need to preserve the SSLContext before stopping the jetty server so we can reset the SSLContext back after the jetty server is restarted.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

patch.txt
20/Dec/16 20:11
2 kB
Joe Luo

Activity

People

Assignee:: Andrea Cosentino

Reporter:: Joe Luo

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Dec/16 19:52

Updated:: 29/Dec/16 07:01

Resolved:: 21/Dec/16 11:27