Camel / CAMEL-11482

SSLContextParameters settings are not properly copied to SslContextFactory


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.19.0, 2.19.1
    • Fix Version/s: 2.19.4, 2.20.0
    • Component/s: camel-jetty
    • Labels: None
    • Environment: Mac OS X, Java 8 Update 131
      Ubuntu 14.04 LTS, Java 8 Update 111
      Camel 2.19.0
      Jetty9 9.4.5v20170502 and 9.3.14.v20161028
    • Estimated Complexity: Unknown

    Description

      Jetty 9.3+ now excludes insecure cipher suites whose names end in MD5, SHA or SHA1 by default. This, however, removes all cipher suites usable by TLSv1 or TLSv1.1, so no cipher suites remain to agree on for TLSv1 or TLSv1.1 connection attempts. (Further reading: https://github.com/eclipse/jetty.project/issues/860)

      The Jetty 9 SSL configuration documentation (https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html) states that the excluded cipher suites can be customized by providing one's own exclusion list. Specifying SSLContextParameters as below, however, does not correctly propagate the excluded cipher suites to Jetty's SslContextFactory, so the default setting is used, which prevents TLSv1 and TLSv1.1 connections.

      SSLContextParameters Spring Config
        import java.net.URL;
        import java.util.Arrays;
        import java.util.List;

        import org.apache.camel.util.jsse.FilterParameters;
        import org.apache.camel.util.jsse.KeyManagersParameters;
        import org.apache.camel.util.jsse.KeyStoreParameters;
        import org.apache.camel.util.jsse.SSLContextParameters;
        import org.apache.camel.util.jsse.SecureSocketProtocolsParameters;
        import org.springframework.beans.factory.annotation.Autowired;
        import org.springframework.context.annotation.Bean;
        import org.springframework.context.annotation.Configuration;
        import org.springframework.core.env.Environment;

        // The surrounding configuration class and the injected Environment are assumed
        // (hypothetical names); the issue itself only shows the bean method.
        @Configuration
        public class SslContextConfig {

          @Autowired
          private Environment env;

          @Bean(name = "sslContextParameters")
          public SSLContextParameters sslContextParameters() {
            String keyStore = env.getProperty("ssl.keyStore.resource");
            URL keyStoreUrl = this.getClass().getResource(keyStore);

            // http://camel.apache.org/jetty.html
            KeyStoreParameters ksp = new KeyStoreParameters();
            ksp.setResource(keyStoreUrl.getPath());
            ksp.setPassword(env.getProperty("ssl.keyStore.password"));

            KeyManagersParameters kmp = new KeyManagersParameters();
            kmp.setKeyStore(ksp);
            kmp.setKeyPassword(env.getProperty("ssl.key.password"));

            SSLContextParameters scp = new SSLContextParameters();
            scp.setKeyManagers(kmp);

            // Jetty 9.3+ supports only TLSv1.2 by default, hence clients not supporting this protocol will fail
            List<String> supportedSslProtocols = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2");
            SecureSocketProtocolsParameters protocolsParameters = new SecureSocketProtocolsParameters();
            protocolsParameters.setSecureSocketProtocol(supportedSslProtocols);
            scp.setSecureSocketProtocols(protocolsParameters);

            // TLS 1.0 / 1.1 have been disabled by Jetty 9.3
            // this is a first attempt to re-enable them
            // see
            // - https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html
            // - https://github.com/eclipse/jetty.project/issues/860
            // - http://camel.apache.org/camel-configuration-utilities.html
            // Note: this exclusion keeps the *_SHA suites that TLS 1.0 / 1.1 need,
            // whereas Jetty's default also excludes names ending in SHA
            FilterParameters cipherParameters = new FilterParameters();
            cipherParameters.getInclude().add(".*");
            cipherParameters.getExclude().add("^.*_(MD5|SHA1)$");
            scp.setCipherSuitesFilter(cipherParameters);

            return scp;
          }
        }


      A workaround is to use a custom JettyHttpComponent9 implementation that sets the excludedCipherSuites manually, as shown below:

      Workaround
        import org.apache.camel.component.jetty.JettyHttpEndpoint;
        import org.apache.camel.component.jetty9.JettyHttpComponent9;
        import org.apache.camel.util.jsse.SSLContextParameters;
        import org.eclipse.jetty.server.AbstractConnector;
        import org.eclipse.jetty.server.Server;
        import org.eclipse.jetty.util.ssl.SslContextFactory;

        /**
         * A custom Jetty HTTP component which explicitly sets the excludedCipherSuites during creation of
         * the Jetty connector. Register it as the "jetty" component in place of JettyHttpComponent9.
         *
         * Why? It seems Camel does not push included/excluded cipher suites from {@link
         * SSLContextParameters} to the {@link SslContextFactory}, nor does it push explicitly listed cipher
         * suites (i.e. like <em>TLS_RSA_WITH_AES_256_CBC_SHA</em>) to the Jetty SSL context factory.
         */
        public class HackedJettyHttpComponent extends JettyHttpComponent9 {

          @Override
          protected AbstractConnector createConnectorJettyInternal(Server server,
                                                                   JettyHttpEndpoint endpoint,
                                                                   SslContextFactory sslcf) {
            // Replace Jetty's default exclusion list before the connector (and thus the
            // SslContextFactory) is started, so the *_SHA suites stay available.
            sslcf.setExcludeCipherSuites("^.*_(MD5|SHA1)$");
            return super.createConnectorJettyInternal(server, endpoint, sslcf);
          }
        }

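      As an added example (not from this issue and not the Camel project's own fix), the workaround above generalized so that it forwards whatever cipher-suite filter, explicit suite list and protocol list the configured SSLContextParameters carries to Jetty's SslContextFactory, instead of hard-coding one regex. It assumes the getters JettyHttpEndpoint.getSslContextParameters() and JettyHttpComponent.getSslContextParameters() exist on the Camel 2.19 classes, and that Jetty evaluates each include/exclude entry as a regular expression.

```java
import java.util.List;

import org.apache.camel.component.jetty.JettyHttpEndpoint;
import org.apache.camel.component.jetty9.JettyHttpComponent9;
import org.apache.camel.util.jsse.CipherSuitesParameters;
import org.apache.camel.util.jsse.FilterParameters;
import org.apache.camel.util.jsse.SSLContextParameters;
import org.apache.camel.util.jsse.SecureSocketProtocolsParameters;
import org.eclipse.jetty.server.AbstractConnector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Hypothetical component (not Camel's own fix): forwards the cipher-suite and protocol
// settings of the configured SSLContextParameters to Jetty instead of hard-coding a regex.
public class ParamsAwareJettyHttpComponent extends JettyHttpComponent9 {

    @Override
    protected AbstractConnector createConnectorJettyInternal(Server server,
                                                             JettyHttpEndpoint endpoint,
                                                             SslContextFactory sslcf) {
        // Endpoint-level parameters win over component-level ones (both getters are assumed).
        SSLContextParameters scp = endpoint.getSslContextParameters() != null
                ? endpoint.getSslContextParameters() : getSslContextParameters();
        if (scp != null && sslcf != null) {
            applySuiteAndProtocolSettings(scp, sslcf);
        }
        return super.createConnectorJettyInternal(server, endpoint, sslcf);
    }

    static void applySuiteAndProtocolSettings(SSLContextParameters scp, SslContextFactory sslcf) {
        FilterParameters filter = scp.getCipherSuitesFilter();
        if (filter != null) {
            // Jetty evaluates each entry as a regex, so Camel's patterns pass through unchanged;
            // a non-empty exclude list replaces Jetty's default exclusions (the root cause here).
            if (!filter.getInclude().isEmpty()) sslcf.setIncludeCipherSuites(toArray(filter.getInclude()));
            if (!filter.getExclude().isEmpty()) sslcf.setExcludeCipherSuites(toArray(filter.getExclude()));
        }
        // Explicitly listed suites (e.g. TLS_RSA_WITH_AES_256_CBC_SHA) override the include filter.
        CipherSuitesParameters suites = scp.getCipherSuites();
        if (suites != null && !suites.getCipherSuite().isEmpty()) sslcf.setIncludeCipherSuites(toArray(suites.getCipherSuite()));
        SecureSocketProtocolsParameters protocols = scp.getSecureSocketProtocols();
        if (protocols != null && !protocols.getSecureSocketProtocol().isEmpty()) sslcf.setIncludeProtocols(toArray(protocols.getSecureSocketProtocol()));
    }

    private static String[] toArray(List<String> values) { return values.toArray(new String[0]); }
}
```

      Whatever the SSLContextParameters bean allows (including TLSv1 / TLSv1.1 and the *_SHA suites they need) is exactly what Jetty will then offer, so the bean remains the single place to review when tightening the protocol and cipher policy.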

      People

        Assignee: Claus Ibsen (davsclaus)
        Reporter: Roman Vottner (Rovo)