Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- 2.19.0, 2.19.1
- None
- Environment:
  Mac OS X, Java 8 Update 131
  Ubuntu 14.04 LTS, Java 8 Update 111
  Camel 2.19.0
  Jetty9 9.4.5v20170502 and 9.3.14.v20161028
- Unknown
Description
Jetty 9.3+ now excludes, by default, insecure cipher suites whose names end in MD5, SHA or SHA1. This removes every cipher suite that TLSv1 or TLSv1.1 can use, so no cipher suite remains with which to negotiate TLSv1 or TLSv1.1 connection attempts. (Further reading: https://github.com/eclipse/jetty.project/issues/860)
The Jetty 9 SSL configuration documentation (https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html) states that these excluded cipher suites can be customized by providing your own exclusion list. When SSLContextParameters are specified as below, however, the exclusion cipher suites are not correctly propagated to Jetty's SslContextFactory, so the default setting remains in effect and prevents TLSv1 and TLSv1.1 connections.
```java
import java.net.URL;
import java.util.Arrays;
import java.util.List;

import org.apache.camel.util.jsse.FilterParameters;
import org.apache.camel.util.jsse.KeyManagersParameters;
import org.apache.camel.util.jsse.KeyStoreParameters;
import org.apache.camel.util.jsse.SSLContextParameters;
import org.apache.camel.util.jsse.SecureSocketProtocolsParameters;
import org.springframework.context.annotation.Bean;

// 'env' is the injected Spring Environment that holds the ssl.* properties (not shown in the report)
@Bean(name = "sslContextParameters")
public SSLContextParameters sslContextParameters() {
    String keyStore = env.getProperty("ssl.keyStore.resource");
    URL keyStoreUrl = this.getClass().getResource(keyStore);

    // http://camel.apache.org/jetty.html
    KeyStoreParameters ksp = new KeyStoreParameters();
    ksp.setResource(keyStoreUrl.getPath());
    ksp.setPassword(env.getProperty("ssl.keyStore.password"));

    KeyManagersParameters kmp = new KeyManagersParameters();
    kmp.setKeyStore(ksp);
    kmp.setKeyPassword(env.getProperty("ssl.key.password"));

    SSLContextParameters scp = new SSLContextParameters();
    scp.setKeyManagers(kmp);

    // Jetty 9.3+ supports only TLSv1.2 by default, hence clients not supporting this protocol will fail
    List<String> supportedSslProtocols = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2");
    SecureSocketProtocolsParameters protocolsParameters = new SecureSocketProtocolsParameters();
    protocolsParameters.setSecureSocketProtocol(supportedSslProtocols);
    scp.setSecureSocketProtocols(protocolsParameters);

    // TLS 1.0 / 1.1 have been disabled by Jetty 9.3
    // this is a first attempt to re-enable them
    // see
    // - https://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html
    // - https://github.com/eclipse/jetty.project/issues/860
    // - http://camel.apache.org/camel-configuration-utilities.html
    FilterParameters cipherParameters = new FilterParameters();
    cipherParameters.getInclude().add(".*");
    cipherParameters.getExclude().add("^.*_(MD5|SHA1)$");
    scp.setCipherSuitesFilter(cipherParameters);

    return scp;
}
```
A workaround is to use a custom JettyHttpComponent9 implementation that sets the excludedCipherSuites manually, as shown below:
```java
import org.apache.camel.component.jetty.JettyHttpEndpoint;
import org.apache.camel.component.jetty9.JettyHttpComponent9;
import org.eclipse.jetty.server.AbstractConnector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * A custom jetty http component which explicitly sets the excludedCipherSuites during creation of
 * the jetty connector.
 *
 * Why? It seems camel does not push included/excluded cipherSuites from {@link
 * SSLContextParameters} to the {@link SslContextFactory}, nor does it push explicitly listed cipher
 * suites (i.e. like <em>TLS_RSA_WITH_AES_256_CBC_SHA</em>) to the Jetty SSL context factory.
 */
public static class HackedJettyHttpComponent extends JettyHttpComponent9 {

    @Override
    protected AbstractConnector createConnectorJettyInternal(Server server, JettyHttpEndpoint endpoint,
                                                             SslContextFactory sslcf) {
        // overrides Jetty's default exclusion so that suites ending in _SHA stay available
        sslcf.setExcludeCipherSuites("^.*_(MD5|SHA1)$");
        return super.createConnectorJettyInternal(server, endpoint, sslcf);
    }
}
```
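As an added example (not code from this issue, nor from Camel itself), a variant of the workaround above that takes the include/exclude patterns from the configured SSLContextParameters rather than hardcoding them, so the filter the application declares is the one Jetty actually enforces. It assumes the endpoint- and component-level getSslContextParameters() getters of Camel 2.19, and the class name is hypothetical.

```java
import org.apache.camel.component.jetty.JettyHttpEndpoint;
import org.apache.camel.component.jetty9.JettyHttpComponent9;
import org.apache.camel.util.jsse.FilterParameters;
import org.apache.camel.util.jsse.SSLContextParameters;
import org.eclipse.jetty.server.AbstractConnector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Hypothetical component that copies the cipher-suite include/exclude patterns from the
 * configured SSLContextParameters onto Jetty's SslContextFactory, replacing Jetty's default
 * exclusion (which drops every suite ending in MD5, SHA or SHA1).
 */
public class CipherFilterJettyHttpComponent extends JettyHttpComponent9 {

    @Override
    protected AbstractConnector createConnectorJettyInternal(Server server, JettyHttpEndpoint endpoint,
                                                             SslContextFactory sslcf) {
        // sslcf is null for plain http endpoints; there is nothing to adjust then
        if (sslcf != null) {
            // endpoint-level parameters take precedence over component-level ones (assumed getters)
            SSLContextParameters scp = endpoint.getSslContextParameters();
            if (scp == null) {
                scp = getSslContextParameters();
            }
            FilterParameters filter = scp == null ? null : scp.getCipherSuitesFilter();
            if (filter != null) {
                // an empty include list means "all suites", which is Jetty's own default as well
                if (!filter.getInclude().isEmpty()) {
                    sslcf.setIncludeCipherSuites(filter.getInclude().toArray(new String[0]));
                }
                // an empty exclude list clears Jetty's default exclusion entirely,
                // so keep the configured list as tight as the supported clients allow
                sslcf.setExcludeCipherSuites(filter.getExclude().toArray(new String[0]));
            }
        }
        return super.createConnectorJettyInternal(server, endpoint, sslcf);
    }
}
```

With the sslContextParameters bean from the report, this leaves the _SHA suites that TLSv1 and TLSv1.1 need in place while still excluding MD5-based suites.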