Camel / CAMEL-14527

camel-jetty HTTPS consumer still fails with handshake failure


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Bug
    • Affects Version/s: 3.0.1
    • Fix Version/s: None
    • Component/s: camel-jetty
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      After a lot of research I created the following Blueprint DSL route, which still fails with a TLS handshake failure.

      <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
      
       <sslContextParameters id="sslContextParameters" xmlns="http://camel.apache.org/schema/blueprint">
         <secureSocketProtocolsFilter>
           <include>TLSv1.2</include>
           <include>TLSv1.1</include>
         </secureSocketProtocolsFilter>
         <cipherSuitesFilter>
           <include>.*</include>
           <exclude/>
         </cipherSuitesFilter>
         <keyManagers keyPassword="xxxxx">
           <keyStore resource="etc/truststore.jks" password="xxxxx"/>
         </keyManagers>
         <trustManagers>
           <keyStore resource="etc/keystore.p12" password="xxxxx"/>
         </trustManagers>
       </sslContextParameters>
      
       <camelContext id="WEBISP001" xmlns="http://camel.apache.org/schema/blueprint">
         <route id="WEBISP001">
           <from uri="jetty:https://0.0.0.0:8444/hello?sslContextParameters=sslContextParameters"  />
           <log message="hello request body: ${in.body}" />
         </route>
       </camelContext>
      </blueprint>
      

      This is the deployment log:

      2020-02-08T20:31:49,784 | INFO  | fileinstall-/opt/apache-karaf-4.2.7/deploy | BlueprintContainerImpl           | 80 - org.apache.aries.blueprint.core - 1.10.2 | Blueprint bundle WEBISP001.xml/0.0.0 has been started
      2020-02-08T20:31:49,786 | INFO  | Blueprint Event Dispatcher: 1 | BlueprintCamelContext            | 88 - org.apache.camel.camel-api - 3.0.1 | Attempting to start CamelContext: WEBISP001
      2020-02-08T20:31:49,789 | INFO  | Blueprint Event Dispatcher: 1 | BlueprintCamelContext            | 88 - org.apache.camel.camel-api - 3.0.1 | Apache Camel 3.0.1 (CamelContext: WEBISP001) is starting
      2020-02-08T20:31:49,791 | INFO  | Blueprint Event Dispatcher: 1 | JmxManagementStrategy            | 88 - org.apache.camel.camel-api - 3.0.1 | JMX is enabled
      2020-02-08T20:31:49,877 | INFO  | Blueprint Event Dispatcher: 1 | HttpComponent                    | 88 - org.apache.camel.camel-api - 3.0.1 | Created ClientConnectionManager org.apache.http.impl.conn.PoolingHttpClientConnectionManager@12fc7e57
      2020-02-08T20:31:49,881 | INFO  | Blueprint Event Dispatcher: 1 | BlueprintCamelContext            | 88 - org.apache.camel.camel-api - 3.0.1 | StreamCaching is not in use. If using streams then its recommended to enable stream caching. See more details at http://camel.apache.org/stream-caching.html
      2020-02-08T20:31:49,896 | INFO  | Blueprint Event Dispatcher: 1 | SSLContextParameters             | 88 - org.apache.camel.camel-api - 3.0.1 | Available providers: SUN version 1.8.
      2020-02-08T20:31:49,906 | INFO  | Blueprint Event Dispatcher: 1 | JettyHttpComponent9              | 112 - org.apache.camel.camel-jetty - 3.0.1 | Connector on port: 8444 is using includeCipherSuites: [.*] excludeCipherSuites: [] includeProtocols: [TLSv1.3, TLSv1.2, TLSv1.1] excludeProtocols: [SSL, SSLv2, SSLv2Hello, SSLv3]
      2020-02-08T20:31:49,907 | INFO  | Blueprint Event Dispatcher: 1 | Server                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | jetty-9.4.20.v20190813; built: 2019-08-13T21:28:18.144Z; git: 84700530e645e812b336747464d6fbbf370c9a20; jvm 1.8.0_242-b08
      2020-02-08T20:31:49,908 | INFO  | Blueprint Event Dispatcher: 1 | ContextHandler                   | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Started o.e.j.s.ServletContextHandler@4d63dc0b{/,null,AVAILABLE}
      2020-02-08T20:31:49,915 | INFO  | Blueprint Event Dispatcher: 1 | SslContextFactory                | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Protocol TLSv1.3 not supported in [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
      2020-02-08T20:31:49,915 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,916 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,916 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,917 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,917 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,917 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,918 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,918 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,919 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,919 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,921 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,922 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,923 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,924 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,925 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,926 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,927 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,927 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,928 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,929 | WARN  | Blueprint Event Dispatcher: 1 | config                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for SslContextFactory@6234ffd1[provider=null,keyStore=null,trustStore=null]
      2020-02-08T20:31:49,930 | INFO  | Blueprint Event Dispatcher: 1 | AbstractConnector                | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Started ServerConnector@11e4bb7f{ssl,[ssl, http/1.1]}{0.0.0.0:8444}
      2020-02-08T20:31:49,931 | INFO  | Blueprint Event Dispatcher: 1 | Server                           | 217 - org.eclipse.jetty.util - 9.4.20.v20190813 | Started @1786570ms
      2020-02-08T20:31:49,932 | INFO  | Blueprint Event Dispatcher: 1 | BlueprintCamelContext            | 88 - org.apache.camel.camel-api - 3.0.1 | Route: WEBISP001 started and consuming from: jetty:https://0.0.0.0:8444/hello
      2020-02-08T20:31:49,933 | INFO  | Blueprint Event Dispatcher: 1 | BlueprintCamelContext            | 88 - org.apache.camel.camel-api - 3.0.1 | Total 1 routes, of which 1 are started
      2020-02-08T20:31:49,933 | INFO  | Blueprint Event Dispatcher: 1 | BlueprintCamelContext            | 88 - org.apache.camel.camel-api - 3.0.1 | Apache Camel 3.0.1 (CamelContext: WEBISP001) started in 0.145 seconds
      2020-02-08T20:31:49,987 | INFO  | fileinstall-/opt/apache-karaf-4.2.7/deploy | fileinstall                      | 10 - org.apache.felix.fileinstall - 3.6.4 | Started bundle: blueprint:file:/opt/apache-karaf-4.2.7/deploy/WEBISP001.xml
      

      The request to the endpoint still fails with:

      curl -vvv --insecure --location --request POST 'https://host:8444/hello'  --data-raw 'Hello World!'
      Note: Unnecessary use of -X or --request, POST is already inferred.
      *   Trying 10.0.0.147...
      * TCP_NODELAY set
      * Connected to host (10.0.0.147) port 8444 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS alert, handshake failure (552):
      * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
      * Closing connection 0
      curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
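Added example, not code from the report or from the Camel project: a stdlib Python lint for a Camel sslContextParameters fragment. It applies Camel's regex include/exclude filter semantics to a small constructed suite catalogue and flags what a reviewer would check first in the configuration above: TLSv1.1 still enabled, a ".*" cipher include that admits the suites Jetty warns about, the keyManagers store pointing at a file named like a trust store (a file-name heuristic only, not a diagnosis), and a .p12 store with no explicit type. The catalogue, the sample element and the weak-suite rule are assumptions constructed from the log and the two patterns behind Jetty's "Weak cipher suite" warnings.

```python
import re
import xml.etree.ElementTree as ET

NS = {"c": "http://camel.apache.org/schema/blueprint"}
DEPRECATED_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
# Constructed catalogue: suites Jetty flagged "Weak cipher suite" in the log plus two AEAD ones it did not.
SUITES = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
          "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]

def is_weak(suite):
    """Jetty's rule as reflected in the log: static-RSA key exchange or SHA-1 MAC."""
    return suite.startswith("TLS_RSA_") or re.search(r"_(MD5|SHA)$", suite) is not None

# Constructed copy of the reporter's element (passwords redacted as in the report).
SAMPLE = """<sslContextParameters id="sslContextParameters" xmlns="http://camel.apache.org/schema/blueprint">
  <secureSocketProtocolsFilter><include>TLSv1.2</include><include>TLSv1.1</include></secureSocketProtocolsFilter>
  <cipherSuitesFilter><include>.*</include><exclude/></cipherSuitesFilter>
  <keyManagers keyPassword="xxxxx"><keyStore resource="etc/truststore.jks" password="xxxxx"/></keyManagers>
  <trustManagers><keyStore resource="etc/keystore.p12" password="xxxxx"/></trustManagers>
</sslContextParameters>"""

def texts(root, path):
    return [e.text for e in root.findall(path, NS) if e.text]

def admitted_suites(includes, excludes, catalogue=SUITES):
    """Camel filter semantics: an include regex must match the whole name and no exclude regex may."""
    return [s for s in catalogue if any(re.fullmatch(p, s) for p in includes)
            and not any(re.fullmatch(p, s) for p in excludes)]

def lint(xml_text):
    root = ET.fromstring(xml_text)
    findings = [f"protocol: {p} is deprecated"
                for p in texts(root, "c:secureSocketProtocolsFilter/c:include")
                if p in DEPRECATED_PROTOCOLS]
    weak = [s for s in admitted_suites(texts(root, "c:cipherSuitesFilter/c:include"),
                                       texts(root, "c:cipherSuitesFilter/c:exclude")) if is_weak(s)]
    if weak:
        findings.append(f"ciphers: filter admits weak suites {weak}")
    for role in ("keyManagers", "trustManagers"):
        ks = root.find(f"c:{role}/c:keyStore", NS)
        res = ks.get("resource", "") if ks is not None else ""
        if role == "keyManagers" and not res:
            findings.append("keyManagers: no keyStore, so the server has no private key to present")
        if res.lower().endswith(".p12") and ks.get("type") is None:
            findings.append(f'{role}: "{res}" has no explicit type; set type="PKCS12"')
        if role == "keyManagers" and "trust" in res.lower():  # file-name heuristic only
            findings.append(f'keyManagers: "{res}" is named like a trust store; it must hold a PrivateKeyEntry')
    return findings
```

Running lint(SAMPLE) yields four findings for the configuration in this report; a fragment restricted to TLSv1.2, an ECDHE/GCM-only include pattern, and explicitly typed stores yields none.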

      People

      • Assignee: Jiri Ondrusek (jondruse)
      • Reporter: Gerald Kallas (catshout)