Disable SSLv3/POODLE for Jetty in Pax-web 4.1


Jason Talley

Nov 6, 2014, 10:47:30 AM11/6/14
to op...@googlegroups.com
I've been asked to remove SSLv3 from our jetty webserver/config.  

We are using Knopflerfish/OSGI to launch pax-web-jetty.

I have added -Dorg.ops4j.pax.web.config.file=/opt/etc/jetty.xml to the init.xargs file in order to modify the config.  However, I can't seem to find the magical jetty.xml file to do the trick.

I've tried various flavors of the following:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">

        <Call name="addConnector">
                <Arg>
                        <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
                                <Set name="ExcludeProtocols">
                                <Array type="java.lang.String">
                                        <Item>SSLv3</Item>
                                </Array>
                                </Set>
                        </New>
                </Arg>
        </Call>

</Configure>


This results in the following exception:
(0000015202) [BundleStart #12] INFO org.ops4j.pax.web.service.internal.Activator - Pax Web started
(0000016270) 1970-01-01 02:33:39.423:INFO::pool-1-thread-1: Logging initialized @13149ms
(0000016348) 1970-01-01 02:33:39.552:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: org.ops4j.pax.web.service.jetty.internal.JettyServerWrapper@dafd1f added {qtp2
7046496{STOPPED,8<=0<=200,i=0,q=0},AUTO}
(0000016374) 1970-01-01 02:33:39.581:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: org.ops4j.pax.web.service.jetty.internal.JettyServerWrapper@dafd1f added {org.
ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection@145be76[],AUTO}
(0000016434) Memory Available = 222527488 <1429504>
(0000016589) Memory Available = 222355456 <172032>
(0000016784) 1970-01-01 02:33:39.991:WARN:oejx.XmlConfiguration:pool-1-thread-1: Config error at <Call name="addConnector"><Arg>|???<New class="org.eclipse.jetty.
util.ssl.SslContextFactory"><Set name="ExcludeProtocols">|????<Array type="java.lang.String"><Item>SSLv3</
(0000016785) tem></Array>|????</Set></New>|??</Arg></Call> java.lang.IllegalStateException: No Method: <Call name="addConnector"><Arg>
(0000016786)                    <New class="org.eclipse.jetty.util.ssl.SslContextFactory"><Set name="ExcludeProtocols">
(0000016786)                            <Array type="java.lang.String"><Item>SSLv3</Item></Array>
(0000016786)                            </Set></New>
(0000016787)            </Arg></Call> on class org.ops4j.pax.web.service.jetty.internal.JettyServerWrapper in file:/opt/etc/jetty.xml
(0000016789) [pool-1-thread-1] ERROR org.ops4j.pax.web.service.internal.Activator - Unable to start pax web server: Exception while starting Jetty
(0000016795) java.lang.RuntimeException: Exception while starting Jetty
(0000016797)    at org.ops4j.pax.web.service.jetty.internal.JettyServerImpl.start(JettyServerImpl.java:167)
(0000016797)    at org.ops4j.pax.web.service.jetty.internal.ServerControllerImpl$Stopped.start(ServerControllerImpl.java:415)
(0000016798)    at org.ops4j.pax.web.service.jetty.internal.ServerControllerImpl.start(ServerControllerImpl.java:71)
(0000016799)    at org.ops4j.pax.web.service.jetty.internal.ServerControllerImpl$Unconfigured.configure(ServerControllerImpl.java:736)
(0000016799)    at org.ops4j.pax.web.service.jetty.internal.ServerControllerImpl.configure(ServerControllerImpl.java:87)
(0000016800)    at org.ops4j.pax.web.service.internal.Activator.updateController(Activator.java:349)
(0000016800)    at org.ops4j.pax.web.service.internal.Activator$3.run(Activator.java:291)
(0000016801)    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
(0000016802)    at java.util.concurrent.FutureTask.run(Unknown Source)
(0000016802)    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
(0000016803)    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
(0000016803)    at java.lang.Thread.run(Unknown Source)
(0000016805) Caused by: java.lang.reflect.InvocationTargetException
(0000016805)    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
(0000016806)    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
(0000016806)    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
(0000016807)    at java.lang.reflect.Method.invoke(Unknown Source)
(0000016807)    at org.ops4j.pax.web.service.jetty.internal.JettyServerImpl.start(JettyServerImpl.java:131)
(0000016808)    ... 11 more
(0000016809) Caused by: java.lang.IllegalStateException: No Method: <Call name="addConnector"><Arg>
(0000016810)                    <New class="org.eclipse.jetty.util.ssl.SslContextFactory"><Set name="ExcludeProtocols">
(0000016810)                            <Array type="java.lang.String"><Item>SSLv3</Item></Array>
(0000016810)                            </Set></New>
(0000016810)            </Arg></Call> on class org.ops4j.pax.web.service.jetty.internal.JettyServerWrapper
(0000016811)    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:738)
(0000016812)    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:417)
(0000016812)    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:298)
(0000016813)    at org.eclipse.jetty.xml.XmlConfiguration.configure(XmlConfiguration.java:248)
(0000016813)    ... 16 more
(0000016814) Caused by: java.lang.NoSuchMethodException: addConnector
(0000016815)    at org.eclipse.jetty.util.TypeUtil.call(TypeUtil.java:537)
(0000016816)    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:730)
(0000016816)    ... 19 more

The app is servlet based and is started later on in the OSGI config.  All the jetty examples want to show jetty.xml, jetty-http.xml, jetty-https.xml, and jetty-ssl.xml.  Should I just append all those together?

One caveat that may make things slightly more complicated is that we install our own javax.net.ssl.SSLServerSocketFactory service.  However, I tried creating my own SSLServerSocketFactory, but jetty didn't appear to use it.

Any help would be greatly appreciated.


Christoph Läubrich

Nov 6, 2014, 11:25:18 AM11/6/14
to op...@googlegroups.com
Even though IMO SSLv3 is better disabled on the client side to prevent the attack, you can disable it like this:

<Call name="addConnector">
   <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
         <Arg>
            <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
               <Set name="keyStore"><SystemProperty name="org.ops4j.pax.web.ssl.keystore"/></Set>
               <Set name="keyStorePassword"><SystemProperty name="org.ops4j.pax.web.ssl.password"/></Set>
               <Set name="keyManagerPassword"><SystemProperty name="org.ops4j.pax.web.ssl.keypassword"/></Set>
               <Set name="ExcludeProtocols">
                  <Array type="java.lang.String">             
                     <Item>SSLv3</Item>
                  </Array>
               </Set>
            </New>
         </Arg>
      </New>
   </Arg>
</Call>


Just keep in mind that the XML configuration follows the class API 1:1, so for such configuration needs the best start is to look at the corresponding Jetty javadoc.

Jason Talley

Nov 6, 2014, 5:06:47 PM11/6/14
to op...@googlegroups.com
I'm using Jetty9 - the SslSelectChannelConnector doesn't appear to be valid anymore (I get a ClassNotFoundException).

I have managed to get a basic httpsConnector working. I know it is working because I can see the protocols have been disabled:
(0000059227) 1970-01-01 01:20:53.409:DBUG:oejus.SslContextFactory:pool-1-thread-1: Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]


But every time I add the SslConnectionFactory in, I get the following exception:

Jetty.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">

        <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
                <!--Set name="secureScheme">https</Set>
                <Set name="securePort">443</Set-->
        </New>
    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"> 
               <Set name="KeyStorePath">/opt/etc/security/cert.2</Set>
               <Set name="KeyStorePassword">certpassword</Set>
               <Set name="protocol">TLSv1</Set>
               <Set name="ExcludeProtocols"> 
                  <Array type="java.lang.String">              
                     <Item>SSLv3</Item> 
                     <Item>SSLv2Hello</Item> 
                  </Array> 
               </Set> 
                <Set name="keyStorePath">/opt/etc/security/cert.2</Set>
                <Set name="keyStorePassword">certpassword</Set>
      </New> 
      <New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Arg>
            <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
                <Set name="secureScheme">https</Set>
                <Set name="securePort">443</Set>
 
                <!-- Uncomment to enable handling of X-Forwarded- style headers
                -->
                <Call name="addCustomizer">
                    <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
                </Call>
            </New>
        </Arg>
        <Call name="addCustomizer">
            <Arg>
                <New class="org.eclipse.jetty.server.SecureRequestCustomizer"/>
            </Arg>
        </Call>
    </New>
  <!-- =========================================================== -->
  <!-- Add a HTTP Connector.                                       -->
  <!-- Configure an o.e.j.server.ServerConnector with a single     -->
  <!-- HttpConnectionFactory instance using the common httpConfig  -->
  <!-- instance defined in jetty.xml                               -->
  <!--                                                             -->
  <!-- Consult the javadoc of o.e.j.server.ServerConnector and     -->
  <!-- o.e.j.server.HttpConnectionFactory for all configuration    -->
  <!-- that may be set here.                                       -->
  <!-- =========================================================== -->
    <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
        <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
        <Arg name="next">http/1.1</Arg>
    </New>

  <Call id="httpsConnector" name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpConfig"/></Arg>
              </New>
            </Item>
            <!--Item>
                <New class="org.eclipse.jetty.server.SslConnectionFactory">
                    <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
                    <Arg name="next">http/1.1</Arg>
                </New>
            </Item-->
          </Array>
         </Arg>
      </New>
    </Arg>
  </Call>

</Configure>


The exception is:
(0000059249) 1970-01-01 01:20:53.431:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: STARTED @55961ms SslContextFactory@b4fe21(/opt/security/cert.2,/opt/security/cert.2)
(0000059280) 1970-01-01 01:20:53.463:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: STARTED @55993ms SslConnectionFactory@6e74b2{SSL-http/1.1}
(0000059281) 1970-01-01 01:20:53.465:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: starting org.eclipse.jetty.server.ServerConnector$ServerConnectorManager@a02e3e
(0000059321) 1970-01-01 01:20:53.503:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: starting org.eclipse.jetty.io.SelectorManager$ManagedSelector@1b6fafc keys=-1 selected=-1
(0000059346) 1970-01-01 01:20:53.528:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: STARTED @56058ms org.eclipse.jetty.io.SelectorManager$ManagedSelector@1b6fafc keys=0 selected=0
(0000059353) 1970-01-01 01:20:53.536:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: STARTED @56066ms org.eclipse.jetty.server.ServerConnector$ServerConnectorManager@a02e3e
(0000059387) 1970-01-01 01:20:53.568:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: ServerConnector@1acf449{HTTP/1.1}{0.0.0.0:38355} added {acceptor-0@11161c1,POJO}
(0000059389) 1970-01-01 01:20:53.572:INFO:oejs.ServerConnector:pool-1-thread-1: Started ServerConnector@1acf449{HTTP/1.1}{0.0.0.0:38355}
(0000059391) 1970-01-01 01:20:53.574:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: STARTED @56103ms ServerConnector@1acf449{HTTP/1.1}{0.0.0.0:38355}
(0000059393) 1970-01-01 01:20:53.577:INFO:oejs.Server:pool-1-thread-1: Started @56106ms
(0000059394) 1970-01-01 01:20:53.577:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: STARTED @56107ms org.ops4j.pax.web.service.jetty.internal.JettyServerWrapper@1b6ec6d
(0000059413) [pool-1-thread-1] INFO org.ops4j.pax.web.service.jetty.internal.JettyServerImpl - Pax Web available at [0.0.0.0]:[0]
(0000059418) 1970-01-01 01:20:53.599:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: HttpConnectionFactory@dbb654{HTTP/1.1} added {HttpConfiguration@be92b8{32768,8192/8192,https://:8443,[]},POJO}
(0000059422) 1970-01-01 01:20:53.604:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: ServerConnector@5bb73c{null}{0.0.0.0:0} added {org.ops4j.pax.web.service.jetty.internal.JettyServerWrapper@1b6ec6d,UNMANAGED}
(0000059426) 1970-01-01 01:20:53.606:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: ServerConnector@5bb73c{null}{0.0.0.0:0} added {qtp13502850{STARTED,8<=8<=200,i=8,q=2},UNMANAGED}
(0000059428) 1970-01-01 01:20:53.610:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: ServerConnector@5bb73c{null}{0.0.0.0:0} added {org.eclipse.jetty.util.thread.ScheduledExecutorScheduler@12cfd46,AUTO}
(0000059430) 1970-01-01 01:20:53.612:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: ServerConnector@5bb73c{null}{0.0.0.0:0} added {org.eclipse.jetty.io.ArrayByteBufferPool@17bca75,POJO}
(0000059433) 1970-01-01 01:20:53.615:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: ServerConnector@5bb73c{null}{0.0.0.0:0} added {HttpConnectionFactory@dbb654{HTTP/1.1},AUTO}
(0000059436) 1970-01-01 01:20:53.618:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: ServerConnector@5bb73c{HTTP/1.1}{0.0.0.0:0} added {org.eclipse.jetty.server.ServerConnector$ServerConnectorManager@10eb8b0,MANAGED}
(0000059438) [pool-1-thread-1] INFO org.ops4j.pax.web.service.jetty.internal.JettyServerImpl - Pax Web available at [0.0.0.0]:[80]
(0000059498) 1970-01-01 01:20:53.680:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: org.ops4j.pax.web.service.jetty.internal.JettyServerWrapper@1b6ec6d added {default@5bb73c{HTTP/1.1}{0.0.0.0:80},UNMANAGED}
(0000059500) 1970-01-01 01:20:53.683:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: starting default@5bb73c{HTTP/1.1}{0.0.0.0:80}
(0000059506) 1970-01-01 01:20:53.688:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: default@5bb73c{HTTP/1.1}{0.0.0.0:80} added {sun.nio.ch.ServerSocketChannelImpl[/0:0:0:0:0:0:0:0:80],POJO}
(0000059507) 1970-01-01 01:20:53.690:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: starting org.eclipse.jetty.util.thread.ScheduledExecutorScheduler@12cfd46
(0000059508) 1970-01-01 01:20:53.691:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: STARTED @56221ms org.eclipse.jetty.util.thread.ScheduledExecutorScheduler@12cfd46
(0000059509) 1970-01-01 01:20:53.692:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: starting HttpConnectionFactory@dbb654{HTTP/1.1}
(0000059511) 1970-01-01 01:20:53.694:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: STARTED @56223ms HttpConnectionFactory@dbb654{HTTP/1.1}
(0000059511) 1970-01-01 01:20:53.695:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: starting org.eclipse.jetty.server.ServerConnector$ServerConnectorManager@10eb8b0
(0000059513) 1970-01-01 01:20:53.696:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: starting org.eclipse.jetty.io.SelectorManager$ManagedSelector@152b3da keys=-1 selected=-1
(0000059514) 1970-01-01 01:20:53.698:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: STARTED @56227ms org.eclipse.jetty.io.SelectorManager$ManagedSelector@152b3da keys=0 selected=0
(0000059516) 1970-01-01 01:20:53.699:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: STARTED @56229ms org.eclipse.jetty.server.ServerConnector$ServerConnectorManager@10eb8b0
(0000059851) 1970-01-01 01:20:54.033:DBUG:oejuc.ContainerLifeCycle:pool-1-thread-1: default@5bb73c{HTTP/1.1}{0.0.0.0:80} added {acceptor-0@7d151b,POJO}
(0000059853) 1970-01-01 01:20:54.036:INFO:oejs.ServerConnector:pool-1-thread-1: Started default@5bb73c{HTTP/1.1}{0.0.0.0:80}
(0000059855) 1970-01-01 01:20:54.038:DBUG:oejuc.AbstractLifeCycle:pool-1-thread-1: STARTED @56567ms default@5bb73c{HTTP/1.1}{0.0.0.0:80}
(0000059857) [pool-1-thread-1] ERROR org.ops4j.pax.web.service.internal.Activator - Unable to start pax web server: null
(0000059869) java.lang.NullPointerException
(0000059871)    at org.ops4j.pax.web.service.jetty.internal.ServerControllerImpl$Stopped.start(ServerControllerImpl.java:509)
(0000059872)    at org.ops4j.pax.web.service.jetty.internal.ServerControllerImpl.start(ServerControllerImpl.java:71)
(0000059872)    at org.ops4j.pax.web.service.jetty.internal.ServerControllerImpl$Unconfigured.configure(ServerControllerImpl.java:736)
(0000059873)    at org.ops4j.pax.web.service.jetty.internal.ServerControllerImpl.configure(ServerControllerImpl.java:87)
(0000059873)    at org.ops4j.pax.web.service.internal.Activator.updateController(Activator.java:349)
(0000059873)    at org.ops4j.pax.web.service.internal.Activator$3.run(Activator.java:291)
(0000059874)    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
(0000059874)    at java.util.concurrent.FutureTask.run(Unknown Source)
(0000059875)    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
(0000059875)    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
(0000059875)    at java.lang.Thread.run(Unknown Source)
mxThreadSpawn tCypherConnRx ss:64000 p:98 tid:859239504
New thread, tid = 859239504 / PID = 6440 / LWP id = 6511

ServerControllerImpl.java:509 appears to be a split on name, but it seems odd that it could be null given the checks beforehand.... I'm so close, yet so far...
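As an added example, not code from the thread or from the Pax Web project: the Jetty 9 API calls that the jetty.xml elements above map onto 1:1, so each <New>/<Set>/<Arg> can be checked against the javadoc of the class it names. The keystore path, password and port are placeholders; giving the connector a name is an assumption prompted by the "split on name" NPE reported above, not something the thread confirms.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Added example: the Java equivalent of the Jetty 9 XML in this thread.
public class NoSslv3Server {
    public static void main(String[] args) throws Exception {
        // <Configure id="Server" class="org.eclipse.jetty.server.Server">
        Server server = new Server();

        // <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath("/path/to/keystore.jks"); // placeholder
        sslContextFactory.setKeyStorePassword("changeit");           // placeholder
        // <Set name="ExcludeProtocols"><Array type="java.lang.String">...</Array></Set>
        // SSLv2Hello is the hello format, not a protocol version; excluding it
        // matches the "Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2]" line above.
        sslContextFactory.setExcludeProtocols("SSLv3", "SSLv2Hello");

        // <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(8443);
        // <Call name="addCustomizer"><Arg><New class="...SecureRequestCustomizer"/></Arg></Call>
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        // <New class="org.eclipse.jetty.server.ServerConnector">
        //   <Arg name="server"><Ref refid="Server"/></Arg>
        //   <Arg name="factories"><Array type="...ConnectionFactory">...</Array></Arg>
        // Order matters: the SSL factory comes first and its "next" protocol
        // ("http/1.1", matched case-insensitively) must name the factory after it.
        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        // Without <Set name="port"> the connector binds an ephemeral port, which is
        // what the "{0.0.0.0:38355}" connector in the log above shows.
        https.setPort(8443); // placeholder
        // Assumption: the NPE at ServerControllerImpl.java:509 involves the
        // connector name; setting one (<Set name="name">) is a cheap first check.
        https.setName("https");

        // <Call name="addConnector"><Arg>...</Arg></Call>
        server.addConnector(https);
        server.start();
        server.join();
    }
}
```

With the DBUG logging shown in the thread, the SslContextFactory start line ("Enabled Protocols [...] of [...]") is the server-side confirmation that SSLv3 is no longer offered.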