CAMEL-11482: SSLContextParameters settings are not properly copied to Jetty SslContextFactory. Thanks to Roman Vottner for reporting.
Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/f57a88ef Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/f57a88ef Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/f57a88ef Branch: refs/heads/camel-2.19.x Commit: f57a88ef93e3c965a4155a54da9abc7531380ffa Parents: 7bcefc1 Author: Claus Ibsen <davscl...@apache.org> Authored: Tue Sep 26 14:34:17 2017 +0200 Committer: Claus Ibsen <davscl...@apache.org> Committed: Tue Sep 26 14:39:32 2017 +0200 ---------------------------------------------------------------------- .../component/jetty/JettyHttpComponent.java | 35 ++++++++++ .../component/jetty9/JettyHttpComponent9.java | 35 ++++++---- .../jetty/ExcludeCipherSuitesTest.java | 71 ++++++++++++++++++++ 3 files changed, 129 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/camel/blob/f57a88ef/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpComponent.java ---------------------------------------------------------------------- diff --git a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpComponent.java b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpComponent.java index 71db799..ac1ecd4 100644 --- a/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpComponent.java +++ b/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpComponent.java 
@@ -621,6 +621,41 @@ public abstract class JettyHttpComponent extends HttpCommonComponent implements if (ssl != null) { answer.setSslContext(ssl.createSSLContext(getCamelContext())); } + + // jetty default is + // addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3"); + // setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$"); + + // configure include/exclude ciphers and protocols + if (ssl != null && ssl.getCipherSuitesFilter() != null) { + List<String> includeCiphers = ssl.getCipherSuitesFilter().getInclude(); + if (includeCiphers != null && !includeCiphers.isEmpty()) { + String[] arr = includeCiphers.toArray(new String[includeCiphers.size()]); + answer.setIncludeCipherSuites(arr); + } else { + answer.setIncludeCipherSuites(".*"); + } + List<String> excludeCiphers = ssl.getCipherSuitesFilter().getExclude(); + if (excludeCiphers != null && !excludeCiphers.isEmpty()) { + String[] arr = excludeCiphers.toArray(new String[excludeCiphers.size()]); + answer.setExcludeCipherSuites(arr); + } + } + if (ssl != null && ssl.getSecureSocketProtocolsFilter() != null) { + List<String> includeProtocols = ssl.getSecureSocketProtocolsFilter().getInclude(); + if (includeProtocols != null && !includeProtocols.isEmpty()) { + String[] arr = includeProtocols.toArray(new String[includeProtocols.size()]); + answer.setIncludeProtocols(arr); + } else { + answer.setIncludeProtocols(".*"); + } + List<String> excludeProtocols = ssl.getSecureSocketProtocolsFilter().getExclude(); + if (excludeProtocols != null && !excludeProtocols.isEmpty()) { + String[] arr = excludeProtocols.toArray(new String[excludeProtocols.size()]); + answer.setExcludeProtocols(arr); + } + } + return answer; } http://git-wip-us.apache.org/repos/asf/camel/blob/f57a88ef/components/camel-jetty9/src/main/java/org/apache/camel/component/jetty9/JettyHttpComponent9.java ---------------------------------------------------------------------- 
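Review bot: The `answer.setExcludeCipherSuites(arr)` and `answer.setExcludeProtocols(arr)` calls replace Jetty's built-in exclusions instead of extending them, so a user who configures a protocols filter that excludes only `TLSv1` silently drops the `SSL`/`SSLv2`/`SSLv2Hello`/`SSLv3` exclusion that the comment at the top of the block lists as Jetty's default. Since a `FilterParameters` exclude list is normally used to tighten a connector, that is a surprising way to weaken one; either use `addExcludeCipherSuites`/`addExcludeProtocols` so the defaults survive, or, if replacing is intended (it does let users re-enable the SHA-suffixed suites), say so next to the existing comment, e.g. `// NOTE: a configured exclude list REPLACES Jetty's defaults listed above`. The `setIncludeCipherSuites(".*")` / `setIncludeProtocols(".*")` fallbacks also assume the bundled Jetty interprets include entries as regular expressions; if it matched names literally, `.*` would select nothing and every handshake would fail, so this is worth pinning with a test against the Jetty version Camel ships. The enclosing method begins before the hunk.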
diff --git a/components/camel-jetty9/src/main/java/org/apache/camel/component/jetty9/JettyHttpComponent9.java b/components/camel-jetty9/src/main/java/org/apache/camel/component/jetty9/JettyHttpComponent9.java index 5ba4d02..ae9cd72 100644 --- a/components/camel-jetty9/src/main/java/org/apache/camel/component/jetty9/JettyHttpComponent9.java +++ b/components/camel-jetty9/src/main/java/org/apache/camel/component/jetty9/JettyHttpComponent9.java @@ -36,9 +36,13 @@ import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.ServerConnector; import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.util.ssl.SslContextFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; public class JettyHttpComponent9 extends JettyHttpComponent { + private static final Logger LOG = LoggerFactory.getLogger(JettyHttpComponent9.class); + protected CamelHttpClient createCamelHttpClient(HttpClientTransport transport, SslContextFactory sslContextFactory) { return new CamelHttpClient9(transport, sslContextFactory); } @@ -52,7 +56,7 @@ public class JettyHttpComponent9 extends JettyHttpComponent { SslContextFactory sslcf) { try { String host = endpoint.getHttpUri().getHost(); - int porto = endpoint.getPort(); + int port = endpoint.getPort(); org.eclipse.jetty.server.HttpConfiguration httpConfig = new org.eclipse.jetty.server.HttpConfiguration(); httpConfig.setSendServerVersion(endpoint.isSendServerVersion()); httpConfig.setSendDateHeader(endpoint.isSendDateHeader()); 
@@ -87,24 +91,31 @@ public class JettyHttpComponent9 extends JettyHttpComponent { } connectionFactories.add(httpFactory); result.setConnectionFactories(connectionFactories); - result.setPort(porto); + result.setPort(port); if (host != null) { result.setHost(host); } - if (getSslSocketConnectorProperties() != null && "https".equals(endpoint.getProtocol())) { - // must copy the map otherwise it will be deleted - Map<String, Object> properties = new HashMap<String, Object>(getSslSocketConnectorProperties()); - IntrospectionSupport.setProperties(sslcf, properties); - if (properties.size() > 0) { - throw new IllegalArgumentException("There are " + properties.size() - + " parameters that couldn't be set on the SocketConnector." - + " Check the uri if the parameters are spelt correctly and that they are properties of the SelectChannelConnector." - + " Unknown parameters=[" + properties + "]"); - } + if (sslcf != null) { + if (getSslSocketConnectorProperties() != null && "https".equals(endpoint.getProtocol())) { + // must copy the map otherwise it will be deleted + Map<String, Object> properties = new HashMap<String, Object>(getSslSocketConnectorProperties()); + IntrospectionSupport.setProperties(sslcf, properties); + if (properties.size() > 0) { + throw new IllegalArgumentException("There are " + properties.size() + + " parameters that couldn't be set on the SocketConnector." + + " Check the uri if the parameters are spelt correctly and that they are properties of the SelectChannelConnector." 
+ + " Unknown parameters=[" + properties + "]"); + } + } + + LOG.info("Connector on port: {} is using includeCipherSuites: {} excludeCipherSuites: {} includeProtocols: {} excludeProtocols: {}", + port, sslcf.getIncludeCipherSuites(), sslcf.getExcludeCipherSuites(), sslcf.getIncludeProtocols(), sslcf.getExcludeProtocols()); } + return result; } catch (Exception e) { throw ObjectHelper.wrapRuntimeCamelException(e); } } + } http://git-wip-us.apache.org/repos/asf/camel/blob/f57a88ef/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/ExcludeCipherSuitesTest.java ---------------------------------------------------------------------- diff --git a/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/ExcludeCipherSuitesTest.java b/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/ExcludeCipherSuitesTest.java new file mode 100644 index 0000000..9d7ab98 --- /dev/null +++ b/components/camel-jetty9/src/test/java/org/apache/camel/component/jetty/ExcludeCipherSuitesTest.java 
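Review bot: The `IllegalArgumentException` message still tells the user the parameters could not be set on the "SocketConnector" and to check "properties of the SelectChannelConnector", yet the object they are applied to is `sslcf`, an `SslContextFactory`; the lines were re-indented in this hunk without correcting the wording, so a misspelt `sslSocketConnectorProperties` key sends the user to the wrong class — suggest `" parameters that couldn't be set on the SslContextFactory."` and `" ... that they are properties of the SslContextFactory."`. The new `LOG.info` is a useful audit trail of the effective TLS policy, but it sits outside the `"https".equals(endpoint.getProtocol())` check that guards the property copy, so if `sslcf` can be non-null for a plain `http` endpoint the line would advertise cipher and protocol filters on a connector that does not use TLS; guarding it the same way, or moving it into that branch, avoids a misleading log entry. The enclosing method's signature begins before the hunk.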
@@ -0,0 +1,71 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.jetty; + +import org.apache.camel.builder.RouteBuilder; +import org.apache.camel.util.jsse.FilterParameters; +import org.apache.camel.util.jsse.KeyManagersParameters; +import org.apache.camel.util.jsse.KeyStoreParameters; +import org.apache.camel.util.jsse.SSLContextParameters; +import org.junit.Ignore; +import org.junit.Test; + +@Ignore +public class ExcludeCipherSuitesTest extends BaseJettyTest { + + protected String pwd = "changeit"; + + private SSLContextParameters createSslContextParameters() throws Exception { + KeyStoreParameters ksp = new KeyStoreParameters(); + ksp.setResource(this.getClass().getClassLoader().getResource("jsse/localhost.ks").toString()); + ksp.setPassword(pwd); + + KeyManagersParameters kmp = new KeyManagersParameters(); + kmp.setKeyPassword(pwd); + kmp.setKeyStore(ksp); + + SSLContextParameters sslContextParameters = new SSLContextParameters(); + sslContextParameters.setKeyManagers(kmp); + + FilterParameters filter = new FilterParameters(); + filter.getExclude().add("^.*_(MD5|SHA|SHA1)$"); + sslContextParameters.setCipherSuitesFilter(filter); + + return sslContextParameters; + } + + @Test 
+ public void testExclude() throws Exception { + getMockEndpoint("mock:a").expectedBodiesReceived(1); + + template.sendBody("jetty:https://localhost:" + getPort() + "/test", "Hello World"); + + assertMockEndpointsSatisfied(); + } + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + public void configure() throws Exception { + JettyHttpComponent jetty = getContext().getComponent("jetty", JettyHttpComponent.class); + jetty.setSslContextParameters(createSslContextParameters()); + + from("jetty:https://localhost:" + getPort() + "/test").to("mock:a"); + } + }; + } +} \ No newline at end of file
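Review bot: `getMockEndpoint("mock:a").expectedBodiesReceived(1)` asserts that the received body equals the Integer `1`, but the route is sent `"Hello World"`, so the test would fail on the body comparison even once the HTTPS exchange works; `getMockEndpoint("mock:a").expectedMessageCount(1);` or `expectedBodiesReceived("Hello World")` is what was meant. As written the test is also `@Ignore`d and only checks that one exchange succeeds with the exclude pattern `^.*_(MD5|SHA|SHA1)$`, which is the very pattern the main hunk's comment names as Jetty's default, so a passing run cannot tell whether the filter was copied to the `SslContextFactory` at all. A stronger regression test would configure a filter that differs from the default, for example excluding a suite that is otherwise enabled, and assert on the negotiated cipher suite or at least on `getExcludeCipherSuites()` of the created connector's factory. Note that the producer side of `template.sendBody("jetty:https://...")` goes through the same component with a keystore-only `SSLContextParameters`; whether that client trusts the server certificate is not shown here, and may be why the test is ignored rather than fixed.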