Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
A jetty9 update broke trapperkeeper-webserver-jetty9-clojure, and as a result puppetdb, in buster (bug#924005). This is a minimal fix on the trapperkeeper-webserver-jetty9-clojure side to work around the breakage. This has been confirmed to work in sid/bullseye (1.7.0-3). For the trapperkeeper-webserver-jetty9-clojure maintainers, I pushed the change to: https://salsa.debian.org/jcristau/trapperkeeper-webserver-jetty9-clojure/commits/debian/buster Cheers, Julien diff --git a/debian/changelog b/debian/changelog index 3bfef40..3d8b882 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1) buster; urgency=medium + + [ Manfred Stock ] + * Add patch for SSL compatibility with newer Jetty (closes: #930562). + + -- Julien Cristau <jcris...@debian.org> Fri, 13 Sep 2019 11:00:50 +0200 + trapperkeeper-webserver-jetty9-clojure (1.7.0-2) unstable; urgency=medium * Fix compatibility with Jetty 9.4 diff --git a/debian/patches/0005-maint-Disable-EndpointIdentification.patch b/debian/patches/0005-maint-Disable-EndpointIdentification.patch new file mode 100644 index 0000000..39890d7 --- /dev/null +++ b/debian/patches/0005-maint-Disable-EndpointIdentification.patch @@ -0,0 +1,46 @@ +From 9db4170381e07165078e544340e12b38676c2613 Mon Sep 17 00:00:00 2001 +From: Justin Stoller <justin.stol...@gmail.com> +Date: Fri, 24 May 2019 16:10:44 -0700 +Subject: [PATCH] (maint) Disable EndpointIdentification + +Previously, Jetty disabled Endpoint Identification by default as it is a best +practice for most webservers who often cannot identify clients +connecting to it. However, in 9.4.15 Jetty changed this default to +"HTTPS", which is the best practice for _client_ SslContexts. This +caused serious breakages throughout the Jetty ecosystem and since 9.4.16 +Jetty introduced static inner classes of SslContextFactory, named Server +and Client, to create the correct contexts for each type of consumer. + +Unfortunately, because we subclass SslContextFactory with our own +InternalSslContextFactory that overrides CRL handling, using these static +inner class factories is problematic. Consequently, this patch takes the +approach of simply setting the Endpoint Identification Algorithm to null +as was previously the default (and necessary in most server +environments). + +This will cause a warning of overriding a deprecated method during +compilation in newer Java versions and our approach to handling CRLs +will need to be reworked should we use this codebase as a basis for a +trapperkeeper-webserver-jetty10 project. + +For more info see linked issues to the implementing PR here: +https://github.com/eclipse/jetty.project/pull/3480/files#diff-58640db0f8f2cd84b7e653d1c1540913 +--- + src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj +index 3a577bb..02e7c7d 100644 +--- a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj ++++ b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj +@@ -197,6 +197,7 @@ + (.setKeyStore (:keystore keystore-config)) + (.setKeyStorePassword (:key-password keystore-config)) + (.setTrustStore (:truststore keystore-config)) ++ (.setEndpointIdentificationAlgorithm nil) + ;; Need to clear out the default cipher suite exclude list so + ;; that Jetty doesn't potentially remove one or more ciphers + ;; that we want to be included. +-- +2.20.1 + diff --git a/debian/patches/series b/debian/patches/series index cfdab48..1d6304e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ jetty-9.4-compat 0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch 0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch 0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch +0005-maint-Disable-EndpointIdentification.patch
