New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(#19884) Intermittent SSL handshake error #512
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,7 +4,8 @@ | |
(:import (org.eclipse.jetty.server Server) | ||
(org.eclipse.jetty.server.nio SelectChannelConnector)) | ||
(:require [ring.adapter.jetty :as jetty]) | ||
(:use [clojure.tools.logging :as log])) | ||
(:use [clojure.tools.logging :as log] | ||
[clojure.string :only (split trim)])) | ||
|
||
;; We need to monkey-patch `add-ssl-connector!` in order to set the | ||
;; appropriate options for Client Certificate Authentication, and use | ||
|
@@ -26,6 +27,22 @@ | |
(catch Throwable e | ||
(log/error e "Could not remove security providers; HTTPS may not work!")))) | ||
|
||
;; TODO: Only do this on certain 1.7 jdks | ||
;; | ||
;; Due to weird issues between JSSE and OpenSSL clients on some 1.7 | ||
;; jdks when using Diffie-Hellman exchange, we need to only enable | ||
;; RSA-based ciphers. | ||
;; | ||
;; https://forums.oracle.com/forums/thread.jspa?messageID=10999587 | ||
;; https://issues.apache.org/jira/browse/APLO-287 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we file an official bug report w/Oracle so that we have a link in the code here that allows us to track when this has been resolved? How hard would it be to put together a repro jar for them? Failing that it would be good to find somewhere to put your repro case code / docs so that we have a way to test this again in the future. |
||
(def acceptable-ciphers ["TLS_RSA_WITH_AES_256_CBC_SHA256" | ||
"TLS_RSA_WITH_AES_256_CBC_SHA" | ||
"TLS_RSA_WITH_AES_128_CBC_SHA256" | ||
"TLS_RSA_WITH_AES_128_CBC_SHA" | ||
"SSL_RSA_WITH_RC4_128_SHA" | ||
"SSL_RSA_WITH_3DES_EDE_CBC_SHA" | ||
"SSL_RSA_WITH_RC4_128_MD5"]) | ||
|
||
;; Monkey-patched version of `create-server` that will only create a | ||
;; non-SSL connector if the options specifically dictate it. | ||
|
||
|
@@ -44,9 +61,15 @@ | |
(.addConnector server (plaintext-connector options))) | ||
|
||
(when (or (options :ssl?) (options :ssl-port)) | ||
(let [ssl-host (options :ssl-host (options :host "localhost")) | ||
options (assoc options :host ssl-host)] | ||
(.addConnector server (#'jetty/ssl-connector options)))) | ||
(let [ssl-host (options :ssl-host (options :host "localhost")) | ||
options (assoc options :host ssl-host) | ||
connector (#'jetty/ssl-connector options) | ||
ciphers (if-let [txt (options :cipher-suites)] | ||
(map trim (split txt #",")) | ||
acceptable-ciphers)] | ||
(doto (.getSslContextFactory connector) | ||
(.setIncludeCipherSuites (into-array ciphers))) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do you have any idea what happens here if there is a bogus ciper name in the list? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Jetty ignores ciphers it doesn't recognize. Under the hood, it takes the list of ciphers available in the JVM and does an intersection with the list you supply as the whitelist. The bogus cipher name won't exist in the JVM list, and will hence fall out of the intersection. |
||
(.addConnector server connector))) | ||
server)) | ||
|
||
(defn run-jetty | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it worth mentioning that we do this only for the known affected versions of the JDK?