(#19884) Intermittent SSL handshake error

documentation/configure.markdown

@@ -394,6 +394,12 @@ Optional. This describes the path to a file that contains a list of certificate
 
 If not supplied, PuppetDB uses standard HTTPS without any additional authorization. All HTTPS clients must still supply valid, verifiable SSL client certificates.
 
+### `cipher-suites`
+
+Optional. A comma-separated list of cryptographic ciphers to allow for incoming SSL connections. Valid names are listed in the [official JDK cryptographic providers documentation](http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites); you'll need to use the all-caps cipher suite name.
+
+If not supplied, PuppetDB uses the complete, non-DHE set of ciphers.
+
 `[repl]` Settings
 -----
 

src/com/puppetlabs/jetty.clj

@@ -4,7 +4,8 @@
   (:import (org.eclipse.jetty.server Server)
            (org.eclipse.jetty.server.nio SelectChannelConnector))
   (:require [ring.adapter.jetty :as jetty])
-  (:use [clojure.tools.logging :as log]))
+  (:use [clojure.tools.logging :as log]
+        [clojure.string :only (split trim)]))
 
 ;; We need to monkey-patch `add-ssl-connector!` in order to set the
 ;; appropriate options for Client Certificate Authentication, and use
@@ -26,6 +27,22 @@
     (catch Throwable e
       (log/error e "Could not remove security providers; HTTPS may not work!"))))
 
+;; TODO: Only do this on certain 1.7 jdks
+;;
+;; Due to weird issues between JSSE and OpenSSL clients on some 1.7
+;; jdks when using Diffie-Hellman exchange, we need to only enable
+;; RSA-based ciphers.
+;;
+;; https://forums.oracle.com/forums/thread.jspa?messageID=10999587
+;; https://issues.apache.org/jira/browse/APLO-287
+(def acceptable-ciphers ["TLS_RSA_WITH_AES_256_CBC_SHA256"
+                         "TLS_RSA_WITH_AES_256_CBC_SHA"
+                         "TLS_RSA_WITH_AES_128_CBC_SHA256"
+                         "TLS_RSA_WITH_AES_128_CBC_SHA"
+                         "SSL_RSA_WITH_RC4_128_SHA"
+                         "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
+                         "SSL_RSA_WITH_RC4_128_MD5"])
+
 ;; Monkey-patched version of `create-server` that will only create a
 ;; non-SSL connector if the options specifically dictate it.
 
@@ -44,9 +61,15 @@
       (.addConnector server (plaintext-connector options)))
 
     (when (or (options :ssl?) (options :ssl-port))
-      (let [ssl-host (options :ssl-host (options :host "localhost"))
-            options  (assoc options :host ssl-host)]
-        (.addConnector server (#'jetty/ssl-connector options))))
+      (let [ssl-host  (options :ssl-host (options :host "localhost"))
+            options   (assoc options :host ssl-host)
+            connector (#'jetty/ssl-connector options)
+            ciphers   (if-let [txt (options :cipher-suites)]
+                        (map trim (split txt #","))
+                        acceptable-ciphers)]
+        (doto (.getSslContextFactory connector)
+          (.setIncludeCipherSuites (into-array ciphers)))
+        (.addConnector server connector)))
     server))
 
 (defn run-jetty