Is there any specific exclusion list available which disables only SSLv3 ciphers are not TLSv1/2.
I have jetty 8, and upgrading to 9 is not an option now. My current jetty-ssl.xml looks as follows
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg>
<New class="org.eclipse.jetty.http.ssl.SslContextFactory">
.........
</New>
</Arg>
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
<Item>SSL_RSA_WITH_NULL_MD5</Item>
<Item>SSL_RSA_WITH_NULL_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_WITH_RC4_128_MD5</Item>
<Item>SSL_RSA_WITH_RC4_128_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
<Item>SSL_RSA_WITH_IDEA_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
<Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
<Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_FORTEZZA_KEA_WITH_NULL_SHA</Item>
<Item>SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA</Item>
<Item>SSL_FORTEZZA_KEA_WITH_RC4_128_SHA</Item>
<Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>
</Array>
</Set>
</New>
</Arg>
</Call>
still when i run "sslscan --no-failed --ssl3 localhost:443" i get
Supported Server Cipher(s):
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Prefered Server Cipher(s):
SSLv3 128 bits DHE-RSA-AES128-SHA
I had to disable SSLv3 in an application where we integrate Jetty source code. Based on what I changed in code, I would guess you add the following:
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
Give it a shot and let me know if it works for you.
To expand on #Lars answer ..
For Jetty 7, Jetty 8, and Jetty 9 you have to exclude the protocol SSLv3 (not the cipher) on any SslContextFactory you are using to configure for an SSL based Connector.
For a Jetty Distribution
Edit the ${jetty.home}/etc/jetty-ssl.xml and add the following XML snippet.
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
Inside of any element that manages a org.eclipse.jetty.http.ssl.SslContextFactory
For Jetty Embedded
Any SslContextFactory you create/manage for your SSL based Connectors you just need to set the excluded protocols.
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.addExcludeProtocols("SSLv3");
sslContextFactory.setKeyStorePath(...);
...
I have configurated Jetty 8.1 whitout ssl3. You can see the complete structure of jetty-ssl.xml.
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg>
<New class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="keyStore">... </Set>
<Set name="keyStorePassword">... </Set>
<Set name="keyManagerPassword">... </Set>
<Set name="trustStore">... </Set>
<Set name="trustStorePassword>... </Set
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3 </Item>
</Array>
</Set>
</New>
</Arg>
<Set name="port">... </Set>
<Set name="maxIdleTime">... </Set>
</New>
</Arg>
</Call>
</Configure>
Related
I'm trying to configure a jetty-servlet in java using maven. I've create a jetty.xml file with the following entries
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Set name="ThreadPool">
<New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
<Set name="minThreads">10</Set>
<Set name="maxThreads">200</Set>
<Set name="detailedDump">false</Set>
</New>
</Set>
</Configure>
upon running the server
mvn jetty:run
I see the error
[WARNING] Config error at <Set name="ThreadPool">
<New class="org.eclipse.jetty.util.thread.QueuedThreadPool"><Set
name="minThreads">10</Set><Set name="maxThreads">200</Set><Set
name="detailedDump">false</Set></New>
</Set>
but cannot figure out what the problem actually is. I've also included jetty-util as a dependency in the pom.xml file. I'm using jetty version 9.4.12.v20180830 and java 8. Thanks for any help!
ThreadPool is a constructor argument for Server.
See: Javadoc for org.eclipse.jetty.server.Server
It's not a field and/or setter on Server, so you cannot use the <Set name="ThreadPool"> syntax.
Instead of replacing the threadpool, just "Get" the existing one and change settings on it.
Eg:
<Get name="ThreadPool">
<Set name="minThreads" type="int">10</Set>
<Set name="maxThreads" type="int">200</Set>
<Set name="detailedDump">false</Set>
</Get>
I'm trying to set up session clustering using this
My jetty.xml:
....
<Set name="sessionIdManager">
<New id="jdbcIdMgr" class="org.eclipse.jetty.server.session.JDBCSessionIdManager">
<Arg>
<Ref id="Server"/>
</Arg>
<Set name="workerName"><Property name="jetty.jdbcSession.workerName" default="node1"/></Set>
<Set name="scavengeInterval"><Property name="jetty.jdbcSession.scavenge" default="1800"/></Set>
<Call name="setDriverInfo">
<Arg><Property name="jetty.jdbcSession.driverClass"
default="com.mysql.jdbc.jdbc2.optional.MysqlDataSource"/></Arg>
<Arg><Property name="jetty.jdbcSession.connectionURL"
default="jdbc:mysql://${datasource.dbServerName}:${datasource.dbServerPort}/${datasource.dbName}"/></Arg>
</Call>
</New>
</Set>
.....
My jetty-web.xml :
<Get name="Server">
<Get id="jdbcIdMgr" name="sessionIdManager"/>
</Get>
<Set name="sessionHandler">
<New class="org.eclipse.jetty.server.session.SessionHandler">
<Arg>
<New id="jdbcmgr" class="org.eclipse.jetty.server.session.JDBCSessionManager">
<Set name="idManager">
<Ref id="jdbcIdMgr"/>
</Set>
</New>
</Arg>
</New>
</Set>
The problem is that I'm getting NPE during server startup, because Server instance is not set to my WebAppContext instance so I can't get my sessionIdManager using :
<Get name="Server">
<Get id="jdbcIdMgr" name="sessionIdManager"/>
</Get>
I looked at jetty-maven plugin sources and found that at first it configures my WebAppContext instance and then in calls setServer:
//set up the webapp and any context provided
this.server.configureHandlers();
configureWebApplication();
this.server.addWebApplication(webApp);
How can I properly set up my session clustering stuff?
After digging in the sources I extended JDBCSessionManager class, where I set _sessionIdManager property:
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.session.HashSessionIdManager;
import org.eclipse.jetty.server.session.JDBCSessionManager;
public class ScoopSessionManager extends JDBCSessionManager {
#Override
public void doStart() throws Exception {
final Server server = getSessionHandler().getServer();
_sessionIdManager = server.getSessionIdManager();
if (_sessionIdManager == null) {
_sessionIdManager = new HashSessionIdManager();
server.setSessionIdManager(_sessionIdManager);
}
super.doStart();
}
}
Seems to be working now.
I have a war project with Java Based Spring Configuration (without web.xml) that runs perfectly on mvn jetty:run but when I put inside the machines with Jetty 9 the project is not running.
The jetty 9 server runs but the application doesn`t initialize at all.
The application consists in a Queue Subscriber.
It seems like I need to have a web.xml file.
Does anyone have an ideia what I`m missing?
The xml configuration file for the App on Jetty 9 server is (edit: with the correct conf file)
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<!--
JETTY_HOME="<%=node['api']['worker']['jetty']['jetty_home']%>"
JAVA_HOME="<%=node['api']['worker']['jetty']['java_home']%>"
JETTY_CONSOLE="<%=node['api']['worker']['jetty']['jetty_console']%>"
JETTY_USER="<%=node['api']['worker']['jetty']['jetty_user']%>"
JETTY_ARGS="<%=node['api']['worker']['jetty']['jetty_args']%>"
JETTY_RUN="<%=node['api']['worker']['jetty']['jetty_run']%>"
JAVA_OPTIONS="<%=node['api']['worker']['jetty']['java_options']%>"
-->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Get name="ThreadPool">
<Set name="minThreads" type="int"><Property name="threads.min" default="10"/></Set>
<Set name="maxThreads" type="int"><Property name="threads.max" default="200"/></Set>
<Set name="idleTimeout" type="int"><Property name="threads.timeout" default="60000"/></Set>
<Set name="detailedDump">false</Set>
</Get>
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.util.thread.ScheduledExecutorScheduler"/>
</Arg>
</Call>
<New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
<Set name="secureScheme">https</Set>
<Set name="securePort"><Property name="jetty.secure.port" default="8443" /></Set>
<Set name="outputBufferSize"><Property name="jetty.output.buffer.size" default="32768" /></Set>
<Set name="requestHeaderSize"><Property name="jetty.request.header.size" default="8192" /></Set>
<Set name="responseHeaderSize"><Property name="jetty.response.header.size" default="8192" /></Set>
<Set name="sendServerVersion"><Property name="jetty.send.server.version" default="true" /></Set>
<Set name="sendDateHeader"><Property name="jetty.send.date.header" default="false" /></Set>
<Set name="headerCacheSize">512</Set>
</New>
<New class="org.eclipse.jetty.server.ServerConnector">
<Arg name="server"><Ref refid="Server" /></Arg>
<Arg name="factories">
<Array type="org.eclipse.jetty.server.ConnectionFactory">
<Item>
<New class="org.eclipse.jetty.server.HttpConnectionFactory">
<Arg name="config"><Ref refid="httpConfig" /></Arg>
</New>
</Item>
</Array>
</Arg>
<Set name="host"><Property name="jetty.host" /></Set>
<Set name="port"><Property name="jetty.port" default="8080"/></Set>
<Set name="idleTimeout"><Property name="http.timeout" default="30000"/></Set>
<Set name="soLingerTime"><Property name="http.soLingerTime" default="-1"/></Set>
<Set name="acceptQueueSize"><Property name="http.acceptQueueSize" default="0"/></Set>
</New>
<Call class="java.lang.System" name="setProperty">
<Arg>logback.configurationFile</Arg>
<Arg>file:///conf/worker/logback.xml</Arg>
</Call>
<Call class="java.lang.System" name="setProperty" >
<Arg>service.config.path</Arg>
<Arg>/opt/webapps/worker</Arg>
</Call>
<Set name="handler">
<New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
<Set name="handlers">
<Array type="org.eclipse.jetty.server.Handler">
<Item>
<New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
</Item>
<Item>
<New id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
<Set name="showContexts">false</Set>
</New>
</Item>
</Array>
</Set>
</New>
</Set>
<New class="org.eclipse.jetty.webapp.WebAppContext">
<Set name="contextPath">/</Set>
<Set name="war"><Property name="jetty.webapps" default="." />/opt/webapps/worker.war</Set>
<Set name="extractWAR">true</Set>
</New>
<Call name="addBean">
<Arg>
<New id="DeploymentManager" class="org.eclipse.jetty.deploy.DeploymentManager">
<Set name="contexts">
<Ref refid="Contexts" />
</Set>
<Call id="webappprovider" name="addAppProvider">
<Arg>
<New class="org.eclipse.jetty.deploy.providers.WebAppProvider">
<Set name="monitoredDirName"><Property name="jetty.home" default="." />/webapps</Set>
<Set name="scanInterval">1</Set>
<Set name="extractWars">true</Set>
<Set name="configurationClasses">
<Array type="java.lang.String">
<Item>org.eclipse.jetty.webapp.WebInfConfiguration</Item>
<Item>org.eclipse.jetty.webapp.WebXmlConfiguration</Item>
<Item>org.eclipse.jetty.webapp.MetaInfConfiguration</Item>
<Item>org.eclipse.jetty.webapp.FragmentConfiguration</Item>
<Item>org.eclipse.jetty.annotations.AnnotationConfiguration</Item>
<Item>org.eclipse.jetty.webapp.JettyWebXmlConfiguration</Item>
</Array>
</Set>
</New>
</Arg>
</Call>
</New>
</Arg>
</Call>
<Set name="stopAtShutdown">true</Set>
<Set name="stopTimeout">5000</Set>
<Set name="dumpAfterStart"><Property name="jetty.dump.start" default="false"/></Set>
<Set name="dumpBeforeStop"><Property name="jetty.dump.stop" default="false"/></Set>
</Configure>
The jetty-console log is
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=128m; support was removed in 8.0
WARNING: System properties and/or JVM args set. Consider using --dry-run or --exec
2014-12-19 19:32:49.749:INFO:oejs.Server:main: jetty-9.0.3.v20130506
2014-12-19 19:32:49.800:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:/opt/jetty- distribution-9.0.3.v20130506/webapps/] at interval 1
2014-12-19 19:32:51.554:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext#45afc369{/,file:/tmp/jetty-0.0.0.0-8080-worker.war-_-any-/webapp/,AVAILABLE}{/worker/worker.war}
2014-12-19 19:32:51.560:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:/opt/jetty-distribution-9.0.3.v20130506/webapps/] at interval 1
2014-12-19 19:32:51.587:INFO:oejs.ServerConnector:main: Started ServerConnector#34cd072c{HTTP/1.1}{0.0.0.0:8080}
Edit: The xml configuration file is now correct and I had to uncomment the above options at ${jetty.home}/start.ini
# ===========================================================
# Enable additional webapp environment configurators
# -----------------------------------------------------------
OPTIONS=plus
etc/jetty-plus.xml
# ===========================================================
# Enable servlet 3.1 annotations
# -----------------------------------------------------------
OPTIONS=annotations
etc/jetty-annotations.xml
Some obvious things to fix first.
You are using Java 8, upgrade to Jetty 9.2.6 (Jetty 9.0.3 is too old and does not support Java 8 well)
Your DTD reference is bad, it is the one from Jetty 7, it has been known to cause problems in Jetty 9.
Use <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd"> instead.
Your class reference is bad, and should be fixed. "org.eclipse.jetty_runˆy.server.Server" doesn't exist
I am using the guide here here to try to setup ssl for our Jetty 8 instance(s) but getting the following errors:
curl https://localhost/service/health
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
My jetty-ssl.xml is below.
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<!-- if NIO is not available, use org.eclipse.jetty.server.ssl.SslSocketConnector -->
<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="KeyStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
<Set name="KeyStorePassword">PASSWORD</Set>
<Set name="TrustStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
<Set name="TrustStorePassword">PASSWORD</Set>
</New>
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
<Arg><Ref id="sslContextFactory" /></Arg>
<Set name="host"><Property name="jetty.host" /></Set>
<Set name="Port">443</Set>
<Set name="maxIdleTime">30000</Set>
<Set name="Acceptors">2</Set>
<Set name="AcceptQueueSize">100</Set>
</New>
</Arg>
</Call>
</Configure>
To loaded the certs I using.
keytool -keystore keystore -import -alias jetty -file public.pem
My cert file looks like this.
An I am running this inside a docker/ubuntu:14.04 container if that makes any difference.
Any ideas on what I am missing from for configuration?
I have a web application which is running on jetty. Continues builds are built on hudson. I would like to make a hot deploy on demand from hudson.
I found cargo plugin which should be able to do so but cargo's web doesn't show any complete example how to do it - for remote jetty server - may be I miss it?
What do you suggest? Do you have any other better solution?
thank you,
Vitek
Cargo's documentation shows that it is possible to deploy to jetty via maven 2.
And here is the configuration.
I assume you tried this?
What was the problem?
Jetty : can be run as as standalone : just remote copy the war you build .
Standalone Jetty instances can be run independent ports .
Yml : eg
<Set name="ThreadPool">
-->
<New class="org.mortbay.thread.QueuedThreadPool">
<Set name="minThreads">10</Set>
<Set name="maxThreads">50</Set>
<Set name="lowThreads">5</Set>
<Set name="SpawnOrShrinkAt">2</Set>
</New>
</Set>
<Call name="addConnector">
<Arg>
<New class="org.mortbay.jetty.nio.SelectChannelConnector">
<Set name="host"><SystemProperty name="jetty.host" default="0.0.0.0" /></Set>
<Set name="port"><SystemProperty name="jetty.port" default="8880"/></Set>
<Set name="maxIdleTime">300000</Set>
<Set name="Acceptors">2</Set>
<Set name="statsOn">false</Set>
<Set name="confidentialPort">8441</Set>
<Set name="lowResourcesConnections">20000</Set>
<Set name="lowResourcesMaxIdleTime">5000</Set>
</New>
</Arg>
</Call>
<Set name="handler">
<New id="Handlers" class="org.mortbay.jetty.handler.HandlerCollection">
<Set name="handlers">
<Array type="org.mortbay.jetty.Handler">
<Item>
<New id="Contexts" class="org.mortbay.jetty.handler.ContextHandlerCollection"/>
</Item>
<Item>
<New id="DefaultHandler" class="org.mortbay.jetty.handler.DefaultHandler"/>
</Item>
<Item>
<New id="RequestLog" class="org.mortbay.jetty.handler.RequestLogHandler"/>
</Item>
</Array>
</Set>
</New>
</Set>
<Call name="addLifeCycle">
<Arg>
<New class="org.mortbay.jetty.deployer.ContextDeployer">
<Set name="contexts"><Ref id="Contexts"/></Set>
<Set name="configurationDir"><SystemProperty name="jetty.home" default="."/>/contexts/</Set>
<Set name="scanInterval">1</Set>
</New>
</Arg>
</Call>
<Set name="UserRealms">
<Array type="org.mortbay.jetty.security.UserRealm">
<Item>
<New class="org.mortbay.jetty.security.HashUserRealm">
<Set name="name">Test Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Item>
</Array>
</Set>
<Ref id="RequestLog">
<Set name="requestLog">
<New id="RequestLogImpl" class="org.mortbay.jetty.NCSARequestLog">
<Set name="filename"><SystemProperty name="jetty.logs" default="./logs"/>/yyyy_mm_dd.request.log</Set>
<Set name="filenameDateFormat">yyyy_MM_dd</Set>
<Set name="retainDays">90</Set>
<Set name="append">true</Set>
<Set name="extended">true</Set>
<Set name="logCookies">false</Set>
<Set name="LogTimeZone">GMT</Set>
</New>
</Set>
</Ref>
<Set name="stopAtShutdown">true</Set>
<Set name="sendServerVersion">true</Set>
<Set name="sendDateHeader">true</Set>
<Set name="gracefulShutdown">1000</Set>
For those of you using Windows, if you run into file locking errors, visit:
http://docs.codehaus.org/display/JETTY/Files+locked+on+Windows
Windows locks the files Jetty loads into memory. The above link will show you how to prevent that.