NIFI-7730 Added regression tests for multiple certificate keystores.

Cleaned up JettyServer code.
Changed test logging severity to include debug statements.
Added test resources.

This closes #4498.

Co-authored-by: Kotaro Terada <kotarot@apache.org>
This commit is contained in:
Kotaro Terada 2020-08-11 18:19:23 +09:00 committed by Andy LoPresto
parent 1e6619b91f
commit c3cab48325
No known key found for this signature in database
GPG Key ID: 6EC293152D90B61D
18 changed files with 136 additions and 98 deletions

View File

@ -453,7 +453,7 @@ public class TestHttpClient {
final ServletHandler wrongPathServletHandler = new ServletHandler(); final ServletHandler wrongPathServletHandler = new ServletHandler();
wrongPathContextHandler.insertHandler(wrongPathServletHandler); wrongPathContextHandler.insertHandler(wrongPathServletHandler);
final SslContextFactory sslContextFactory = new SslContextFactory(); final SslContextFactory sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks"); sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks");
sslContextFactory.setKeyStorePassword("passwordpassword"); sslContextFactory.setKeyStorePassword("passwordpassword");
sslContextFactory.setKeyStoreType("JKS"); sslContextFactory.setKeyStoreType("JKS");

View File

@ -975,19 +975,13 @@ public class JettyServer implements NiFiServer, ExtensionUiLoader {
} }
private SslContextFactory createSslContextFactory() { private SslContextFactory createSslContextFactory() {
final SslContextFactory contextFactory = new SslContextFactory(); final SslContextFactory.Server serverContextFactory = new SslContextFactory.Server();
configureSslContextFactory(contextFactory, props); configureSslContextFactory(serverContextFactory, props);
return contextFactory; return serverContextFactory;
} }
protected static void configureSslContextFactory(SslContextFactory contextFactory, NiFiProperties props) { protected static void configureSslContextFactory(SslContextFactory.Server contextFactory, NiFiProperties props) {
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
contextFactory.setEndpointIdentificationAlgorithm(null);
// Explicitly exclude legacy TLS protocol versions // Explicitly exclude legacy TLS protocol versions
// contextFactory.setProtocol(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion());
contextFactory.setIncludeProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions()); contextFactory.setIncludeProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions());
contextFactory.setExcludeProtocols("TLS", "TLSv1", "TLSv1.1", "SSL", "SSLv2", "SSLv2Hello", "SSLv3"); contextFactory.setExcludeProtocols("TLS", "TLSv1", "TLSv1.1", "SSL", "SSLv2", "SSLv2Hello", "SSLv3");

View File

@ -19,6 +19,9 @@ package org.apache.nifi.web.server
import org.apache.log4j.AppenderSkeleton import org.apache.log4j.AppenderSkeleton
import org.apache.log4j.spi.LoggingEvent import org.apache.log4j.spi.LoggingEvent
import org.apache.nifi.bundle.Bundle import org.apache.nifi.bundle.Bundle
import org.apache.nifi.nar.ExtensionManagerHolder
import org.apache.nifi.nar.ExtensionMapping
import org.apache.nifi.nar.SystemBundle
import org.apache.nifi.processor.DataUnit import org.apache.nifi.processor.DataUnit
import org.apache.nifi.properties.StandardNiFiProperties import org.apache.nifi.properties.StandardNiFiProperties
import org.apache.nifi.security.util.CertificateUtils import org.apache.nifi.security.util.CertificateUtils
@ -121,6 +124,8 @@ class JettyServerGroovyTest extends GroovyTestCase {
@After @After
void tearDown() throws Exception { void tearDown() throws Exception {
// Cleans up the EMH so it can be reinitialized when a new Jetty server starts
ExtensionManagerHolder.INSTANCE = null
TestAppender.reset() TestAppender.reset()
} }
@ -196,10 +201,9 @@ class JettyServerGroovyTest extends GroovyTestCase {
assert !bothConfigsPresentForHttp assert !bothConfigsPresentForHttp
assert !bothConfigsPresentForHttps assert !bothConfigsPresentForHttps
// Verifies that the warning was not logged // Verifies that the warning was not logged (messages are duplicated because of log4j.properties settings)
assert log.size() == 2 assert log.size() == 4
assert log.first() == "Both configs present for HTTP properties: false" assert log.every { it =~ "Both configs present for HTTPS? properties: false" }
assert log.last() == "Both configs present for HTTPS properties: false"
} }
@Test @Test
@ -242,10 +246,84 @@ class JettyServerGroovyTest extends GroovyTestCase {
// Assertions defined above // Assertions defined above
} }
/**
* Regression test added after NiFi 1.12.0 because Jetty upgrade to 9.4.26 no longer works
* with multiple certificate keystores.
*/
@Test
void testShouldStartWithMultipleCertificatePKCS12Keystore() {
// Arrange
final String externalHostname = "localhost"
NiFiProperties httpsProps = new StandardNiFiProperties(rawProperties: new Properties([
(NiFiProperties.WEB_HTTPS_PORT): HTTPS_PORT as String,
(NiFiProperties.WEB_HTTPS_HOST): externalHostname,
(NiFiProperties.SECURITY_KEYSTORE): "src/test/resources/multiple_cert_keystore.p12",
(NiFiProperties.SECURITY_KEYSTORE_PASSWD): "passwordpassword",
(NiFiProperties.SECURITY_KEYSTORE_TYPE): "PKCS12",
(NiFiProperties.NAR_LIBRARY_DIRECTORY): "target/"
]))
JettyServer jetty = createJettyServer(httpsProps)
Server internalServer = jetty.server
List<Connector> connectors = Arrays.asList(internalServer.connectors)
// Act
jetty.start()
// Assert
assertServerConnector(connectors, "TLS", CURRENT_TLS_PROTOCOL_VERSIONS, CURRENT_TLS_PROTOCOL_VERSIONS, externalHostname, HTTPS_PORT)
// Clean up
jetty.stop()
}
/**
* Regression test added after NiFi 1.12.0 because Jetty upgrade to 9.4.26 no longer works
* with multiple certificate keystores.
*/
@Test
void testShouldStartWithMultipleCertificateJKSKeystore() {
// Arrange
final String externalHostname = "localhost"
NiFiProperties httpsProps = new StandardNiFiProperties(rawProperties: new Properties([
(NiFiProperties.WEB_HTTPS_PORT): HTTPS_PORT as String,
(NiFiProperties.WEB_HTTPS_HOST): externalHostname,
(NiFiProperties.SECURITY_KEYSTORE): "src/test/resources/multiple_cert_keystore.jks",
(NiFiProperties.SECURITY_KEYSTORE_PASSWD): "passwordpassword",
(NiFiProperties.SECURITY_KEYSTORE_TYPE): "JKS",
(NiFiProperties.NAR_LIBRARY_DIRECTORY): "target/"
]))
JettyServer jetty = createJettyServer(httpsProps)
Server internalServer = jetty.server
List<Connector> connectors = Arrays.asList(internalServer.connectors)
// Act
jetty.start()
// Assert
assertServerConnector(connectors, "TLS", CURRENT_TLS_PROTOCOL_VERSIONS, CURRENT_TLS_PROTOCOL_VERSIONS, externalHostname, HTTPS_PORT)
// Clean up
jetty.stop()
}
private static JettyServer createJettyServer(StandardNiFiProperties httpsProps) {
Server internalServer = new Server()
JettyServer jetty = new JettyServer(internalServer, httpsProps)
jetty.systemBundle = SystemBundle.create(httpsProps)
jetty.bundles = [] as Set<Bundle>
jetty.extensionMapping = [size: { -> 0 }] as ExtensionMapping
jetty.configureHttpsConnector(internalServer, new HttpConfiguration())
jetty
}
@Test @Test
void testShouldConfigureHTTPSConnector() { void testShouldConfigureHTTPSConnector() {
// Arrange // Arrange
final String externalHostname = "secure.host.com" final String externalHostname = "localhost"
NiFiProperties httpsProps = new StandardNiFiProperties(rawProperties: new Properties([ NiFiProperties httpsProps = new StandardNiFiProperties(rawProperties: new Properties([
(NiFiProperties.WEB_HTTPS_PORT): HTTPS_PORT as String, (NiFiProperties.WEB_HTTPS_PORT): HTTPS_PORT as String,
@ -260,9 +338,7 @@ class JettyServerGroovyTest extends GroovyTestCase {
List<Connector> connectors = Arrays.asList(internalServer.connectors) List<Connector> connectors = Arrays.asList(internalServer.connectors)
// Assert // Assert
assertServerConnector(connectors, "TLS", CURRENT_TLS_PROTOCOL_VERSIONS, CURRENT_TLS_PROTOCOL_VERSIONS, externalHostname, HTTPS_PORT)
// Set the expected TLS protocols to null because no actual keystore/truststore is loaded here
assertServerConnector(connectors, "TLS", null, null, externalHostname, HTTPS_PORT)
} }
@Test @Test
@ -411,16 +487,13 @@ class JettyServerGroovyTest extends GroovyTestCase {
assert connector.port == EXPECTED_PORT assert connector.port == EXPECTED_PORT
assert connector.getProtocols() == ['ssl', 'http/1.1'] assert connector.getProtocols() == ['ssl', 'http/1.1']
// This kind of testing is not ideal as it breaks encapsulation, but is necessary to enforce verification of the TLS protocol versions specified
SslConnectionFactory connectionFactory = connector.getConnectionFactory("ssl") as SslConnectionFactory SslConnectionFactory connectionFactory = connector.getConnectionFactory("ssl") as SslConnectionFactory
SslContextFactory sslContextFactory = connectionFactory._sslContextFactory as SslContextFactory SslContextFactory sslContextFactory = connectionFactory.getSslContextFactory()
logger.debug("SSL Context Factory: ${sslContextFactory.dump()}") logger.debug("SSL Context Factory: ${sslContextFactory.dump()}")
// Using the getters is subject to NPE due to blind array copies assert sslContextFactory.getProtocol() == EXPECTED_TLS_PROTOCOL
assert sslContextFactory._sslProtocol == EXPECTED_TLS_PROTOCOL assert Arrays.asList(sslContextFactory.getIncludeProtocols()).containsAll(EXPECTED_INCLUDED_PROTOCOLS ?: Collections.emptySet())
assert sslContextFactory._includeProtocols.containsAll(EXPECTED_INCLUDED_PROTOCOLS ?: Collections.emptySet()) assert (sslContextFactory.getExcludeProtocols() as List<String>).containsAll(LEGACY_TLS_PROTOCOLS)
assert (sslContextFactory._excludeProtocols as List<String>).containsAll(LEGACY_TLS_PROTOCOLS)
assert sslContextFactory._selectedProtocols == EXPECTED_SELECTED_PROTOCOLS as String[]
} }
@Test @Test

View File

@ -43,12 +43,12 @@ public class JettyServerTest {
addProps.put(NiFiProperties.SECURITY_KEYSTORE_PASSWD, testKeystorePassword); addProps.put(NiFiProperties.SECURITY_KEYSTORE_PASSWD, testKeystorePassword);
addProps.put(NiFiProperties.SECURITY_KEY_PASSWD, testKeyPassword); addProps.put(NiFiProperties.SECURITY_KEY_PASSWD, testKeyPassword);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps); NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class); SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties); JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setKeyStorePassword(testKeystorePassword); verify(mockSCF).setKeyStorePassword(testKeystorePassword);
verify(contextFactory).setKeyManagerPassword(testKeyPassword); verify(mockSCF).setKeyManagerPassword(testKeyPassword);
} }
@Test @Test
@ -59,12 +59,12 @@ public class JettyServerTest {
final Map<String, String> addProps = new HashMap<>(); final Map<String, String> addProps = new HashMap<>();
addProps.put(NiFiProperties.SECURITY_KEY_PASSWD, testKeyPassword); addProps.put(NiFiProperties.SECURITY_KEY_PASSWD, testKeyPassword);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps); NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class); SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties); JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setKeyManagerPassword(testKeyPassword); verify(mockSCF).setKeyManagerPassword(testKeyPassword);
verify(contextFactory, never()).setKeyStorePassword(anyString()); verify(mockSCF, never()).setKeyStorePassword(anyString());
} }
@Test @Test
@ -75,12 +75,12 @@ public class JettyServerTest {
final Map<String, String> addProps = new HashMap<>(); final Map<String, String> addProps = new HashMap<>();
addProps.put(NiFiProperties.SECURITY_KEYSTORE_PASSWD, testKeystorePassword); addProps.put(NiFiProperties.SECURITY_KEYSTORE_PASSWD, testKeystorePassword);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps); NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class); SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties); JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setKeyStorePassword(testKeystorePassword); verify(mockSCF).setKeyStorePassword(testKeystorePassword);
verify(contextFactory).setKeyManagerPassword(testKeystorePassword); verify(mockSCF).setKeyManagerPassword(testKeystorePassword);
} }
@Test @Test
@ -90,12 +90,12 @@ public class JettyServerTest {
String keyStoreType = KeystoreType.JKS.toString(); String keyStoreType = KeystoreType.JKS.toString();
addProps.put(NiFiProperties.SECURITY_KEYSTORE_TYPE, keyStoreType); addProps.put(NiFiProperties.SECURITY_KEYSTORE_TYPE, keyStoreType);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps); NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class); SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties); JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setKeyStoreType(keyStoreType); verify(mockSCF).setKeyStoreType(keyStoreType);
verify(contextFactory).setKeyStoreProvider(SUN_PROVIDER_NAME); verify(mockSCF).setKeyStoreProvider(SUN_PROVIDER_NAME);
} }
@Test @Test
@ -105,12 +105,12 @@ public class JettyServerTest {
String keyStoreType = KeystoreType.PKCS12.toString(); String keyStoreType = KeystoreType.PKCS12.toString();
addProps.put(NiFiProperties.SECURITY_KEYSTORE_TYPE, keyStoreType); addProps.put(NiFiProperties.SECURITY_KEYSTORE_TYPE, keyStoreType);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps); NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class); SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties); JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setKeyStoreType(keyStoreType); verify(mockSCF).setKeyStoreType(keyStoreType);
verify(contextFactory).setKeyStoreProvider(BouncyCastleProvider.PROVIDER_NAME); verify(mockSCF).setKeyStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
} }
@Test @Test
@ -120,12 +120,12 @@ public class JettyServerTest {
String trustStoreType = KeystoreType.JKS.toString(); String trustStoreType = KeystoreType.JKS.toString();
addProps.put(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, trustStoreType); addProps.put(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, trustStoreType);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps); NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class); SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties); JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setTrustStoreType(trustStoreType); verify(mockSCF).setTrustStoreType(trustStoreType);
verify(contextFactory).setTrustStoreProvider(SUN_PROVIDER_NAME); verify(mockSCF).setTrustStoreProvider(SUN_PROVIDER_NAME);
} }
@Test @Test
@ -135,11 +135,11 @@ public class JettyServerTest {
String trustStoreType = KeystoreType.PKCS12.toString(); String trustStoreType = KeystoreType.PKCS12.toString();
addProps.put(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, trustStoreType); addProps.put(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, trustStoreType);
NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps); NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
SslContextFactory contextFactory = mock(SslContextFactory.class); SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
JettyServer.configureSslContextFactory(contextFactory, nifiProperties); JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
verify(contextFactory).setTrustStoreType(trustStoreType); verify(mockSCF).setTrustStoreType(trustStoreType);
verify(contextFactory).setTrustStoreProvider(BouncyCastleProvider.PROVIDER_NAME); verify(mockSCF).setTrustStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
} }
} }

View File

@ -16,6 +16,7 @@
# #
log4j.rootLogger=INFO,console,test log4j.rootLogger=INFO,console,test
log4j.logger.org.apache.nifi.web=DEBUG,console,test
log4j.appender.console=org.apache.log4j.ConsoleAppender log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.Target=System.err log4j.appender.console.Target=System.err

View File

@ -77,12 +77,7 @@ public class NiFiTestServer {
// TODO: Refactor this method to use proper factory methods // TODO: Refactor this method to use proper factory methods
private void createSecureConnector() { private void createSecureConnector() {
org.eclipse.jetty.util.ssl.SslContextFactory contextFactory = new org.eclipse.jetty.util.ssl.SslContextFactory(); org.eclipse.jetty.util.ssl.SslContextFactory contextFactory = new org.eclipse.jetty.util.ssl.SslContextFactory.Server();
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
contextFactory.setEndpointIdentificationAlgorithm(null);
// require client auth when not supporting login or anonymous access // require client auth when not supporting login or anonymous access
if (StringUtils.isBlank(properties.getProperty(NiFiProperties.SECURITY_USER_LOGIN_IDENTITY_PROVIDER))) { if (StringUtils.isBlank(properties.getProperty(NiFiProperties.SECURITY_USER_LOGIN_IDENTITY_PROVIDER))) {

View File

@ -113,7 +113,7 @@ public class PrometheusServer {
} }
private SslContextFactory createSslFactory(final SSLContextService sslService, boolean needClientAuth, boolean wantClientAuth) { private SslContextFactory createSslFactory(final SSLContextService sslService, boolean needClientAuth, boolean wantClientAuth) {
SslContextFactory sslFactory = new SslContextFactory(); SslContextFactory sslFactory = new SslContextFactory.Server();
sslFactory.setNeedClientAuth(needClientAuth); sslFactory.setNeedClientAuth(needClientAuth);
sslFactory.setWantClientAuth(wantClientAuth); sslFactory.setWantClientAuth(wantClientAuth);

View File

@ -520,18 +520,13 @@ public class HandleHttpRequest extends AbstractProcessor {
} }
private SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) { private SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) {
final SslContextFactory sslFactory = new SslContextFactory(); final SslContextFactory sslFactory = new SslContextFactory.Server();
sslFactory.setNeedClientAuth(needClientAuth); sslFactory.setNeedClientAuth(needClientAuth);
sslFactory.setWantClientAuth(wantClientAuth); sslFactory.setWantClientAuth(wantClientAuth);
sslFactory.setProtocol(sslService.getSslAlgorithm()); sslFactory.setProtocol(sslService.getSslAlgorithm());
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null.
sslFactory.setEndpointIdentificationAlgorithm(null);
if (sslService.isKeyStoreConfigured()) { if (sslService.isKeyStoreConfigured()) {
sslFactory.setKeyStorePath(sslService.getKeyStoreFile()); sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
sslFactory.setKeyStorePassword(sslService.getKeyStorePassword()); sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());

View File

@ -256,14 +256,9 @@ public class ListenHTTP extends AbstractSessionFactoryProcessor {
final boolean needClientAuth = sslContextService != null && sslContextService.getTrustStoreFile() != null; final boolean needClientAuth = sslContextService != null && sslContextService.getTrustStoreFile() != null;
final SslContextFactory contextFactory = new SslContextFactory(); final SslContextFactory contextFactory = new SslContextFactory.Server();
contextFactory.setNeedClientAuth(needClientAuth); contextFactory.setNeedClientAuth(needClientAuth);
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
contextFactory.setEndpointIdentificationAlgorithm(null);
if (needClientAuth) { if (needClientAuth) {
contextFactory.setTrustStorePath(sslContextService.getTrustStoreFile()); contextFactory.setTrustStorePath(sslContextService.getTrustStoreFile());
contextFactory.setTrustStoreType(sslContextService.getTrustStoreType()); contextFactory.setTrustStoreType(sslContextService.getTrustStoreType());

View File

@ -141,7 +141,7 @@ class TestGetHTTPGroovy extends GroovyTestCase {
private private
static SslContextFactory createSslContextFactory(List supportedProtocols = DEFAULT_PROTOCOLS, List supportedCipherSuites = DEFAULT_CIPHER_SUITES) { static SslContextFactory createSslContextFactory(List supportedProtocols = DEFAULT_PROTOCOLS, List supportedCipherSuites = DEFAULT_CIPHER_SUITES) {
final SslContextFactory contextFactory = new SslContextFactory() final SslContextFactory contextFactory = new SslContextFactory.Server()
contextFactory.needClientAuth = false contextFactory.needClientAuth = false
contextFactory.wantClientAuth = false contextFactory.wantClientAuth = false

View File

@ -133,7 +133,7 @@ class TestPostHTTPGroovy extends GroovyTestCase {
private private
static SslContextFactory createSslContextFactory(List supportedProtocols = DEFAULT_PROTOCOLS, List supportedCipherSuites = DEFAULT_CIPHER_SUITES) { static SslContextFactory createSslContextFactory(List supportedProtocols = DEFAULT_PROTOCOLS, List supportedCipherSuites = DEFAULT_CIPHER_SUITES) {
final SslContextFactory contextFactory = new SslContextFactory() final SslContextFactory contextFactory = new SslContextFactory.Server()
contextFactory.needClientAuth = false contextFactory.needClientAuth = false
contextFactory.wantClientAuth = false contextFactory.wantClientAuth = false

View File

@ -76,7 +76,7 @@ public class TestServer {
} }
private void createSecureConnector(final Map<String, String> sslProperties) { private void createSecureConnector(final Map<String, String> sslProperties) {
SslContextFactory ssl = new SslContextFactory(); SslContextFactory ssl = new SslContextFactory.Server();
if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) { if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName())); ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
@ -97,11 +97,6 @@ public class TestServer {
ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth)); ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth));
} }
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
ssl.setEndpointIdentificationAlgorithm(null);
// build the connector // build the connector
final ServerConnector https = new ServerConnector(jetty, ssl); final ServerConnector https = new ServerConnector(jetty, ssl);

View File

@ -67,7 +67,7 @@ public abstract class AbstractJettyWebSocketService extends AbstractWebSocketSer
protected SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth, final String endpointIdentificationAlgorithm) { protected SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth, final String endpointIdentificationAlgorithm) {
final SslContextFactory sslFactory = new SslContextFactory(); final SslContextFactory sslFactory = new SslContextFactory.Server();
sslFactory.setNeedClientAuth(needClientAuth); sslFactory.setNeedClientAuth(needClientAuth);
sslFactory.setWantClientAuth(wantClientAuth); sslFactory.setWantClientAuth(wantClientAuth);

View File

@ -46,7 +46,7 @@ public class WebSocketClientExample {
String destUri = "wss://localhost:50010/test"; String destUri = "wss://localhost:50010/test";
final CountDownLatch replyLatch = new CountDownLatch(1); final CountDownLatch replyLatch = new CountDownLatch(1);
final SslContextFactory sslContextFactory = new SslContextFactory(); final SslContextFactory sslContextFactory = new SslContextFactory.Client();
sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks"); sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks");
sslContextFactory.setKeyStorePassword("passwordpassword"); sslContextFactory.setKeyStorePassword("passwordpassword");
sslContextFactory.setKeyStoreType("JKS"); sslContextFactory.setKeyStoreType("JKS");

View File

@ -152,16 +152,11 @@ public class WebSocketServerExample {
httpConnector = new ServerConnector(server); httpConnector = new ServerConnector(server);
httpConnector.setPort(50010); httpConnector.setPort(50010);
final SslContextFactory sslContextFactory = new SslContextFactory(); final SslContextFactory sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks"); sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks");
sslContextFactory.setKeyStorePassword("passwordpassword"); sslContextFactory.setKeyStorePassword("passwordpassword");
sslContextFactory.setKeyStoreType("JKS"); sslContextFactory.setKeyStoreType("JKS");
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
sslContextFactory.setEndpointIdentificationAlgorithm(null);
final HttpConfiguration https = new HttpConfiguration(); final HttpConfiguration https = new HttpConfiguration();
https.addCustomizer(new SecureRequestCustomizer()); https.addCustomizer(new SecureRequestCustomizer());
sslConnector = new ServerConnector(server, sslConnector = new ServerConnector(server,

View File

@ -62,16 +62,11 @@ public class TlsCertificateAuthorityService {
private static Server createServer(Handler handler, int port, KeyStore keyStore, String keyPassword) throws Exception { private static Server createServer(Handler handler, int port, KeyStore keyStore, String keyPassword) throws Exception {
Server server = new Server(); Server server = new Server();
SslContextFactory sslContextFactory = new SslContextFactory(); SslContextFactory sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setIncludeProtocols(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); sslContextFactory.setIncludeProtocols(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion());
sslContextFactory.setKeyStore(keyStore); sslContextFactory.setKeyStore(keyStore);
sslContextFactory.setKeyManagerPassword(keyPassword); sslContextFactory.setKeyManagerPassword(keyPassword);
// Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
// not a client. Server does not need to perform hostname verification on the client.
// Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
sslContextFactory.setEndpointIdentificationAlgorithm(null);
HttpConfiguration httpsConfig = new HttpConfiguration(); HttpConfiguration httpsConfig = new HttpConfiguration();
httpsConfig.addCustomizer(new SecureRequestCustomizer()); httpsConfig.addCustomizer(new SecureRequestCustomizer());