Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'jetty-9.4.x' into jetty-10.0.x

This commit is contained in:
olivier lamy 2018-11-02 19:27:14 +10:00
parent 254dc88743 af7dba1249
commit b5d058d128
11 changed files with 150 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc
View File

@ -772,6 +772,12 @@ Both `setIncludeCipherSuites` and `setExcludeCipherSuites` can be fed by the exa
If you have a need to adjust the Includes or Excludes, then this is best done with a custom XML that configures the `SslContextFactory` to suit your needs.
____
[NOTE]
Jetty *does* allow users to enable weak/deprecated cipher suites (or even no cipher suites at all).
By default, if you have these suites enabled warning messages will appear in the server logs.
____
To do this, first create a new `${jetty.base}/etc/tweak-ssl.xml` file (this can be any name, just avoid prefixing it with "jetty-").
[source, xml, subs="{sub-order}"]
@ -820,7 +826,7 @@ ____
____
[TIP]
You can enable the `org.eclipse.jetty.util.ssl` named logger at DEBUG level to see what the list of selected Protocols and Cipher suites are at startup of Jetty.
You can enable the `org.eclipse.jetty.util.ssl` named logger at `DEBUG` level to see what the list of selected Protocols and Cipher suites are at startup of Jetty.
____
Additional Include / Exclude examples:

2
jetty-server/src/main/config/etc/jetty-ssl-context.xml
View File

@ -21,7 +21,7 @@
<Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword"/></Set>
<Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType"/></Set>
<Set name="TrustStoreProvider"><Property name="jetty.sslContext.trustStoreProvider"/></Set>
<Set name="EndpointIdentificationAlgorithm"></Set>
\ <Set name="EndpointIdentificationAlgorithm"></Set>
<Set name="NeedClientAuth"><Property name="jetty.sslContext.needClientAuth" default="false"/></Set>
<Set name="WantClientAuth"><Property name="jetty.sslContext.wantClientAuth" default="false"/></Set>
<Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>

2
jetty-server/src/main/config/modules/https.mod
View File

@ -1,4 +1,4 @@
DO NOT EDIT - See: https://www.eclipse.org/jetty/documentation/current/startup-modules.html
# DO NOT EDIT - See: https://www.eclipse.org/jetty/documentation/current/startup-modules.html
[description]
Adds HTTPS protocol support to the TLS(SSL) Connector

4
jetty-server/src/main/config/modules/ssl.mod
View File

@ -56,6 +56,10 @@ etc/jetty-ssl-context.xml
## Note that OBF passwords are not secure, just protected from casual observation
## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
## The Endpoint Identification Algorithm
## Same as javax.net.ssl.SSLParameters#setEndpointIdentificationAlgorithm(String)
#jetty.sslContext.endpointIdentificationAlgorithm=HTTPS
## SSL JSSE Provider
# jetty.sslContext.provider=

85
jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SniSslConnectionFactoryTest.java
View File

@ -31,6 +31,7 @@ import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
@ -40,7 +41,9 @@ import java.util.concurrent.LinkedBlockingQueue;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.servlet.http.HttpServletRequest;
@ -48,6 +51,8 @@ import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.io.Connection;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.io.ssl.SslConnection;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
@ -75,11 +80,6 @@ public class SniSslConnectionFactoryTest
@BeforeEach
public void before() throws Exception
{
String keystorePath = "src/test/resources/snikeystore";
File keystoreFile = new File(keystorePath);
if (!keystoreFile.exists())
throw new FileNotFoundException(keystoreFile.getAbsolutePath());
_server = new Server();
HttpConfiguration http_config = new HttpConfiguration();
@ -87,7 +87,36 @@ public class SniSslConnectionFactoryTest
http_config.setSecurePort(8443);
http_config.setOutputBufferSize(32768);
_https_config = new HttpConfiguration(http_config);
_https_config.addCustomizer(new SecureRequestCustomizer());
SecureRequestCustomizer src = new SecureRequestCustomizer();
src.setSniHostCheck(true);
_https_config.addCustomizer(src);
_https_config.addCustomizer((connector,httpConfig,request)->
{
EndPoint endp = request.getHttpChannel().getEndPoint();
if (endp instanceof SslConnection.DecryptedEndPoint)
{
try
{
SslConnection.DecryptedEndPoint ssl_endp = (SslConnection.DecryptedEndPoint)endp;
SslConnection sslConnection = ssl_endp.getSslConnection();
SSLEngine sslEngine = sslConnection.getSSLEngine();
SSLSession session = sslEngine.getSession();
for (Certificate c : session.getLocalCertificates())
request.getResponse().getHttpFields().add("X-Cert",((X509Certificate)c).getSubjectDN().toString());
}
catch(Throwable th)
{
th.printStackTrace();
}
}
});
}
protected void start(String keystorePath) throws Exception
{
File keystoreFile = new File(keystorePath);
if (!keystoreFile.exists())
throw new FileNotFoundException(keystoreFile.getAbsolutePath());
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath(keystoreFile.getAbsolutePath());
@ -95,8 +124,8 @@ public class SniSslConnectionFactoryTest
sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
ServerConnector https = _connector = new ServerConnector(_server,
new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
new HttpConnectionFactory(_https_config));
new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
new HttpConnectionFactory(_https_config));
_server.addConnector(https);
_server.setHandler(new AbstractHandler.ErrorDispatchHandler()
@ -125,6 +154,7 @@ public class SniSslConnectionFactoryTest
@Test
public void testConnect() throws Exception
{
start("src/test/resources/keystore_sni.p12");
String response = getResponse("127.0.0.1", null);
assertThat(response, Matchers.containsString("X-HOST: 127.0.0.1"));
}
@ -132,31 +162,22 @@ public class SniSslConnectionFactoryTest
@Test
public void testSNIConnectNoWild() throws Exception
{
// Use the alternate keystore without wildcard certificates.
_server.stop();
_server.removeConnector(_connector);
start("src/test/resources/keystore_sni_nowild.p12");
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("src/test/resources/snikeystore_nowild");
sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
String response = getResponse("www.acme.org", null);
assertThat(response, Matchers.containsString("X-HOST: www.acme.org"));
assertThat(response, Matchers.containsString("X-Cert: OU=default"));
_connector = new ServerConnector(_server,
new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
new HttpConnectionFactory(_https_config));
_server.addConnector(_connector);
_server.start();
_port = _connector.getLocalPort();
// The first entry in the keystore is www.example.com, and it will
// be returned by default, so make sure that here we don't ask for it.
String response = getResponse("jetty.eclipse.org", "jetty.eclipse.org");
assertThat(response, Matchers.containsString("X-HOST: jetty.eclipse.org"));
response = getResponse("www.example.com", null);
assertThat(response, Matchers.containsString("X-HOST: www.example.com"));
assertThat(response, Matchers.containsString("X-Cert: OU=example"));
}
@Test
public void testSNIConnect() throws Exception
{
start("src/test/resources/keystore_sni.p12");
String response = getResponse("jetty.eclipse.org", "jetty.eclipse.org");
assertThat(response, Matchers.containsString("X-HOST: jetty.eclipse.org"));
@ -176,6 +197,8 @@ public class SniSslConnectionFactoryTest
@Test
public void testWildSNIConnect() throws Exception
{
start("src/test/resources/keystore_sni.p12");
String response = getResponse("domain.com", "www.domain.com", "*.domain.com");
assertThat(response, Matchers.containsString("X-HOST: www.domain.com"));
@ -189,6 +212,8 @@ public class SniSslConnectionFactoryTest
@Test
public void testBadSNIConnect() throws Exception
{
start("src/test/resources/keystore_sni.p12");
String response = getResponse("www.example.com", "some.other.com", "www.example.com");
assertThat(response, Matchers.containsString("HTTP/1.1 400 "));
assertThat(response, Matchers.containsString("Host does not match SNI"));
@ -197,6 +222,8 @@ public class SniSslConnectionFactoryTest
@Test
public void testSameConnectionRequestsForManyDomains() throws Exception
{
start("src/test/resources/keystore_sni.p12");
SslContextFactory clientContextFactory = new SslContextFactory(true);
clientContextFactory.start();
SSLSocketFactory factory = clientContextFactory.getSslContext().getSocketFactory();
@ -253,6 +280,8 @@ public class SniSslConnectionFactoryTest
@Test
public void testSameConnectionRequestsForManyWildDomains() throws Exception
{
start("src/test/resources/keystore_sni.p12");
SslContextFactory clientContextFactory = new SslContextFactory(true);
clientContextFactory.start();
SSLSocketFactory factory = clientContextFactory.getSslContext().getSocketFactory();
@ -336,7 +365,7 @@ public class SniSslConnectionFactoryTest
SSLSocketFactory factory = clientContextFactory.getSslContext().getSocketFactory();
try (SSLSocket sslSocket = (SSLSocket)factory.createSocket("127.0.0.1", _port))
{
if (cn != null)
if (sniHost != null)
{
SNIHostName serverName = new SNIHostName(sniHost);
List<SNIServerName> serverNames = new ArrayList<>();
@ -367,6 +396,8 @@ public class SniSslConnectionFactoryTest
@Test
public void testSocketCustomization() throws Exception
{
start("src/test/resources/keystore_sni.p12");
final Queue<String> history = new LinkedBlockingQueue<>();
_connector.addBean(new SocketCustomizationListener()

0
jetty-server/src/test/resources/snikeystore → jetty-server/src/test/resources/keystore_sni.p12
View File

BIN
jetty-server/src/test/resources/keystore_sni_nowild.p12 Normal file
View File

Binary file not shown.

BIN
jetty-server/src/test/resources/snikeystore_nowild
View File

Binary file not shown.

74
jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
View File

@ -113,6 +113,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
}};
private static final Logger LOG = Log.getLogger(SslContextFactory.class);
private static final Logger LOG_CONFIG = LOG.getLogger("config");
public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
(Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
@ -128,6 +129,24 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** String name of keystore password property. */
public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
/** Default Excluded Protocols List */
private static final String[] DEFAULT_EXCLUDED_PROTOCOLS = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"};
/** Default Excluded Cipher Suite List */
private static final String[] DEFAULT_EXCLUDED_CIPHER_SUITES = {
// Exclude weak / insecure ciphers
"^.*_(MD5|SHA|SHA1)$",
// Exclude ciphers that don't support forward secrecy
"^TLS_RSA_.*$",
// The following exclusions are present to cleanup known bad cipher
// suites that may be accidentally included via include patterns.
// The default enabled cipher list in Java will not include these
// (but they are available in the supported list).
"^SSL_.*$",
"^.*_NULL_.*$",
"^.*_anon_.*$"
};
private final Set<String> _excludeProtocols = new LinkedHashSet<>();
private final Set<String> _includeProtocols = new LinkedHashSet<>();
private final Set<String> _excludeCipherSuites = new LinkedHashSet<>();
@ -210,19 +229,8 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
private SslContextFactory(boolean trustAll, String keyStorePath)
{
setTrustAll(trustAll);
addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
// Exclude weak / insecure ciphers
setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
// Exclude ciphers that don't support forward secrecy
addExcludeCipherSuites("^TLS_RSA_.*$");
// The following exclusions are present to cleanup known bad cipher
// suites that may be accidentally included via include patterns.
// The default enabled cipher list in Java will not include these
// (but they are available in the supported list).
addExcludeCipherSuites("^SSL_.*$");
addExcludeCipherSuites("^.*_NULL_.*$");
addExcludeCipherSuites("^.*_anon_.*$");
setExcludeProtocols(DEFAULT_EXCLUDED_PROTOCOLS);
setExcludeCipherSuites(DEFAULT_EXCLUDED_CIPHER_SUITES);
if (keyStorePath != null)
setKeyStorePath(keyStorePath);
@ -239,6 +247,38 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
{
load();
}
secureConfigurationCheck();
}
protected void secureConfigurationCheck()
{
if (isTrustAll())
LOG_CONFIG.warn("Trusting all certificates configured for {}",this);
if (getEndpointIdentificationAlgorithm()==null)
LOG_CONFIG.warn("No Client EndPointIdentificationAlgorithm configured for {}",this);
SSLEngine engine = _factory._context.createSSLEngine();
customize(engine);
SSLParameters supported = engine.getSSLParameters();
for (String protocol : supported.getProtocols())
{
for (String excluded : DEFAULT_EXCLUDED_PROTOCOLS)
{
if (excluded.equals(protocol))
LOG_CONFIG.warn("Protocol {} not excluded for {}", protocol, this);
}
}
for (String suite : supported.getCipherSuites())
{
for (String excludedSuiteRegex : DEFAULT_EXCLUDED_CIPHER_SUITES)
{
if (suite.matches(excludedSuiteRegex))
LOG_CONFIG.warn("Weak cipher suite {} enabled for {}", suite, this);
}
}
}
private void load() throws Exception
@ -1033,8 +1073,9 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
}
/**
* When set to "HTTPS" hostname verification will be enabled
*
* When set to "HTTPS" hostname verification will be enabled.
* Deployments can be vulnerable to a man-in-the-middle attack if a EndpointIndentificationAlgorithm
* is not set.
* @param endpointIdentificationAlgorithm Set the endpointIdentificationAlgorithm
*/
public void setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)
@ -1123,7 +1164,8 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
}
}
if (!_certWilds.isEmpty() || _certHosts.size()>1)
// Is SNI needed to select a certificate?
if (!_certWilds.isEmpty() || _certHosts.size()>1 || _certHosts.size()==1 && _aliasX509.size()>1)
{
for (int idx = 0; idx < managers.length; idx++)
{

37
jetty-util/src/main/java/org/eclipse/jetty/util/ssl/X509.java
View File

@ -20,9 +20,9 @@ package org.eclipse.jetty.util.ssl;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
@ -62,16 +62,15 @@ public class X509
private final X509Certificate _x509;
private final String _alias;
private final List<String> _hosts=new ArrayList<>();
private final List<String> _wilds=new ArrayList<>();
private final Set<String> _hosts=new LinkedHashSet<>();
private final Set<String> _wilds=new LinkedHashSet<>();
public X509(String alias,X509Certificate x509) throws CertificateParsingException, InvalidNameException
{
_alias=alias;
_alias = alias;
_x509 = x509;
// Look for alternative name extensions
boolean named=false;
Collection<List<?>> altNames = x509.getSubjectAlternativeNames();
if (altNames!=null)
{
@ -83,28 +82,22 @@ public class X509
if (LOG.isDebugEnabled())
LOG.debug("Certificate SAN alias={} CN={} in {}",alias,cn,this);
if (cn!=null)
{
named=true;
addName(cn);
}
}
}
}
// If no names found, look up the CN from the subject
if (!named)
LdapName name=new LdapName(x509.getSubjectX500Principal().getName(X500Principal.RFC2253));
for (Rdn rdn : name.getRdns())
{
LdapName name=new LdapName(x509.getSubjectX500Principal().getName(X500Principal.RFC2253));
for (Rdn rdn : name.getRdns())
if (rdn.getType().equalsIgnoreCase("CN"))
{
if (rdn.getType().equalsIgnoreCase("CN"))
{
String cn = rdn.getValue().toString();
if (LOG.isDebugEnabled())
LOG.debug("Certificate CN alias={} CN={} in {}",alias,cn,this);
if (cn!=null && cn.contains(".") && !cn.contains(" "))
addName(cn);
}
String cn = rdn.getValue().toString();
if (LOG.isDebugEnabled())
LOG.debug("Certificate CN alias={} CN={} in {}",alias,cn,this);
if (cn!=null && cn.contains(".") && !cn.contains(" "))
addName(cn);
}
}
}
@ -130,12 +123,12 @@ public class X509
public Set<String> getHosts()
{
return new HashSet<>(_hosts);
return Collections.unmodifiableSet(_hosts);
}
public Set<String> getWilds()
{
return new HashSet<>(_wilds);
return Collections.unmodifiableSet(_wilds);
}
public boolean matches(String host)

9
pom.xml
View File

@ -27,6 +27,9 @@
</pluginRepositories>
<properties>
<compiler.source>11</compiler.source>
<compiler.target>11</compiler.target>
<compiler.release>11</compiler.release>
<jetty.url>http://www.eclipse.org/jetty</jetty.url>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<build-support.version>1.4</build-support.version>
@ -429,9 +432,9 @@
<artifactId>maven-compiler-plugin</artifactId>
<version>${maven.compiler.plugin.version}</version>
<configuration>
<source>11</source>
<target>11</target>
<release>11</release>
<source>${compiler.source}</source>
<target>${compiler.target}</target>
<release>${compiler.release}</release>
</configuration>
</plugin>
<plugin>