Merge branch 'jetty-9.4.x'

Jesse McConnell 2016-08-26 14:37:18 -05:00
commit d100ed16a4
3 changed files with 40 additions and 43 deletions


@ -72,6 +72,7 @@
<plugin>
<groupId>com.agilejava.docbkx</groupId>
<artifactId>docbkx-maven-plugin</artifactId>
<version>2.0.17</version>
<executions>
<execution>
<id>html</id>
@ -81,7 +82,7 @@
</goals>
<configuration>
<htmlStylesheet>css/docbook.css</htmlStylesheet>
<htmlCustomization>${basedir}/src/main/docbkx-stylesheet/html/docbook.xsl</htmlCustomization>
<htmlCustomization>${project.basedir}/src/main/docbkx-stylesheet/html/docbook.xsl</htmlCustomization>
<preProcess>
<!-- pull over the images from the source material -->
<copy todir="target/docbkx/html/index/images" flatten="true">


@ -24,29 +24,28 @@ This document provides an overview of how to configure SSL and TLS for Jetty.
Which browser/OS supports which protocols can be https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers[found on Wikipedia].
* TLS v1.1 and v1.2: The protocols which should be used wherever possible.
* TLS v1.2: The protocol which should be used wherever possible.
All CBC based ciphers are supported since Java 7, the new GCM modes are supported since Java 8.
===== Older Protocols
Both TLS v1.0 and SSL v3 are no longer supported by default. If your Jetty implementation requires these protocols for legacy support, they can be enabled manually.
TLS v1.0, v1.1 and SSL v3 are no longer supported by default. If your Jetty implementation requires these protocols for legacy support, they can be enabled manually.
____
[NOTE]
Once TLS v1.3 is released, there will be no workaround available for TLS v1.0.
Once TLS v1.3 is released, there will be no workaround available for TLS v1.0 or v1.1.
Plans for TLS v1.3 include banning ciphers with known vulnerabilities from being present at any level.
It is recommended to upgrade any clients using these ciphers as soon as possible or face being locked into a outdated version of Jetty, Java or even OS.
____
By default, Jetty exclused these ciphers in the link:{GITBROWSEURL}/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L253-L256[`SslContextFactory`.]
By default, Jetty excludes these ciphers in the link:{GITBROWSEURL}/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L249-L256[`SslContextFactory`.]
You can re-enable these by re-declaring the ciphers you want excluded in code:
[source, java, subs="{sub-order}"]
----
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setExcludeCipherSuites(
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
"^.*_(MD5|SHA|SHA1)$");
----
If, after making these changes, you still have issues using these ciphers they are likely being blocked at the JVM level.


@ -38,12 +38,12 @@ import org.eclipse.jetty.util.StringUtil;
* This customizer looks at at HTTP request for headers that indicate
* it has been forwarded by one or more proxies. Specifically handled are
* <ul>
* <li>Forwarded, as defined by <a href="https://tools.ietf.org/html/rfc7239">rfc7239</a>
* <li>X-Forwarded-Host</li>
* <li>X-Forwarded-Server</li>
* <li>X-Forwarded-For</li>
* <li>X-Forwarded-Proto</li>
* <li>X-Proxied-Https</li>
* <li>{@code Forwarded}, as defined by <a href="https://tools.ietf.org/html/rfc7239">rfc7239</a>
* <li>{@code X-Forwarded-Host}</li>
* <li>{@code X-Forwarded-Server}</li>
* <li>{@code X-Forwarded-For}</li>
* <li>{@code X-Forwarded-Proto}</li>
* <li>{@code X-Proxied-Https}</li>
* </ul>
* <p>If these headers are present, then the {@link Request} object is updated
* so that the proxy is not seen as the other end point of the connection on which
@ -68,7 +68,7 @@ public class ForwardedRequestCustomizer implements Customizer
/**
* @return true if the proxy address obtained via
* X-Forwarded-Server or RFC7239 "by" is used as
* {@code X-Forwarded-Server} or RFC7239 "by" is used as
* the request authority. Default false
*/
public boolean getProxyAsAuthority()
@ -78,7 +78,7 @@ public class ForwardedRequestCustomizer implements Customizer
/**
* @param proxyAsAuthority if true, use the proxy address obtained via
* X-Forwarded-Server or RFC7239 "by" as the request authority.
* {@code X-Forwarded-Server} or RFC7239 "by" as the request authority.
*/
public void setProxyAsAuthority(boolean proxyAsAuthority)
{
@ -87,7 +87,7 @@ public class ForwardedRequestCustomizer implements Customizer
/**
* Configure to only support the RFC7239 Forwarded header and to
* not support any X-Forwarded- headers. This convenience method
* not support any {@code X-Forwarded-} headers. This convenience method
* clears all the non RFC headers if passed true and sets them to
* the default values (if not already set) if passed false.
*/
@ -159,7 +159,7 @@ public class ForwardedRequestCustomizer implements Customizer
/**
* @param forwardedHostHeader
* The header name for forwarded hosts (default x-forwarded-host)
* The header name for forwarded hosts (default {@code X-Forwarded-Host})
*/
public void setForwardedHostHeader(String forwardedHostHeader)
{
@ -176,7 +176,7 @@ public class ForwardedRequestCustomizer implements Customizer
/**
* @param forwardedServerHeader
* The header name for forwarded server (default x-forwarded-server)
* The header name for forwarded server (default {@code X-Forwarded-Server})
*/
public void setForwardedServerHeader(String forwardedServerHeader)
{
@ -193,7 +193,7 @@ public class ForwardedRequestCustomizer implements Customizer
/**
* @param forwardedRemoteAddressHeader
* The header name for forwarded for (default x-forwarded-for)
* The header name for forwarded for (default {@code X-Forwarded-For})
*/
public void setForwardedForHeader(String forwardedRemoteAddressHeader)
{
@ -203,7 +203,7 @@ public class ForwardedRequestCustomizer implements Customizer
/**
* Get the forwardedProtoHeader.
*
* @return the forwardedProtoHeader (default X-Forwarded-For)
* @return the forwardedProtoHeader (default {@code X-Forwarded-Proto})
*/
public String getForwardedProtoHeader()
{
@ -214,7 +214,7 @@ public class ForwardedRequestCustomizer implements Customizer
* Set the forwardedProtoHeader.
*
* @param forwardedProtoHeader
* the forwardedProtoHeader to set (default X-Forwarded-For)
* the forwardedProtoHeader to set (default {@code X-Forwarded-Proto})
*/
public void setForwardedProtoHeader(String forwardedProtoHeader)
{
@ -222,7 +222,7 @@ public class ForwardedRequestCustomizer implements Customizer
}
/**
* @return The header name holding a forwarded cipher suite (default Proxy-auth-cert)
* @return The header name holding a forwarded cipher suite (default {@code Proxy-auth-cert})
*/
public String getForwardedCipherSuiteHeader()
{
@ -231,7 +231,7 @@ public class ForwardedRequestCustomizer implements Customizer
/**
* @param forwardedCipherSuite
* The header name holding a forwarded cipher suite (default Proxy-auth-cert)
* The header name holding a forwarded cipher suite (default {@code Proxy-auth-cert})
*/
public void setForwardedCipherSuiteHeader(String forwardedCipherSuite)
{
@ -239,7 +239,7 @@ public class ForwardedRequestCustomizer implements Customizer
}
/**
* @return The header name holding a forwarded SSL Session ID (default Proxy-ssl-id)
* @return The header name holding a forwarded SSL Session ID (default {@code Proxy-ssl-id})
*/
public String getForwardedSslSessionIdHeader()
{
@ -248,7 +248,7 @@ public class ForwardedRequestCustomizer implements Customizer
/**
* @param forwardedSslSessionId
* The header name holding a forwarded SSL Session ID (default Proxy-ssl-id)
* The header name holding a forwarded SSL Session ID (default {@code Proxy-ssl-id})
*/
public void setForwardedSslSessionIdHeader(String forwardedSslSessionId)
{
@ -256,7 +256,7 @@ public class ForwardedRequestCustomizer implements Customizer
}
/**
* @return The header name holding a forwarded Https (on|off true|false) value
* @return The header name holding a forwarded Https status indicator (on|off true|false) (default {@code X-Proxied-Https})
*/
public String getForwardedHttpsHeader()
{
@ -264,7 +264,7 @@ public class ForwardedRequestCustomizer implements Customizer
}
/**
* @param forwardedHttpsHeader
* @param forwardedHttpsHeader the header name holding a forwarded Https status indicator(default {@code X-Proxied-Https})
*/
public void setForwardedHttpsHeader(String forwardedHttpsHeader)
{
@ -294,7 +294,7 @@ public class ForwardedRequestCustomizer implements Customizer
{
HttpFields httpFields = request.getHttpFields();
RFC7239 rfc7230 = null;
RFC7239 rfc7239 = null;
String forwardedHost = null;
String forwardedServer = null;
String forwardedFor = null;
@ -343,9 +343,9 @@ public class ForwardedRequestCustomizer implements Customizer
if (_forwardedHeader!=null && _forwardedHeader.equalsIgnoreCase(name))
{
if (rfc7230==null)
rfc7230= new RFC7239();
rfc7230.addValue(field.getValue());
if (rfc7239==null)
rfc7239= new RFC7239();
rfc7239.addValue(field.getValue());
}
}
@ -356,9 +356,9 @@ public class ForwardedRequestCustomizer implements Customizer
httpFields.put(_forcedHost);
request.setAuthority(_forcedHost.getHost(),_forcedHost.getPort());
}
else if (rfc7230!=null && rfc7230._host!=null)
else if (rfc7239!=null && rfc7239._host!=null)
{
HostPortHttpField auth = rfc7230._host;
HostPortHttpField auth = rfc7239._host;
httpFields.put(auth);
request.setAuthority(auth.getHost(),auth.getPort());
}
@ -370,9 +370,9 @@ public class ForwardedRequestCustomizer implements Customizer
}
else if (_proxyAsAuthority)
{
if (rfc7230!=null && rfc7230._by!=null)
if (rfc7239!=null && rfc7239._by!=null)
{
HostPortHttpField auth = rfc7230._by;
HostPortHttpField auth = rfc7239._by;
httpFields.put(auth);
request.setAuthority(auth.getHost(),auth.getPort());
}
@ -383,9 +383,9 @@ public class ForwardedRequestCustomizer implements Customizer
}
// handle remote end identifier
if (rfc7230!=null && rfc7230._for!=null)
if (rfc7239!=null && rfc7239._for!=null)
{
request.setRemoteAddr(InetSocketAddress.createUnresolved(rfc7230._for.getHost(),rfc7230._for.getPort()));
request.setRemoteAddr(InetSocketAddress.createUnresolved(rfc7239._for.getHost(),rfc7239._for.getPort()));
}
else if (forwardedFor != null)
{
@ -393,10 +393,10 @@ public class ForwardedRequestCustomizer implements Customizer
}
// handle protocol identifier
if (rfc7230!=null && rfc7230._proto!=null)
if (rfc7239!=null && rfc7239._proto!=null)
{
request.setScheme(rfc7230._proto);
if (rfc7230._proto.equals(config.getSecureScheme()))
request.setScheme(rfc7239._proto);
if (rfc7239._proto.equals(config.getSecureScheme()))
request.setSecure(true);
}
else if (forwardedProto != null)
@ -455,9 +455,6 @@ public class ForwardedRequestCustomizer implements Customizer
_forcedHost = new HostPortHttpField(hostHeader);
}
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
private final class RFC7239 extends QuotedCSV
{
HostPortHttpField _by;
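Review bot: The reworked class Javadoc in the first hunk lists the headers this customizer honours but never says that they are applied as received: the later hunks overwrite the remote address from `rfc7239._for` / `forwardedFor` and call `request.setSecure(true)` whenever the forwarded `proto` matches the secure scheme, and no check that the immediate peer is a trusted proxy is visible anywhere in these hunks, so a client that can reach Jetty directly can spoof its source address and present a plain-HTTP request as secure. Since the commit is touching exactly this documentation, add the operational caveat to the class Javadoc: ` * <p>The forwarding headers are trusted as received; no proxy-trust check is made here. Enable this customizer only when Jetty is reachable solely through a proxy that strips or overwrites client-supplied {@code Forwarded} and {@code X-Forwarded-*} headers, otherwise a client can spoof its remote address and have its request marked secure.` The comparison `rfc7239._proto.equals(config.getSecureScheme())` is also case-sensitive, which seems inconsistent with scheme names being case-insensitive, but I cannot see how `_proto` is normalised in the RFC7239 parser, so that may already be handled. The enclosing customize method and the RFC7239 inner class both start and end outside the hunks shown.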