【Question title】: Jetty IncludeCipherSuites
【Posted】: 2019-02-18 07:41:52
【Question description】:

The problem I am facing is that after including CipherSuites in jetty-ssl.xml, my Jetty (9.4.7) will not start because of a configuration error.

I just get the following configuration error:

2018-09-13 16:10:02.896:WARN:oejx.XmlConfiguration:main: Config error at <Set name="IncludeCipherSuites">|/jetty-ssl.xml
2018-09-13 16:10:02.897:WARN:oejx.XmlConfiguration:main: Config error at <New class="org.eclipse.jetty.server.SslConnectionFactory"><Set name="IncludeCipherSuites">|            <Array l
2018-09-13 16:10:02.897:WARN:oejx.XmlConfiguration:main:
java.security.PrivilegedActionException: org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration$1: class org.eclipse.jetty.server.SslConnectionFactory.setIncludeCipherSuites(class [Ljava.lang.String;)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1507)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:221)
        at org.eclipse.jetty.start.Main.start(Main.java:506)
        at org.eclipse.jetty.start.Main.main(Main.java:78)
Caused by:
org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration$1: class org.eclipse.jetty.server.SslConnectionFactory.setIncludeCipherSuites(class [Ljava.lang.String;)

I am using the following xml to include the cipher suites:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "configure_9_3.dtd">

<!-- ============================================================= -->
<!-- Base SSL configuration                                        -->
<!-- This configuration needs to be used together with 1 or more   -->
<!-- of jetty-https.xml or jetty-http2.xml                         -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- =========================================================== -->
  <!-- Add a SSL Connector with no protocol factories              -->
  <!-- =========================================================== -->
  <Call  name="addConnector">
    <Arg>
      <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property name="jetty.ssl.acceptors" deprecated="ssl.acceptors" default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property name="jetty.ssl.selectors" deprecated="ssl.selectors" default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <!-- uncomment to support proxy protocol
            <Item>
              <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
            </Item>-->
          </Array>
        </Arg>

        <Set name="host"><Property name="jetty.ssl.host" deprecated="jetty.host" /></Set>
        <Set name="port"><Property name="jetty.ssl.port" deprecated="ssl.port" default="20743" /></Set>
        <Set name="idleTimeout"><Property name="jetty.ssl.idleTimeout" deprecated="ssl.timeout" default="30000"/></Set>
        <Set name="soLingerTime"><Property name="jetty.ssl.soLingerTime" deprecated="ssl.soLingerTime" default="-1"/></Set>
        <Set name="acceptorPriorityDelta"><Property name="jetty.ssl.acceptorPriorityDelta" deprecated="ssl.acceptorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property name="jetty.ssl.acceptQueueSize" deprecated="ssl.acceptQueueSize" default="0"/></Set>
        <Get name="SelectorManager">
          <Set name="connectTimeout"><Property name="jetty.ssl.connectTimeout" default="15000"/></Set>
          <Set name="reservedThreads"><Property name="jetty.ssl.reservedThreads" default="-2"/></Set>
        </Get>

        <New class="org.eclipse.jetty.server.SslConnectionFactory">
            <Set name="IncludeCipherSuites">
            <Array type="java.lang.String">
            <Item>ECDHE-ECDSA-CHACHA20-POLY1305</Item>
            <Item>ECDHE-RSA-CHACHA20-POLY1305</Item>
            <Item>ECDHE-ECDSA-AES128-GCM-SHA256</Item>
            <Item>ECDHE-RSA-AES128-GCM-SHA256</Item>
            <Item>ECDHE-ECDSA-AES256-GCM-SHA384</Item>
            <Item>ECDHE-RSA-AES256-GCM-SHA384</Item>
            <Item>DHE-RSA-AES128-GCM-SHA256</Item>
            <Item>DHE-RSA-AES256-GCM-SHA384</Item>
            <Item>ECDHE-ECDSA-AES128-SHA256</Item>
            <Item>ECDHE-RSA-AES128-SHA256</Item>
            <Item>ECDHE-ECDSA-AES128-SHA</Item>
            <Item>ECDHE-RSA-AES256-SHA384</Item>
            <Item>ECDHE-RSA-AES128-SHA</Item>
            <Item>ECDHE-ECDSA-AES256-SHA384</Item>
            <Item>ECDHE-ECDSA-AES256-SHA</Item>
            <Item>ECDHE-RSA-AES256-SHA</Item>
            <Item>DHE-RSA-AES128-SHA256</Item>
            <Item>DHE-RSA-AES128-SHA</Item>
            <Item>DHE-RSA-AES256-SHA256</Item>
            <Item>DHE-RSA-AES256-SHA</Item>
            <Item>ECDHE-ECDSA-DES-CBC3-SHA</Item>
            <Item>ECDHE-RSA-DES-CBC3-SHA</Item>
            <Item>EDH-RSA-DES-CBC3-SHA</Item>
            <Item>AES128-GCM-SHA256</Item>
            <Item>AES256-GCM-SHA384</Item>
            <Item>AES128-SHA256</Item>
            <Item>AES256-SHA256</Item>
            <Item>AES128-SHA</Item>
            <Item>AES256-SHA</Item>
            <Item>DES-CBC3-SHA</Item>
            </Array>
            </Set>
        </New>


      </New>
    </Arg>
  </Call>

  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
          <Arg name="stsMaxAgeSeconds" type="int"><Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
          <Arg name="stsIncludeSubdomains" type="boolean"><Property name="jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
        </New>
      </Arg>
    </Call>
  </New>

</Configure>

I have also tried different ways of setting these CipherSuites, but always end up with the same behaviour. Thanks in advance for your help.

【Question comments】:

  • What happens if you change org.eclipse.jetty.server.SslConnectionFactory to org.eclipse.jetty.server.SslSocketConnector?
  • In any case, I would add the IncludeCipherSuites Set outside of that class.
  • There are many problems with that cipher suite list. If you are using jetty-home/jetty-distribution, you should not be editing jetty-ssl.xml at all. Those cipher names (under those names) do not exist on Java either. Where did you get this list from? Are you using the RFC cipher suite names? What are you trying to accomplish? (The end goal, not the steps.)
  • Hi, the problem I currently have is that if I try to browse the Jetty site I only get the following error message: "SSL_ERROR_NO_CYPHER_OVERLAP".
  • Note: Jetty 9.4.7 is the subject of several CVEs; it would be wise to upgrade to Jetty 9.4.12 as soon as possible.

Tags: security encryption web jetty jetty-9


【Solution 1】:

The wrong class was used.

You have to use <New class="org.eclipse.jetty.util.ssl.SslContextFactory">

Problem solved. Thanks!

【Discussion】:
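As an added example (not part of the original question or answer), this is the shape the fix described in the answer takes in a jetty-ssl.xml-style file: the cipher list goes on org.eclipse.jetty.util.ssl.SslContextFactory, spelled with the JSSE names the comment above asks about rather than the OpenSSL names in the question, and SslConnectionFactory only receives that factory as its sslContextFactory argument. The keystore settings and the sslContextFactory/sslConnector ids are assumptions for a self-contained file; the http/1.1 HttpConnectionFactory is assumed to be added by jetty-https.xml as in the stock layout.

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "configure_9_3.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <!-- The cipher list belongs on SslContextFactory: SslConnectionFactory has no
       setIncludeCipherSuites, which is exactly the reflection error in the log. -->
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath"><Property name="jetty.sslContext.keyStorePath" default="etc/keystore"/></Set>
    <Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword"/></Set>
    <!-- JSSE names (TLS_..._WITH_...), not OpenSSL names such as ECDHE-RSA-AES128-GCM-SHA256:
         an include list that matches nothing the JVM knows offers no suite at all (NO_CYPHER_OVERLAP). -->
    <Set name="IncludeCipherSuites">
      <Array type="String">
        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
        <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
      </Array>
    </Set>
    <!-- Excludes are applied after includes and may be regexes; this keeps the 3DES and
         SHA-1 CBC suites from the question's list out even if someone re-adds them above. -->
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>^.*_3DES_.*$</Item>
        <Item>^.*_CBC_SHA$</Item>
      </Array>
    </Set>
  </New>
  <!-- The connector's SSL factory only references the context factory; the http/1.1
       factory it names as "next" is added by jetty-https.xml, as in the stock layout. -->
  <Call name="addConnector">
    <Arg>
      <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.SslConnectionFactory">
                <Arg name="next">http/1.1</Arg>
                <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="port"><Property name="jetty.ssl.port" default="20743"/></Set>
      </New>
    </Arg>
  </Call>
</Configure>
```

Before relying on the list, confirm each JSSE name against the JVM's own supported suites (for example, `SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()`), since a suite the runtime does not know is silently dropped rather than rejected at startup.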
