Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory")

[Markus Koschany]

Hello,

Am Samstag, dem 04.11.2023 um 17:03 +0000 schrieb Adam D. Barratt:
> Source: jetty9
> Version: 9.4.50-4+deb10u1
> Severity: serious
> X-Debbugs-Cc: dsa at debian.org
> 
> Hi,
> 
> Upgrading libjetty9-java and libjetty9-extra-java to the version from
> DLA 3641-1 reliably causes PuppetDB to fail to start, with the
> stacktrace shown below. Downgrading resolves the issue.
> 
> I'm not sure which keystore is being referred to, but none of the files
> listed in /etc/puppetdb/conf.d/jetty.ini appear to contain more than a
> single certificate.

thanks for the report. This looks like a bug in trapperkeeper-webserver-jetty9-
clojure to me. Upstream commit

https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/3ee6a410436c1a236ca33d511c5373c3328054ef

appears to address the problem. The version in Buster lacks the
InternalSslContextFactory class though. Instead the deprecated
SslContextFactory class is referenced in jetty9_config.clj and
jetty9_core.clj. 

My first idea is to change SslContextFactory occurrences to
SslContextFactory.Server.

Backporting the version of trapperkeeper-webserver-jetty9-clojure from Bullseye
to Buster is the second one. AFAICS puppetdb and puppetserver are the only
consumers.

Could you install the version of trapperkeeper-webserver-jetty9-clojure from
Bullseye and reinstall the jetty9 security update and report back if this
solves your problem?

Regards,

Markus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20231104/928d7f44/attachment.sig>