Bug#930562: libtrapperkeeper-webserver-jetty9-clojure: Incompatibility with jetty9 (9.4.15) in Buster with PuppetDB/SSL

Manfred Stock m-debian at nfred.ch
Sat Jun 15 15:05:33 BST 2019


Package: libtrapperkeeper-webserver-jetty9-clojure
Version: 1.7.0-2
Severity: normal
Tags: patch

Dear Maintainer,

I recently noticed that access to PuppetDB via SSL is not working anymore. It
seems that this has already been reported as a bug against jetty9 [1], since an
update of Jetty seems to be the cause for this breakage. While looking into
this issue, I noticed that running the trapperkeeper-webserver-jetty9 tests
against the same version of Jetty that is currently in Buster already fails
(not only in the SSL-related tests, but also some others, which are probably
not relevant for the issue at hand). Interestingly, a pull request [2] was
merged last night which upgrades the Jetty dependency to a newer version. It
seems that applying the commit 9db41703 [3] from this PR to the Debian package
of libtrapperkeeper-webserver-jetty9-clojure makes PuppetDB accessible again.

The attached patch adds the relevant patch to debian/patches, and a package
built from this seemed to make PuppetDB work again on my system.

Kind regards
Manfred

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005
[2] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/pull/201
[3] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8), LANGUAGE=de_CH:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages libtrapperkeeper-webserver-jetty9-clojure depends on:
ii  libclojure-java              1.10.0-1
ii  libjanino-java               2.7.0-2
ii  libjava-jmx-clojure          0.3.4-1
ii  libjetty9-extra-java         9.4.15-1
ii  libjetty9-java               9.4.15-1
ii  libkitchensink-clojure       2.3.0-2
ii  libprismatic-schema-clojure  1.1.6-1
ii  libpuppetlabs-i18n-clojure   0.8.0-1
ii  libring-codec-clojure        1.0.1-1
ii  libring-servlet-clojure      1.6.2-2
ii  libservlet-api-java          4.0.1-2
ii  libssl-utils-clojure         0.8.3-2
ii  libtools-logging-clojure     0.2.3-6
ii  libtrapperkeeper-clojure     1.5.2-2

libtrapperkeeper-webserver-jetty9-clojure recommends no packages.

libtrapperkeeper-webserver-jetty9-clojure suggests no packages.

-- no debconf information
-------------- next part --------------
From b938d1bb2e2c2d88ba07e06f991919ef128f0e87 Mon Sep 17 00:00:00 2001
From: Manfred Stock <m-debian at nfred.ch>
Date: Sat, 15 Jun 2019 13:34:24 +0000
Subject: [PATCH] Add patch for SSL compatibility with newer Jetty

The upstream commit 9db41703 [1] seems to fix an issue with the jetty9 version
that is currently in Debian testing which seems to be the cause for Debian bug

[1] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005
---
 ...maint-Disable-EndpointIdentification.patch | 46 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 debian/patches/0001-maint-Disable-EndpointIdentification.patch

diff --git a/debian/patches/0001-maint-Disable-EndpointIdentification.patch b/debian/patches/0001-maint-Disable-EndpointIdentification.patch
new file mode 100644
index 0000000..39890d7
--- /dev/null
+++ b/debian/patches/0001-maint-Disable-EndpointIdentification.patch
@@ -0,0 +1,46 @@
+From 9db4170381e07165078e544340e12b38676c2613 Mon Sep 17 00:00:00 2001
+From: Justin Stoller <justin.stoller at gmail.com>
+Date: Fri, 24 May 2019 16:10:44 -0700
+Subject: [PATCH] (maint) Disable EndpointIdentification
+
+Previously, Jetty disabled Endpoint Identification by default as it is a best
+practice for most webservers who often cannot identify clients
+connecting to it. However, in 9.4.15 Jetty changed this default to
+"HTTPS", which is the best practice for _client_ SslContexts. This
+caused serious breakages throughout the Jetty ecosystem and since 9.4.16
+Jetty introduced static inner classes of SslContextFactory, named Server
+and Client, to create the correct contexts for each type of consumer.
+
+Unfortunately, because we subclass SslContextFactory with our own
+InternalSslContextFactory that overrides CRL handling, using these static
+inner class factories is problematic. Consequently, this patch takes the
+approach of simply setting the Endpoint Identification Algorithm to null
+as was previously the default (and necessary in most server
+environments).
+
+This will cause a warning of overriding a deprecated method during
+compilation in newer Java versions and our approach to handling CRLs
+will need to be reworked should we use this codebase as a basis for a
+trapperkeeper-webserver-jetty10 project.
+
+For more info see linked issues to the implementing PR here:
+https://github.com/eclipse/jetty.project/pull/3480/files#diff-58640db0f8f2cd84b7e653d1c1540913
+---
+ src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+index 3a577bb..02e7c7d 100644
+--- a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
++++ b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+@@ -197,6 +197,7 @@
+                   (.setKeyStore (:keystore keystore-config))
+                   (.setKeyStorePassword (:key-password keystore-config))
+                   (.setTrustStore (:truststore keystore-config))
++                  (.setEndpointIdentificationAlgorithm nil)
+                   ;; Need to clear out the default cipher suite exclude list so
+                   ;; that Jetty doesn't potentially remove one or more ciphers
+                   ;; that we want to be included.
+-- 
+2.20.1
+
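Review bot: the backported patch should carry DEP-3 metadata so its origin is machine-readable; the git-style From/Date/Subject headers are accepted, but adding an "Origin: upstream, https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613" line and a "Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924005" line above the "---" separator lets tooling show when the patch can be dropped once upstream's newer Jetty dependency lands. On the one functional line, "(.setEndpointIdentificationAlgorithm nil)": this restores the pre-9.4.15 behaviour of not performing hostname verification in the SslContextFactory, which is correct for the accepting side (the surrounding setKeyStore/setTrustStore calls configure the server's own identity and the CA set used to validate client certificates, neither of which involves checking a peer hostname), but it is only safe as long as InternalSslContextFactory is used for the listener and is never reused to build an outbound client context, where nil would silently disable hostname checking. It would be worth confirming that before upload, or stating it in the patch header alongside the upstream rationale. The upstream message also says a deprecated-method override warning is expected on newer JDKs, so that build-log noise is not a regression to chase.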
diff --git a/debian/patches/series b/debian/patches/series
index cfdab48..8534cb9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ jetty-9.4-compat
 0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch
 0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch
 0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch
+0001-maint-Disable-EndpointIdentification.patch
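Review bot: the new entry reuses the "0001-" prefix already taken by 0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch three lines up, so two files in debian/patches now sort as number one while the others run 0003 and 0004; naming the file 0005-maint-Disable-EndpointIdentification.patch (and renaming the added file to match) keeps the numbering monotonic and makes the application order obvious from the listing. Appending it at the end of series is right, since it must apply on top of jetty-9.4-compat, which the hunk header shows at the head of the file.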
-- 
2.20.1


