Bug#940170: buster-pu: package trapperkeeper-webserver-jetty9-clojure/1.7.0-2+deb10u1
Julien Cristau
jcristau at debian.org
Fri Sep 13 10:52:12 BST 2019
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu
A jetty9 update broke trapperkeeper-webserver-jetty9-clojure, and as a
result puppetdb, in buster (bug#924005). This is a minimal fix on the
trapperkeeper-webserver-jetty9-clojure side to work around the breakage.
This has been confirmed to work in sid/bullseye (1.7.0-3).
For the trapperkeeper-webserver-jetty9-clojure maintainers, I pushed the
change to:
https://salsa.debian.org/jcristau/trapperkeeper-webserver-jetty9-clojure/commits/debian/buster
Cheers,
Julien
diff --git a/debian/changelog b/debian/changelog
index 3bfef40..3d8b882 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1) buster; urgency=medium
+
+ [ Manfred Stock ]
+ * Add patch for SSL compatibility with newer Jetty (closes: #930562).
+
+ -- Julien Cristau <jcristau at debian.org> Fri, 13 Sep 2019 11:00:50 +0200
+
trapperkeeper-webserver-jetty9-clojure (1.7.0-2) unstable; urgency=medium
* Fix compatibility with Jetty 9.4
diff --git a/debian/patches/0005-maint-Disable-EndpointIdentification.patch b/debian/patches/0005-maint-Disable-EndpointIdentification.patch
new file mode 100644
index 0000000..39890d7
--- /dev/null
+++ b/debian/patches/0005-maint-Disable-EndpointIdentification.patch
@@ -0,0 +1,46 @@
+From 9db4170381e07165078e544340e12b38676c2613 Mon Sep 17 00:00:00 2001
+From: Justin Stoller <justin.stoller at gmail.com>
+Date: Fri, 24 May 2019 16:10:44 -0700
+Subject: [PATCH] (maint) Disable EndpointIdentification
+
+Previously, Jetty disabled Endpoint Identification by default as it is a best
+practice for most webservers who often cannot identify clients
+connecting to it. However, in 9.4.15 Jetty changed this default to
+"HTTPS", which is the best practice for _client_ SslContexts. This
+caused serious breakages throughout the Jetty ecosystem and since 9.4.16
+Jetty introduced static inner classes of SslContextFactory, named Server
+and Client, to create the correct contexts for each type of consumer.
+
+Unfortunately, because we subclass SslContextFactory with our own
+InternalSslContextFactory that overrides CRL handling, using these static
+inner class factories is problematic. Consequently, this patch takes the
+approach of simply setting the Endpoint Identification Algorithm to null
+as was previously the default (and necessary in most server
+environments).
+
+This will cause a warning of overriding a deprecated method during
+compilation in newer Java versions and our approach to handling CRLs
+will need to be reworked should we use this codebase as a basis for a
+trapperkeeper-webserver-jetty10 project.
+
+For more info see linked issues to the implementing PR here:
+https://github.com/eclipse/jetty.project/pull/3480/files#diff-58640db0f8f2cd84b7e653d1c1540913
+---
+ src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+index 3a577bb..02e7c7d 100644
+--- a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
++++ b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+@@ -197,6 +197,7 @@
+ (.setKeyStore (:keystore keystore-config))
+ (.setKeyStorePassword (:key-password keystore-config))
+ (.setTrustStore (:truststore keystore-config))
++ (.setEndpointIdentificationAlgorithm nil)
+ ;; Need to clear out the default cipher suite exclude list so
+ ;; that Jetty doesn't potentially remove one or more ciphers
+ ;; that we want to be included.
+--
+2.20.1
+
diff --git a/debian/patches/series b/debian/patches/series
index cfdab48..1d6304e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ jetty-9.4-compat
0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch
0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch
0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch
+0005-maint-Disable-EndpointIdentification.patch
More information about the pkg-java-maintainers
mailing list