
SslContextFactory needs to be changed to SslContextFactory.Server in jetty.xml



    • Horizon 2020 - August 5, Horizon 2020 - August 19
    • Backlog CM


      Going with Major priority since this problem, while totally surprising and startup-killing, affects relatively few users and exists entirely in configuration that is shipped disabled.

      Thinking I was at the end of a rough upgrade, I hit this lovely speed bump in the logs:

      2020-08-11 17:26:36,593 WARN  [Main] o.e.j.u.c.AbstractLifeCycle: FAILED ServerConnector@711e4cd3{SSL, (ssl, http/1.1)}{}: java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)

      The OPENNMS_HOME/etc/examples/jetty.xml that we ship includes a commented-out section that's meant to be a turnkey way to enable HTTPS:

        <!-- Add HTTPS support -->
        <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
          <Arg><Ref refid="httpConfig"/></Arg>
          <Call name="addCustomizer">
            <Arg>
              <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
                <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
                <Arg name="stsMaxAgeSeconds" type="int"><Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
                <Arg name="stsIncludeSubdomains" type="boolean"><Property name="jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
              </New>
            </Arg>
          </Call>
        </New>
        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
          <Set name="KeyStorePath"><SystemProperty name="org.opennms.netmgt.jetty.https-keystore" /></Set>
          <Set name="KeyStorePassword"><SystemProperty name="org.opennms.netmgt.jetty.https-keystorepassword" default="changeit" /></Set>

      It turns out that the Jetty maintainers deprecated the direct use of SslContextFactory in favor of SslContextFactory.Server (or SslContextFactory.Client, but that's not appropriate in our use case), and then pulled the rug in a point release earlier this year. We recently upgraded our Jetty to an impacted version in all supported Meridian trains.

      To fix it we just need to change one line of the above section, from:

        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

      to:

        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">

      The fix is trivially easy, but not at all obvious. We should put a prominent notice about this in the release notes for all upcoming releases. In theory we could also do an upgrader task, but that might not be the best solution.
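An added pre-upgrade check, not part of this issue or of OpenNMS, that scans a jetty.xml for the exact deprecated class named in the log line above, tells the shipped, commented-out HTTPS block apart from one an operator has activated (only the latter breaks startup), and rewrites the class to SslContextFactory$Server without disturbing the rest of the file. The sample jetty.xml is constructed for the demonstration.

```python
# Pre-upgrade check for an OpenNMS jetty.xml: find <New> elements that still use
# the bare Jetty base class (rejected at startup by newer Jetty) and fix them.
import re

BASE_CLASS = "org.eclipse.jetty.util.ssl.SslContextFactory"
SERVER_CLASS = BASE_CLASS + "$Server"

# The closing quote anchors the match to the bare base class, so elements that
# already use SslContextFactory$Server or SslContextFactory$Client never match.
DEPRECATED_RE = re.compile(r'class="' + re.escape(BASE_CLASS) + r'"')

# Constructed sample: the shipped, commented-out HTTPS block, a copy an operator
# has uncommented, and an unrelated client factory that must be left alone.
SAMPLE_JETTY_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <!-- Add HTTPS support
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  </New>
  -->
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath"><SystemProperty name="org.opennms.netmgt.jetty.https-keystore" /></Set>
  </New>
  <New id="clientFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Client"/>
</Configure>
"""

def find_deprecated_factories(text):
    """Return [(line_number, active)] per bare-base-class usage; active is False
    when the element is inside an XML comment, which Jetty never instantiates."""
    comment_spans = [m.span() for m in re.finditer(r"<!--.*?-->", text, re.DOTALL)]
    hits = []
    for m in DEPRECATED_RE.finditer(text):
        in_comment = any(start <= m.start() < end for start, end in comment_spans)
        line = text.count("\n", 0, m.start()) + 1
        hits.append((line, not in_comment))
    return hits

def fix_deprecated_factories(text):
    """Rewrite the base class to SslContextFactory$Server, inside comments too, so
    uncommenting the HTTPS block later works. Text substitution keeps the DOCTYPE,
    comments and layout intact, which a DOM round-trip would not."""
    return DEPRECATED_RE.sub('class="' + SERVER_CLASS + '"', text)

if __name__ == "__main__":
    for line, active in find_deprecated_factories(SAMPLE_JETTY_XML):
        state = "ACTIVE (startup will fail)" if active else "commented out"
        print(f"line {line}: {BASE_CLASS} -> {state}")
    print(fix_deprecated_factories(SAMPLE_JETTY_XML))
```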




            indigo Ronny Trommer
            jeffg Jeff Gehlbach