  1. OpenNMS
  2. NMS-12847

SslContextFactory needs to be changed to SslContextFactory.Server in jetty.xml


    Details

    • Sprint:
      Horizon 2020 - August 5, Horizon 2020 - August 19
    • HB Backlog Status:
      Backlog CM

      Description

      Going with Major priority since this problem, while totally surprising and startup-killing, affects relatively few users and exists entirely in configuration that is shipped disabled.

      Thinking I was at the end of a rough upgrade, I hit this lovely speed bump in the logs:

      2020-08-11 17:26:36,593 WARN  [Main] o.e.j.u.c.AbstractLifeCycle: FAILED ServerConnector@711e4cd3{SSL, (ssl, http/1.1)}{10.20.30.40:8443}: java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)

      The OPENNMS_HOME/etc/examples/jetty.xml that we ship includes a commented-out section that's meant to be a turnkey way to enable HTTPS:

        ...
        <!-- Add HTTPS support -->
        <!--
        <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
          <Arg><Ref refid="httpConfig"/></Arg>
          <Call name="addCustomizer">
            <Arg>
              <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
                <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
                <Arg name="stsMaxAgeSeconds" type="int"><Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
                <Arg name="stsIncludeSubdomains" type="boolean"><Property name="jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
              </New>
            </Arg>
          </Call>
        </New>

        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
          <Set name="KeyStorePath"><SystemProperty name="org.opennms.netmgt.jetty.https-keystore" /></Set>
          <Set name="KeyStorePassword"><SystemProperty name="org.opennms.netmgt.jetty.https-keystorepassword" default="changeit" /></Set>
        ...

      It turns out that the Jetty maintainers deprecated the direct use of SslContextFactory in favor of SslContextFactory.Server (or SslContextFactory.Client, but that's not appropriate in our use case), and then pulled the rug in a point release earlier this year. We recently upgraded our Jetty to an impacted version in all supported Meridian trains.

      To fix it we just need to change one line of the above section:

        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

      to:

        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">

      The fix is trivially easy, but not at all obvious. We should put a prominent notice about this in the release notes for all the next releases. In theory we could also do an upgrader task, but that might not be the best solution.
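      A small audit helper, added here as an example and not part of the OpenNMS project or this ticket, that scans a jetty.xml for `<New>` elements still bound to the base `org.eclipse.jetty.util.ssl.SslContextFactory` class and rewrites them to `SslContextFactory$Server`. It deliberately reports matches inside `<!-- -->` blocks too, since the shipped example keeps the HTTPS section commented out and that is what administrators copy from; the sample document is constructed, modelled on the excerpt above.

```python
import re
from typing import List, Tuple

# Exact match on the base class: the closing quote is part of the pattern, so
# SslContextFactory$Server and SslContextFactory$Client are not reported.
BASE_CLASS_RE = re.compile(
    r'class=(["\'])org\.eclipse\.jetty\.util\.ssl\.SslContextFactory\1'
)
SERVER_CLASS = "org.eclipse.jetty.util.ssl.SslContextFactory$Server"


def find_base_ssl_context_factory(jetty_xml: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for every use of the base class.

    Works on raw text rather than a parsed DOM so that commented-out sections,
    which an XML parser would skip, are still flagged.
    """
    hits = []
    for lineno, line in enumerate(jetty_xml.splitlines(), start=1):
        if BASE_CLASS_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits


def patch_to_server_factory(jetty_xml: str) -> str:
    """Rewrite every base-class reference to SslContextFactory$Server, keeping
    the original quote style and leaving all other text untouched."""
    return BASE_CLASS_RE.sub(
        lambda m: f"class={m.group(1)}{SERVER_CLASS}{m.group(1)}", jetty_xml
    )


# Constructed sample document (not the real shipped file), modelled on the
# commented-out HTTPS section of OPENNMS_HOME/etc/examples/jetty.xml.
SAMPLE_JETTY_XML = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <!-- Add HTTPS support -->
  <!--
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath"><SystemProperty name="org.opennms.netmgt.jetty.https-keystore" /></Set>
  </New>
  -->
  <New id="alreadyFixed" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server"/>
</Configure>
"""

if __name__ == "__main__":
    for lineno, line in find_base_ssl_context_factory(SAMPLE_JETTY_XML):
        print(f"line {lineno}: {line}")
    print(patch_to_server_factory(SAMPLE_JETTY_XML))
```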

      People

      Assignee: Ronny Trommer (indigo)
      Reporter: Jeff Gehlbach (jeffg)