[jetty-dev] SSL Renegotiation issue in Jetty HttpClient

I have a Jetty-based proxy servlet (extends
org.eclipse.jetty.proxy.ProxyServlet.Transparent) that is experiencing
intermittent failures with proxied requests to the upstream server due to
SSL handshaking failures in the proxy's HttpClient client.  I'm using Jetty
9.2.13.v20150730 running on Karaf 4.0.1 and Java 1.8.0_66 on a Linux
machine.

The upstream server is fronted by an F5 that is configured by iRule to
disallow client initiated SSL renegotiation.  Any attempt by a client to
renegotiate the SSL session results in the F5 shutting down the connection
by sending a RST packet.  So I configured the proxy's HttpClient to disallow
SSL renegotiation by invoking
`SslContextFactory.setRenegotiationAllowed(false);`.  But this just results
in requests failing internally within the HttpClient because of
"Renegotiation disallowed" error as seen in the Jetty logs.

I have observed two distinct failure modes.  In the first failure mode, the
SSL handshaking appears to complete normally (the log message "server-side
handshaking completed" is output by org.eclipse.jetty.io.ssl.SslConnection)
but then is followed immediately by the log message "renegotiation denied"
and the connection is closed before any application data is exchanged.  See
the  jetty1.log <http://jetty.4.x6.nabble.com/file/n4964879/jetty1.log>  
and  tcptrace1.txt
<http://jetty.4.x6.nabble.com/file/n4964879/tcptrace1.txt>  .

In the second failure mode, the SSL handshaking completes and application
data is actually exchanged before Jetty decides that renegotiation is
needed.  See jetty2.log <http://jetty.4.x6.nabble.com/file/n4964879/jetty2.log>
and tcptrace2.txt <http://jetty.4.x6.nabble.com/file/n4964879/tcptrace2.txt>.

Following is the code I'm using to initialize the HttpClient:

  import org.eclipse.jetty.client.HttpClient;
  import org.eclipse.jetty.proxy.ProxyServlet;
  import org.eclipse.jetty.util.HttpCookieStore;
  import org.eclipse.jetty.util.ssl.SslContextFactory;

  // Class name is a placeholder; EXCLUDED_CIPHER_SUITES and EXCLUDED_PROTOCOLS
  // are String[] constants defined elsewhere in this class.
  public class TransparentSslProxyServlet extends ProxyServlet.Transparent {

    @Override
    protected HttpClient newHttpClient() {
      SslContextFactory scf = new SslContextFactory();
      scf.setTrustAll(true);
      // Uncomment the line below to disable Diffie-Hellman cipher suites so
      // that Wireshark can decrypt SSL traffic
      // (assuming the SSL Certificate private-key and password are provided)
      scf.addExcludeCipherSuites(EXCLUDED_CIPHER_SUITES);
      // Exclude SSL so that we use only TLS
      scf.addExcludeProtocols(EXCLUDED_PROTOCOLS);
      // F5 doesn't allow client initiated SSL renegotiation
      scf.setRenegotiationAllowed(false);
      HttpClient client = new HttpClient(scf);
      // Redirects must be proxied as is, not followed
      client.setFollowRedirects(false);
      // Must not store cookies, otherwise cookies of different clients will mix
      client.setCookieStore(new HttpCookieStore.Empty());
      client.setIdleTimeout(3 * 60 * 1000);   // 3 minutes

      return client;
    }
  }

Any suggestions on how to solve or work around this issue would be
appreciated.



--
View this message in context: http://jetty.4.x6.nabble.com/SSL-Renegotiation-issue-in-Jetty-HttpClient-tp4964879.html
Sent from the Jetty Dev mailing list archive at Nabble.com.