Jetty 9.3 SSL Keystore Path and SOAP Backchannel Errors
Domingues, Michael D
michael-domingues at uiowa.edu
Wed Aug 19 14:37:11 EDT 2015
Thanks Scott. I've done a bit more testing, and Jetty is still exiting with the [files] directive left in place, even though it only logs at Warning. A regression on this point was introduced in Jetty 9.3.X, when they refactored how modules are loaded. The code on the 9.2.X branch looks fine: Jetty should log the warnings, but proceed to start anyway.
(This used to be included in Main.java, but got spun out into org.eclipse.jetty.start.BaseBuilder in 9.3, where the old logic didn't follow it.)
I've opened a bug report [1] on that; for now, as a better workaround, as opposed to modifying the ssl.mod file in place or creating a copy in JETTY_BASE, you can just tack --skip-file-validation=ssl on the effective command-line when starting Jetty, and all's well that ends well. Shib wiki page Jetty93 updated accordingly.
As to the second issue, I did a bit more digging and found that this was actually caused by a Confluence bug [2] related to the copy-paste functionality in the code macro.
Briefly, using Google Chrome, if you double-click a code block to select it, it copies (some? most?) space characters as character 160 (NBSP) as opposed to a standard space (32). If you select the text by hand, then copy, no such problems occur.
I've bumped the existing issue to see if I can't get any movement on it -- it's been open for years, and Atlassian has had it marked as "Resolved / Won't Fix" for over a year now.
[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=475409
[2] https://jira.atlassian.com/browse/CONF-25771
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Tuesday, August 18, 2015 11:56 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Jetty 9.3 SSL Keystore Path and SOAP Backchannel Errors
On 8/18/15, 11:49 AM, "users on behalf of Domingues, Michael D" <users-bounces at shibboleth.net on behalf of michael-domingues at uiowa.edu> wrote:
>My first issue is that when I attempt to start Jetty, it logs a warning and exits immediately, indicating that a required keystore file is missing. Verbatim error message follows:
I didn't think the warning caused Jetty to exit, but maybe that's wrong.
>
>In the meantime, this can be worked around by putting a copy of ssl.mod into JETTY_BASE/modules and removing the [files] stanza.
I just edit it in place, that's simpler than making a copy that doesn't really need to be made that might fall out of sync later. As I said I don't think it actually hurts anything, but if I'm wrong then we can note removing it.
>
>Since net.shibboleth.utilities.jetty9.DelegateToApplicationSslContextFactory extends org.eclipse.jetty.util.ssl.SslContextFactory (where the method setIncludeCipherSuites is defined) this error ought not to occur, unless the object isn’t getting initialized properly, the parent Jetty class has changed, or some earlier exception is occurring and not getting handled.
I'm not getting that error, so I don't know what to tell you other than you can obviously change the example to suit if you have to, to get farther. We've always used that method dating back to the 9.2 example, and I use it in production with V2.
Chances are there's a typo that we both must not be seeing, I'll eyeball it again.
>
>I noticed Scott’s note on a previous version of the Jetty93 wiki page indicating that the back channel configuration was largely untested, so I suppose my question is, is this still the case?
They're entirely untested because I wrote the examples from my running copy, not the other way around, so there are bound to be typos and things. The general approach hasn't been tested with the IdP, I only tested that Jetty was running with the IdP loaded and that the ports were behaving properly.
> If not, is there something that I’m missing, or did the Jetty SSL refactoring have further implications than the ones which have been commented upon in previous threads?
There are/were a ton of changes, but the page is updated with everything I have been able to work out or work around.
-- Scott
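The NBSP (character 160) copy-paste problem described earlier in this thread is easy to miss by eye in a Jetty XML or IdP config file. The following checker is an added example, not code from the thread or from Shibboleth/Jetty; it scans a file for no-break-space look-alikes, reports their line and column, and can normalise them back to ordinary spaces. The sample XML snippet embedded in it is constructed for the demonstration.

```python
import re
import sys
import unicodedata

# Whitespace look-alikes that survive a copy-paste but are not ASCII space (32).
# U+00A0 is the NBSP the Confluence/Chrome double-click bug produces.
SUSPECT_WS = re.compile('[\u00a0\u2007\u202f\u3000]')


def find_nonascii_whitespace(text):
    """Return (line_no, col_no, codepoint, unicode_name) for every suspect char."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SUSPECT_WS.finditer(line):
            ch = m.group()
            findings.append((line_no, m.start() + 1, ord(ch), unicodedata.name(ch, 'UNKNOWN')))
    return findings


def normalize_whitespace(text):
    """Replace each suspect character with an ordinary ASCII space (U+0020)."""
    return SUSPECT_WS.sub(' ', text)


# Constructed sample (not taken from the wiki page): a Jetty-style XML fragment
# with an NBSP injected between the element name and its attribute, which is
# enough to make the XML parser fail on an otherwise correct-looking line.
SAMPLE = (
    '<Set name="IncludeCipherSuites">\n'
    '  <Array\u00a0type="String">\n'
    '    <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>\n'
    '  </Array>\n'
    '</Set>\n'
)

if __name__ == '__main__':
    # Usage: python nbsp_check.py path/to/jetty-ssl.xml  (exit status 1 if any found)
    path = sys.argv[1]
    with open(path, encoding='utf-8') as fh:
        hits = find_nonascii_whitespace(fh.read())
    for line_no, col, cp, name in hits:
        print(f'{path}:{line_no}:{col}: U+{cp:04X} {name}')
    sys.exit(1 if hits else 0)
```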