
Bug#940170: marked as done (buster-pu: package trapperkeeper-webserver-jetty9-clojure/1.7.0-2+deb10u1)
Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #940170,
regarding buster-pu: package trapperkeeper-webserver-jetty9-clojure/1.7.0-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
940170: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940170
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

A jetty9 update broke trapperkeeper-webserver-jetty9-clojure, and as a
result puppetdb, in buster (bug#924005).  This is a minimal fix on the
trapperkeeper-webserver-jetty9-clojure side to work around the breakage.
This has been confirmed to work in sid/bullseye (1.7.0-3).

For the trapperkeeper-webserver-jetty9-clojure maintainers, I pushed the
change to:
https://salsa.debian.org/jcristau/trapperkeeper-webserver-jetty9-clojure/commits/debian/buster

Cheers,
Julien

diff --git a/debian/changelog b/debian/changelog
index 3bfef40..3d8b882 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1) buster; urgency=medium
+
+  [ Manfred Stock ]
+  * Add patch for SSL compatibility with newer Jetty (closes: #930562).
+
+ -- Julien Cristau <jcristau@debian.org>  Fri, 13 Sep 2019 11:00:50 +0200
+
 trapperkeeper-webserver-jetty9-clojure (1.7.0-2) unstable; urgency=medium
 
   * Fix compatibility with Jetty 9.4
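Review bot: the new entry's `closes: #930562` cites a different bug from the #924005 given in the cover text for the jetty9 breakage; confirm both numbers are intended before upload, since the BTS will close only the one named here. The wording "Add patch for SSL compatibility with newer Jetty" also hides what the patch actually changes, which is TLS-relevant: it sets the endpoint identification algorithm to null on the server SslContextFactory, restoring the server-side default Jetty used before 9.4.15. A stable-update changelog should say that explicitly so the SRMs and anyone auditing the package later can see the behaviour change without opening the patch.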
diff --git a/debian/patches/0005-maint-Disable-EndpointIdentification.patch b/debian/patches/0005-maint-Disable-EndpointIdentification.patch
new file mode 100644
index 0000000..39890d7
--- /dev/null
+++ b/debian/patches/0005-maint-Disable-EndpointIdentification.patch
@@ -0,0 +1,46 @@
+From 9db4170381e07165078e544340e12b38676c2613 Mon Sep 17 00:00:00 2001
+From: Justin Stoller <justin.stoller@gmail.com>
+Date: Fri, 24 May 2019 16:10:44 -0700
+Subject: [PATCH] (maint) Disable EndpointIdentification
+
+Previously, Jetty disabled Endpoint Identification by default as it is a best
+practice for most webservers who often cannot identify clients
+connecting to it. However, in 9.4.15 Jetty changed this default to
+"HTTPS", which is the best practice for _client_ SslContexts. This
+caused serious breakages throughout the Jetty ecosystem and since 9.4.16
+Jetty introduced static inner classes of SslContextFactory, named Server
+and Client, to create the correct contexts for each type of consumer.
+
+Unfortunately, because we subclass SslContextFactory with our own
+InternalSslContextFactory that overrides CRL handling, using these static
+inner class factories is problematic. Consequently, this patch takes the
+approach of simply setting the Endpoint Identification Algorithm to null
+as was previously the default (and necessary in most server
+environments).
+
+This will cause a warning of overriding a deprecated method during
+compilation in newer Java versions and our approach to handling CRLs
+will need to be reworked should we use this codebase as a basis for a
+trapperkeeper-webserver-jetty10 project.
+
+For more info see linked issues to the implementing PR here:
+https://github.com/eclipse/jetty.project/pull/3480/files#diff-58640db0f8f2cd84b7e653d1c1540913
+---
+ src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+index 3a577bb..02e7c7d 100644
+--- a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
++++ b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
+@@ -197,6 +197,7 @@
+                   (.setKeyStore (:keystore keystore-config))
+                   (.setKeyStorePassword (:key-password keystore-config))
+                   (.setTrustStore (:truststore keystore-config))
++                  (.setEndpointIdentificationAlgorithm nil)
+                   ;; Need to clear out the default cipher suite exclude list so
+                   ;; that Jetty doesn't potentially remove one or more ciphers
+                   ;; that we want to be included.
+-- 
+2.20.1
+
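Review bot: `(.setEndpointIdentificationAlgorithm nil)` is applied unconditionally inside this keystore configuration chain, so the question to settle is whether the code at jetty9_core.clj line 197 only ever builds server-side contexts; on a client-side SslContextFactory a null algorithm disables hostname verification of the peer certificate, which is precisely the check Jetty 9.4.15 turned on by defaulting to "HTTPS". The commit message's justification (pre-9.4.15 server default, and the SslContextFactory.Server/Client split being unusable because of the InternalSslContextFactory subclass that overrides CRL handling) lives only in the git header; since the method is already deprecated and a later cleanup could drop the line, put a short comment beside the call, next to the existing cipher-suite comment, and add DEP-3 `Origin:`/`Bug-Debian: https://bugs.debian.org/930562` headers so the patch links back to the changelog entry.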
diff --git a/debian/patches/series b/debian/patches/series
index cfdab48..1d6304e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ jetty-9.4-compat
 0001-SERVER-2213-Remove-call-to-MBeanContainer-resetUniqu.patch
 0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch
 0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch
+0005-maint-Disable-EndpointIdentification.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---
