[jetty-dev] SSL Renegotiation issue in Jetty HttpClient

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[jetty-dev] SSL Renegotiation issue in Jetty HttpClient

chuckdumont
This post was updated on .
I have a Jetty base proxy servlet (extends org.eclipse.jetty.proxy.ProxyServlet.Transparent) that is experiencing intermittent failures with proxied requests to the upstream server due to SSL handshaking failures in the proxy's HttpClient client.  I'm using Jetty 9.2.13.v20150730 running on Karaf 4.0.1 and Java 1.8.0_66 on a Linux machine.

The upstream server is fronted by an F5 that is configured by iRule to disallow client initiated SSL renegotiation.  Any attempt by a client to renegotiate the SSL session results in the F5 shutting down the connection by sending a RST packet.  So I configured the proxy's HttpClient to disallow SSL renegotiation by invoking `SslContextFactory.setRenegotiationAllowed(false);`.  But this just results in requests failing internally within the HttpClient because of "Renegotiation disallowed" error as seen in the Jetty logs.

I have observed two distinct failure modes.  In the first failure mode, the SSL handshaking appears to complete normally (the log message "server-side handshaking completed" is output by org.eclipse.jetty.io.ssl.SslConnection) but then is followed immediately by the log message "renegotiation denied" and the connection is closed before any application data is exchanged.  See the jetty1.log and tcptrace1.txt.

In the second failure mode, the SSL handshaking completes and application data is actually exchanged before Jetty decides that renegotiation is needed.  See jetty2.logand tcptrace2.txt.

Following is the code I'm using to initialize the HttpClient:

  @Override
  protected HttpClient newHttpClient() {
    SslContextFactory scf = new SslContextFactory();
    scf.setTrustAll(true);
    // Uncomment the line below to disable Diffie-Hellman cipher suites so that Wireshark can decrypt SSL traffic
    // (assuming the SSL Certificate private-key and password are provided)
    scf.addExcludeCipherSuites(EXCLUDED_CIPHER_SUITES);
    scf.addExcludeProtocols(EXCLUDED_PROTOCOLS);  // Excluse SSL so that we use only TLS
    // F5 doesn't allow client initiated SSL renegotiation
    scf.setRenegotiationAllowed(false);
    HttpClient client = new HttpClient(scf);
    // Redirects must be proxied as is, not followed
    client.setFollowRedirects(false);
    // Must not store cookies, otherwise cookies of different clients will mix
    client.setCookieStore(new HttpCookieStore.Empty());
    client.setIdleTimeout(3*60*1000);   // 3 minutes

    return client;
  }

Any suggestions on how to solve or work around this issue would be appreciated.
Reply | Threaded
Open this post in threaded view
|

Re: [jetty-dev] SSL Renegotiation issue in Jetty HttpClient

chuckdumont
I've identified the cause of the problem and opened a bug report with the proposed fix.

https://bugs.eclipse.org/bugs/show_bug.cgi?id=481006