[jetty-dev] trying to get jetty properties honored in private SSL module


[jetty-dev] trying to get jetty properties honored in private SSL module

Brian Reichert
I'm using jetty 9.3.21.v20170918, and I'm running into inconsistent
behavior about processing jetty properties.

The inconsistency is that this setting seems to be only honored
from the start.ini file, but not from within a module file.

I'd appreciate a second set of eyes, if someone is willing to review. I must
be missing something basic here. :/

I'm specifically trying to set

  jetty.sslContext.wantClientAuth=true

Here, I do all my testing from
'jetty-distribution-9.3.21.v20170918/demo-base':

Create my own module based on the stock 'ssl' module; alter it to
set the property's value; basically, replace the commented-out
property with the value I want:

  cp -p ../modules/ssl.mod modules/my-ssl.mod
  perl -pi -e 's/^ssl$/my-ssl/' modules/my-ssl.mod
  perl -pi -e 's/^(# )*(jetty.sslContext.wantClientAuth)=.*/${2}=true/' \
    modules/my-ssl.mod
  grep wantClientAuth modules/my-ssl.mod

    (shows jetty.sslContext.wantClientAuth=true in [ini-template])

Observe that this property doesn't show up in '--list-config':

  java -jar ../start.jar --module=my-ssl --list-config | grep wantClientAuth

If I add it to start.ini, it now shows up:

  echo jetty.sslContext.wantClientAuth=true >> start.ini
  java -jar ../start.jar --module=my-ssl --list-config | grep wantClientAuth

   (shows jetty.sslContext.wantClientAuth = true)

Should --list-config show my setting in my module?

I'm testing the effect using OpenSSL.  When working, that looks
like this:

  openssl s_client -connect localhost:8443 \
    -state -debug -cert example.pem -key example.pem < /dev/null 2>&1 |
  grep 'write client certificate'

And the result looks like this:

  0220 - d1 64 40 4a 27 10 e4 28-0d 5d a7 cSSL_connect:SSLv3 write client certificate A

So, irrespective of what '--list-config' presents, I can test to
see if the property is indeed being utilized by the module.

--
Brian Reichert <[hidden email]>
BSD admin/developer at large
_______________________________________________
jetty-dev mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev

Re: [jetty-dev] trying to get jetty properties honored in private SSL module

Chris Walker
Brian,

Properties are not meant to be set in module files. The [ini-template] section is just that - a template for properties for configuration when a module is activated in a distribution, either by using --add-to-start or --add-to-startd. Once a module is activated these properties will be added to, in your case, the start.ini file, where they can be modified. This was done to encourage users to make edits to the associated ini file(s) as opposed to editing Jetty XML, leaving it as the standard of truth.

Best,
Chris

On Mon, Oct 9, 2017 at 3:11 PM, Brian Reichert <[hidden email]> wrote:

Re: [jetty-dev] trying to get jetty properties honored in private SSL module

Greg Wilkins
Brian,

note that there is also an [ini] section within modules, that can be used to set properties whenever the module is activated, as opposed to the [ini-template] section, which as Chris says is only a template for generating an ini file.

Typically [ini] sections are discouraged as they can be hard to modify, but they are appropriate in some circumstances.  Often they are used with the ?= syntax, so the property is set only if it has not already been set on the command line or in an ini file.

An example is from the new conscrypt module that sets the version and provider with:

[ini]
conscrypt.version?=1.0.0.RC10
jetty.sslContext.provider?=Conscrypt

These are properties that are unlikely to be edited by a user (in an ini file), so no template is generated, but if a user did manually add them to an ini or the command line, then the ?= syntax would not override that.

regards


On 10 October 2017 at 07:15, Chris Walker <[hidden email]> wrote:
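As an added illustration (not code from this thread or from Jetty's start.jar), a small Python model of the precedence Greg describes: only the [ini] section of a module applies on activation, `?=` fills a property in only when the command line or an ini file has not already set it, and [ini-template] is ignored. The sample my-ssl.mod text is constructed, and the treatment of a plain `=` in [ini] as an unconditional assignment is an assumption, not something the thread confirms.

```python
import re
from typing import Dict, List

# Constructed sample module file modelled on the thread's my-ssl.mod.
# Only [ini] takes effect on activation; [ini-template] is copied into
# start.ini by --add-to-start and is otherwise ignored.
MY_SSL_MOD = """\
[depend]
ssl
[ini]
jetty.sslContext.wantClientAuth?=true
jetty.sslContext.provider?=Conscrypt
[ini-template]
# jetty.sslContext.wantClientAuth=false
jetty.sslContext.keyStorePath=etc/keystore
"""


def module_ini_lines(text: str) -> List[str]:
    """Return the non-comment, non-blank lines of the [ini] section only."""
    section, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ini" and line and not line.startswith("#"):
            lines.append(line)
    return lines


def apply_module_ini(props: Dict[str, str], text: str) -> Dict[str, str]:
    """Layer a module's [ini] lines over properties already set on the
    command line or in an ini file.  '?=' only fills in a missing key;
    a plain '=' is assumed (simplified model) to assign unconditionally,
    which is why Greg calls [ini] sections hard to modify."""
    out = dict(props)
    for line in module_ini_lines(text):
        m = re.match(r"^([^=?\s]+)\s*(\?=|=)\s*(.*)$", line)
        if not m:
            raise ValueError(f"bad [ini] line: {line!r}")
        key, op, value = m.groups()
        if op == "=" or key not in out:
            out[key] = value
    return out


if __name__ == "__main__":
    print(apply_module_ini({}, MY_SSL_MOD))
    # A start.ini or command-line value wins over a '?=' default:
    print(apply_module_ini({"jetty.sslContext.wantClientAuth": "false"}, MY_SSL_MOD))
```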

Re: [jetty-dev] trying to get jetty properties honored in private SSL module

Brian Reichert
On Tue, Oct 10, 2017 at 11:15:31AM +1100, Greg Wilkins wrote:
> Brian,
>
> note that there is also an [ini] section within modules, that can be used
> to set properties whenever the module is activated, as apposed to the
> [ini-template] section, which as Chris says is only a template for
> generating an ini file.

Gee, well, that nails it.  Putting my settings in the [ini] section
does seem to do what I want.

I failed to notice the distinction, and assumed the pre-populated
[ini-template] was the what I was supposed to use. :/

> Typically [ini] sections are discouraged as they can be hard to modify, but
> they are appropriate in some circumstances.  Often they are used with the
> ?= syntax, so the property is set only if it has not already been set on
> the command line or in an ini file.

That's a neat hack I was unaware of...

> An example is from the new conscrypt module that sets the version and
> provider with:
>
> [ini]
> conscrypt.version?=1.0.0.RC10
> jetty.sslContext.provider?=Conscrypt

> regards
>

--
Brian Reichert <[hidden email]>
BSD admin/developer at large