Specific image ID: 1dc9280cc083
Jetty starts, and the contexts appear to come up. However, all attempts to access them via SSL fail as follows. Yes, the port is exposed and not firewalled etc - this happens even via localhost.
EDIT: confirmed. 8u181-b13-1~deb9u1 works, 8u181-b13-2~deb9u1 BREAKS, 8u212-b01-1~deb9u1 works again (caveat: have to add an alpn-impl pointing at alpn-boot-8.1.13.v20181017)
draeath@ginnungagap:~/scratch$ curl --insecure --ciphers ALL -I -v https://REDACTED:44420/cas
* Trying REDACTED...
* TCP_NODELAY set
* Connected to REDACTED (REDACTED) port 44420 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to REDACTED:44420
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to REDACTED:44420
Note if I leave the ciphers parameter off, the defaults fail in the same way.
Packet capture shows:
-> SYN
<- SYN,ACK
-> ACK
-> TLSv1 Client Hello
<- ACK
<- FIN, ACK
-> FIN, ACK
<- ACK
There is no log, STDOUT, or STDERR emissions from Jetty when this occurs.
Digging around, I discovered the following. I have an older build of this software that's working fine. I performed a docker container export of both the old build and the new one (which fails), and did a recursive diff between. Ignoring binary differences, I found the following differences, and only the following differences, presumably from upstream openjdk:8-jre:
- curl, libcurl3 packages upgraded from 7.52.1-5+deb9u6 to 7.52.1-5+deb9u7
- openjdk-8-jre, openjdk-8-jre-headless packages upgraded from 8u181-b13-1~deb9u1 to 8u181-b13-2~deb9u1
Debian package changelogs for these show the curl change seems unrelated:
curl (7.52.1-5+deb9u7) stretch-security; urgency=high
* Fix NTLM password overflow via integer overflow as per CVE-2018-14618
https://curl.haxx.se/docs/CVE-2018-14618.html
-- Alessandro Ghedini <[email protected]> Mon, 03 Sep 2018 23:50:29 +0100
However the java changelog seems particularly relevant:
openjdk-8 (8u181-b13-2) unstable; urgency=high
[ Tiago Stürmer Daitx ]
* Apply patches from 8u191-b12 security update.
- CVE-2018-3136, S8194534: Manifest better support.
- CVE-2018-3139, S8196902: Better HTTP Redirection.
- CVE-2018-3149, S8199177: Enhance JNDI lookups.
- CVE-2018-3169, S8199226: Improve field accesses.
- CVE-2018-3180, S8202613: Improve TLS connections stability.
- CVE-2018-3183, S8202936: Improve script engine support.
- CVE-2018-3214, S8205361: Better RIFF reading support.
- CVE-2018-3211: Unspecified vulnerability in the Serviceability component.
- S8195868: Address Internet Addresses.
- S8195874: Improve jar specification adherence.
- S8201756: Improve cipher inputs.
- S8203654: Improve cypher state updates.
- S8204497: Better formatting of decimals.
* debian/patches/jdk-freetypeScaler-crash.diff: removed as this patch causes
a memory leak; upstream fixed it in openjdk-7, albeit in a different way.
Closes: #910672.
[ Matthias Klose ]
* Bump standards version.
-- Matthias Klose <[email protected]> Sun, 21 Oct 2018 12:23:32 +0200
Specifically this update touches several areas around TLS/SSL.
Now, for some of my local info for context.
Dockerfile:
# ---- runtime ---- #
FROM jetty:9-jre8 AS runtime
USER root
# mountpoint for runtime volume - easy persistent logs
RUN mkdir -pv /mnt/jetty-logs && chown -v jetty:jetty /mnt/jetty-logs
USER jetty
ENV JAVA_OPTIONS "-Xmx512m -Xms512m"
RUN java -jar ${JETTY_HOME}/start.jar --add-to-start=https,http2 --approve-all-licenses
RUN rm -v ${JETTY_BASE}/start.d/http.ini
ADD --chown=jetty:jetty cas-redirect.war /var/lib/jetty/webapps/ROOT.war
COPY --chown=jetty:jetty cas.war /var/lib/jetty/webapps/cas.war
ADD --chown=jetty:jetty etc/cas /etc/cas
ADD --chown=jetty:jetty keystore /var/lib/jetty/etc/keystore
ADD --chown=jetty:jetty ssl.ini /var/lib/jetty/start.d/ssl.ini
Referenced ssl.ini content:
jetty.sslContext.keyStorePassword=REDACTED
jetty.sslContext.keyManagerPassword=REDACTED
- 'cas.war' is a build of
https://apereo.github.io/cas/5.3.x/index.html
but this issue happens even if this context is omitted
- 'cas-redirect.war' is a custom app, super simple (just takes anything from its own context and 302's it to the /cas context) and is installed as the root context. I will reply with a comment shortly with this code, to show that it's not doing anything fancy.
keystore is valid with one private key and public cert pair:
draeath@ginnungagap:~/scratch$ keytool -list -keystore ./keystore
Enter keystore password: REDACTED
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
REDACTED, Aug 10, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): REDACTED
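The symptom in the curl output and packet capture above (ClientHello sent, server answers with FIN and no TLS alert) is distinguishable from a genuine negotiation failure, where the server sends an alert record before closing. The probe below is an added example, not part of this issue or of the Jetty project: `probe_tls` classifies how one handshake ends, and `_serve_once` is a constructed local stand-in server that mimics each failure mode so the classification can be exercised offline; both names are assumptions of this example.

```python
import socket
import ssl
import threading


def probe_tls(host, port, alpn=("h2", "http/1.1"), timeout=3.0):
    """Attempt one TLS handshake to host:port and classify how it ends.

    Returns:
      "handshake-ok"         - server completed the handshake
      "alert:<reason>"       - server sent a TLS alert (a real negotiation
                               failure, e.g. no shared cipher)
      "closed-without-alert" - server dropped TCP after ClientHello with no
                               alert, the pattern seen in the capture above
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # probing reachability, not trust
    ctx.verify_mode = ssl.CERT_NONE
    if alpn:
        ctx.set_alpn_protocols(list(alpn))
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "handshake-ok"
        except ssl.SSLEOFError:        # subclass of SSLError; check first
            return "closed-without-alert"
        except ssl.SSLError as e:
            if "EOF" in str(e):        # older OpenSSL wording of the same
                return "closed-without-alert"
            return f"alert:{e.reason or 'unknown'}"
        except (ConnectionResetError, BrokenPipeError):
            return "closed-without-alert"


def _serve_once(behaviour):
    """Constructed local server mimicking one failure mode; returns its port.
    "drop":  read the ClientHello, then close with no alert (Jetty's behaviour
             in this report).  "alert": reply with a fatal handshake_failure
             alert record (type 21, TLS 1.2 version, level 2, code 40)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.settimeout(3.0)
        try:
            conn.recv(4096)  # consume the ClientHello
            if behaviour == "alert":
                conn.sendall(b"\x15\x03\x03\x00\x02\x02\x28")
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port
```

Against the real container, `probe_tls(host, 44420)` with and without `alpn` separates an ALPN/boot-classpath problem from a cipher or certificate one without waiting on Jetty logs that never appear.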