[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-dev] trying to get jetty properties honored in private SSL module

Brian,

note that there is also an [ini] section within modules, that can be used to set properties whenever the module is activated, as apposed to the [ini-template] section, which as Chris says is only a template for generating an ini file.

Typically [ini] sections are discouraged as they can be hard to modify, but they are appropriate in some circumstances. Often they are used with the ?= syntax, so the property is set only if it has not already been set on the command line or in an ini file.

An example is from the new conscrypt module that sets the version and provider with:

[ini]
conscrypt.version?=1.0.0.RC10
jetty.sslContext.provider?=Conscrypt

These are properties that are unlikely to be edited by a user (in an ini file), so no template is generated, but if a user did manually add them to an ini or the command line, then they ?= syntax would not override that.

regards




Â

On 10 October 2017 at 07:15, Chris Walker <chris@xxxxxxxxxxx> wrote:
Brian,

Properties are not meant to be set in module files.The [ini-template] section is just that - a template for properties for configuration when a module is activated in a distribution, either by using --add-to-start or --add-to-startd. Once a module is activated these properties will be added to, in your case, the start.iniÂfile, where they can be modified. This was done to encourage users to make edits to the associated ini file(s) as opposed to editing Jetty XML, leaving it as the standard of truth.Â

Best,
Chris

On Mon, Oct 9, 2017 at 3:11 PM, Brian Reichert <reichert@xxxxxxxxxxx> wrote:
I'm using jetty 9.3.21.v20170918, and I'm running into inconsistent
behavior about processing jetty properties.

The inconsistency is that this setting seemes to be only honored
from the start.ini file, but not from within a module file.

I'd appreciate a second set of eyes, if someone is willing to review. I must
be missing something basic here. :/

I'm specifically trying to set

 jetty.sslContext.wantClientAuth=true

Here, I do all my testing from
'jetty-distribution-9.3.21.v20170918/demo-base':

Create my own module based on the stock 'ssl' module; alter it to
set the property's value; basically, replace the commented-out
property with the value I want:

 cp -p ../modules/ssl.mod modules/my-ssl.mod
 perl -pi -e 's/^ssl$/my-ssl/' modules/my-ssl.mod
 perl -pi -e 's/^(# )*(jetty.sslContext.wantClientAuth)=.*/${2}=true/' \
  modules/my-ssl.mod
 grep wantClientAuth modules/my-ssl.mod

  (shows jetty.sslContext.wantClientAuth=true in [ini-template])

Observe that this property doesn't show up in '--list-config':

 java -jar ../start.jar --module=my-ssl --list-config | grep wantClientAuth

If I add it to start.ini, it now shows up:

 echo jetty.sslContext.wantClientAuth=true >> start.ini
 java -jar ../start.jar --module=my-ssl --list-config | grep wantClientAuth

 Â(shows jetty.sslContext.wantClientAuth = true)

Should --list-config show my setting in my module?

I'm testing the effect using OpenSSL. When working, that looks
like this:

 openssl s_client -connect localhost:8443 \
  -state -debug -cert example.pem -key example.pem < /dev/null 2>&1 |
 grep 'write client certificate'

And the result looks like this:

 0220 - d1 64 40 4a 27 10 e4 28-0d 5d a7 cSSL_connect:SSLv3 write client certificate A

So, irrespective of what '--list-config' presents, I can test to
see if the property is indeed being utilized my the module.

--
Brian Reichert             <reichert@xxxxxxxxxxx>
BSD admin/developer at large
_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev


_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev



--
Greg Wilkins <gregw@xxxxxxxxxxx> CTO http://webtide.com