authorBjørn Christian Seime <bjorn.christian@seime.no>2019-02-20 15:14:19 +0100
committerGitHub <noreply@github.com>2019-02-20 15:14:19 +0100
commit89bd2ef74191280ea516066acf6f95f1a28ba0b8 (patch)
tree501a4a8f722ca0fa13f1f9d463cc21ab4ab01550
parent85e394563c8b711a1a0307c8ac5953c1817f5629 (diff)
parent489fbaba9d48999e0336a91255d5868addc46c2c (diff)
Merge pull request #8559 from vespa-engine/bjorncs/upgrade-jetty
Bjorncs/upgrade jetty
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java1
-rw-r--r--container-dependency-versions/pom.xml2
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tls/ControllerSslContextFactoryProvider.java1
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java2
4 files changed, 4 insertions, 2 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
index 1a7224fdc71..61ac8f7a7e2 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
@@ -124,6 +124,7 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
.orElseGet(() -> updateKeystore(configserverIdentity, generateKeystorePassword(), keyProvider, ztsClient, zoneConfig));
factory.setKeyStore(keyStore);
factory.setKeyStorePassword("");
+ factory.setEndpointIdentificationAlgorithm(null); // disable https hostname verification of clients (must be disabled when using Athenz x509 certificates)
return factory;
}
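Review bot: Passing `null` on the added line turns off endpoint identification for every SSLEngine this factory creates, not only for inbound client certificates, so it is safe only while the factory is bound to server connectors. The inline comment should say so, for example `// server-side only: client identity comes from chain validation against the trust store and the Athenz identity in the certificate, not hostname matching; do not reuse this factory for outbound connections`. The same applies to the identical line added in ControllerSslContextFactoryProvider and to the one in DefaultSslContextFactoryProvider. The enclosing method begins outside the hunk, so whether client authentication is required on this factory cannot be confirmed from here.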
diff --git a/container-dependency-versions/pom.xml b/container-dependency-versions/pom.xml
index 0f971078ffb..48cd9da9a01 100644
--- a/container-dependency-versions/pom.xml
+++ b/container-dependency-versions/pom.xml
@@ -452,7 +452,7 @@
<guava.version>20.0</guava.version>
<guice.version>3.0</guice.version>
<jaxb.version>2.3.0</jaxb.version>
- <jetty.version>9.4.14.v20181114</jetty.version>
+ <jetty.version>9.4.15.v20190215</jetty.version>
<slf4j.version>1.7.5</slf4j.version>
<!-- These must be kept in sync with version used by current jersey2.version. -->
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tls/ControllerSslContextFactoryProvider.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tls/ControllerSslContextFactoryProvider.java
index d20c86528a5..dcc61b13bab 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tls/ControllerSslContextFactoryProvider.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tls/ControllerSslContextFactoryProvider.java
@@ -63,6 +63,7 @@ public class ControllerSslContextFactoryProvider extends AbstractComponent imple
factory.setTrustStore(truststore);
factory.setKeyStore(keystore);
factory.setKeyStorePassword("");
+ factory.setEndpointIdentificationAlgorithm(null); // disable https hostname verification of clients (must be disabled when using Athenz x509 certificates)
return factory;
}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
index c381ba738a3..f9cdefeb5e8 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
@@ -16,7 +16,6 @@ import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
-import java.util.Arrays;
import java.util.List;
/**
@@ -55,6 +54,7 @@ public class DefaultSslContextFactoryProvider implements SslContextFactoryProvid
factory.setTrustStore(createTruststore(sslConfig));
}
factory.setProtocol("TLS");
+ factory.setEndpointIdentificationAlgorithm(null); // disable hostname verification of client certs
return factory;
}
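Review bot: The comment on the added line does not record why the call became necessary, and since this is the default provider the setting reaches every application that does not supply its own. The change appears to compensate for the Jetty version raised in container-dependency-versions/pom.xml in this commit, which presumably enables endpoint identification by default. A comment such as `// Jetty's default would apply HTTPS endpoint identification to client certificates; this factory is for server connectors only` would keep a later reader from removing the line or copying it into client code. A connector test that completes a handshake with a client certificate whose subject does not match the peer address would pin the behaviour. The method starts outside the hunk.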