
'UnsupportedOperationException: X509ExtendedKeyManager only supported on Server' after upgrading to 9.4.24 #4425

Closed
mkemmerz opened this issue Dec 16, 2019 · 6 comments


mkemmerz commented Dec 16, 2019

We upgraded from 9.4.22.v20191022 to 9.4.24.v20191120, Java 11.

We are encountering a new exception that prevents our software from working correctly. On startup Jetty calls a method that has been marked as deprecated in 9.4.24 (deprecated list).

org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(X509ExtendedKeyManager) use SslContextFactory.Server.newSniX509ExtendedKeyManager(X509ExtendedKeyManager) instead

Jetty calls the method internally, so I am not sure whether our team has to make changes on our side or whether it is a bug.

The changes affecting this issue were made in #4325

Stacktrace:

2019-12-16 08:11:34,357 WARN  [main           ]  org.eclipse.jetty.util.component.AbstractLifeCycle : FAILED Server@49293b43{FAILED}[9.4.24.v20191120]: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
	at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1273)
	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1255)
	at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.eclipse.jetty.server.Server.doStart(Server.java:385)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)

Jetty calls the deprecated method in SslContextFactory.java:1255

                // Is SNI needed to select a certificate?
                if (!_certWilds.isEmpty() || _certHosts.size() > 1 || (_certHosts.size() == 1 && _aliasX509.size() > 1))
                {
                    for (int idx = 0; idx < managers.length; idx++)
                    {
                        if (managers[idx] instanceof X509ExtendedKeyManager)
                            managers[idx] = newSniX509ExtendedKeyManager((X509ExtendedKeyManager)managers[idx]);
                    }
                }

My guess would be that Jetty uses the non-deprecated method to create such an object? Has this been missed or was it on purpose?

Any idea how to prevent this from happening? If we don't use a certificate for the software everything is working fine. It only starts to cause issues if we try to use a certificate.

@joakime Maybe you can provide any insight or help?

Contributor

gregw commented Dec 16, 2019

@mkemmerz The issue is that we had to split the SslContextFactory into a client and server version, rather than a single class for both.
If you have code that previously instantiated SslContextFactory directly, then it will mostly work other than SNI. The fix is to change to use
SslContextFactory.Server instead of just SslContextFactory.

Contributor

gregw commented Dec 16, 2019

@joakime @sbordet That warning is not really clear that Server means SslContextFactory.Server. I think in this case we should be a bit more verbose.

Author

mkemmerz commented Dec 16, 2019

@gregw Thanks for the information and hint!

I will give it a try.

Author

mkemmerz commented Dec 16, 2019

I was able to solve the issue by using SslContextFactory.Server, thanks to @gregw.

Due to the explanation that you split the SslContextFactory into client and server, the exception makes sense now. I doubt that people will get the issue if they don't know the context though.

Just a small example of how I fixed it (if someone else encounters this problem):

SslContextFactory sslContextFactory = new SslContextFactory("server.pkcs12");

changed to

SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath("server.pkcs12");
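
Added example, not part of the original comment or the Jetty project's own code: the connector wiring from the stack trace above (ServerConnector, SslConnectionFactory, SslContextFactory) built on `SslContextFactory.Server`, for embedded Jetty 9.4. The class name, port 8443, the PKCS12 keystore type and the `KEYSTORE_PASSWORD` environment variable are assumptions.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class TlsServerExample // hypothetical class name
{
    public static void main(String[] args) throws Exception
    {
        // Server-side factory. The base SslContextFactory throws
        // UnsupportedOperationException when SNI certificate selection is needed.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("server.pkcs12");
        ssl.setKeyStoreType("PKCS12"); // assumed keystore type
        // Assumed: password supplied via environment rather than hard-coded.
        ssl.setKeyStorePassword(System.getenv("KEYSTORE_PASSWORD"));

        // HTTPS-specific request handling (populates TLS attributes on requests).
        HttpConfiguration https = new HttpConfiguration();
        https.setSecureScheme("https");
        https.setSecurePort(8443); // assumed port
        https.addCustomizer(new SecureRequestCustomizer());

        // Same chain as in the stack trace:
        // ServerConnector -> SslConnectionFactory -> SslContextFactory.Server
        Server server = new Server();
        ServerConnector connector = new ServerConnector(server,
            new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(https));
        connector.setPort(8443);
        server.addConnector(connector);

        server.start(); // starts the connector and, through it, the SSL factory
        server.join();
    }
}
```

Outbound connections use the other half of the split, `SslContextFactory.Client`, so the two roles no longer share one factory instance.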

Contributor

joakime commented Dec 16, 2019

The error message was updated in jetty-9.4.x head as a result of issue #4385.

Current message is ...

https://github.com/eclipse/jetty.project/blob/cf7f6a52f56d550cfd833b633e1365b719457c6b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L1275-L1279

Contributor

joakime commented Dec 16, 2019

Closing as this was addressed in issue #4385
