Jetty SSL ciphers and Firefox

When releasing alien4cloud 1.3.0 we upgraded Spring Boot and Jetty (as a Spring Boot dependency). We recently found that our SSL configuration failed with Firefox while it was working fine under Chrome or Safari.

The error was quite clear and explained that Firefox wasn’t able to find a valid cipher to communicate with alien4cloud (SSL_ERROR_NO_CYPHER_OVERLAP). Having changed nothing on our side, this error was quite unexpected and we had to dive into multiple readings to find out what the issue could be. Fortunately we first found some interesting bug reports on the Mozilla bug tracker (https://bugzilla.mozilla.org/show_bug.cgi?id=1029179) that explained quite clearly why Firefox was more restrictive than other browsers.

Starting from here we found that our previous version offered the ‘TLS_RSA_WITH_AES_256_CBC_SHA’ cipher, which Firefox used to communicate with alien4cloud. We also found out that some elliptic-curve-based ciphers that Firefox seems to prefer, such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, were not working under all of our configurations (RHEL OpenJDK 8).

The solution for us was to specify an explicit list of ciphers using the Spring Boot server.ssl.ciphers property, and basically to add the TLS_RSA_WITH_AES_256_CBC_SHA cipher, which is supported by all browsers.
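Before putting a list into server.ssl.ciphers it is worth checking that the JVM which will run Jetty actually supports every suite in it, since that is where the RHEL OpenJDK 8 problem above came from. The following is an added example, not alien4cloud code: it asks the default SSLContext which suites the JVM supports and which it enables by default, and reports the status of each suite in an assumed cipher list.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CipherSuiteCheck {

    // Assumed example list, i.e. what one would write as
    // server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,... in application.properties
    static final List<String> CONFIGURED = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_RSA_WITH_AES_256_CBC_SHA");

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();

        // Suites this JVM is able to negotiate at all ...
        Set<String> supported = new HashSet<>(Arrays.asList(
                ctx.getSupportedSSLParameters().getCipherSuites()));
        // ... versus the subset it enables when no explicit list is configured.
        Set<String> enabledByDefault = new HashSet<>(Arrays.asList(
                ctx.getDefaultSSLParameters().getCipherSuites()));

        for (String suite : CONFIGURED) {
            String status;
            if (!supported.contains(suite)) {
                // Listing such a suite in server.ssl.ciphers is useless on this JVM:
                // Jetty cannot offer it, and a browser insisting on it gets no overlap.
                status = "NOT SUPPORTED by this JVM";
            } else if (!enabledByDefault.contains(suite)) {
                status = "supported, but disabled by default (needs an explicit list)";
            } else {
                status = "ok";
            }
            System.out.printf("%-45s %s%n", suite, status);
        }
    }
}
```

Run it with the same JDK that serves alien4cloud (for example `java CipherSuiteCheck.java` on JDK 11+, or compile it first on JDK 8), since the answer depends on that JDK's security providers.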

Have you experienced such issues too? Do you have preferred resolutions?

Provision AWS on-demand resources using Ansible roles

Context

Alien4cloud is an open platform that eases DevOps implementation in large and heterogeneous organizations.
Whenever possible and needed, Alien4Cloud provides the model and tools to ensure application portability across different infrastructures, leveraging the OASIS TOSCA standard whose goal is to ‘Enhance the portability and operational management of cloud applications and services across their entire lifecycle’.
But, in order to be able to manage all automation and DevOps scenarios, it is just as important to be able to easily onboard applications that use any infrastructure resource, even those that may not be portable.

The objective of this post is to explain the concept of Custom on-demand resource, which helps reach that goal and opens the door to a large number of possibilities, such as easily leveraging resources offered by a Cloud provider (knowing that this might restrict the portability of the application outside of that Cloud provider’s infrastructure).

In the end, for some users, it’s an interesting possibility as it allows them to benefit from Alien4Cloud’s collaborative and productivity-oriented DevOps features for the enterprise even if portability is not a prime concern at first.

Solution

We can now extend the capabilities of our orchestrator by providing custom on-demand resources. For example, this can be used to take advantage of AWS services that are not managed natively by our orchestrator (such as Elastic Load Balancer, RDS Database and so on …). In combination with the recently added Ansible support as an implementation artifact, it’s now easy to leverage extended IaaS services in your topologies.
