
Re: [jetty-users] ssl setup

In Java "KeyStore" and "TrustStore" are different concepts.
Your private keys should be in the "keystore", and certificates for your trusted authorities (CA's) should be in your "truststore".


From: Miten Mehta <Miten.Mehta@xxxxxxxxxxxxxxxxx>
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Sent: Tue, January 18, 2011 2:24:59 AM
Subject: Re: [jetty-users] ssl setup

Hi,

Without the jetty alias private key in the keystore, how will jetty decrypt SSL communication? I assume the server certificate public key will be used to sign content sent to the server, and the server would need to use the private key to decrypt.

Regards,

Miten



On Mon, Jan 17, 2011 at 8:47 PM, Justin Sands <justin_sands2000@xxxxxxxxx> wrote:
Most likely your client certificate is self-signed. This won't work.
> javax.net.ssl.SSLException: Received fatal alert: unknown_ca
Your certificate authority (ca) must sign the client cert.  The CA's certificate (not private key)
should be the only thing in your truststore.


From: Miten Mehta <Miten.Mehta@xxxxxxxxxxxxxxxxx>
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Sent: Mon, January 17, 2011 7:45:38 AM
Subject: [jetty-users] ssl setup

Hi,

I have c:\working\mykeystore\.jetty_keystore in which I created and imported a certificate using openssl and the commands from
http://www.cafesoft.com/products/cams/ps/docs30/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html
http://docs.codehaus.org/display/JETTY/How+to+configure+SSL

The keystore imported the pkcs12 as an entry with alias 1, so I changed it to alias jetty. I am trying clear-text passwords, but I am just doing things locally on my PC.

The keystore is the only keystore I have set up, and I have jetty-ssl.xml as below:
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Set name="Port">8443</Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="Acceptors">2</Set>
      <Set name="AcceptQueueSize">100</Set>
      <Set name="Keystore">C:/working/mykeystore/.jetty_keystore</Set>
      <Set name="Password">storePass123</Set>
      <Set name="KeyPassword">password</Set>
      <Set name="truststore">C:/working/mykeystore/.jetty_keystore</Set>
      <Set name="trustPassword">storePass123</Set>
    </New>
  </Arg>
</Call>


Is it a problem that both the keystore and the truststore are the same?

I get the below in the Jetty logs:

2011-01-17 17:57:54.500:INFO::Started SslSelectChannelConnector@0.0.0.0:8443
2011-01-17 17:57:54.500:DBUG::STARTED SslSelectChannelConnector@0.0.0.0:8443
org.eclipse.jetty.server.Server@9e5c73 STOPPED
 +-DebugHandler@4fc156 started
    +-HandlerCollection@1a06e38 started
       +-ContextHandlerCollection@2200d5 started
       +-DefaultHandler@64ab4d started

2011-01-17 17:57:54.500:DBUG::STARTED org.eclipse.jetty.server.Server@9e5c73
2011-01-17 18:00:17.908:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] channel=java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/127.0.0.1:2856]
2011-01-17 18:00:17.908:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 158
2011-01-17 18:00:17.908:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
2011-01-17 18:00:17.955:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap unwrap Status = OK HandshakeStatus = NEED_TASK|bytesConsumed = 158 bytesProduced = 0
2011-01-17 18:00:18.048:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] fill wrap Status = OK HandshakeStatus = NEED_UNWRAP|bytesConsumed = 0 bytesProduced = 1419
2011-01-17 18:00:18.048:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] Flushed 1419/1419
2011-01-17 18:00:18.048:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
2011-01-17 18:00:18.048:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 7
2011-01-17 18:00:18.048:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled -1
2011-01-17 18:00:18.095:WARN::javax.net.ssl.SSLException: Received fatal alert: unknown_ca
2011-01-17 18:00:18.095:INFO::EXCEPTION
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1401)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1369)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1535)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:995)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:815)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:691)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.unwrap(SslSelectChannelEndPoint.java:684)
    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.fill(SslSelectChannelEndPoint.java:298)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:289)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
    at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:489)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
    at java.lang.Thread.run(Thread.java:619)
2011-01-17 18:00:18.095:DBUG::EOF org.eclipse.jetty.io.EofException
2011-01-17 18:00:55.096:DBUG::org.eclipse.jetty.io.nio.SelectorManager$SelectSet@bd09e8 JVM BUG(s) - cancelled keys 1 times
2011-01-17 18:05:24.818:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] channel=java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/127.0.0.1:2884]
2011-01-17 18:05:24.818:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
2011-01-17 18:05:24.818:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 158
2011-01-17 18:05:24.818:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
2011-01-17 18:05:24.818:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap unwrap Status = OK HandshakeStatus = NEED_TASK|bytesConsumed = 158 bytesProduced = 0
2011-01-17 18:05:24.833:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] fill wrap Status = OK HandshakeStatus = NEED_UNWRAP|bytesConsumed = 0 bytesProduced = 1419
2011-01-17 18:05:24.833:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] Flushed 1419/1419
2011-01-17 18:05:24.833:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
2011-01-17 18:05:24.833:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 7
2011-01-17 18:05:24.833:DBUG:org.eclipse.jetty.http.ssl:[Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled -1
2011-01-17 18:05:24.833:WARN::javax.net.ssl.SSLException: Received fatal alert: access_denied
2011-01-17 18:05:24.833:INFO::EXCEPTION
javax.net.ssl.SSLException: Received fatal alert: access_denied
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1401)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1369)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1535)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:995)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:815)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:691)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.unwrap(SslSelectChannelEndPoint.java:684)
    at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.fill(SslSelectChannelEndPoint.java:298)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:289)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
    at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:489)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
    at java.lang.Thread.run(Thread.java:619)
2011-01-17 18:05:24.833:DBUG::EOF org.eclipse.jetty.io.EofException


Regards,

Miten



_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users
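The rule Justin gives in the thread (only the CA's certificate in the truststore; a certificate not issued by that CA fails the chain check, which is what an unknown_ca alert reports) can be reproduced offline with openssl. This is an added example, not code from the thread or from Jetty; the CA name, file names and the truststore.jks keytool line are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a truststore holding only ca.crt accepts a
# client certificate issued by that CA and rejects a self-signed one. The CA name,
# file names and the commented keytool line are invented for this example.
set -eu

make_pki() {
  pki=$1
  # Throwaway CA: private key plus self-signed CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$pki/ca.key" -out "$pki/ca.crt" \
    -subj "/CN=Example Test CA" -days 1 2>/dev/null
  # Client key and CSR, then a client certificate issued by the CA.
  openssl req -newkey rsa:2048 -nodes -keyout "$pki/client.key" -out "$pki/client.csr" \
    -subj "/CN=client" 2>/dev/null
  openssl x509 -req -in "$pki/client.csr" -CA "$pki/ca.crt" -CAkey "$pki/ca.key" \
    -CAcreateserial -out "$pki/client.crt" -days 1 2>/dev/null
  # A self-signed client certificate, the case Justin suspects.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$pki/selfsigned.key" \
    -out "$pki/selfsigned.crt" -subj "/CN=client" -days 1 2>/dev/null
  # Only ca.crt (never ca.key) belongs in the Jetty truststore, e.g. (not run here):
  #   keytool -importcert -alias ca -file "$pki/ca.crt" -keystore truststore.jks \
  #     -storepass changeit -noprompt
}

# The same check a truststore containing only ca.crt performs:
# returns 0 if the certificate chains to the CA, 1 otherwise.
chains_to_ca() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Builds the PKI in a temp dir and reports both outcomes on one line.
run_demo() {
  dir=$(mktemp -d)
  make_pki "$dir"
  chains_to_ca "$dir" "$dir/client.crt" && signed=ok || signed=fail
  chains_to_ca "$dir" "$dir/selfsigned.crt" && self=ok || self=fail
  rm -rf "$dir"
  echo "ca-signed=$signed self-signed=$self"
}

run_demo
```

Pointing both Keystore and truststore at the same file, as in the jetty-ssl.xml above, makes every entry in it (including the server's own key entry) a trust anchor, which is why the two files are normally kept separate.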



