Re: [jetty-users] Sudden SSL problems

Gut reaction:  you are running an older JRE/JDK with known SSL/TLS bugs.

Be sure you have Java 1.6 update 30 (or newer), or Java 1.7 update 15 (or newer)

--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Developer advice, services and support
from the Jetty & CometD experts


On Thu, Apr 11, 2013 at 11:30 AM, Christian Grobmeier <grobmeier@xxxxxxxxx> wrote:
Hi list,

I have two jettys running on one box with different ports. Both were
7.4.4 so far but do not share anything in common. One is for testing,
one is for production.
Today I thought I would update jetty. I used the testing jetty and
upgraded to 7.6.10 in the afternoon.

It went fine and I wanted to wait a couple of days before I go with prod jetty.

A couple of hours later I got a message from my monitoring tool that
my non-ssl connector went down. I restarted and it went up ok. SSL
worked btw.

Checking my logfiles I saw a lot of these exceptions:

2013-04-11 18:19:49.267:WARN:oeji.nio:handle failed
java.lang.RuntimeException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1029)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:503)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1128)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1100)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:460)
at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386)
at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1040)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:628)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:636)


I never had them before. I then disabled the testing jetty, but the
exceptions kept going.
As both jettys used the same keystore, I considered it might be
problematic. So I went updating the prod jetty. Basically it was no
problem and everything looks well, but the exceptions
won't go away.

I found a known issue on openjdk and followed these instructions:
http://shickys.blogspot.de/2012/11/addressing-openjdk-bug-with-ssl-on.html
(basically editing the pck12 providers).
But no luck.

I checked this:
keytool -list -keystore keystore -v
just in any case. It appears CN= matches my domain and so I think it
should be all well too.

Now I am puzzled and don't know where to search for the error.

Any ideas are highly appreciated.

Thanks,
Christian
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users
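
A check of a JRE against the minimum versions named in the reply above (Java 1.6 update 30, or Java 1.7 update 15), as an added example that is not part of the thread. The sample `java -version` output is constructed, and treating 1.8 and later 1.x releases as "newer" is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample of `java -version 2>&1` output (not taken from the thread).
SAMPLE_OUTPUT='java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)'

# Print the quoted version string from the first line of `java -version` output.
extract_version() {
    printf '%s\n' "$1" | sed -n '1s/.*version "\([^"]*\)".*/\1/p'
}

# Exit status: 0 = meets the minimum, 1 = older, 2 = not a 1.x.y[_uu] string.
meets_minimum() {
    case "$1" in
        1.[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    minor=${1#1.}
    minor=${minor%%.*}
    case "$1" in
        *_*) update=${1##*_}; update=${update%%-*} ;;  # drop suffixes such as -b04
        *)   update=0 ;;                               # no update number given
    esac
    case "$minor$update" in
        ''|*[!0-9]*) return 2 ;;                       # non-numeric component
    esac
    # Strip leading zeros so "09" is compared as decimal 9.
    update=$(printf '%s' "$update" | sed 's/^0*//')
    update=${update:-0}
    if [ "$minor" -ge 8 ]; then return 0; fi           # assumption: newer 1.x is fine
    if [ "$minor" -eq 7 ] && [ "$update" -ge 15 ]; then return 0; fi
    if [ "$minor" -eq 6 ] && [ "$update" -ge 30 ]; then return 0; fi
    return 1
}

# To check the local JRE instead, use: extract_version "$(java -version 2>&1)"
v=$(extract_version "$SAMPLE_OUTPUT")
if meets_minimum "$v"; then
    echo "$v: meets the minimum from the reply"
else
    echo "$v: older than the versions named in the reply (or unparseable)"
fi
```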