Re: [jetty-users] Jetty + SSLConnection engine alreay closed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Jetty + SSLConnection engine alreay closed

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Date: Wed, 31 Aug 2016 06:10:09 -0700
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

You are using a rather old version of Jetty.

Just to express how old (here's a list of things that have happened since the release of 9.2.0.v20140526):

There's been over 900 commits in the 9.2.x branch alone
There have been 18 minor releases of jetty 9.2.x
Jetty 9.3.x was started
A major version update, Jetty 9.3.0 stable, was released
There have been over 3,200 commits to jetty 9.3.x
There have been 11 minor releases of jetty 9.3.x
Jetty 9.4.x was started
There have been over 4,000 commits to jetty 9.4.x
Jetty 9.4.0 has started with milestone (alpha quality) releases
Java 7 EOL (End of Life) was announced and officially entered EOL
Jetty 10.x has been started (for servlet 4.0)
Java 8 has addressed (according to its release notes) over 3 dozen SSL/TLS vulnerabilities
Java 8 has outright started to disable large swathes of SSL/TLS to address various vulnerabilities.

What happens if you use one of the latest stable releases? Jetty 9.3.11.v20160721 or 9.2.18.v20160721 ?

Also, since you are working with SSL/TLS, it is important (as in very important) that you stay up to date with your Java VM.

Respect the Java expiration dates that every release has.

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Wed, Aug 31, 2016 at 5:47 AM, Christian Arens <ChristianA@xxxxxx> wrote:

Hello everbody,

i have wirtten a simple embeddedJettyServer-Application.

Then i connected to them via client doing a Handshake.

The session established correctly. Then an alert (bad_certificate) is sent to the server for testing.

I expected, that the server recv. the message and start to close the session and invalidate it.

A second Handshake should show, that a session resumption is not possible.

Instead of this behavior, the session isn't invalidated and a session resumption is possible.

SSL-Log of FirstHandshake at recv. Alert:

qtp1531448569-22, READ: TLSv1.2 Alert, length = 48
qtp1531448569-22, RECV TLSv1.2 ALERT: fatal, bad_certificate
qtp1531448569-22, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: bad_certificate
qtp1531448569-22, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: bad_certificate

Is that a jetty-bug?

Iam using jetty 9.2.0.v20140526

best regards

Christian

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

References:
- [jetty-users] Jetty + SSLConnection engine alreay closed
  - From: Christian Arens

Prev by Date: [jetty-users] Jetty + SSLConnection engine alreay closed
Next by Date: [jetty-users] Using jetty-quickstart when Jetty is embedded
Previous by thread: [jetty-users] Jetty + SSLConnection engine alreay closed
Next by thread: [jetty-users] Using jetty-quickstart when Jetty is embedded
Index(es):
- Date
- Thread

Breadcrumbs