Re: [jetty-users] jetty 9.2.19 - Not accepting SSL connections after startup

Enable DEBUG logging on the named logger "org.eclipse.jetty.util.ssl.SslContextFactory" and look at the output it produces.
Use the techniques for your configured server logging framework.

It's likely that you have a set of SSL/TLS Protocols and Ciphers that have different Includes/Excludes than you expect.
Compare them with your working instance.

Keep in mind that Java itself introduces excludes, and Jetty has an include/exclude system as well (note: excludes win over includes in jetty).
The debug output will tell you if a protocol or cipher is excluded, and all of the ways that specific entry was excluded.

Of extra note: the keystore/truststore minimum requirements are constantly evolving on Java and the Web in general.
What you used in the past might not be valid anymore (bit length too low, use of deprecated certificate signing methods SHA1/MD5, etc.).
 

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Fri, Sep 8, 2017 at 12:33 PM, _klk_ <karthik.l.kailash@xxxxxxxxx> wrote:
We have been using Jetty for a long time, with no problem.  Today our service
started up and entered a weird state where it would serve requests just fine
on the HTTP port, but fail everything on the HTTPS port (example below):

bash-4.1# curl -vvv -k -i https://localhost:8181/foo
* About to connect() to localhost port 8181 (#0)
*   Trying ::1... connected
* Connected to localhost (::1) port 8181 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -5990
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

Bringing up a new instance of the service (same Jetty version) did not
exhibit the same behavior.  I took a thread dump
(https://gist.github.com/anonymous/5a92c14825381a219604cf8fbeca8abc).
Nothing jumps out at me, I only notice that all acceptors are blocked while
all selectors are runnable. I don't know enough about Jetty's internals to
know if that means anything.




--
Sent from: http://jetty.4.x6.nabble.com/Jetty-User-f3247280.html
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
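
An added example, not part of the original message and not Jetty's own code: a stand-alone Java program that prints the excludes the JVM itself imposes and models an include/exclude pass in which excludes win, so its output on the working and the failing instance can be compared. The class name, the `select` helper and the sample patterns are assumptions for illustration.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class TlsSelectionCheck {
    // Illustrative model of "excludes win over includes"; not Jetty's implementation.
    // An empty include list means "start from everything the JVM supports".
    static List<String> select(String[] supported, List<String> includes, List<String> excludes) {
        List<String> selected = new ArrayList<>();
        for (String name : supported) {
            boolean included = includes.isEmpty() || matchesAny(name, includes);
            boolean excluded = matchesAny(name, excludes);
            if (included && !excluded) {
                selected.add(name);
            } else if (excluded) {
                System.out.println("  dropped " + name + " (matched an exclude)");
            }
        }
        return selected;
    }

    static boolean matchesAny(String name, List<String> patterns) {
        for (String p : patterns) if (name.matches(p)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Excludes set at the JVM level, independent of any server configuration.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        System.out.println("JVM supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("JVM enabled protocols:   " + Arrays.toString(enabled.getProtocols()));

        // Constructed sample patterns (assumptions); substitute the ones from your own configuration.
        List<String> includeCiphers = Arrays.asList("^TLS_.*$");
        List<String> excludeCiphers = Arrays.asList("^.*_(MD5|SHA|SHA1)$", "^.*_RC4_.*$");
        List<String> left = select(supported.getCipherSuites(), includeCiphers, excludeCiphers);
        System.out.println("Cipher suites left after include/exclude: " + left.size());
        for (String c : left) System.out.println("  " + c);
        if (left.isEmpty()) System.out.println("No cipher suites remain: every TLS handshake will fail.");
    }
}
```

Run it with the same JVM and the same `java.security` settings as each server instance; a difference in the printed lists between the two points at the layer that excluded the entry.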

