Re: [jetty-users] jetty 9.2.19 - Not accepting SSL connections after startup

Hi Joakim,

Thanks for the reply.

I tried adding debug logs by updating the root logger to have DEBUG level in logback.xml, but this did not seem to have any effect.  No logs appeared when attempting to make a connection.

I am doubtful about the issue being the set of enabled protocols/ciphers because this service is deployed as a Docker container so it has the exact same setup as other, working instances.

Unfortunately further testing will be impossible since the container with the issue has since been blown away, so all we have left to try and diagnose is the thread dump.

Thanks,
Karthik

On Fri, Sep 8, 2017 at 12:42 PM, Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
Enable DEBUG logging on the named logger "org.eclipse.jetty.util.ssl.SslContextFactory" and look at the output it produces.
Use the techniques for your configured server logging framework.

It's likely that you have a set of SSL/TLS Protocols and Ciphers that have different Includes/Excludes than you expect.
Compare them with your working instance.

Keep in mind that Java itself introduces excludes, and Jetty has an include/exclude system as well (note: excludes win over includes in jetty).
The debug output will tell you if a protocol or cipher is excluded, and all of the ways that specific entry was excluded.

Of extra note: the keystore/truststore minimum requirements are constantly evolving on Java and the Web in general.
What you used in the past might not be valid anymore (bitlength too low, use of deprecated certificate signing methods SHA1/MD5, etc).
 

Joakim Erdfelt / joakim@xxxxxxxxxxx
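The layered filtering Joakim describes (the JVM disables some entries on its own, Jetty then applies its includes, and its excludes win over includes), as an added illustration that is not Jetty's code and not part of this thread. It is a simplified model: the supported/disabled lists are constructed sample data, and treating include/exclude entries as regular expressions is an assumption of this example.

```python
import re

# Constructed sample data (not from the thread).
JVM_SUPPORTED = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
JVM_DISABLED = {"SSLv3"}            # what Java itself has disabled (assumed)
JETTY_INCLUDES = ["TLSv1.*"]        # entries treated as regexes (assumption)
JETTY_EXCLUDES = ["TLSv1", "SSL.*"]


def select(supported, jvm_disabled, includes, excludes):
    """Return (selected, reasons).

    `selected` keeps the input order. `reasons` maps every dropped entry to
    all of the rules that removed it, mirroring what the SslContextFactory
    DEBUG output reports: an entry can be dropped for several reasons at once.
    Excludes are applied last, so an entry that is both included and
    excluded is dropped.
    """
    selected, reasons = [], {}
    for name in supported:
        why = []
        if name in jvm_disabled:
            why.append("disabled by the JVM")
        if includes and not any(re.fullmatch(p, name) for p in includes):
            why.append("not matched by any include")
        for pattern in excludes:
            if re.fullmatch(pattern, name):
                why.append(f"matched exclude '{pattern}'")
        if why:
            reasons[name] = why
        else:
            selected.append(name)
    return selected, reasons


def report(supported, jvm_disabled, includes, excludes):
    """Human-readable version of select(), one line per entry."""
    selected, reasons = select(supported, jvm_disabled, includes, excludes)
    lines = [f"SELECTED {n}" for n in selected]
    lines += [f"EXCLUDED {n}: {'; '.join(why)}" for n, why in reasons.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(JVM_SUPPORTED, JVM_DISABLED, JETTY_INCLUDES, JETTY_EXCLUDES))
```

The same function applies unchanged to cipher suite names; if a working and a broken instance differ, diffing the two `report()` outputs shows which rule removed the missing entry.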

On Fri, Sep 8, 2017 at 12:33 PM, _klk_ <karthik.l.kailash@xxxxxxxxx> wrote:
We have been using Jetty for a long time, with no problem.  Today our service
started up and entered a weird state where it would serve requests just fine
on the HTTP port, but fail everything on the HTTPS port (example below):

bash-4.1# curl -vvv -k -i https://localhost:8181/foo
* About to connect() to localhost port 8181 (#0)
*   Trying ::1... connected
* Connected to localhost (::1) port 8181 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -5990
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

Bringing up a new instance of the service (same Jetty version) did not
exhibit the same behavior.  I took a thread dump
(https://gist.github.com/anonymous/5a92c14825381a219604cf8fbeca8abc).
Nothing jumps out at me, I only notice that all acceptors are blocked while
all selectors are runnable. I don't know enough about Jetty's internals to
know if that means anything.




--
Sent from: http://jetty.4.x6.nabble.com/Jetty-User-f3247280.html
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


--
Karthik Kailash
Phone: (408) 768-7704