Re: [jetty-users] keystore

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] keystore

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Date: Wed, 14 Mar 2018 09:44:46 -0500
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

If you enable the jetty startup dump you'll see the list of enabled cipher suites and protocols that Jetty is running with (including the reason why a specific available protocol or cipher suite is disabled).

$ java -jar /path/to/my/jetty-home/start.jar jetty.server.dumpAfterStart=true

Example output:

| += SslConnectionFactory@51c668e3{SSL->http/1.1} - STARTED

| | += SslContextFactory@19f040ba[provider=null,keyStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore,trustStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore] trustAll=false

| | +- Protocol Selections

| | | +- Enabled (size=3)

| | | | +- TLSv1

| | | | +- TLSv1.1

| | | | +- TLSv1.2

| | | +- Disabled (size=2)

| | | +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'

| | | +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'

| | +- Cipher Suite Selections

| | +- Enabled (size=29)

| | | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

| | | +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

| | | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

| | | +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

| | | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

| | | +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

| | | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

| | | +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

| | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

| | | +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

| | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

| | | +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

| | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

| | | +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

| | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

| | | +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

| | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256

| | | +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

| | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

| | | +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384

| | | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV

| | | +- TLS_RSA_WITH_AES_128_CBC_SHA256

| | | +- TLS_RSA_WITH_AES_128_GCM_SHA256

| | | +- TLS_RSA_WITH_AES_256_CBC_SHA256

| | | +- TLS_RSA_WITH_AES_256_GCM_SHA384

| | +- Disabled (size=53)

| | +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security

| | +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security

| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security

| | +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security

| | +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'

| | +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Wed, Mar 14, 2018 at 8:43 AM, Lou DeGenaro <lou.degenaro@xxxxxxxxx> wrote:

Still having (likely user error) issues with SSL. I generate my keystore thus:

/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 -keystore /home/webserver/etc/keystore -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh

I run jetty 9.4.8 with java 1.8 and the keystore.

I visit https:/myhost:8443/ using Firefox 52.4.0 (64-bit) and my windows displays: Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Thanks for your advise.

Lou.

On Mon, Mar 12, 2018 at 2:03 AM, Greg Wilkins <gregw@xxxxxxxxxxx> wrote:
Any jetty.keystore.password is not set anywhere? if it is set, is it set to your password?
Try hard coding it in the XML to debug before playing with parameters.

cheers

On 11 March 2018 at 06:48, Lou DeGenaro <lou.degenaro@xxxxxxxxx> wrote:
yep.

On Sat, Mar 10, 2018 at 12:59 PM, John English <john.foreign@xxxxxxxxx> wrote:
On 10/03/2018 16:15, Lou DeGenaro wrote:

<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

The keystore password and truststore password are really the same? Are you sure?

--
John English
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

--
Greg Wilkins <gregw@xxxxxxxxxxx> CTO http://webtide.com

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

Follow-Ups:
- Re: [jetty-users] keystore
  - From: Lou DeGenaro

References:
- [jetty-users] keystore
  - From: Lou DeGenaro
- Re: [jetty-users] keystore
  - From: John English
- Re: [jetty-users] keystore
  - From: Lou DeGenaro
- Re: [jetty-users] keystore
  - From: Greg Wilkins
- Re: [jetty-users] keystore
  - From: Lou DeGenaro

Prev by Date: Re: [jetty-users] keystore
Next by Date: Re: [jetty-users] keystore
Previous by thread: Re: [jetty-users] keystore
Next by thread: Re: [jetty-users] keystore
Index(es):
- Date
- Thread

Breadcrumbs