Re: [jetty-users] keystore

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] keystore

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Date: Wed, 14 Mar 2018 10:23:48 -0500
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

Your server has no handlers, none, completely empty.

Perhaps you missed the ...

server.setHandler(resourceHandler);

Better yet, use ...

HandlerList handlers = new HandlerList();

handlers.addHandler(resourceHandler);

handlers.addHandler(new DefaultHandler()); // always last

server.setHandler(handlers);

Also, add this before your server.start();

server.setDumpAfterStart(true);

server.start();

server.join();

That should produce the dump I mentioned in the prior email.

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Wed, Mar 14, 2018 at 9:55 AM, Lou DeGenaro <lou.degenaro@xxxxxxxxx> wrote:

Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

> NO. I'm using vanilla jetty as shipped. Is there something else I need to do?

Code shown below.

Thanks.

Lou.

    private void server_main(String[] args) {
        try {
            // === jetty.xml ===

            // Setup Threadpool
            QueuedThreadPool threadPool = new QueuedThreadPool();
            threadPool.setMaxThreads(max_threads);

            // Server
            server = new Server(threadPool);

            // Scheduler
            server.addBean(new ScheduledExecutorScheduler());

            // === jetty-http.xml ===
            ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
            http.setPort(port_http);
            http.setIdleTimeout(idle_timeout);
            server.addConnector(http);

            // === jetty-https.xml ===
            // SSL Context Factory
            SslContextFactory sslContextFactory = new SslContextFactory();

            HttpConfiguration http_config = new HttpConfiguration();
             http_config.setSecureScheme("https");
             http_config.setSecurePort(port_https);

            HttpConfiguration https_config = new HttpConfiguration(http_config);
            https_config.addCustomizer(new SecureRequestCustomizer());

            ServerConnector https = new ServerConnector(server,
                 new SslConnectionFactory(sslContextFactory,"http/1.1"),
                 new HttpConnectionFactory(https_config));

            https.setPort(port_https);
            sslContextFactory.setKeyStorePath(keystore);

            sslContextFactory.setKeyStorePassword(keystore_password);
            sslContextFactory.setKeyManagerPassword(keymanager_password);

            server.setConnectors(new Connector[] { http });
            server.addConnector(https);

            //
            ResourceHandler resourceHandler = new ResourceHandler();
            resourceHandler.setDirectoriesListed(true);
            resourceHandler.setResourceBase(jetty_server_root);

            server.start();
            server.join();
        }
        catch(Exception e) {
            e.printStackTrace();
        }
    }

On Wed, Mar 14, 2018 at 10:44 AM, Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

If you enable the jetty startup dump you'll see the list of enabled cipher suites and protocols that Jetty is running with (including the reason why a specific available protocol or cipher suite is disabled).

$ java -jar /path/to/my/jetty-home/start.jar jetty.server.dumpAfterStart=true

Example output:

| += SslConnectionFactory@51c668e3{SSL->http/1.1} - STARTED
| | += SslContextFactory@19f040ba[provider=null,keyStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore,trustStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore] trustAll=false
| | +- Protocol Selections
| | | +- Enabled (size=3)
| | | | +- TLSv1
| | | | +- TLSv1.1
| | | | +- TLSv1.2
| | | +- Disabled (size=2)
| | | +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
| | | +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
| | +- Cipher Suite Selections
| | +- Enabled (size=29)
| | | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
| | | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
| | | +- TLS_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_256_GCM_SHA384
| | +- Disabled (size=53)
| | +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
| | +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Wed, Mar 14, 2018 at 8:43 AM, Lou DeGenaro <lou.degenaro@xxxxxxxxx> wrote:
Still having (likely user error) issues with SSL. I generate my keystore thus:

/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 -keystore /home/webserver/etc/keystore -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh

I run jetty 9.4.8 with java 1.8 and the keystore.

I visit https:/myhost:8443/ using Firefox 52.4.0 (64-bit) and my windows displays: Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Thanks for your advise.

Lou.

On Mon, Mar 12, 2018 at 2:03 AM, Greg Wilkins <gregw@xxxxxxxxxxx> wrote:
Any jetty.keystore.password is not set anywhere? if it is set, is it set to your password?
Try hard coding it in the XML to debug before playing with parameters.

cheers

On 11 March 2018 at 06:48, Lou DeGenaro <lou.degenaro@xxxxxxxxx> wrote:
yep.

On Sat, Mar 10, 2018 at 12:59 PM, John English <john.foreign@xxxxxxxxx> wrote:
On 10/03/2018 16:15, Lou DeGenaro wrote:

<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

The keystore password and truststore password are really the same? Are you sure?

--
John English
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

--
Greg Wilkins <gregw@xxxxxxxxxxx> CTO http://webtide.com

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

Follow-Ups:
- Re: [jetty-users] keystore
  - From: Lou DeGenaro

References:
- [jetty-users] keystore
  - From: Lou DeGenaro
- Re: [jetty-users] keystore
  - From: John English
- Re: [jetty-users] keystore
  - From: Lou DeGenaro
- Re: [jetty-users] keystore
  - From: Greg Wilkins
- Re: [jetty-users] keystore
  - From: Lou DeGenaro
- Re: [jetty-users] keystore
  - From: Joakim Erdfelt
- Re: [jetty-users] keystore
  - From: Lou DeGenaro

Prev by Date: Re: [jetty-users] keystore
Next by Date: Re: [jetty-users] keystore
Previous by thread: Re: [jetty-users] keystore
Next by thread: Re: [jetty-users] keystore
Index(es):
- Date
- Thread

Breadcrumbs