
I'm trying to get "embedded" Jetty working with https.

Java Info:

/opt/ducc/test/java/jdk-11.0.3+7/bin/java -version

openjdk version "11.0.3" 2019-04-16

Jetty Info:

ls

jetty-distribution-9.4.6.v20170531

Keystore Info:

[ducc@ducc-master-1 resource]$ keytool -list -keystore keystore
Enter keystore password:

Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 3 entries

root, Jul 23, 2019, trustedCertEntry, Certificate fingerprint (SHA1): 66:7C:48:44:D0:B6:0B:EF:1A:F7:ED:D5:2D:C3:55:76:B0:1A:02:73
intermediate, Jul 23, 2019, trustedCertEntry, Certificate fingerprint (SHA1): F0:46:B4:00:B8:52:24:6E:A2:94:6B:17:CE:83:23:49:54:9A:3A:49
ducc-master-1.sl.cloud9.ibm.com, Jul 23, 2019, trustedCertEntry, Certificate fingerprint (SHA1): D9:0C:9D:A8:A5:C9:81:E9:04:AF:55:63:73:9B:E4:8D:3C:FF:12:C2

Jetty server code:

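/**
 * Starts an HTTPS-only embedded Jetty server on port 57081 and blocks until it stops.
 *
 * <p>The keystore path and password are read from the environment when present
 * ({@code JETTY_KEYSTORE}, {@code JETTY_KEYSTORE_PASSWORD}); the literals below are
 * only fallbacks so the password does not have to be committed in source.
 *
 * @param args ignored
 */
public static void main(String[] args) {
    try {
        Server server = new Server();
        server.setHandler(new HelloWorld());

        int portHttps = 57081;
        // Prefer the environment over an in-source literal for the keystore secret.
        String pw = System.getenv().getOrDefault("JETTY_KEYSTORE_PASSWORD", "xxxxxxxx");
        String keystore = System.getenv().getOrDefault("JETTY_KEYSTORE", "/opt/ducc/test/resource/keystore");

        // NOTE(review): the keystore must contain a PrivateKeyEntry (the server certificate
        // together with its private key). The listings above show only trustedCertEntry
        // items, and the debug log reports "Chose alias null", i.e. the key manager found
        // no key to serve; that is the likely cause of "no cipher suites in common".
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath(keystore);
        sslContextFactory.setKeyStorePassword(pw);
        sslContextFactory.setKeyManagerPassword(pw);

        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSecureScheme("https");
        httpConfig.setSecurePort(portHttps);

        // SecureRequestCustomizer marks requests arriving on this connector as secure.
        HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory, "http/1.1"),
            new HttpConnectionFactory(httpsConfig));
        https.setPort(portHttps);

        // Register the connector exactly once: the original called setConnectors() and then
        // addConnector() with the same instance, so the server listed it twice.
        server.setConnectors(new Connector[] { https });

        server.start();
        server.join();
    } catch (Exception e) {
        e.printStackTrace();
        // Exit non-zero so a failed start is visible to whatever launched the process.
        System.exit(1);
    }
}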

Jetty log file snippet, showing error:

2019-07-23 07:04:18.357:DBUG:oejis.SslConnection:qtp1008531893-35: filled b[0]= SslConnection@98e9b6f4{NEED_TASK,eio=0/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}<-SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,OPEN,fill=-,flush=-,to=2/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NEED_TASK,eio=0/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null} 2019-07-23 07:04:18.357:DBUG:oejus.SslContextFactory:qtp1008531893-35: SNI matching for type=host_name (0), value=ducc-master-1.sl.cloud9.ibm.com 2019-07-23 07:04:18.357:DBUG:oejus.SslContextFactory:qtp1008531893-35: SNI matched ducc-master-1.sl.cloud9.ibm.com->null 2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/EC on sun.security.ssl.SSLEngineImpl@58859874 2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/EC on sun.security.ssl.SSLEngineImpl@58859874 2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSA on sun.security.ssl.SSLEngineImpl@58859874 2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSASSA-PSS on sun.security.ssl.SSLEngineImpl@58859874 2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSA on sun.security.ssl.SSLEngineImpl@58859874 2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSA on sun.security.ssl.SSLEngineImpl@58859874 2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSASSA-PSS on sun.security.ssl.SSLEngineImpl@58859874 2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSA on 
sun.security.ssl.SSLEngineImpl@58859874 2019-07-23 07:04:18.360:DBUG:oejis.SslConnection:qtp1008531893-35: shutdownOutput: oshut=false, ishut=true SslConnection@98e9b6f4{NEED_WRAP,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}<-SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,OPEN,fill=-,flush=-,to=5/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NEED_WRAP,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null} 2019-07-23 07:04:18.360:DBUG:oejis.SslConnection:qtp1008531893-35: flush b[0]= SslConnection@98e9b6f4{NEED_WRAP,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}<-SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,OPEN,fill=-,flush=-,to=5/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NEED_WRAP,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null} 2019-07-23 07:04:18.361:DBUG:oejis.SslConnection:qtp1008531893-35: wrap Status = CLOSED HandshakeStatus = NOT_HANDSHAKING bytesConsumed = 0 bytesProduced = 7 sequenceNumber = 0 SslConnection@98e9b6f4{NOT_HANDSHAKING,eio=-1/7,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}<-SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,OPEN,fill=-,flush=-,to=6/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NOT_HANDSHAKING,eio=-1/7,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null} 2019-07-23 
07:04:18.361:DBUG:oeji.ChannelEndPoint:qtp1008531893-35: flushed 7 SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,OPEN,fill=-,flush=-,to=6/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NOT_HANDSHAKING,eio=-1/0,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null} 2019-07-23 07:04:18.361:DBUG:oeji.ChannelEndPoint:qtp1008531893-35: doClose SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,CLOSED,fill=-,flush=-,to=0/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NOT_HANDSHAKING,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null} 2019-07-23 07:04:18.361:DBUG:oeji.WriteFlusher:qtp1008531893-35: ignored: WriteFlusher@95ef7348{IDLE}->null java.nio.channels.ClosedChannelException 2019-07-23 07:04:18.361:DBUG:oeji.FillInterest:qtp1008531893-35: FillInterest@f9b047db{false,null} onClose null 2019-07-23 07:04:18.361:DBUG:oeji.ManagedSelector:qtp1008531893-35: Queued change org.eclipse.jetty.io.ManagedSelector$$Lambda$83/0000000088041510@389822c0 on org.eclipse.jetty.io.ManagedSelector@4e9e4706 id=3 keys=1 selected=0 2019-07-23 07:04:18.361:DBUG:oeji.WriteFlusher:qtp1008531893-35: ignored: WriteFlusher@7a814014{IDLE}->null javax.net.ssl.SSLHandshakeException: no cipher suites in common 2019-07-23 07:04:18.361:DBUG:oeji.ManagedSelector:qtp1008531893-28: Selector loop woken up from select, 0/0 selected 2019-07-23 07:04:18.361:DBUG:oejuts.EatWhatYouKill:qtp1008531893-28: EatWhatYouKill@f9f67448/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@a52dbf0e/PRODUCING/1/1->IDLE/0/1 EPC! 
org.eclipse.jetty.io.ManagedSelector$$Lambda$83/0000000088041510@389822c0 2019-07-23 07:04:18.361:DBUG:oejut.QueuedThreadPool:qtp1008531893-28: queue EatWhatYouKill@f9f67448/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@a52dbf0e/PRODUCING/0/1 2019-07-23 07:04:18.361:DBUG:oejuts.EatWhatYouKill:qtp1008531893-32: EatWhatYouKill@f9f67448/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@a52dbf0e/PRODUCING/0/1 produce non-blocking 2019-07-23 07:04:18.361:DBUG:oejut.InvocableInvocableExecutor:qtp1008531893-28: org.eclipse.jetty.util.thread.Invocable$InvocableExecutor@9918488e invoke org.eclipse.jetty.io.ManagedSelector$$Lambda$83/0000000088041510@389822c0 2019-07-23 07:04:18.361:DBUG:oeji.ManagedSelector:qtp1008531893-32: Selector loop waiting on select 2019-07-23 07:04:18.361:DBUG:oejut.QueuedThreadPool:qtp1008531893-40: run EatWhatYouKill@f9f67448/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@a52dbf0e/PRODUCING/0/1 2019-07-23 07:04:18.361:DBUG:oejs.HttpConnection:qtp1008531893-35: javax.net.ssl.SSLHandshakeException: no cipher suites in common at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255) at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:461) at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:294) at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436) at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1101) at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:851) at 
java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:810) at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052) at java.base/java.security.AccessController.doPrivileged(AccessController.java:739) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999) at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:747) at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:322) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:231) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110) at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:289) at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:149) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110) at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124) at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:128) at org.eclipse.jetty.util.thread.Invocable$InvocableExecutor.invoke(Invocable.java:222) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:294) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:199) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:673) at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:591) at java.base/java.lang.Thread.run(Thread.java:825) 2019-07-23 07:04:18.361:DBUG:oeji.ManagedSelector:qtp1008531893-28: Destroyed 
SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,CLOSED,fill=-,flush=-,to=0/30000}{io=0/0,kio=-1,kro=-1}->SslConnection@98e9b6f4{NOT_HANDSHAKING,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null} 2019-07-23 07:04:18.361:DBUG:oejuts.EatWhatYouKill:qtp1008531893-40: EatWhatYouKill@f9f67448/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@a52dbf0e/PRODUCING/0/1 run

Please suggest what I may be doing wrong. Consider me a newbie with respect to certificates+security.

=====

Switched to using OpenJdk keytool to create keystore.

[ducc@ducc-master-1 test]$ /opt/ducc/test/java/jdk-11.0.3+7/bin/keytool -list -keystore resource/keystore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

ducc-master-1, Jul 23, 2019, trustedCertEntry, Certificate fingerprint (SHA-256): 6C:C5:9F:CD:E6:DD:79:BE:46:72:7A:08:7E:73:0F:4F:01:C3:EA:9E:6D:37:62:99:32:0B:1B:EE:FC:A5:84:72
root, Jul 23, 2019, trustedCertEntry, Certificate fingerprint (SHA-256): EC:8B:BD:C4:2A:9C:FD:AF:7D:02:94:11:50:16:C2:A8:2B:F7:3E:6B:4C:24:46:0E:75:EC:A9:FA:A6:A2:42:EB
intermediate, Jul 23, 2019, trustedCertEntry, Certificate fingerprint (SHA-256): F0:4E:33:1A:B5:4C:8D:F0:ED:E7:AB:1B:67:0B:ED:BB:D1:3C:6F:52:4B:D9:B4:09:F6:CA:03:AC:35:81:04:C8

No Improvement.

2019-07-23 08:37:18.146:DBUG:oeji.ManagedSelector:qtp-1083415165-41: Destroyed SocketChannelEndPoint@79c59b3e{/9.74.14.171:43406<->/9.59.193.91:57081,CLOSED,fill=-,flush=-,to=1/30000}{io=0/0,kio=-1,kro=-1}->SslConnection@a175c2a2{NOT_HANDSHAKING,eio=-1/-1,di=-1}=>HttpConnection@634a6259[p=HttpParser{s=START,0 of 0},g=HttpGenerator@2d97796{s=START}]=>HttpChannelOverHttp@a0ea7c17{r=0,c=false,a=IDLE,uri=null} 2019-07-23 08:37:18.145:DBUG:oejs.HttpConnection:qtp-1083415165-32: javax.net.ssl.SSLHandshakeException: no cipher suites in common at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308) ...



The IBMJCE based keystore is the first problem you'll need to address.

Since you are using the OpenJDK 11.0.3 JVM (not the IBM one) you'll need the various IBM JCE provider jars and then configure the standard java security Provider to use them.

Past answer on this: https://stackoverflow.com/a/18093554/775715

Also note that SslContextFactory.setProvider(String providerName) exists, and is Jetty specific for the SslContextFactory that the HTTPS and HTTP2 connectors use.

You might think it would be easier to use the IBM JVM instead, but be aware that you'll have even more work configuring things to get it working as the IBM JVM does not use the RFC standard names for the protocols and cipher suites.

See: https://github.com/eclipse/jetty.project/issues/2921

Honestly, the best thing you can do for yourself is to migrate those keys to a new keystore that is based on either PKCS12 (preferred) or JKS (supported out of the box) instead.

  • You point out that I have mixed metaphors. So I switched to using OpenJdk keytool to create keystore. No improvement. – user2133121 Jul 23 '19 at 13:42
  • See above. Used OpenJdk keytool to generate keystore, and OpenJdk JVM to run Jetty webserver. Still I seem to be doing something wrong... – user2133121 Jul 23 '19 at 15:24
  • "No cipher suites in common" usually points at an attempt to use a client that doesn't support TLSv1.2, but only supports the vulnerable (and disabled) protocols/cipher suites before TLSv1.2, such as TLSv1.1 or TLSv1.0 or even SSLv3. In order to allow vulnerable cipher suites, you'll have to configure the SslContextFactory (and Java itself in many cases) to allow vulnerable cipher suites and protocols. – Joakim Erdfelt Jul 23 '19 at 15:53
  • Are you saying that OpenJdk supports only vulnerable cipher suites? The client of the jetty server is Google Chrome Version 75.0.3770.100 (Official Build) (64-bit). – user2133121 Jul 23 '19 at 15:59
  • no, the opposite in fact - https://java.com/en/jre-jdk-cryptoroadmap.html - https://github.com/eclipse/jetty.project/blob/jetty-9.4.19.v20190610/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L133-L149 – Joakim Erdfelt Jul 23 '19 at 16:00
  • So then if Jetty is using non-vulnerable cipher suites, then Google Chrome is deficient? – user2133121 Jul 23 '19 at 16:04
  • Or your choice of certificates in your keystore. Eg: using a certificate with too small of a keysize, or using an algorithm that is banned. Both of which will result in java's own security.properties in banning that certificate from being used. – Joakim Erdfelt Jul 23 '19 at 16:12
  • Or your keystore contains an incomplete (or invalid) certificate chain. – Joakim Erdfelt Jul 23 '19 at 16:13
  • Same issue for both Chrome and also Firefox 60.7.2esr (64-bit). Something I need to add to OpenJdk to or Jetty config to enable? – user2133121 Jul 23 '19 at 16:13
  • Or your certificate is signed by a CA that is banned in both browsers (e.g. Symantec). – Joakim Erdfelt Jul 23 '19 at 16:14
  • I could believe that I have issues with my certificate or transformation into keystore and/or with intermediate and root certs. Not sure how to debug that... – user2133121 Jul 23 '19 at 16:16
  • [ducc@ducc-master-1 downloads]$ openssl verify -trusted CA.pem cert.pem cert.pem: OK – user2133121 Jul 23 '19 at 16:20
  • CA.pem contains the concatenation of the intermediate and root certs. I then converted all 3 of these certs into .der format and put them into my keystore using the OpenJdk keytool. – user2133121 Jul 23 '19 at 16:22
  • And the OpenJdk generated keystore is now PKCS12 shown above, as suggested above. – user2133121 Jul 23 '19 at 16:26
  • Still stuck, hoping for suggestions on what else to try. I have a certificate that validates with the openssl command. I create a PKCS12 keystore using OpenJdk comprising the certificate itself as well as the same intermediate and root certificates used in the openssl verify command. I specify said keystore to Jetty. Error is "no cipher suites in common". – user2133121 Jul 23 '19 at 19:29