I'm trying to get "embedded" Jetty working with https.
Java Info:

    /opt/ducc/test/java/jdk-11.0.3+7/bin/java -version
    openjdk version "11.0.3" 2019-04-16

Jetty Info:

    ls
    jetty-distribution-9.4.6.v20170531

Keystore Info:

    [ducc@ducc-master-1 resource]$ keytool -list -keystore keystore
    Enter keystore password:
    Keystore type: jks
    Keystore provider: IBMJCE
    Your keystore contains 3 entries
    root, Jul 23, 2019, trustedCertEntry,
    Certificate fingerprint (SHA1): 66:7C:48:44:D0:B6:0B:EF:1A:F7:ED:D5:2D:C3:55:76:B0:1A:02:73
    intermediate, Jul 23, 2019, trustedCertEntry,
    Certificate fingerprint (SHA1): F0:46:B4:00:B8:52:24:6E:A2:94:6B:17:CE:83:23:49:54:9A:3A:49
    ducc-master-1.sl.cloud9.ibm.com, Jul 23, 2019, trustedCertEntry,
    Certificate fingerprint (SHA1): D9:0C:9D:A8:A5:C9:81:E9:04:AF:55:63:73:9B:E4:8D:3C:FF:12:C2

Jetty server code:
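
    import org.eclipse.jetty.server.Connector;
    import org.eclipse.jetty.server.HttpConfiguration;
    import org.eclipse.jetty.server.HttpConnectionFactory;
    import org.eclipse.jetty.server.SecureRequestCustomizer;
    import org.eclipse.jetty.server.Server;
    import org.eclipse.jetty.server.ServerConnector;
    import org.eclipse.jetty.server.SslConnectionFactory;
    import org.eclipse.jetty.util.ssl.SslContextFactory;

    public static void main(String[] args) {
        try {
            Server server = new Server();
            server.setHandler(new HelloWorld());
            int portHttps = 57081;
            String pw = "xxxxxxxx";
            SslContextFactory sslContextFactory = new SslContextFactory();
            String keystore = "/opt/ducc/test/resource/keystore";
            // HTTP configuration shared by the HTTPS connector
            HttpConfiguration http_config = new HttpConfiguration();
            http_config.setSecureScheme("https");
            http_config.setSecurePort(portHttps);
            HttpConfiguration https_config = new HttpConfiguration(http_config);
            https_config.addCustomizer(new SecureRequestCustomizer());
            // TLS connector: SSL layer first, then HTTP/1.1 on top of it
            ServerConnector https = new ServerConnector(server,
                    new SslConnectionFactory(sslContextFactory, "http/1.1"),
                    new HttpConnectionFactory(https_config));
            https.setPort(portHttps);
            // The server's key material is loaded from this keystore
            sslContextFactory.setKeyStorePath(keystore);
            sslContextFactory.setKeyStorePassword(pw);
            sslContextFactory.setKeyManagerPassword(pw);
            server.setConnectors(new Connector[] { https });
            // Redundant: setConnectors() above already registered this connector
            server.addConnector(https);
            server.start();
            server.join();
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
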
Jetty log file snippet, showing error:

    2019-07-23 07:04:18.357:DBUG:oejis.SslConnection:qtp1008531893-35: filled b[0]= SslConnection@98e9b6f4{NEED_TASK,eio=0/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}<-SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,OPEN,fill=-,flush=-,to=2/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NEED_TASK,eio=0/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}
    2019-07-23 07:04:18.357:DBUG:oejus.SslContextFactory:qtp1008531893-35: SNI matching for type=host_name (0), value=ducc-master-1.sl.cloud9.ibm.com
    2019-07-23 07:04:18.357:DBUG:oejus.SslContextFactory:qtp1008531893-35: SNI matched ducc-master-1.sl.cloud9.ibm.com->null
    2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/EC on sun.security.ssl.SSLEngineImpl@58859874
    2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/EC on sun.security.ssl.SSLEngineImpl@58859874
    2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSA on sun.security.ssl.SSLEngineImpl@58859874
    2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSASSA-PSS on sun.security.ssl.SSLEngineImpl@58859874
    2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSA on sun.security.ssl.SSLEngineImpl@58859874
    2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSA on sun.security.ssl.SSLEngineImpl@58859874
    2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSASSA-PSS on sun.security.ssl.SSLEngineImpl@58859874
    2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1008531893-35: Chose alias null/RSA on sun.security.ssl.SSLEngineImpl@58859874
    2019-07-23 07:04:18.360:DBUG:oejis.SslConnection:qtp1008531893-35: shutdownOutput: oshut=false, ishut=true SslConnection@98e9b6f4{NEED_WRAP,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}<-SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,OPEN,fill=-,flush=-,to=5/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NEED_WRAP,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}
    2019-07-23 07:04:18.360:DBUG:oejis.SslConnection:qtp1008531893-35: flush b[0]= SslConnection@98e9b6f4{NEED_WRAP,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}<-SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,OPEN,fill=-,flush=-,to=5/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NEED_WRAP,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}
    2019-07-23 07:04:18.361:DBUG:oejis.SslConnection:qtp1008531893-35: wrap Status = CLOSED HandshakeStatus = NOT_HANDSHAKING bytesConsumed = 0 bytesProduced = 7 sequenceNumber = 0 SslConnection@98e9b6f4{NOT_HANDSHAKING,eio=-1/7,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}<-SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,OPEN,fill=-,flush=-,to=6/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NOT_HANDSHAKING,eio=-1/7,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}
    2019-07-23 07:04:18.361:DBUG:oeji.ChannelEndPoint:qtp1008531893-35: flushed 7 SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,OPEN,fill=-,flush=-,to=6/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NOT_HANDSHAKING,eio=-1/0,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}
    2019-07-23 07:04:18.361:DBUG:oeji.ChannelEndPoint:qtp1008531893-35: doClose SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,CLOSED,fill=-,flush=-,to=0/30000}{io=0/0,kio=0,kro=1}->SslConnection@98e9b6f4{NOT_HANDSHAKING,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}
    2019-07-23 07:04:18.361:DBUG:oeji.WriteFlusher:qtp1008531893-35: ignored: WriteFlusher@95ef7348{IDLE}->null java.nio.channels.ClosedChannelException
    2019-07-23 07:04:18.361:DBUG:oeji.FillInterest:qtp1008531893-35: FillInterest@f9b047db{false,null} onClose null
    2019-07-23 07:04:18.361:DBUG:oeji.ManagedSelector:qtp1008531893-35: Queued change org.eclipse.jetty.io.ManagedSelector$$Lambda$83/0000000088041510@389822c0 on org.eclipse.jetty.io.ManagedSelector@4e9e4706 id=3 keys=1 selected=0
    2019-07-23 07:04:18.361:DBUG:oeji.WriteFlusher:qtp1008531893-35: ignored: WriteFlusher@7a814014{IDLE}->null javax.net.ssl.SSLHandshakeException: no cipher suites in common
    2019-07-23 07:04:18.361:DBUG:oeji.ManagedSelector:qtp1008531893-28: Selector loop woken up from select, 0/0 selected
    2019-07-23 07:04:18.361:DBUG:oejuts.EatWhatYouKill:qtp1008531893-28: EatWhatYouKill@f9f67448/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@a52dbf0e/PRODUCING/1/1->IDLE/0/1 EPC! org.eclipse.jetty.io.ManagedSelector$$Lambda$83/0000000088041510@389822c0
    2019-07-23 07:04:18.361:DBUG:oejut.QueuedThreadPool:qtp1008531893-28: queue EatWhatYouKill@f9f67448/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@a52dbf0e/PRODUCING/0/1
    2019-07-23 07:04:18.361:DBUG:oejuts.EatWhatYouKill:qtp1008531893-32: EatWhatYouKill@f9f67448/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@a52dbf0e/PRODUCING/0/1 produce non-blocking
    2019-07-23 07:04:18.361:DBUG:oejut.InvocableInvocableExecutor:qtp1008531893-28: org.eclipse.jetty.util.thread.Invocable$InvocableExecutor@9918488e invoke org.eclipse.jetty.io.ManagedSelector$$Lambda$83/0000000088041510@389822c0
    2019-07-23 07:04:18.361:DBUG:oeji.ManagedSelector:qtp1008531893-32: Selector loop waiting on select
    2019-07-23 07:04:18.361:DBUG:oejut.QueuedThreadPool:qtp1008531893-40: run EatWhatYouKill@f9f67448/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@a52dbf0e/PRODUCING/0/1
    2019-07-23 07:04:18.361:DBUG:oejs.HttpConnection:qtp1008531893-35: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
        at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:461)
        at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:294)
        at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
        at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1101)
        at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:851)
        at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:810)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:739)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999)
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:747)
        at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:322)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:231)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:289)
        at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:149)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
        at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:128)
        at org.eclipse.jetty.util.thread.Invocable$InvocableExecutor.invoke(Invocable.java:222)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:294)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:199)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:673)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:591)
        at java.base/java.lang.Thread.run(Thread.java:825)
    2019-07-23 07:04:18.361:DBUG:oeji.ManagedSelector:qtp1008531893-28: Destroyed SocketChannelEndPoint@d118e56a{/9.74.14.171:41120<->/9.59.193.91:57081,CLOSED,fill=-,flush=-,to=0/30000}{io=0/0,kio=-1,kro=-1}->SslConnection@98e9b6f4{NOT_HANDSHAKING,eio=-1/-1,di=-1}=>HttpConnection@1fae4192[p=HttpParser{s=START,0 of 0},g=HttpGenerator@10260d78{s=START}]=>HttpChannelOverHttp@3a5da0e8{r=0,c=false,a=IDLE,uri=null}
    2019-07-23 07:04:18.361:DBUG:oejuts.EatWhatYouKill:qtp1008531893-40: EatWhatYouKill@f9f67448/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@a52dbf0e/PRODUCING/0/1 run

Please suggest what I may be doing wrong. Consider me a newbie with respect to certificates+security.
=====
Switched to using OpenJdk keytool to create keystore.

    [ducc@ducc-master-1 test]$ /opt/ducc/test/java/jdk-11.0.3+7/bin/keytool -list -keystore resource/keystore
    Enter keystore password:
    Keystore type: PKCS12
    Keystore provider: SUN
    Your keystore contains 3 entries
    ducc-master-1, Jul 23, 2019, trustedCertEntry,
    Certificate fingerprint (SHA-256): 6C:C5:9F:CD:E6:DD:79:BE:46:72:7A:08:7E:73:0F:4F:01:C3:EA:9E:6D:37:62:99:32:0B:1B:EE:FC:A5:84:72
    root, Jul 23, 2019, trustedCertEntry,
    Certificate fingerprint (SHA-256): EC:8B:BD:C4:2A:9C:FD:AF:7D:02:94:11:50:16:C2:A8:2B:F7:3E:6B:4C:24:46:0E:75:EC:A9:FA:A6:A2:42:EB
    intermediate, Jul 23, 2019, trustedCertEntry,
    Certificate fingerprint (SHA-256): F0:4E:33:1A:B5:4C:8D:F0:ED:E7:AB:1B:67:0B:ED:BB:D1:3C:6F:52:4B:D9:B4:09:F6:CA:03:AC:35:81:04:C8

No Improvement.

    2019-07-23 08:37:18.146:DBUG:oeji.ManagedSelector:qtp-1083415165-41: Destroyed SocketChannelEndPoint@79c59b3e{/9.74.14.171:43406<->/9.59.193.91:57081,CLOSED,fill=-,flush=-,to=1/30000}{io=0/0,kio=-1,kro=-1}->SslConnection@a175c2a2{NOT_HANDSHAKING,eio=-1/-1,di=-1}=>HttpConnection@634a6259[p=HttpParser{s=START,0 of 0},g=HttpGenerator@2d97796{s=START}]=>HttpChannelOverHttp@a0ea7c17{r=0,c=false,a=IDLE,uri=null}
    2019-07-23 08:37:18.145:DBUG:oejs.HttpConnection:qtp-1083415165-32: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
        ...
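
Both keytool listings in the post contain only `trustedCertEntry` items, and the log shows `Chose alias null/...` before `no cipher suites in common`; a TLS server keystore needs a `PrivateKeyEntry` (private key plus its certificate chain) for the key manager to have an alias to pick. The following check is an added example, not part of the original post: the function names and the sample listing and log lines are constructed for illustration, following the formats shown above.

```python
import re

# Entry line of `keytool -list`: "<alias>, <date>, <entry type>,"
ENTRY_RE = re.compile(r"^(?P<alias>.+?), (?P<date>.+), (?P<type>\w+Entry),$")
# Jetty debug line logged when the key manager found no alias for a key type
NULL_ALIAS_RE = re.compile(r"Chose alias null/(?P<keytype>[\w-]+)")

def parse_keytool_list(text):
    """Map alias -> entry type from `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias")] = m.group("type")
    return entries

def diagnose(keytool_output, jetty_log=""):
    """Correlate the keystore listing with the handshake failure in the log."""
    entries = parse_keytool_list(keytool_output)
    key_aliases = sorted(a for a, t in entries.items() if t == "PrivateKeyEntry")
    return {
        "private_key_aliases": key_aliases,
        "key_types_without_alias": sorted(set(NULL_ALIAS_RE.findall(jetty_log))),
        "handshake_failed": "no cipher suites in common" in jetty_log,
        "usable_as_server_keystore": bool(key_aliases),
    }

# Constructed samples in the format shown in the post (fingerprints are placeholders).
CERT_ONLY_LISTING = """\
Keystore type: PKCS12
Your keystore contains 3 entries
ducc-master-1, Jul 23, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
root, Jul 23, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 44:55:66:77
intermediate, Jul 23, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 88:99:AA:BB
"""
# Same listing with the server alias holding a private key instead
WITH_KEY_LISTING = CERT_ONLY_LISTING.replace("trustedCertEntry", "PrivateKeyEntry", 1)
SAMPLE_LOG = """\
2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1-35: Chose alias null/EC on sun.security.ssl.SSLEngineImpl@0
2019-07-23 07:04:18.360:DBUG:oejus.SniX509ExtendedKeyManager:qtp1-35: Chose alias null/RSASSA-PSS on sun.security.ssl.SSLEngineImpl@0
2019-07-23 07:04:18.361:DBUG:oejs.HttpConnection:qtp1-35: javax.net.ssl.SSLHandshakeException: no cipher suites in common
"""

if __name__ == "__main__":
    print(diagnose(CERT_ONLY_LISTING, SAMPLE_LOG))
    print(diagnose(WITH_KEY_LISTING))
```
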