Issue running embedded jetty on SSL

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Issue running embedded jetty on SSL

vickytaurus
This post has NOT been accepted by the mailing list yet.
0
down vote
favorite
I am trying to run SSL with embedded jetty latest version(9.4.x).Followed following steps: 1. created a jetty.xml with following contents

<Configure id="Server" class="org.eclipse.jetty.server.Server">

   
    <Get name="ThreadPool">
      <Set name="minThreads" type="int"><Property name="jetty.threadPool.minThreads" deprecated="threads.min" default="10"/></Set>
      <Set name="maxThreads" type="int"><Property name="jetty.threadPool.maxThreads" deprecated="threads.max" default="200"/></Set>
      <Set name="idleTimeout" type="int"><Property name="jetty.threadPool.idleTimeout" deprecated="threads.timeout" default="60000"/></Set>
      <Set name="detailedDump">false</Set>
    </Get>

   
   
   
    <Call name="addBean">
      <Arg>
        <New class="org.eclipse.jetty.util.thread.ScheduledExecutorScheduler"/>
      </Arg>
    </Call>

   
    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      <Set name="secureScheme"><Property name="jetty.httpConfig.secureScheme" default="https" /></Set>
      <Set name="securePort"><Property name="jetty.httpConfig.securePort" deprecated="jetty.secure.port" default="8443" />8447</Set>
      <Set name="outputBufferSize"><Property name="jetty.httpConfig.outputBufferSize" deprecated="jetty.output.buffer.size" default="32768" /></Set>
      <Set name="outputAggregationSize"><Property name="jetty.httpConfig.outputAggregationSize" deprecated="jetty.output.aggregation.size" default="8192" /></Set>
      <Set name="requestHeaderSize"><Property name="jetty.httpConfig.requestHeaderSize" deprecated="jetty.request.header.size" default="8192" /></Set>
      <Set name="responseHeaderSize"><Property name="jetty.httpConfig.responseHeaderSize" deprecated="jetty.response.header.size" default="8192" /></Set>
      <Set name="sendServerVersion"><Property name="jetty.httpConfig.sendServerVersion" deprecated="jetty.send.server.version" default="true" /></Set>
      <Set name="sendDateHeader"><Property name="jetty.httpConfig.sendDateHeader" deprecated="jetty.send.date.header" default="false" /></Set>
      <Set name="headerCacheSize"><Property name="jetty.httpConfig.headerCacheSize" default="512" /></Set>
      <Set name="delayDispatchUntilContent"><Property name="jetty.httpConfig.delayDispatchUntilContent" deprecated="jetty.delayDispatchUntilContent" default="true"/></Set>
      <Set name="maxErrorDispatches"><Property name="jetty.httpConfig.maxErrorDispatches" default="10"/></Set>
      <Set name="blockingTimeout"><Property name="jetty.httpConfig.blockingTimeout" default="-1"/></Set>
      <Set name="persistentConnectionsEnabled"><Property name="jetty.httpConfig.persistentConnectionsEnabled" default="true"/></Set>
    </New>

   
    <Set name="handler">
      <New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
        <Set name="handlers">
         <Array type="org.eclipse.jetty.server.Handler">
           <Item>
             <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
           </Item>
           <Item>
             <New id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler"/>
           </Item>
         </Array>
        </Set>
      </New>
    </Set>

   
   
   
    <Set name="stopAtShutdown"><Property name="jetty.server.stopAtShutdown" default="true"/></Set>
    <Set name="stopTimeout"><Property name="jetty.server.stopTimeout" default="5000"/></Set>
    <Set name="dumpAfterStart"><Property name="jetty.server.dumpAfterStart" deprecated="jetty.dump.start" default="false"/></Set>
    <Set name="dumpBeforeStop"><Property name="jetty.server.dumpBeforeStop" deprecated="jetty.dump.stop" default="false"/></Set>

  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
          <Arg name="stsMaxAgeSeconds" type="int"><Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
          <Arg name="stsIncludeSubdomains" type="boolean"><Property name="jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
        </New>
      </Arg>
    </Call>
  </New>
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath">trust.jks</Set>
    <Set name="KeyStorePassword">testpwd</Set>
    <Set name="KeyManagerPassword">testpwd</Set>
    <Set name="TrustStorePath">trust.jks</Set>
    <Set name="TrustStorePassword">testpwd</Set>
    <Set name="EndpointIdentificationAlgorithm"/>
        <Set name="keyStoreType">JKS</Set>
        <Set name="keyStoreProvider">SUN</Set>
        <Set name="trustStoreType">JKS</Set>

        <Set name="renegotiationAllowed">true</Set>
        <Set name="includeProtocols">
                <Array type="java.lang.String">
            <Item>SSLv2Hello</Item>
            <Item>SSLv3</Item>
                        <Item>TLSv1</Item>
                        <Item>TLSv1.1</Item>
                        <Item>TLSv1.2</Item>
          </Array>
        </Set>
             <Set name="IncludeCipherSuites">
          <Array type="java.lang.String">
                        <item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</item>
                        <item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</item>
                        <item>TLS_RSA_WITH_AES_128_CBC_SHA256</item>
                        <item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256</item>
                        <item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256</item>
                        <item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</item>
                        <item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</item>
                        <item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</item>
                        <item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</item>
                        <item>TLS_RSA_WITH_AES_128_CBC_SHA</item>
                        <item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</item>
                        <item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</item>
                        <item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</item>
                        <item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</item>
                        <item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</item>
                        <item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</item>
                        <item>TLS_RSA_WITH_AES_128_GCM_SHA256</item>
                        <item>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</item>
                        <item>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256</item>
                        <item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</item>
                        <item>TLS_DHE_DSS_WITH_AES_128_GCM_SHA256</item>
                        <item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</item>
                        <item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</item>
                        <item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</item>
                        <item>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</item>
                        <item>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</item>
                        <item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</item>
                        <item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</item>
                        <item>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</item>
                        <item>TLS_DH_anon_WITH_AES_128_GCM_SHA256</item>
                        <item>TLS_DH_anon_WITH_AES_128_CBC_SHA256</item>
                        <item>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</item>
                        <item>TLS_DH_anon_WITH_AES_128_CBC_SHA</item>
                        <item>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</item>
                        <item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</item>
                        <item>SSL_RSA_WITH_DES_CBC_SHA</item>
                        <item>SSL_DHE_RSA_WITH_DES_CBC_SHA</item>
                        <item>SSL_DHE_DSS_WITH_DES_CBC_SHA</item>
                        <item>SSL_DH_anon_WITH_DES_CBC_SHA</item>
                        <item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</item>
                        <item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</item>
                        <item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</item>
                        <item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</item>
                        <item>TLS_RSA_WITH_NULL_SHA256</item>
                        <item>TLS_ECDHE_ECDSA_WITH_NULL_SHA</item>
                        <item>TLS_ECDHE_RSA_WITH_NULL_SHA</item>
                        <item>SSL_RSA_WITH_NULL_SHA</item>
                        <item>TLS_ECDH_ECDSA_WITH_NULL_SHA</item>
                        <item>TLS_ECDH_RSA_WITH_NULL_SHA</item>
                        <item>TLS_ECDH_anon_WITH_NULL_SHA</item>
                        <item>SSL_RSA_WITH_NULL_MD5</item>
                        <item>TLS_KRB5_WITH_3DES_EDE_CBC_SHA</item>
                        <item>TLS_KRB5_WITH_3DES_EDE_CBC_MD5</item>
                        <item>TLS_KRB5_WITH_DES_CBC_SHA</item>
                        <item>TLS_KRB5_WITH_DES_CBC_MD5</item>
                        <item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</item>
                        <item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</item>
          </Array>
        </Set>
</New>

  <Call name="addConnector">
    <Arg>
      <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property name="jetty.ssl.acceptors" deprecated="ssl.acceptors" default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property name="jetty.ssl.selectors" deprecated="ssl.selectors" default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
           <Item>
                        <New class="org.eclipse.jetty.server.SslConnectionFactory">
                            <Arg name="next">http/1.1</Arg>
                            <Arg name="sslContextFactory">
                                <Ref refid="sslContextFactory"/>
                            </Arg>
                        </New>
                    </Item>
          </Array>
        </Arg>

        <Set name="host">192.168.10.129</Set>
        <Set name="port">8080</Set>
        <Set name="idleTimeout"><Property name="jetty.ssl.idleTimeout" deprecated="ssl.timeout" default="30000"/></Set>
        <Set name="soLingerTime"><Property name="jetty.ssl.soLingerTime" deprecated="ssl.soLingerTime" default="-1"/></Set>
        <Set name="acceptorPriorityDelta"><Property name="jetty.ssl.acceptorPriorityDelta" deprecated="ssl.acceptorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property name="jetty.ssl.acceptQueueSize" deprecated="ssl.acceptQueueSize" default="0"/></Set>
               
      </New>
    </Arg>
  </Call>
</Configure>

2.created certificate with following commands:
keytool -genkey -alias jetty -keyalg RSA -keysize 1024 -validity 365 -keypass testpwd -keystore identity.jks -storepass testpwd
keytool -export -alias jetty -file root.cer -keystore identity.jks -storepass testpwd
keytool -import -alias jetty -file root.cer -keystore trust.jks -storepass testpwd
created jetty-runner jar using jetty-runner maven plugin
running jetty runner with following commad: java -Dsun.security.ssl.allowUnsafeRenegotiation=true -Djavax.net.debug=all -Djavax.net.debug=all:handshake:verbose -jar jetty-runner.jar --config jetty.xml my.war
Server is up as shown in the log file on the specified port and SSL, but when trying to open on browser or any http client is throwing handshake error. javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake. Caused by: java.io.EOFException: SSL peer shut down incorrectly.

Please help. Thanks