[jetty-dev] server with jetty 9.4.2 no longer accessible from iPhone

Michele Rossi
hi all,

I have recently upgraded our system to the latest Jetty - 9.4.2 - finding that it's no longer possible to connect from an iPhone.
That happens with Safari, Chrome and Firefox (all on their respective latest versions).

From the error message I could tell that the problem is the negotiation of available SSL ciphers.

What has changed in 9.4.X in that area?

And how do I find Jetty changelogs? I have clicked around a while but I had no luck (sorry).

My ssl-tweak file looks like this:

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>.*NULL.*</Item>
      <Item>.*anon.*</Item>
    </Array>
  </Set>

  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSL</Item>
      <Item>SSLv3</Item>
      <Item>SSLv2</Item>
    </Array>
  </Set>
</Configure>


thanks,
Michele

_______________________________________________
jetty-dev mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev
Re: [jetty-dev] server with jetty 9.4.2 no longer accessible from iPhone

Michele Rossi
hi,

this seems to be caused by HTTP2:

09:42:54.256|INFO |gotiatingServerConnection||ALPNServerConnection@4d98f14<-DecryptedEndPoint@1bb2cfdd{/5.170.107.125:3791<->/10.100.216.60:9443,OPEN,fill=-,flush=-,to=19/30000}->ALPNServerConnection@4d98f14->SocketChannelEndPoint@3e5d77ff{/5.170.107.125:3791<->/10.100.216.60:9443,OPEN,fill=-,flush=-,to=0/30000}{io=0/0,kio=0,kro=1}->SslConnection@2b58cd0d{NEED_UNWRAP,eio=-1/-1,di=-1}=>ALPNServerConnection@4d98f14 application selected protocol 'h2-16', but no correspondent org.eclipse.jetty.server.ConnectionFactory has been configured

On my start.ini I have this:

jetty.alpn.protocols=h2-17,h2-16,h2-15,h2-14,h2,http/1.1

Any ideas?

thanks,
Michele

Re: [jetty-dev] server with jetty 9.4.2 no longer accessible from iPhone

Simone Bordet-3
Hi,

On Mon, Mar 6, 2017 at 9:44 AM, Michele Rossi <[hidden email]> wrote:

> hi,
>
> this seems to be caused by HTTP2:
>
> 09:42:54.256|INFO
> |gotiatingServerConnection||ALPNServerConnection@4d98f14<-DecryptedEndPoint@1bb2cfdd{/5.170.107.125:3791<->/10.100.216.60:9443,OPEN,fill=-,flush=-,to=19/30000}->ALPNServerConnection@4d98f14->SocketChannelEndPoint@3e5d77ff{/5.170.107.125:3791<->/10.100.216.60:9443,OPEN,fill=-,flush=-,to=0/30000}{io=0/0,kio=0,kro=1}->SslConnection@2b58cd0d{NEED_UNWRAP,eio=-1/-1,di=-1}=>ALPNServerConnection@4d98f14
> application selected protocol 'h2-16', but no correspondent
> org.eclipse.jetty.server.ConnectionFactory has been configured
>
> On my start.ini I have this:
>
> jetty.alpn.protocols=h2-17,h2-16,h2-15,h2-14,h2,http/1.1
>
> Any ideas?

In 9.4.x we switched to only providing "h2" because most browsers have
picked it up (HTTP/2 is now 2 years old) and draft versions are not
used (much) anymore.

Apparently, iPhone does not keep the pace with others.

What you can do is to specify in jetty-http2.xml the second parameter
to HTTP2ServerConnectionFactory, and reintroduce support for draft
versions.

Right now it is:

<New class="org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory">
  <Arg name="config"><Ref refid="sslHttpConfig"/></Arg>
  ...

You want it to be:

<New class="org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory">
  <Arg name="config"><Ref refid="sslHttpConfig"/></Arg>
  <Arg>
    <Array type="String">
      <Item>h2</Item>
      <Item>h2-16</Item>
    </Array>
  </Arg>
  ...


--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
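
The mismatch diagnosed in this thread, as an added example that is not part of the original posts and is not Jetty code: it compares the ALPN protocols advertised in start.ini with the protocols that have a connection factory behind them, and shows why only a draft-capable client fails. The client offer lists, the `other` parameter and the first-match selection rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

H2_FACTORY = "org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory"

# Constructed inputs modelled on the start.ini line and jetty-http2.xml fragment quoted in the thread.
START_INI = "--module=http2\njetty.alpn.protocols=h2-17,h2-16,h2-15,h2-14,h2,http/1.1\n"
HTTP2_XML = """<Configure id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
  <Call name="addConnectionFactory"><Arg>
    <New class="org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory">
      <Arg name="config"><Ref refid="sslHttpConfig"/></Arg>
    </New>
  </Arg></Call>
</Configure>"""


def advertised(start_ini):
    """ALPN protocols the server offers, in preference order, from start.ini."""
    for line in start_ini.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "jetty.alpn.protocols":
            return [p.strip() for p in value.split(",") if p.strip()]
    return []


def served(http2_xml, other=("http/1.1",)):
    """Protocols that have a ConnectionFactory behind them.

    A factory without a protocol array serves only "h2" (the 9.4.x default
    described in the thread). `other` is an assumption: protocols served by
    factories configured elsewhere, such as the HTTP/1.1 one.
    """
    protocols = set(other)
    for new in ET.fromstring(http2_xml).iter("New"):
        if new.get("class") == H2_FACTORY:
            items = [i.text.strip() for i in new.findall("./Arg/Array/Item") if i.text]
            protocols.update(items or ["h2"])
    return protocols


def negotiate(server_prefs, client_offer):
    """Assumed selection rule: first server-preferred entry the client also offers."""
    return next((p for p in server_prefs if p in client_offer), None)


def audit(start_ini, http2_xml, client_offer):
    """Return (advertised-but-unserved protocols, selected protocol, usable?)."""
    prefs, have = advertised(start_ini), served(http2_xml)
    orphans = [p for p in prefs if p not in have]
    chosen = negotiate(prefs, client_offer)
    return orphans, chosen, chosen in have


if __name__ == "__main__":
    draft_client = ["h2", "h2-16", "http/1.1"]  # constructed offer, draft-capable client
    print(audit(START_INI, HTTP2_XML, draft_client))
    print(audit(START_INI, HTTP2_XML, ["h2", "http/1.1"]))  # constructed offer, final h2 only
    print(audit("jetty.alpn.protocols=h2,http/1.1\n", HTTP2_XML, draft_client))
```

Any protocol in the first element of the result is advertised during the TLS handshake without a handler behind it; trimming the advertised list or adding the matching factory protocols both empty it.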

Re: [jetty-dev] server with jetty 9.4.2 no longer accessible from iPhone

Michele Rossi
thanks a lot Simone.

If I simply remove the line 

jetty.alpn.protocols=h2-17,h2-16,h2-15,h2-14,h2,http/1.1

from my start.ini then everything works well again.

I am no longer sure why I had that line there in the first place.


thanks,
Michele

Re: [jetty-dev] server with jetty 9.4.2 no longer accessible from iPhone

Michele Rossi
hi Simone,
I was wrong, without the line 

jetty.alpn.protocols=h2-17,h2-16,h2-15,h2-14,h2,http/1.1 

in my start.ini everything was working correctly but using http/1.1 instead of http 2.

I have tried the workaround you suggest but something goes wrong with the instantiation of HTTP2ServerConnectionFactory:




java.security.PrivilegedActionException: null
        at java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1437)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:222)
        at org.eclipse.jetty.start.Main.start(Main.java:486)
        at org.eclipse.jetty.start.Main.main(Main.java:79)
Caused by: java.lang.reflect.InvocationTargetException: null
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at org.eclipse.jetty.util.TypeUtil.construct(TypeUtil.java:663)
        at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newObj(XmlConfiguration.java:784)
        at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.itemValue(XmlConfiguration.java:1235)
        at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.value(XmlConfiguration.java:1140)
        at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.access$500(XmlConfiguration.java:274)
        at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration$AttrOrElementNode.getList(XmlConfiguration.java:1368)
        at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration$AttrOrElementNode.getList(XmlConfiguration.java:1343)
        at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:706)
        at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:417)
        at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:358)
        at org.eclipse.jetty.xml.XmlConfiguration.configure(XmlConfiguration.java:259)
        at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1499)
        at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1438)
        ... 9 common frames omitted
Caused by: java.lang.NullPointerException: null
        at org.eclipse.jetty.server.AbstractConnectionFactory.<init>(AbstractConnectionFactory.java:62)
        at org.eclipse.jetty.http2.server.AbstractHTTP2ServerConnectionFactory.<init>(AbstractHTTP2ServerConnectionFactory.java:59)
        at org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory.<init>(HTTP2ServerConnectionFactory.java:58)
        ... 26 common frames omitted





My config looks like this:

<Configure id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
  <Call name="addConnectionFactory">
    <Arg>
      <New class="org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory">
        <Arg name="config"><Ref refid="sslHttpConfig"/></Arg>
        <Arg>
          <Array type="String">
            <Item>h2</Item>
            <Item>h2-17</Item>
            <Item>h2-16</Item>
            <Item>h2-15</Item>
            <Item>h2-14</Item>
          </Array>
        </Arg>
        <Set name="maxConcurrentStreams"><Property name="jetty.http2.maxConcurrentStreams" deprecated="http2.maxConcurrentStreams" default="1024"/></Set>
        <Set name="initialStreamRecvWindow"><Property name="jetty.http2.initialStreamRecvWindow" default="65535"/></Set>
      </New>
    </Arg>
  </Call>

  <Ref refid="sslContextFactory">
    <Set name="CipherComparator">
      <Get class="org.eclipse.jetty.http2.HTTP2Cipher" name="COMPARATOR"/>
    </Set>
    <Set name="useCipherSuitesOrder">true</Set>
  </Ref>

</Configure>




Could it be that the problem is supporting constructors with varargs?

 public HTTP2ServerConnectionFactory(@Name("config") HttpConfiguration httpConfiguration,String... protocols)



thanks,
Michele

Re: [jetty-dev] server with jetty 9.4.2 no longer accessible from iPhone

Simone Bordet-3
Hi,

On Thu, Mar 16, 2017 at 2:31 PM, Michele Rossi <[hidden email]> wrote:

> hi Simone,
> I was wrong, without the line
>
> jetty.alpn.protocols=h2-17,h2-16,h2-15,h2-14,h2,http/1.1
>
> in my start.ini everything was working correctly but using http/1.1 instead
> of http 2.
>
> I have tried the workaround you suggest but something goes wrong with the
> instantiation of HTTP2ServerConnectionFactory:

I see the same, looks like an issue in handling varargs arguments.
Can you please file an issue?

Thanks!

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: [jetty-dev] server with jetty 9.4.2 no longer accessible from iPhone

Michele Rossi
+ putting back the subject which had been lost




On 16 March 2017 at 15:41, Michele Rossi <[hidden email]> wrote:
hi Simone,

I tried to open a bug using my eclipse account [hidden email] on https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Jetty but I got an error message, 

"Sorry, entering a bug into the product Jetty has been disabled."

See attached screenshot too.

Is this the old way to file bugs?

If so can you give me some references on how to do it?

thanks,
Michele


Re: [jetty-dev] server with jetty 9.4.2 no longer accessible from iPhone

Simone Bordet-3
Hi,

On Thu, Mar 16, 2017 at 3:43 PM, Michele Rossi <[hidden email]> wrote:
+ putting back the subject which had been lost




On 16 March 2017 at 15:41, Michele Rossi <[hidden email]> wrote:
hi Simone,

I tried to open a bug using my eclipse account [hidden email] on https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Jetty but I got an error message, 

"Sorry, entering a bug into the product Jetty has been disabled."

See attached screenshot too.

Is this the old way to file bugs?

If so can you give me some references on how to do it?
--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
