keystore

classic Classic list List threaded Threaded
21 messages Options
12
Reply | Threaded
Open this post in threaded view
|

keystore

Lou Degenaro
I've downloaded jetty 9.2.13 (yes, we will move on to something better soon).

I made one small change to jetty-https.xml replacing 433 with 8443 for the secure port.  I create a small test webapp:

webapps/test/index.html
<html>
Hello World!
</html>

I launch this vanilla and otherwise unadulterated jetty thus:

> java -jar start.jar -Dorg.eclipse.jetty.LEVEL=DEBUG

Using my FF browser I visit https://myhost:8443/test/ and after adding an exception for an "Insecure Connection" I see: Hello World!

Great.

Now comes the part I don't understand (somewhat naive ssl user here). 

I have a keystore and password that is working fine for an embedded jetty (also 9.2.13) in another application.  Works fine for https with the same "Insecure Connection" due to self-signed cert.

I take the keystore from my application and put in into /etc of the vanilla jetty 9.2.13. And I take the password from my application and put in into jetty-ssl.xml thus:

<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

When I launch the jetty server the same way:

> java -jar start.jar -Dorg.eclipse.jetty.LEVEL=DEBUG

I get:

2018-03-10 09:12:19.794:WARN:oejuc.AbstractLifeCycle:main: FAILED SslContextFactory@2a3046da(/home/degenaro/test/jetty-distribution-9.2.13.v20150730/etc/keystore,/home/degenaro/test/jetty-distribution-9.2.13.v20150730/etc/keystore): java.io.IOException: Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
    at java.security.KeyStore.load(KeyStore.java:1445)

Certainly user error, but what have I done wrong??

Thanks.

Lou.

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

John English
On 10/03/2018 16:15, Lou DeGenaro wrote:
> <Set name="KeyStorePassword"><Property name="jetty.keystore.password"
> default="my-password"/></Set>
> <Set name="TrustStorePassword"><Property
> name="jetty.truststore.password" default="my-password"/></Set>

The keystore password and truststore password are really the same? Are
you sure?

--
John English
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Lou Degenaro
yep.

On Sat, Mar 10, 2018 at 12:59 PM, John English <[hidden email]> wrote:
On 10/03/2018 16:15, Lou DeGenaro wrote:
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

The keystore password and truststore password are really the same? Are you sure?

--
John English
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Greg Wilkins
Any jetty.keystore.password is not set anywhere? if it is set, is it set to your password?
Try hard coding it in the XML to debug before playing with parameters.

cheers


On 11 March 2018 at 06:48, Lou DeGenaro <[hidden email]> wrote:
yep.

On Sat, Mar 10, 2018 at 12:59 PM, John English <[hidden email]> wrote:
On 10/03/2018 16:15, Lou DeGenaro wrote:
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

The keystore password and truststore password are really the same? Are you sure?

--
John English
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Lou Degenaro
Still having (likely user error) issues with SSL.  I generate my keystore thus:

/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 -keystore /home/webserver/etc/keystore -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh

I run jetty 9.4.8 with java 1.8 and the keystore.

I visit https:/myhost:8443/ using Firefox 52.4.0 (64-bit) and my windows displays: Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Thanks for your advise.

Lou.

On Mon, Mar 12, 2018 at 2:03 AM, Greg Wilkins <[hidden email]> wrote:
Any jetty.keystore.password is not set anywhere? if it is set, is it set to your password?
Try hard coding it in the XML to debug before playing with parameters.

cheers


On 11 March 2018 at 06:48, Lou DeGenaro <[hidden email]> wrote:
yep.

On Sat, Mar 10, 2018 at 12:59 PM, John English <[hidden email]> wrote:
On 10/03/2018 16:15, Lou DeGenaro wrote:
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

The keystore password and truststore password are really the same? Are you sure?

--
John English
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Joakim Erdfelt-8
Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

If you enable the jetty startup dump you'll see the list of enabled cipher suites and protocols that Jetty is running with (including the reason why a specific available protocol or cipher suite is disabled).

$ java -jar /path/to/my/jetty-home/start.jar jetty.server.dumpAfterStart=true

Example output:

 |   += SslConnectionFactory@51c668e3{SSL->http/1.1} - STARTED
 |   |   += SslContextFactory@19f040ba[provider=null,keyStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore,trustStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore] trustAll=false
 |   |       +- Protocol Selections
 |   |       |   +- Enabled (size=3)
 |   |       |   |   +- TLSv1
 |   |       |   |   +- TLSv1.1
 |   |       |   |   +- TLSv1.2
 |   |       |   +- Disabled (size=2)
 |   |       |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
 |   |       |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
 |   |       +- Cipher Suite Selections
 |   |           +- Enabled (size=29)
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 |   |           |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_GCM_SHA384
 |   |           +- Disabled (size=53)
 |   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
 |   |               +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 8:43 AM, Lou DeGenaro <[hidden email]> wrote:
Still having (likely user error) issues with SSL.  I generate my keystore thus:

/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 -keystore /home/webserver/etc/keystore -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh

I run jetty 9.4.8 with java 1.8 and the keystore.

I visit https:/myhost:8443/ using Firefox 52.4.0 (64-bit) and my windows displays: Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Thanks for your advise.

Lou.

On Mon, Mar 12, 2018 at 2:03 AM, Greg Wilkins <[hidden email]> wrote:
Any jetty.keystore.password is not set anywhere? if it is set, is it set to your password?
Try hard coding it in the XML to debug before playing with parameters.

cheers


On 11 March 2018 at 06:48, Lou DeGenaro <[hidden email]> wrote:
yep.

On Sat, Mar 10, 2018 at 12:59 PM, John English <[hidden email]> wrote:
On 10/03/2018 16:15, Lou DeGenaro wrote:
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

The keystore password and truststore password are really the same? Are you sure?

--
John English
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Lou Degenaro
Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

> NO.  I'm using vanilla jetty as shipped.  Is there something else I need to do?

Code shown below.

Thanks.

Lou.
   
    private void server_main(String[] args) {
        try {
            // === jetty.xml ===                                                                                                                                      

            // Setup Threadpool                                                                                                                                       
            QueuedThreadPool threadPool = new QueuedThreadPool();
            threadPool.setMaxThreads(max_threads);

            // Server                                                                                                                                                         
            server = new Server(threadPool);
           
            // Scheduler                                                                                                                                                      
            server.addBean(new ScheduledExecutorScheduler());

            // === jetty-http.xml ===                                                                                                                                         
            ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
            http.setPort(port_http);
            http.setIdleTimeout(idle_timeout);
            server.addConnector(http);

            // === jetty-https.xml ===                                                                                                                                        
            // SSL Context Factory                                                                                                                                            
            SslContextFactory sslContextFactory = new SslContextFactory();
           
            HttpConfiguration http_config = new HttpConfiguration();
             http_config.setSecureScheme("https");
             http_config.setSecurePort(port_https);
            
            HttpConfiguration https_config = new HttpConfiguration(http_config);
            https_config.addCustomizer(new SecureRequestCustomizer());
            
            ServerConnector https = new ServerConnector(server,
                 new SslConnectionFactory(sslContextFactory,"http/1.1"),
                 new HttpConnectionFactory(https_config));

            https.setPort(port_https);
            sslContextFactory.setKeyStorePath(keystore);
           
            sslContextFactory.setKeyStorePassword(keystore_password);   
            sslContextFactory.setKeyManagerPassword(keymanager_password);
           
            server.setConnectors(new Connector[] { http });
            server.addConnector(https);
           
            //
            ResourceHandler resourceHandler = new ResourceHandler();
            resourceHandler.setDirectoriesListed(true);
            resourceHandler.setResourceBase(jetty_server_root);
           
            server.start();
            server.join();
        }
        catch(Exception e) {
            e.printStackTrace();
        }
    }

On Wed, Mar 14, 2018 at 10:44 AM, Joakim Erdfelt <[hidden email]> wrote:
Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

If you enable the jetty startup dump you'll see the list of enabled cipher suites and protocols that Jetty is running with (including the reason why a specific available protocol or cipher suite is disabled).

$ java -jar /path/to/my/jetty-home/start.jar jetty.server.dumpAfterStart=true

Example output:

 |   += SslConnectionFactory@51c668e3{SSL->http/1.1} - STARTED
 |   |   += SslContextFactory@19f040ba[provider=null,keyStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore,trustStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore] trustAll=false
 |   |       +- Protocol Selections
 |   |       |   +- Enabled (size=3)
 |   |       |   |   +- TLSv1
 |   |       |   |   +- TLSv1.1
 |   |       |   |   +- TLSv1.2
 |   |       |   +- Disabled (size=2)
 |   |       |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
 |   |       |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
 |   |       +- Cipher Suite Selections
 |   |           +- Enabled (size=29)
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 |   |           |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_GCM_SHA384
 |   |           +- Disabled (size=53)
 |   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
 |   |               +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 8:43 AM, Lou DeGenaro <[hidden email]> wrote:
Still having (likely user error) issues with SSL.  I generate my keystore thus:

/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 -keystore /home/webserver/etc/keystore -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh

I run jetty 9.4.8 with java 1.8 and the keystore.

I visit https:/myhost:8443/ using Firefox 52.4.0 (64-bit) and my windows displays: Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Thanks for your advise.

Lou.

On Mon, Mar 12, 2018 at 2:03 AM, Greg Wilkins <[hidden email]> wrote:
Any jetty.keystore.password is not set anywhere? if it is set, is it set to your password?
Try hard coding it in the XML to debug before playing with parameters.

cheers


On 11 March 2018 at 06:48, Lou DeGenaro <[hidden email]> wrote:
yep.

On Sat, Mar 10, 2018 at 12:59 PM, John English <[hidden email]> wrote:
On 10/03/2018 16:15, Lou DeGenaro wrote:
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

The keystore password and truststore password are really the same? Are you sure?

--
John English
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Joakim Erdfelt-8
Your server has no handlers, none, completely empty.

Perhaps you missed the ...

server.setHandler(resourceHandler);

Better yet, use ...

HandlerList handlers = new HandlerList();
handlers.addHandler(resourceHandler);
handlers.addHandler(new DefaultHandler()); // always last
server.setHandler(handlers);

Also, add this before your server.start();

server.setDumpAfterStart(true);
server.start();
server.join();

That should produce the dump I mentioned in the prior email.


Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 9:55 AM, Lou DeGenaro <[hidden email]> wrote:
Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

> NO.  I'm using vanilla jetty as shipped.  Is there something else I need to do?

Code shown below.

Thanks.

Lou.
   
    private void server_main(String[] args) {
        try {
            // === jetty.xml ===                                                                                                                                      

            // Setup Threadpool                                                                                                                                       
            QueuedThreadPool threadPool = new QueuedThreadPool();
            threadPool.setMaxThreads(max_threads);

            // Server                                                                                                                                                         
            server = new Server(threadPool);
           
            // Scheduler                                                                                                                                                      
            server.addBean(new ScheduledExecutorScheduler());

            // === jetty-http.xml ===                                                                                                                                         
            ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
            http.setPort(port_http);
            http.setIdleTimeout(idle_timeout);
            server.addConnector(http);

            // === jetty-https.xml ===                                                                                                                                        
            // SSL Context Factory                                                                                                                                            
            SslContextFactory sslContextFactory = new SslContextFactory();
           
            HttpConfiguration http_config = new HttpConfiguration();
             http_config.setSecureScheme("https");
             http_config.setSecurePort(port_https);
            
            HttpConfiguration https_config = new HttpConfiguration(http_config);
            https_config.addCustomizer(new SecureRequestCustomizer());
            
            ServerConnector https = new ServerConnector(server,
                 new SslConnectionFactory(sslContextFactory,"http/1.1"),
                 new HttpConnectionFactory(https_config));

            https.setPort(port_https);
            sslContextFactory.setKeyStorePath(keystore);
           
            sslContextFactory.setKeyStorePassword(keystore_password);   
            sslContextFactory.setKeyManagerPassword(keymanager_password);
           
            server.setConnectors(new Connector[] { http });
            server.addConnector(https);
           
            //
            ResourceHandler resourceHandler = new ResourceHandler();
            resourceHandler.setDirectoriesListed(true);
            resourceHandler.setResourceBase(jetty_server_root);
           
            server.start();
            server.join();
        }
        catch(Exception e) {
            e.printStackTrace();
        }
    }

On Wed, Mar 14, 2018 at 10:44 AM, Joakim Erdfelt <[hidden email]> wrote:
Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

If you enable the jetty startup dump you'll see the list of enabled cipher suites and protocols that Jetty is running with (including the reason why a specific available protocol or cipher suite is disabled).

$ java -jar /path/to/my/jetty-home/start.jar jetty.server.dumpAfterStart=true

Example output:

 |   += SslConnectionFactory@51c668e3{SSL->http/1.1} - STARTED
 |   |   += SslContextFactory@19f040ba[provider=null,keyStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore,trustStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore] trustAll=false
 |   |       +- Protocol Selections
 |   |       |   +- Enabled (size=3)
 |   |       |   |   +- TLSv1
 |   |       |   |   +- TLSv1.1
 |   |       |   |   +- TLSv1.2
 |   |       |   +- Disabled (size=2)
 |   |       |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
 |   |       |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
 |   |       +- Cipher Suite Selections
 |   |           +- Enabled (size=29)
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 |   |           |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_GCM_SHA384
 |   |           +- Disabled (size=53)
 |   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
 |   |               +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 8:43 AM, Lou DeGenaro <[hidden email]> wrote:
Still having (likely user error) issues with SSL.  I generate my keystore thus:

/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 -keystore /home/webserver/etc/keystore -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh

I run jetty 9.4.8 with java 1.8 and the keystore.

I visit https:/myhost:8443/ using Firefox 52.4.0 (64-bit) and my windows displays: Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Thanks for your advise.

Lou.

On Mon, Mar 12, 2018 at 2:03 AM, Greg Wilkins <[hidden email]> wrote:
Any jetty.keystore.password is not set anywhere? if it is set, is it set to your password?
Try hard coding it in the XML to debug before playing with parameters.

cheers


On 11 March 2018 at 06:48, Lou DeGenaro <[hidden email]> wrote:
yep.

On Sat, Mar 10, 2018 at 12:59 PM, John English <[hidden email]> wrote:
On 10/03/2018 16:15, Lou DeGenaro wrote:
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

The keystore password and truststore password are really the same? Are you sure?

--
John English
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Lou Degenaro
No improvement.  Revised code and console shown below.

Thanks.

Lou.

-----

    private void server_main(String[] args) {
        try {
            // === jetty.xml ===                                                                                                                                      

            // Setup Threadpool                                                                                                                                       
            QueuedThreadPool threadPool = new QueuedThreadPool();
            threadPool.setMaxThreads(max_threads);

            // Server                                                                                                                                                         
            server = new Server(threadPool);
           
            // Scheduler                                                                                                                                                      
            server.addBean(new ScheduledExecutorScheduler());

            // === jetty-http.xml ===                                                                                                                                         
            ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
            http.setPort(port_http);
            http.setIdleTimeout(idle_timeout);
            server.addConnector(http);

            // === jetty-https.xml ===                                                                                                                                        
            // SSL Context Factory                                                                                                                                            
            SslContextFactory sslContextFactory = new SslContextFactory();
           
            HttpConfiguration http_config = new HttpConfiguration();
             http_config.setSecureScheme("https");
             http_config.setSecurePort(port_https);
            
            HttpConfiguration https_config = new HttpConfiguration(http_config);
            https_config.addCustomizer(new SecureRequestCustomizer());
            
            ServerConnector https = new ServerConnector(server,
                 new SslConnectionFactory(sslContextFactory,"http/1.1"),
                 new HttpConnectionFactory(https_config));

            https.setPort(port_https);
            sslContextFactory.setKeyStorePath(keystore);
           
            sslContextFactory.setKeyStorePassword(keystore_password);   
            sslContextFactory.setKeyManagerPassword(keymanager_password);
           
            server.setConnectors(new Connector[] { http });
            server.addConnector(https);
           
            //
            ResourceHandler resourceHandler = new ResourceHandler();
            resourceHandler.setDirectoriesListed(true);
            resourceHandler.setResourceBase(jetty_server_root);
           
            HandlerList handlers = new HandlerList();
            handlers.addHandler(resourceHandler);
            handlers.addHandler(new DefaultHandler()); // always last
            server.setHandler(handlers);
           
            server.setDumpAfterStart(true);
           
            server.start();
            server.join();
        }
        catch(Exception e) {
            e.printStackTrace();
        }
    }

-----
2018-03-14 11:37:45.625:INFO::main: Logging initialized @351ms to org.eclipse.jetty.util.log.StdErrLog
2018-03-14 11:37:45.825:INFO:oejs.Server:main: jetty-9.4.8.v20171121, build timestamp: 2017-11-21T16:27:37-05:00, git hash: 82b8fb23f757335bb3329d540ce37a2a2615f0a8
2018-03-14 11:37:45.922:INFO:oejs.AbstractConnector:main: Started ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
IBMJSSE2 will not allow protocol SSLv3 per com.ibm.jsse2.disableSSLv3 set to TRUE or default
IBMJSSEProvider2 Build-Level: -20170331
2018-03-14 11:37:46.281:INFO:oejus.SslContextFactory:main: x509=X509@5e446688(jetty,h=[org.apache.uima.ducc],w=[]) for SslContextFactory@1d40ef6d[provider=null,keyStore=file:///home/degenaro/eclipse-workspace.oxygen/jetty-test/jetty_server/resources/keystore,trustStore=null]
***
found key for : jetty
chain [0] = [
[
  Version: V3
  Subject: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  IBMJCE RSA Public Key:
modulus:
26444069295037038267670300696763620220086855168010647941062481660899879479809803884294058174186734453624045301378960846171682857107027427250597312076248642649356771721145682344245878191309320890723575777460786702390358243322791249076850090693381733056591593174654468012583689613231816006119017233929860434582650065276576272281165144214678026119356221396436764713993593922893984567339081233071416154536460768358828849217850772778328033506197393729977576558944097787316741634679425927443562707477678127192646659210557046525097591671498428801608743933890349308048211506320417826611620098375345539572734782479701163777463
public exponent:
65537

  Validity: [From: Wed Mar 07 15:56:33 EST 2018,
               To: Sun Jul 23 16:56:33 EDT 2045]
  Issuer: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
  SerialNumber: [1372056716]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: d5 93 ce ef 56 40 f2 e8  54 f0 02 22 ed 77 36 fd  ....V...T....w6.
0010: 4c 3f bb 73                                        L..s
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 96 5b c7 88 51 51 68 ce  eb d6 61 dc ca b1 41 62  ....QQh...a...Ab
0010: b0 62 51 e2 ed de 88 8a  bf 83 eb ef be 4d 13 32  .bQ..........M.2
0020: b9 82 64 2e 8a c8 bf 99  b2 a6 a2 cb fe 1b ba 88  ..d.............
0030: 13 12 36 67 1d 26 e6 e9  97 ae df 33 51 cd bd 1b  ..6g.......3Q...
0040: 05 5b f5 62 db c5 a1 84  d0 b3 a0 1a f1 00 b7 74  ...b...........t
0050: f7 0d e1 3f e7 ab 36 59  9f d8 35 fa 3d bc c9 dd  ......6Y..5.....
0060: 7c 13 3f f9 a3 b3 e8 e2  3b 2f 8b dd d4 39 0e 1d  .............9..
0070: a9 ed 2c c9 d2 e5 e9 c9  99 84 62 4c fb a7 28 89  ..........bL....
0080: bf a3 c6 55 6e 13 09 63  e4 37 40 a5 c2 0d d7 4b  ...Un..c.7.....K
0090: 1e b5 a3 02 31 5a 9d 84  c2 e1 b9 90 1d 0f 49 8a  ....1Z........I.
00a0: d1 b8 d1 d1 4b bc a3 18  55 f7 de a2 6f 90 29 f2  ....K...U...o...
00b0: 99 7d 87 06 25 25 f1 8a  83 79 7b 52 9e 45 b2 ca  .........y.R.E..
00c0: 0d 85 fa e2 7d b7 4c 9d  ca 13 ab fd bc e1 6d c8  ......L.......m.
00d0: f1 4b 01 d2 1e 96 8f 50  68 24 ba e5 c4 f1 90 70  .K.....Ph......p
00e0: d9 00 36 fa 39 7e 34 4d  13 14 28 1d 43 e7 16 16  ..6.9.4M....C...
00f0: 2d a6 32 d5 57 19 08 a4  05 f6 f9 35 2b bc 8b 4d  ..2.W......5...M

]
***
adding as trusted cert:
  Subject: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
  Issuer:  CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
  Algorithm: RSA; Serial number: 0x51c7ec8c
  Valid from Wed Mar 07 15:56:33 EST 2018 until Sun Jul 23 16:56:33 EDT 2045

Installed Providers =
    IBMJSSE2
    IBMJCE
    IBMJGSSProvider
    IBMCertPath
    IBMSASL
    IBMXMLCRYPTO
    IBMXMLEnc
    IBMSPNEGO
    SUN
SSLContextImpl:  Using X509ExtendedKeyManager org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager
SSLContextImpl:  Using X509TrustManager com.ibm.jsse2.aB
JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
JsseJCE:  Using signature SHA1withECDSA from provider TBD via init
JsseJCE:  Using signature NONEwithECDSA from provider TBD via init
JsseJCE:  Using KeyAgreement ECDH from provider IBMJCE version 1.8
JsseJCE:  Using KeyFactory EC from provider IBMJCE version 1.8
JsseJCE:  Using KeyPairGenerator EC from provider TBD via init
jdk.tls.client.protocols is defined as null
SSLv3 protocol was requested but was not enabled
SSLv3 protocol was requested but was not enabled
SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
IBMJSSE2 will enable CBC protection
Using SSLEngineImpl.
2018-03-14 11:37:47.170:INFO:oejs.AbstractConnector:main: Started ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
org.eclipse.jetty.server.Server@74696830[9.4.8.v20171121] - STARTING
 += QueuedThreadPool@qtp-149401960{STARTED,8<=8<=10,i=4,q=0} - STARTED
 |   +- 21 qtp-149401960-21-acceptor-0@6793ecf3-ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} ACCEPTING RUNNABLE @ sun.nio.ch.ServerSocketChannelImpl.accept0(Native Method) prio=3
 |   +- 25 qtp-149401960-25 IDLE TIMED_WAITING @ sun.misc.Unsafe.park(Native Method)
 |   +- 26 qtp-149401960-26 IDLE TIMED_WAITING @ sun.misc.Unsafe.park(Native Method)
 |   +- 22 qtp-149401960-22 SELECTING RUNNABLE @ sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)
 |   +- 23 qtp-149401960-23-acceptor-0@b20be6a6-ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} ACCEPTING RUNNABLE @ sun.nio.ch.ServerSocketChannelImpl.accept0(Native Method) prio=3
 |   +- 24 qtp-149401960-24 IDLE TIMED_WAITING @ sun.misc.Unsafe.park(Native Method)
 |   +- 20 qtp-149401960-20 SELECTING RUNNABLE @ sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)
 |   +- 27 qtp-149401960-27 IDLE TIMED_WAITING @ sun.misc.Unsafe.park(Native Method)
 |   +- jobs
 += org.eclipse.jetty.util.thread.ScheduledExecutorScheduler@fed832b4 - STARTED
 += ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} - STARTED
 |   +~ org.eclipse.jetty.server.Server@74696830[9.4.8.v20171121] - STARTING
 |   +~ QueuedThreadPool@qtp-149401960{STARTED,8<=8<=10,i=4,q=0} - STARTED
 |   +~ org.eclipse.jetty.util.thread.ScheduledExecutorScheduler@fed832b4 - STARTED
 |   +- org.eclipse.jetty.io.ArrayByteBufferPool@133cfd8a
 |   += HttpConnectionFactory@378c4a8b[HTTP/1.1] - STARTED
 |   |   +- HttpConfiguration@83e8c34f{32768/8192,8192/8192,https://:0,[]}
 |   += SelectorManager@ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} - STARTED
 |   |   += ReservedThreadExecutor@d9a5f14a{s=0/1,p=0}@SelectorManager@ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} - STARTED
 |   |   += org.eclipse.jetty.io.ManagedSelector@19be75b2 id=0 keys=0 selected=0 actions=0 - STARTED
 |   |       += EatWhatYouKill@44d241bf/SelectorProducer@f642edac/PRODUCING/ReservedThreadExecutor@d9a5f14a{s=0/1,p=0}@SelectorManager@ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} - STARTED
 |   |           +- SelectorProducer@f642edac
 |   |       +- keys
 |   |       |   +- sun.nio.ch.EPollSelectorImpl@9292aa36 keys=0
 |   |       +- actions
 |   +- sun.nio.ch.ServerSocketChannelImpl[/0:0:0:0:0:0:0:0:8080]
 |   +- qtp-149401960-21-acceptor-0@6793ecf3-ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
 += ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
 |   +~ org.eclipse.jetty.server.Server@74696830[9.4.8.v20171121] - STARTING
 |   +~ QueuedThreadPool@qtp-149401960{STARTED,8<=8<=10,i=4,q=0} - STARTED
 |   +~ org.eclipse.jetty.util.thread.ScheduledExecutorScheduler@fed832b4 - STARTED
 |   +- org.eclipse.jetty.io.ArrayByteBufferPool@8d6ecdb
 |   += SslConnectionFactory@7f664c55{SSL->http/1.1} - STARTED
 |   |   += SslContextFactory@1d40ef6d[provider=null,keyStore=file:///home/degenaro/eclipse-workspace.oxygen/jetty-test/jetty_server/resources/keystore,trustStore=null] trustAll=false
keyStore is: /share/ibm-java-x86_64-8.0.4.6/jre/lib/security/cacerts
keyStore type is: jks
keyStore provider is:
init keystore
Finalizer thread, called close()
Finalizer thread, called closeInternal(true)
Finalizer thread, called closeSocket(true)
init keymanager of type IbmX509
trustStore is: /share/ibm-java-x86_64-8.0.4.6/jre/lib/security/cacerts
trustStore type is: jks
trustStore provider is:
init truststore
adding as trusted cert:
  Subject: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Issuer:  CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Algorithm: RSA; Serial number: 0xd9083fbba967ca1a
  Valid from Wed Dec 07 06:28:07 EST 2011 until Sat Jul 31 07:28:07 EDT 2038

adding as trusted cert:
  Subject: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
  Issuer:  OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Sep 30 00:20:49 EDT 2003 until Sat Sep 30 00:20:49 EDT 2023

adding as trusted cert:
  Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer:  CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Algorithm: RSA; Serial number: 0x83be056904246b1a1756ac95991c74a
  Valid from Thu Nov 09 19:00:00 EST 2006 until Sun Nov 09 19:00:00 EST 2031

adding as trusted cert:
  Subject: CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x445734245b81899b35f2ceb82b3b5ba726f07528
  Valid from Thu Jan 12 13:59:32 EST 2012 until Sun Jan 12 13:59:32 EST 2042

adding as trusted cert:
  Subject: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0x4
  Valid from Mon Jun 21 00:00:00 EDT 1999 until Sun Jun 21 00:00:00 EDT 2020

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer:  EMAILADDRESS=[hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Jun 25 20:19:54 EDT 1999 until Tue Jun 25 20:19:54 EDT 2019

adding as trusted cert:
  Subject: CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x18acb56afd69b6153a636cafdafac4a1
  Valid from Sun Nov 26 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
  Issuer:  OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
  Algorithm: RSA; Serial number: 0x0
  Valid from Fri May 29 01:00:39 EDT 2009 until Tue May 29 01:00:39 EDT 2029

adding as trusted cert:
  Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Issuer:  OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Finalizer thread, called close()
Finalizer thread, called closeInternal(true)
Finalizer thread, called closeSocket(true)
  Algorithm: RSA; Serial number: 0x7dd9fe07cfa81eb7107967fba78934c6
  Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0x1
  Valid from Mon Jun 21 00:00:00 EDT 1999 until Sun Jun 21 00:00:00 EDT 2020

adding as trusted cert:
  Subject: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW
  Issuer:  OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW
  Algorithm: RSA; Serial number: 0x15c8bd65475cafb897005ee406d2bc9d
  Valid from Sun Dec 19 21:31:27 EST 2004 until Tue Dec 19 21:31:27 EST 2034

adding as trusted cert:
  Subject: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
  Issuer:  CN=AffirmTrust Commercial, O=AffirmTrust, C=US
  Algorithm: RSA; Serial number: 0x7777062726a9b17c
  Valid from Fri Jan 29 09:06:06 EST 2010 until Tue Dec 31 09:06:06 EST 2030

adding as trusted cert:
  Subject: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  Issuer:  CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  Algorithm: RSA; Serial number: 0x444c0
  Valid from Wed Oct 22 08:07:37 EDT 2008 until Mon Dec 31 07:07:37 EST 2029

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x0
  Valid from Sun Dec 31 19:00:00 EST 1995 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
  Issuer:  CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
  Algorithm: RSA; Serial number: 0x2e6a000100021fd752212c115c3b
  Valid from Thu Jan 12 09:38:43 EST 2006 until Wed Dec 31 17:59:59 EST 2025

adding as trusted cert:
  Subject: CN=Sonera Class2 CA, O=Sonera, C=FI
  Issuer:  CN=Sonera Class2 CA, O=Sonera, C=FI
  Algorithm: RSA; Serial number: 0x1d
  Valid from Fri Apr 06 03:29:40 EDT 2001 until Tue Apr 06 03:29:40 EDT 2021

adding as trusted cert:
  Subject: CN=America Online Root Certification Authority 1, O=America Online Inc., C=US
  Issuer:  CN=America Online Root Certification Authority 1, O=America Online Inc., C=US
  Algorithm: RSA; Serial number: 0x1
  Valid from Tue May 28 02:00:00 EDT 2002 until Thu Nov 19 15:43:00 EST 2037

adding as trusted cert:
  Subject: CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  Algorithm: EC; Serial number: 0x3cb2f4480a00e2feeb243b5e603ec36b
  Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
  Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Issuer:  OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Algorithm: RSA; Serial number: 0x35def4cf
  Valid from Sat Aug 22 12:41:51 EDT 1998 until Wed Aug 22 12:41:51 EDT 2018

adding as trusted cert:
  Subject: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer:  CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Algorithm: RSA; Serial number: 0x2ac5c266a0b409b8f0b79f2ae462577
  Valid from Thu Nov 09 19:00:00 EST 2006 until Sun Nov 09 19:00:00 EST 2031

adding as trusted cert:
  Subject: CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x1
  Valid from Thu Mar 04 00:00:00 EST 2004 until Sun Mar 04 00:00:00 EST 2029

adding as trusted cert:
  Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  Issuer:  CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  Algorithm: RSA; Serial number: 0x4000000000121585308a2
  Valid from Wed Mar 18 06:00:00 EDT 2009 until Sun Mar 18 06:00:00 EDT 2029

adding as trusted cert:
  Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Issuer:  CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Algorithm: RSA; Serial number: 0x20000b9
  Valid from Fri May 12 14:46:00 EDT 2000 until Mon May 12 19:59:00 EDT 2025

adding as trusted cert:
  Subject: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
  Issuer:  OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Jun 29 13:39:16 EDT 2004 until Thu Jun 29 13:39:16 EDT 2034

adding as trusted cert:
  Subject: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
  Issuer:  CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
  Algorithm: RSA; Serial number: 0x1
  Valid from Wed Dec 31 19:00:00 EST 2003 until Sun Dec 31 18:59:59 EST 2028

adding as trusted cert:
  Subject: CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
  Issuer:  CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
  Algorithm: RSA; Serial number: 0x7
  Valid from Tue May 03 03:00:00 EDT 2011 until Sat May 03 03:00:00 EDT 2031

adding as trusted cert:
  Subject: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Issuer:  CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Algorithm: RSA; Serial number: 0x44be0c8b500024b411d3362afe650afd
  Valid from Fri Jul 09 14:10:42 EDT 1999 until Tue Jul 09 14:19:22 EDT 2019

adding as trusted cert:
  Subject: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
  Issuer:  CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Sep 30 12:13:43 EDT 2003 until Wed Sep 30 12:13:44 EDT 2037

adding as trusted cert:
  Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0xcdba7f56f0dfe4bc54fe22acb372aa55
  Valid from Sun Jan 28 19:00:00 EST 1996 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x9b7e0649a33e62b9d5ee90487129ef57
  Valid from Thu Sep 30 20:00:00 EDT 1999 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
  Issuer:  CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
  Algorithm: RSA; Serial number: 0x40000000001154b5ac394
  Valid from Tue Sep 01 08:00:00 EDT 1998 until Fri Jan 28 07:00:00 EST 2028

adding as trusted cert:
  Subject: CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Issuer:  CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Algorithm: RSA; Serial number: 0x44be0c8b500024b411d3362de0b35f1b
  Valid from Fri Jul 09 14:31:20 EDT 1999 until Tue Jul 09 14:40:36 EDT 2019

adding as trusted cert:
  Subject: CN=AffirmTrust Networking, O=AffirmTrust, C=US
  Issuer:  CN=AffirmTrust Networking, O=AffirmTrust, C=US
  Algorithm: RSA; Serial number: 0x7c4f04391cd4992d
  Valid from Fri Jan 29 09:08:24 EST 2010 until Tue Dec 31 09:08:24 EST 2030

adding as trusted cert:
  Subject: CN=AffirmTrust Premium, O=AffirmTrust, C=US
  Issuer:  CN=AffirmTrust Premium, O=AffirmTrust, C=US
  Algorithm: RSA; Serial number: 0x6d8c1446b1a60aee
  Valid from Fri Jan 29 09:10:36 EST 2010 until Mon Dec 31 09:10:36 EST 2040

adding as trusted cert:
  Subject: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x2d1bfc4a178da391ebe7fff58b45be0b
  Valid from Sun Jan 28 19:00:00 EST 1996 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA, O=TC TrustCenter GmbH, C=DE
  Issuer:  CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA, O=TC TrustCenter GmbH, C=DE
  Algorithm: RSA; Serial number: 0x5c00001000241d0060a4dce7510
  Valid from Thu Mar 23 09:10:23 EST 2006 until Wed Dec 31 17:59:59 EST 2025

adding as trusted cert:
  Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
  Issuer:  CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
  Algorithm: RSA; Serial number: 0x20000bf
  Valid from Wed May 17 10:01:00 EDT 2000 until Sat May 17 19:59:00 EDT 2025

adding as trusted cert:
  Subject: CN=America Online Root Certification Authority 2, O=America Online Inc., C=US
  Issuer:  CN=America Online Root Certification Authority 2, O=America Online Inc., C=US
  Algorithm: RSA; Serial number: 0x1
  Valid from Tue May 28 02:00:00 EDT 2002 until Tue Sep 29 10:08:00 EDT 2037

adding as trusted cert:
  Subject: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Issuer:  CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Algorithm: RSA; Serial number: 0xae8219053f5e8271
  Valid from Wed Dec 07 06:29:21 EST 2011 until Sat Jul 31 07:29:21 EDT 2038

adding as trusted cert:
  Subject: CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x15ac6e9419b2794b41f627a9c3180f1f
  Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037

adding as trusted cert:
  Subject: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Issuer:  CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Algorithm: RSA; Serial number: 0xa3da427ea4b1aeda
  Valid from Fri Aug 01 08:29:50 EDT 2008 until Sat Jul 31 08:29:50 EDT 2038

adding as trusted cert:
  Subject: CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
  Issuer:  CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
  Algorithm: RSA; Serial number: 0x4f1bd42f54bb2f4b
  Valid from Wed Oct 25 04:32:46 EDT 2006 until Sat Oct 25 04:32:46 EDT 2036

adding as trusted cert:
  Subject: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
  Issuer:  CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
  Algorithm: RSA; Serial number: 0x4a538c28
  Valid from Tue Jul 07 13:25:54 EDT 2009 until Sat Dec 07 12:55:54 EST 2030

adding as trusted cert:
  Subject: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer:  CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Algorithm: RSA; Serial number: 0xce7e0e517d846fe8fe560fc1bf03039
  Valid from Thu Nov 09 19:00:00 EST 2006 until Sun Nov 09 19:00:00 EST 2031

adding as trusted cert:
  Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  Issuer:  OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Jun 29 13:06:20 EDT 2004 until Thu Jun 29 13:06:20 EDT 2034

adding as trusted cert:
  Subject: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
  Issuer:  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
  Algorithm: RSA; Serial number: 0x1
  Valid from Tue May 30 06:48:38 EDT 2000 until Sat May 30 06:48:38 EDT 2020

adding as trusted cert:
  Subject: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
  Issuer:  CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
  Algorithm: RSA; Serial number: 0x1
  Valid from Wed Oct 01 06:29:56 EDT 2008 until Sat Oct 01 19:59:59 EDT 2033

adding as trusted cert:
  Subject: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Issuer:  CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Algorithm: RSA; Serial number: 0x44be0c8b500024b411d336252567c989
  Valid from Fri Jul 09 13:28:50 EDT 1999 until Tue Jul 09 13:36:58 EDT 2019

adding as trusted cert:
  Subject: CN=Class 2 Primary CA, O=Certplus, C=FR
  Issuer:  CN=Class 2 Primary CA, O=Certplus, C=FR
  Algorithm: RSA; Serial number: 0x85bd4bf3d8dae369f694d75fc3a54423
  Valid from Wed Jul 07 13:05:00 EDT 1999 until Sat Jul 06 19:59:59 EDT 2019

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x1
  Valid from Wed Jul 31 20:00:00 EDT 1996 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x23456
  Valid from Tue May 21 00:00:00 EDT 2002 until Sat May 21 00:00:00 EDT 2022

adding as trusted cert:
  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Algorithm: RSA; Serial number: 0x4eb200670c035d4f
  Valid from Wed Oct 25 04:36:00 EDT 2006 until Sat Oct 25 04:36:00 EDT 2036

adding as trusted cert:
  Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x6170cb498c5f984529e7b0a6d9505b7a
  Valid from Thu Sep 30 20:00:00 EDT 1999 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
  Issuer:  CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Mon Aug 31 20:00:00 EDT 2009 until Thu Dec 31 18:59:59 EST 2037

adding as trusted cert:
  Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
  Issuer:  CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
  Algorithm: RSA; Serial number: 0x3863def8
  Valid from Fri Dec 24 12:50:51 EST 1999 until Tue Jul 24 10:15:12 EDT 2029

adding as trusted cert:
  Subject: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Issuer:  CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Algorithm: RSA; Serial number: 0x344ed55720d5edec49f42fce37db2b6d
  Valid from Thu Nov 16 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x1
  Valid from Wed Jul 31 20:00:00 EDT 1996 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Issuer:  CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Mon Aug 31 20:00:00 EDT 2009 until Thu Dec 31 18:59:59 EST 2037

adding as trusted cert:
  Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x8b5b75568454850b00cfaf3848ceb1a4
  Valid from Thu Sep 30 20:00:00 EDT 1999 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x123df0e7da2a2247a43889e08aeec967
  Valid from Sun Dec 31 19:00:00 EST 1995 until Fri Jan 01 18:59:59 EST 2021

adding as trusted cert:
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: EC; Serial number: 0x2f80fe238c0e220f486712289187acb3
  Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
  Subject: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
  Issuer:  CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
  Algorithm: RSA; Serial number: 0x456b5054
  Valid from Mon Nov 27 15:23:42 EST 2006 until Fri Nov 27 15:53:42 EST 2026

adding as trusted cert:
  Subject: CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal CA, O=TC TrustCenter GmbH, C=DE
  Issuer:  CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal CA, O=TC TrustCenter GmbH, C=DE
  Algorithm: RSA; Serial number: 0x1da200010002ecb76080788db606
  Valid from Wed Mar 22 10:54:28 EST 2006 until Wed Dec 31 17:59:59 EST 2025

adding as trusted cert:
  Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  Issuer:  CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  Algorithm: RSA; Serial number: 0x10020
  Valid from Tue Jun 11 06:46:39 EDT 2002 until Fri Jun 11 06:46:39 EDT 2027

adding as trusted cert:
  Subject: CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  Issuer:  CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  Algorithm: RSA; Serial number: 0x1
  Valid from Tue May 30 06:44:50 EDT 2000 until Sat May 30 06:44:50 EDT 2020

adding as trusted cert:
  Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x70bae41d10d92934b638ca7b03ccbabf
  Valid from Sun Jan 28 19:00:00 EST 1996 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
  Issuer:  CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
  Algorithm: RSA; Serial number: 0x2
  Valid from Tue Oct 26 04:38:03 EDT 2010 until Fri Oct 26 04:38:03 EDT 2040

adding as trusted cert:
  Subject: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
  Issuer:  CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
  Algorithm: RSA; Serial number: 0xbb401c43f55e4fb0
  Valid from Wed Oct 25 04:30:35 EDT 2006 until Sat Oct 25 04:30:35 EDT 2036

adding as trusted cert:
  Subject: CN=Certum Trusted Network CA 2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  Issuer:  CN=Certum Trusted Network CA 2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  Algorithm: RSA; Serial number: 0xb85914713f57df8f31c0333dd2d6197a2317b4eb
  Valid from Thu Oct 06 04:39:56 EDT 2011 until Sat Oct 06 04:39:56 EDT 2046

adding as trusted cert:
  Subject: CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Issuer:  CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Algorithm: RSA; Serial number: 0x44be0c8b500021b411d32a6806a9ad69
  Valid from Thu Jun 24 14:57:21 EDT 1999 until Mon Jun 24 15:06:30 EDT 2019

adding as trusted cert:
  Subject: CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x509
  Valid from Fri Nov 24 13:27:00 EST 2006 until Mon Nov 24 13:23:33 EST 2031

adding as trusted cert:
  Subject: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE
  Issuer:  CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE
  Algorithm: RSA; Serial number: 0x26
  Valid from Fri Jul 09 08:11:00 EDT 1999 until Tue Jul 09 19:59:00 EDT 2019

adding as trusted cert:
  Subject: CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x78585f2ead2c194be3370735341328b596d46593
  Valid from Thu Jan 12 12:27:44 EST 2012 until Sun Jan 12 12:27:44 EST 2042

adding as trusted cert:
  Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x3f691e819cf09a4af373ffb948a2e4dd
  Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x6ecc7aa5a7032009b8cebcf4e952d491
  Valid from Sun Feb 07 19:00:00 EST 2010 until Fri Feb 07 18:59:59 EST 2020

adding as trusted cert:
  Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Issuer:  OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0xb92f60cc889fa17a4609b85b706c8aaf
  Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x18dad19e267de8bb4a2158cdcc6b3b4a
  Valid from Tue Nov 07 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
  Issuer:  CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
  Algorithm: RSA; Serial number: 0x400000000010f8626e60d
  Valid from Fri Dec 15 03:00:00 EST 2006 until Wed Dec 15 03:00:00 EST 2021

adding as trusted cert:
  Subject: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x5c6
  Valid from Fri Nov 24 14:11:23 EST 2006 until Mon Nov 24 14:06:44 EST 2031

adding as trusted cert:
  Subject: CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x2ef59b0228a7db7affd5a3a9eebd03a0cf126a1d
  Valid from Thu Jan 12 15:26:32 EST 2012 until Sun Jan 12 15:26:32 EST 2042

adding as trusted cert:
  Subject: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
  Issuer:  OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
  Algorithm: RSA; Serial number: 0x3770cfb5
  Valid from Wed Jun 23 08:14:45 EDT 1999 until Sun Jun 23 08:14:45 EDT 2019

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x34a4fff630af4ca53c331742a1946675
  Valid from Wed Jul 31 20:00:00 EDT 1996 until Fri Jan 01 18:59:59 EST 2021

adding as trusted cert:
  Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
  Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x3ab6508b
  Valid from Mon Mar 19 13:33:33 EST 2001 until Wed Mar 17 14:33:33 EDT 2021

adding as trusted cert:
  Subject: CN=Class 3P Primary CA, O=Certplus, C=FR
  Issuer:  CN=Class 3P Primary CA, O=Certplus, C=FR
  Algorithm: RSA; Serial number: 0xbf5cdbb6f21c6ec04deb7a023b36e879
  Valid from Wed Jul 07 13:10:00 EDT 1999 until Sat Jul 06 19:59:59 EDT 2019

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x0
  Valid from Sun Dec 31 19:00:00 EST 1995 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
  Issuer:  CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
  Algorithm: RSA; Serial number: 0x2
  Valid from Tue Oct 26 04:28:58 EDT 2010 until Fri Oct 26 04:28:58 EDT 2040

adding as trusted cert:
  Subject: OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP
  Issuer:  OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Jun 05 22:12:32 EDT 2007 until Fri Jun 05 22:12:32 EDT 2037

adding as trusted cert:
  Subject: CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
  Issuer:  CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
  Algorithm: EC; Serial number: 0x35fc265cd9844fc93d263d579baed756
  Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x0
  Valid from Sun Dec 31 19:00:00 EST 1995 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x401ac46421b31321030ebbe4121ac51d
  Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037

adding as trusted cert:
  Subject: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  Issuer:  CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  Algorithm: RSA; Serial number: 0x1
  Valid from Tue May 30 06:38:31 EDT 2000 until Sat May 30 06:38:31 EDT 2020

adding as trusted cert:
  Subject: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
  Issuer:  CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Dec 31 19:00:00 EST 1996 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Issuer:  CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Algorithm: RSA; Serial number: 0xc9cdd3e9d57d23ce
  Valid from Fri Aug 01 08:31:40 EDT 2008 until Sat Jul 31 08:31:40 EDT 2038

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer:  EMAILADDRESS=[hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Jun 25 18:23:48 EDT 1999 until Tue Jun 25 18:23:48 EDT 2019

adding as trusted cert:
  Subject: CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Issuer:  CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Algorithm: RSA; Serial number: 0x600197b746a7eab4b49ad64b2ff790fb
  Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037

adding as trusted cert:
  Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Issuer:  CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Algorithm: RSA; Serial number: 0x1a5
  Valid from Wed Aug 12 20:29:00 EDT 1998 until Mon Aug 13 19:59:00 EDT 2018

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x36122296c5e338a520a1d25f4cd70954
  Valid from Wed Jul 31 20:00:00 EDT 1996 until Fri Jan 01 18:59:59 EST 2021

adding as trusted cert:
  Subject: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
  Issuer:  CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
  Algorithm: EC; Serial number: 0x7497258ac73f7a54
  Valid from Fri Jan 29 09:20:24 EST 2010 until Mon Dec 31 09:20:24 EST 2040

adding as trusted cert:
  Subject: CN=Sonera Class1 CA, O=Sonera, C=FI
  Issuer:  CN=Sonera Class1 CA, O=Sonera, C=FI
  Algorithm: RSA; Serial number: 0x24
  Valid from Fri Apr 06 06:49:13 EDT 2001 until Tue Apr 06 06:49:13 EDT 2021

adding as trusted cert:
  Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Issuer:  OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x4cc7eaaa983e71d39310f83d3a899192
  Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
  Issuer:  CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
  Algorithm: RSA; Serial number: 0x1121bc276c5547af584eefd4ced629b2a285
  Valid from Mon May 25 20:00:00 EDT 2009 until Mon May 25 20:00:00 EDT 2020

adding as trusted cert:
  Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
  Issuer:  CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
  Algorithm: RSA; Serial number: 0x374ad243
  Valid from Tue May 25 12:09:40 EDT 1999 until Sat May 25 12:39:40 EDT 2019

adding as trusted cert:
  Subject: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer:  CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  Algorithm: RSA; Serial number: 0x33af1e6a711a9a0bb2864b11d09fae5
  Valid from Thu Aug 01 08:00:00 EDT 2013 until Fri Jan 15 07:00:00 EST 2038

SSLContextImpl:  Using X509ExtendedKeyManager com.ibm.jsse2.ax
SSLContextImpl:  Using X509TrustManager com.ibm.jsse2.aB
JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
SSLv3 protocol was requested but was not enabled
 |   |       +- Protocol Selections
 |   |       |   +- Enabled (size=3)
 |   |       |   |   +- TLSv1
 |   |       |   |   +- TLSv1.1
 |   |       |   |   +- TLSv1.2
 |   |       |   +- Disabled (size=0)
 |   |       +- Cipher Suite Selections
 |   |           +- Enabled (size=15)
 |   |           |   +- SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 |   |           +- Disabled (size=31)
 |   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
 |   |               +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_FIPS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA256 - JreDisabled:java.security
 |   += HttpConnectionFactory@a8cd160a[HTTP/1.1] - STARTED
 |   |   +- HttpConfiguration@12228f86{32768/8192,8192/8192,https://:8443,[SecureRequestCustomizer@6b7b18a5]}
 |   += SelectorManager@ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
 |   |   += ReservedThreadExecutor@c1103942{s=0/1,p=0}@SelectorManager@ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
 |   |   += org.eclipse.jetty.io.ManagedSelector@5a5e403b id=0 keys=0 selected=0 actions=0 - STARTED
 |   |       += EatWhatYouKill@d8752858/SelectorProducer@a0c05928/PRODUCING/ReservedThreadExecutor@c1103942{s=0/1,p=0}@SelectorManager@ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
 |   |           +- SelectorProducer@a0c05928
 |   |       +- keys
 |   |       |   +- sun.nio.ch.EPollSelectorImpl@b35b5262 keys=0
 |   |       +- actions
 |   +- sun.nio.ch.ServerSocketChannelImpl[/0:0:0:0:0:0:0:0:8443]
 |   +- qtp-149401960-23-acceptor-0@b20be6a6-ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
 += org.eclipse.jetty.server.handler.HandlerList@d7f449c5[org.eclipse.jetty.server.handler.ResourceHandler@90e16429, org.eclipse.jetty.server.handler.DefaultHandler@603dc6d8] - STARTED
 |   += org.eclipse.jetty.server.handler.ResourceHandler@90e16429 - STARTED
 |   += org.eclipse.jetty.server.handler.DefaultHandler@603dc6d8 - STARTED
 += org.eclipse.jetty.server.handler.ErrorHandler@e3a93338 - STARTED
 +> sun.misc.Launcher$AppClassLoader@404d29ca
     +- file:/home/degenaro/eclipse-workspace.oxygen/jetty-test-9-4-8/bin/
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/alpn-api-1.1.3.v20160715.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/cdi-2-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/cdi-core-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/cdi-servlet-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-conscrypt-server-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-java-server-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-openjdk8-server-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-server-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-annotations-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-client-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-continuation-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-deploy-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-gcloud-session-manager-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-hazelcast-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-http-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-infinispan-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-io-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jaas-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jaspi-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jmx-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jndi-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-memcached-sessions-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-nosql-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-plus-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-proxy-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-quickstart-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-rewrite-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-schemas-3.1.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-security-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-server-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-servlet-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-servlets-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-unixsocket-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-util-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-webapp-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-xml-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/servlet-api-3.1.jar
     +- sun.misc.Launcher$ExtClassLoader@cf86cb9f
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dtfj-interface.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/localedata.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/IBMSecureRandom.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/traceformat.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmjcefips.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/jverbs.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmcmsprovider.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dnsns.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dtfjview.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/nashorn.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/zipfs.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/cldrdata.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/xmlencfw.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmpkcs11impl.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmxmldsigprovider.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/gskikm.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/CmpCrmf.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/jaccess.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/healthcenter.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmsaslprovider.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmkeycert.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmxmlcrypto.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmxmlencprovider.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmjceprovider.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dtfj.jar
2018-03-14 11:37:47.846:INFO:oejs.Server:main: Started @2577ms
Using SSLEngineImpl.
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
IBMJSSE2 will allow client initiated renegotiation per jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default

Is initial handshake: true
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
[Raw read]: length = 5
0000: 16 03 01 00 9d                                     .....

[Raw read]: length = 157
0000: 01 00 00 99 03 03 05 85  07 79 1b 58 d2 ef e6 25  .........y.X....
0010: 2f b0 15 b9 8a d6 15 5f  c2 70 21 52 84 eb 82 1f  .........p.R....
0020: 4c a0 64 48 c3 ba 00 00  1e c0 2c c0 0a c0 2b cc  L.dH............
0030: a9 c0 09 c0 30 c0 14 c0  2f cc a8 c0 13 00 39 00  ....0.........9.
0040: 33 00 35 00 2f 00 0a 01  00 00 52 00 17 00 00 ff  3.5.......R.....
0050: 01 00 01 00 00 0a 00 0a  00 08 00 1d 00 17 00 18  ................
0060: 00 19 00 0b 00 02 01 00  00 23 00 00 00 10 00 0e  ................
0070: 00 0c 02 68 32 08 68 74  74 70 2f 31 2e 31 00 05  ...h2.http.1.1..
0080: 00 05 01 00 00 00 00 00  0d 00 12 00 10 04 03 05  ................
0090: 03 06 03 04 01 05 01 06  01 02 03 02 01           .............

qtp-149401960-22, READ: TLSv1 Handshake, length = 157
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 75827065 bytes = { 27, 88, 210, 239, 230, 37, 47, 176, 21, 185, 138, 214, 21, 95, 194, 112, 33, 82, 132, 235, 130, 31, 76, 160, 100, 72, 195, 186 }
Session ID:  {}
Cipher Suites: [SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa8, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Unsupported extension type_23, data:
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Extension signature_algorithms, signature_algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA1withRSA
***
[read] MD5 and SHA1 hashes:  len = 157
0000: 01 00 00 99 03 03 05 85  07 79 1b 58 d2 ef e6 25  .........y.X....
0010: 2f b0 15 b9 8a d6 15 5f  c2 70 21 52 84 eb 82 1f  .........p.R....
0020: 4c a0 64 48 c3 ba 00 00  1e c0 2c c0 0a c0 2b cc  L.dH............
0030: a9 c0 09 c0 30 c0 14 c0  2f cc a8 c0 13 00 39 00  ....0.........9.
0040: 33 00 35 00 2f 00 0a 01  00 00 52 00 17 00 00 ff  3.5.......R.....
0050: 01 00 01 00 00 0a 00 0a  00 08 00 1d 00 17 00 18  ................
0060: 00 19 00 0b 00 02 01 00  00 23 00 00 00 10 00 0e  ................
0070: 00 0c 02 68 32 08 68 74  74 70 2f 31 2e 31 00 05  ...h2.http.1.1..
0080: 00 05 01 00 00 00 00 00  0d 00 12 00 10 04 03 05  ................
0090: 03 06 03 04 01 05 01 06  01 02 03 02 01           .............


JsseJCE:  Using MessageDigest MD5 from provider IBMJCE version 1.8
JsseJCE:  Using MessageDigest SHA from provider IBMJCE version 1.8
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp-149401960-22, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp-149401960-22, SEND TLSv1 ALERT:  fatal, description = handshake_failure
qtp-149401960-22, WRITE: TLSv1 Alert, length = 2
qtp-149401960-22, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp-149401960-22, called closeOutbound()
qtp-149401960-22, closeOutboundInternal()
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28                               ......

On Wed, Mar 14, 2018 at 11:23 AM, Joakim Erdfelt <[hidden email]> wrote:
Your server has no handlers, none, completely empty.

Perhaps you missed the ...

server.setHandler(resourceHandler);

Better yet, use ...

HandlerList handlers = new HandlerList();
handlers.addHandler(resourceHandler);
handlers.addHandler(new DefaultHandler()); // always last
server.setHandler(handlers);

Also, add this before your server.start();

server.setDumpAfterStart(true);
server.start();
server.join();

That should produce the dump I mentioned in the prior email.


Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 9:55 AM, Lou DeGenaro <[hidden email]> wrote:
Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

> NO.  I'm using vanilla jetty as shipped.  Is there something else I need to do?

Code shown below.

Thanks.

Lou.
   
    private void server_main(String[] args) {
        try {
            // === jetty.xml ===                                                                                                                                      

            // Setup Threadpool                                                                                                                                       
            QueuedThreadPool threadPool = new QueuedThreadPool();
            threadPool.setMaxThreads(max_threads);

            // Server                                                                                                                                                         
            server = new Server(threadPool);
           
            // Scheduler                                                                                                                                                      
            server.addBean(new ScheduledExecutorScheduler());

            // === jetty-http.xml ===                                                                                                                                         
            ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
            http.setPort(port_http);
            http.setIdleTimeout(idle_timeout);
            server.addConnector(http);

            // === jetty-https.xml ===                                                                                                                                        
            // SSL Context Factory                                                                                                                                            
            SslContextFactory sslContextFactory = new SslContextFactory();
           
            HttpConfiguration http_config = new HttpConfiguration();
             http_config.setSecureScheme("https");
             http_config.setSecurePort(port_https);
            
            HttpConfiguration https_config = new HttpConfiguration(http_config);
            https_config.addCustomizer(new SecureRequestCustomizer());
            
            ServerConnector https = new ServerConnector(server,
                 new SslConnectionFactory(sslContextFactory,"http/1.1"),
                 new HttpConnectionFactory(https_config));

            https.setPort(port_https);
            sslContextFactory.setKeyStorePath(keystore);
           
            sslContextFactory.setKeyStorePassword(keystore_password);   
            sslContextFactory.setKeyManagerPassword(keymanager_password);
           
            server.setConnectors(new Connector[] { http });
            server.addConnector(https);
           
            //
            ResourceHandler resourceHandler = new ResourceHandler();
            resourceHandler.setDirectoriesListed(true);
            resourceHandler.setResourceBase(jetty_server_root);
           
            server.start();
            server.join();
        }
        catch(Exception e) {
            e.printStackTrace();
        }
    }

On Wed, Mar 14, 2018 at 10:44 AM, Joakim Erdfelt <[hidden email]> wrote:
Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

If you enable the jetty startup dump you'll see the list of enabled cipher suites and protocols that Jetty is running with (including the reason why a specific available protocol or cipher suite is disabled).

$ java -jar /path/to/my/jetty-home/start.jar jetty.server.dumpAfterStart=true

Example output:

 |   += SslConnectionFactory@51c668e3{SSL->http/1.1} - STARTED
 |   |   += SslContextFactory@19f040ba[provider=null,keyStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore,trustStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore] trustAll=false
 |   |       +- Protocol Selections
 |   |       |   +- Enabled (size=3)
 |   |       |   |   +- TLSv1
 |   |       |   |   +- TLSv1.1
 |   |       |   |   +- TLSv1.2
 |   |       |   +- Disabled (size=2)
 |   |       |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
 |   |       |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
 |   |       +- Cipher Suite Selections
 |   |           +- Enabled (size=29)
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 |   |           |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_GCM_SHA384
 |   |           +- Disabled (size=53)
 |   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
 |   |               +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 8:43 AM, Lou DeGenaro <[hidden email]> wrote:
Still having (likely user error) issues with SSL.  I generate my keystore thus:

/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 -keystore /home/webserver/etc/keystore -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh

I run jetty 9.4.8 with java 1.8 and the keystore.

I visit https:/myhost:8443/ using Firefox 52.4.0 (64-bit) and my windows displays: Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Thanks for your advise.

Lou.

On Mon, Mar 12, 2018 at 2:03 AM, Greg Wilkins <[hidden email]> wrote:
Any jetty.keystore.password is not set anywhere? if it is set, is it set to your password?
Try hard coding it in the XML to debug before playing with parameters.

cheers


On 11 March 2018 at 06:48, Lou DeGenaro <[hidden email]> wrote:
yep.

On Sat, Mar 10, 2018 at 12:59 PM, John English <[hidden email]> wrote:
On 10/03/2018 16:15, Lou DeGenaro wrote:
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

The keystore password and truststore password are really the same? Are you sure?

--
John English
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Joakim Erdfelt-8
Don't use the IBM JVM, use the Oracle or OpenJDK JVM and try again.

If it works for you then you can be sure of a few things ...

* The keystore is sane, its not your problem anymore.
* The IBM JVM is not sane, look into its cipher suites and protocols.

A quick comparison shows that it has half the cipher suites that oracle jvm or openjdk has.

Note: that the IBM JVM has a non-standard TLS configuration.

Also Note: If you plan on using HTTP/2 you cannot use IBM JVM (not supported), you must use the Oracle or OpenJDK JVMs.


Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 10:43 AM, Lou DeGenaro <[hidden email]> wrote:
No improvement.  Revised code and console shown below.

Thanks.

Lou.

-----

    private void server_main(String[] args) {
        try {
            // === jetty.xml ===                                                                                                                                      

            // Setup Threadpool                                                                                                                                       
            QueuedThreadPool threadPool = new QueuedThreadPool();
            threadPool.setMaxThreads(max_threads);

            // Server                                                                                                                                                         
            server = new Server(threadPool);
           
            // Scheduler                                                                                                                                                      
            server.addBean(new ScheduledExecutorScheduler());

            // === jetty-http.xml ===                                                                                                                                         
            ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
            http.setPort(port_http);
            http.setIdleTimeout(idle_timeout);
            server.addConnector(http);

            // === jetty-https.xml ===                                                                                                                                        
            // SSL Context Factory                                                                                                                                            
            SslContextFactory sslContextFactory = new SslContextFactory();
           
            HttpConfiguration http_config = new HttpConfiguration();
             http_config.setSecureScheme("https");
             http_config.setSecurePort(port_https);
            
            HttpConfiguration https_config = new HttpConfiguration(http_config);
            https_config.addCustomizer(new SecureRequestCustomizer());
            
            ServerConnector https = new ServerConnector(server,
                 new SslConnectionFactory(sslContextFactory,"http/1.1"),
                 new HttpConnectionFactory(https_config));

            https.setPort(port_https);
            sslContextFactory.setKeyStorePath(keystore);
           
            sslContextFactory.setKeyStorePassword(keystore_password);   
            sslContextFactory.setKeyManagerPassword(keymanager_password);
           
            server.setConnectors(new Connector[] { http });
            server.addConnector(https);
           
            //
            ResourceHandler resourceHandler = new ResourceHandler();
            resourceHandler.setDirectoriesListed(true);
            resourceHandler.setResourceBase(jetty_server_root);
           
            HandlerList handlers = new HandlerList();
            handlers.addHandler(resourceHandler);
            handlers.addHandler(new DefaultHandler()); // always last
            server.setHandler(handlers);
           
            server.setDumpAfterStart(true);
           
            server.start();
            server.join();
        }
        catch(Exception e) {
            e.printStackTrace();
        }
    }

-----
2018-03-14 11:37:45.625:INFO::main: Logging initialized @351ms to org.eclipse.jetty.util.log.StdErrLog
2018-03-14 11:37:45.825:INFO:oejs.Server:main: jetty-9.4.8.v20171121, build timestamp: 2017-11-21T16:27:37-05:00, git hash: 82b8fb23f757335bb3329d540ce37a2a2615f0a8
2018-03-14 11:37:45.922:INFO:oejs.AbstractConnector:main: Started ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
IBMJSSE2 will not allow protocol SSLv3 per com.ibm.jsse2.disableSSLv3 set to TRUE or default
IBMJSSEProvider2 Build-Level: -20170331
2018-03-14 11:37:46.281:INFO:oejus.SslContextFactory:main: x509=X509@5e446688(jetty,h=[org.apache.uima.ducc],w=[]) for SslContextFactory@1d40ef6d[provider=null,keyStore=file:///home/degenaro/eclipse-workspace.oxygen/jetty-test/jetty_server/resources/keystore,trustStore=null]
***
found key for : jetty
chain [0] = [
[
  Version: V3
  Subject: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  IBMJCE RSA Public Key:
modulus:
26444069295037038267670300696763620220086855168010647941062481660899879479809803884294058174186734453624045301378960846171682857107027427250597312076248642649356771721145682344245878191309320890723575777460786702390358243322791249076850090693381733056591593174654468012583689613231816006119017233929860434582650065276576272281165144214678026119356221396436764713993593922893984567339081233071416154536460768358828849217850772778328033506197393729977576558944097787316741634679425927443562707477678127192646659210557046525097591671498428801608743933890349308048211506320417826611620098375345539572734782479701163777463
public exponent:
65537

  Validity: [From: Wed Mar 07 15:56:33 EST 2018,
               To: Sun Jul 23 16:56:33 EDT 2045]
  Issuer: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
  SerialNumber: [1372056716]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: d5 93 ce ef 56 40 f2 e8  54 f0 02 22 ed 77 36 fd  ....V...T....w6.
0010: 4c 3f bb 73                                        L..s
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 96 5b c7 88 51 51 68 ce  eb d6 61 dc ca b1 41 62  ....QQh...a...Ab
0010: b0 62 51 e2 ed de 88 8a  bf 83 eb ef be 4d 13 32  .bQ..........M.2
0020: b9 82 64 2e 8a c8 bf 99  b2 a6 a2 cb fe 1b ba 88  ..d.............
0030: 13 12 36 67 1d 26 e6 e9  97 ae df 33 51 cd bd 1b  ..6g.......3Q...
0040: 05 5b f5 62 db c5 a1 84  d0 b3 a0 1a f1 00 b7 74  ...b...........t
0050: f7 0d e1 3f e7 ab 36 59  9f d8 35 fa 3d bc c9 dd  ......6Y..5.....
0060: 7c 13 3f f9 a3 b3 e8 e2  3b 2f 8b dd d4 39 0e 1d  .............9..
0070: a9 ed 2c c9 d2 e5 e9 c9  99 84 62 4c fb a7 28 89  ..........bL....
0080: bf a3 c6 55 6e 13 09 63  e4 37 40 a5 c2 0d d7 4b  ...Un..c.7.....K
0090: 1e b5 a3 02 31 5a 9d 84  c2 e1 b9 90 1d 0f 49 8a  ....1Z........I.
00a0: d1 b8 d1 d1 4b bc a3 18  55 f7 de a2 6f 90 29 f2  ....K...U...o...
00b0: 99 7d 87 06 25 25 f1 8a  83 79 7b 52 9e 45 b2 ca  .........y.R.E..
00c0: 0d 85 fa e2 7d b7 4c 9d  ca 13 ab fd bc e1 6d c8  ......L.......m.
00d0: f1 4b 01 d2 1e 96 8f 50  68 24 ba e5 c4 f1 90 70  .K.....Ph......p
00e0: d9 00 36 fa 39 7e 34 4d  13 14 28 1d 43 e7 16 16  ..6.9.4M....C...
00f0: 2d a6 32 d5 57 19 08 a4  05 f6 f9 35 2b bc 8b 4d  ..2.W......5...M

]
***
adding as trusted cert:
  Subject: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
  Issuer:  CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
  Algorithm: RSA; Serial number: 0x51c7ec8c
  Valid from Wed Mar 07 15:56:33 EST 2018 until Sun Jul 23 16:56:33 EDT 2045

Installed Providers =
    IBMJSSE2
    IBMJCE
    IBMJGSSProvider
    IBMCertPath
    IBMSASL
    IBMXMLCRYPTO
    IBMXMLEnc
    IBMSPNEGO
    SUN
SSLContextImpl:  Using X509ExtendedKeyManager org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager
SSLContextImpl:  Using X509TrustManager com.ibm.jsse2.aB
JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
JsseJCE:  Using signature SHA1withECDSA from provider TBD via init
JsseJCE:  Using signature NONEwithECDSA from provider TBD via init
JsseJCE:  Using KeyAgreement ECDH from provider IBMJCE version 1.8
JsseJCE:  Using KeyFactory EC from provider IBMJCE version 1.8
JsseJCE:  Using KeyPairGenerator EC from provider TBD via init
jdk.tls.client.protocols is defined as null
SSLv3 protocol was requested but was not enabled
SSLv3 protocol was requested but was not enabled
SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
IBMJSSE2 will enable CBC protection
Using SSLEngineImpl.
2018-03-14 11:37:47.170:INFO:oejs.AbstractConnector:main: Started ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
org.eclipse.jetty.server.Server@74696830[9.4.8.v20171121] - STARTING
 += QueuedThreadPool@qtp-149401960{STARTED,8<=8<=10,i=4,q=0} - STARTED
 |   +- 21 qtp-149401960-21-acceptor-0@6793ecf3-ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} ACCEPTING RUNNABLE @ sun.nio.ch.ServerSocketChannelImpl.accept0(Native Method) prio=3
 |   +- 25 qtp-149401960-25 IDLE TIMED_WAITING @ sun.misc.Unsafe.park(Native Method)
 |   +- 26 qtp-149401960-26 IDLE TIMED_WAITING @ sun.misc.Unsafe.park(Native Method)
 |   +- 22 qtp-149401960-22 SELECTING RUNNABLE @ sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)
 |   +- 23 qtp-149401960-23-acceptor-0@b20be6a6-ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} ACCEPTING RUNNABLE @ sun.nio.ch.ServerSocketChannelImpl.accept0(Native Method) prio=3
 |   +- 24 qtp-149401960-24 IDLE TIMED_WAITING @ sun.misc.Unsafe.park(Native Method)
 |   +- 20 qtp-149401960-20 SELECTING RUNNABLE @ sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)
 |   +- 27 qtp-149401960-27 IDLE TIMED_WAITING @ sun.misc.Unsafe.park(Native Method)
 |   +- jobs
 += org.eclipse.jetty.util.thread.ScheduledExecutorScheduler@fed832b4 - STARTED
 += ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} - STARTED
 |   +~ org.eclipse.jetty.server.Server@74696830[9.4.8.v20171121] - STARTING
 |   +~ QueuedThreadPool@qtp-149401960{STARTED,8<=8<=10,i=4,q=0} - STARTED
 |   +~ org.eclipse.jetty.util.thread.ScheduledExecutorScheduler@fed832b4 - STARTED
 |   +- org.eclipse.jetty.io.ArrayByteBufferPool@133cfd8a
 |   += HttpConnectionFactory@378c4a8b[HTTP/1.1] - STARTED
 |   |   +- HttpConfiguration@83e8c34f{32768/8192,8192/8192,https://:0,[]}
 |   += SelectorManager@ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} - STARTED
 |   |   += ReservedThreadExecutor@d9a5f14a{s=0/1,p=0}@SelectorManager@ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} - STARTED
 |   |   += org.eclipse.jetty.io.ManagedSelector@19be75b2 id=0 keys=0 selected=0 actions=0 - STARTED
 |   |       += EatWhatYouKill@44d241bf/SelectorProducer@f642edac/PRODUCING/ReservedThreadExecutor@d9a5f14a{s=0/1,p=0}@SelectorManager@ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} - STARTED
 |   |           +- SelectorProducer@f642edac
 |   |       +- keys
 |   |       |   +- sun.nio.ch.EPollSelectorImpl@9292aa36 keys=0
 |   |       +- actions
 |   +- sun.nio.ch.ServerSocketChannelImpl[/0:0:0:0:0:0:0:0:8080]
 |   +- qtp-149401960-21-acceptor-0@6793ecf3-ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
 += ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
 |   +~ org.eclipse.jetty.server.Server@74696830[9.4.8.v20171121] - STARTING
 |   +~ QueuedThreadPool@qtp-149401960{STARTED,8<=8<=10,i=4,q=0} - STARTED
 |   +~ org.eclipse.jetty.util.thread.ScheduledExecutorScheduler@fed832b4 - STARTED
 |   +- org.eclipse.jetty.io.ArrayByteBufferPool@8d6ecdb
 |   += SslConnectionFactory@7f664c55{SSL->http/1.1} - STARTED
 |   |   += SslContextFactory@1d40ef6d[provider=null,keyStore=file:///home/degenaro/eclipse-workspace.oxygen/jetty-test/jetty_server/resources/keystore,trustStore=null] trustAll=false
keyStore is: /share/ibm-java-x86_64-8.0.4.6/jre/lib/security/cacerts
keyStore type is: jks
keyStore provider is:
init keystore
Finalizer thread, called close()
Finalizer thread, called closeInternal(true)
Finalizer thread, called closeSocket(true)
init keymanager of type IbmX509
trustStore is: /share/ibm-java-x86_64-8.0.4.6/jre/lib/security/cacerts
trustStore type is: jks
trustStore provider is:
init truststore
adding as trusted cert:
  Subject: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Issuer:  CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Algorithm: RSA; Serial number: 0xd9083fbba967ca1a
  Valid from Wed Dec 07 06:28:07 EST 2011 until Sat Jul 31 07:28:07 EDT 2038

adding as trusted cert:
  Subject: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
  Issuer:  OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Sep 30 00:20:49 EDT 2003 until Sat Sep 30 00:20:49 EDT 2023

adding as trusted cert:
  Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer:  CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Algorithm: RSA; Serial number: 0x83be056904246b1a1756ac95991c74a
  Valid from Thu Nov 09 19:00:00 EST 2006 until Sun Nov 09 19:00:00 EST 2031

adding as trusted cert:
  Subject: CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x445734245b81899b35f2ceb82b3b5ba726f07528
  Valid from Thu Jan 12 13:59:32 EST 2012 until Sun Jan 12 13:59:32 EST 2042

adding as trusted cert:
  Subject: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0x4
  Valid from Mon Jun 21 00:00:00 EDT 1999 until Sun Jun 21 00:00:00 EDT 2020

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer:  EMAILADDRESS=[hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Jun 25 20:19:54 EDT 1999 until Tue Jun 25 20:19:54 EDT 2019

adding as trusted cert:
  Subject: CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x18acb56afd69b6153a636cafdafac4a1
  Valid from Sun Nov 26 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
  Issuer:  OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
  Algorithm: RSA; Serial number: 0x0
  Valid from Fri May 29 01:00:39 EDT 2009 until Tue May 29 01:00:39 EDT 2029

adding as trusted cert:
  Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Issuer:  OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Finalizer thread, called close()
Finalizer thread, called closeInternal(true)
Finalizer thread, called closeSocket(true)
  Algorithm: RSA; Serial number: 0x7dd9fe07cfa81eb7107967fba78934c6
  Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0x1
  Valid from Mon Jun 21 00:00:00 EDT 1999 until Sun Jun 21 00:00:00 EDT 2020

adding as trusted cert:
  Subject: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW
  Issuer:  OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW
  Algorithm: RSA; Serial number: 0x15c8bd65475cafb897005ee406d2bc9d
  Valid from Sun Dec 19 21:31:27 EST 2004 until Tue Dec 19 21:31:27 EST 2034

adding as trusted cert:
  Subject: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
  Issuer:  CN=AffirmTrust Commercial, O=AffirmTrust, C=US
  Algorithm: RSA; Serial number: 0x7777062726a9b17c
  Valid from Fri Jan 29 09:06:06 EST 2010 until Tue Dec 31 09:06:06 EST 2030

adding as trusted cert:
  Subject: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  Issuer:  CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  Algorithm: RSA; Serial number: 0x444c0
  Valid from Wed Oct 22 08:07:37 EDT 2008 until Mon Dec 31 07:07:37 EST 2029

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x0
  Valid from Sun Dec 31 19:00:00 EST 1995 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
  Issuer:  CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
  Algorithm: RSA; Serial number: 0x2e6a000100021fd752212c115c3b
  Valid from Thu Jan 12 09:38:43 EST 2006 until Wed Dec 31 17:59:59 EST 2025

adding as trusted cert:
  Subject: CN=Sonera Class2 CA, O=Sonera, C=FI
  Issuer:  CN=Sonera Class2 CA, O=Sonera, C=FI
  Algorithm: RSA; Serial number: 0x1d
  Valid from Fri Apr 06 03:29:40 EDT 2001 until Tue Apr 06 03:29:40 EDT 2021

adding as trusted cert:
  Subject: CN=America Online Root Certification Authority 1, O=America Online Inc., C=US
  Issuer:  CN=America Online Root Certification Authority 1, O=America Online Inc., C=US
  Algorithm: RSA; Serial number: 0x1
  Valid from Tue May 28 02:00:00 EDT 2002 until Thu Nov 19 15:43:00 EST 2037

adding as trusted cert:
  Subject: CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  Algorithm: EC; Serial number: 0x3cb2f4480a00e2feeb243b5e603ec36b
  Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
  Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Issuer:  OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Algorithm: RSA; Serial number: 0x35def4cf
  Valid from Sat Aug 22 12:41:51 EDT 1998 until Wed Aug 22 12:41:51 EDT 2018

adding as trusted cert:
  Subject: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer:  CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Algorithm: RSA; Serial number: 0x2ac5c266a0b409b8f0b79f2ae462577
  Valid from Thu Nov 09 19:00:00 EST 2006 until Sun Nov 09 19:00:00 EST 2031

adding as trusted cert:
  Subject: CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x1
  Valid from Thu Mar 04 00:00:00 EST 2004 until Sun Mar 04 00:00:00 EST 2029

adding as trusted cert:
  Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  Issuer:  CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  Algorithm: RSA; Serial number: 0x4000000000121585308a2
  Valid from Wed Mar 18 06:00:00 EDT 2009 until Sun Mar 18 06:00:00 EDT 2029

adding as trusted cert:
  Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Issuer:  CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Algorithm: RSA; Serial number: 0x20000b9
  Valid from Fri May 12 14:46:00 EDT 2000 until Mon May 12 19:59:00 EDT 2025

adding as trusted cert:
  Subject: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
  Issuer:  OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Jun 29 13:39:16 EDT 2004 until Thu Jun 29 13:39:16 EDT 2034

adding as trusted cert:
  Subject: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
  Issuer:  CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
  Algorithm: RSA; Serial number: 0x1
  Valid from Wed Dec 31 19:00:00 EST 2003 until Sun Dec 31 18:59:59 EST 2028

adding as trusted cert:
  Subject: CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
  Issuer:  CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
  Algorithm: RSA; Serial number: 0x7
  Valid from Tue May 03 03:00:00 EDT 2011 until Sat May 03 03:00:00 EDT 2031

adding as trusted cert:
  Subject: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Issuer:  CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Algorithm: RSA; Serial number: 0x44be0c8b500024b411d3362afe650afd
  Valid from Fri Jul 09 14:10:42 EDT 1999 until Tue Jul 09 14:19:22 EDT 2019

adding as trusted cert:
  Subject: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
  Issuer:  CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Sep 30 12:13:43 EDT 2003 until Wed Sep 30 12:13:44 EDT 2037

adding as trusted cert:
  Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0xcdba7f56f0dfe4bc54fe22acb372aa55
  Valid from Sun Jan 28 19:00:00 EST 1996 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x9b7e0649a33e62b9d5ee90487129ef57
  Valid from Thu Sep 30 20:00:00 EDT 1999 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
  Issuer:  CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
  Algorithm: RSA; Serial number: 0x40000000001154b5ac394
  Valid from Tue Sep 01 08:00:00 EDT 1998 until Fri Jan 28 07:00:00 EST 2028

adding as trusted cert:
  Subject: CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Issuer:  CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Algorithm: RSA; Serial number: 0x44be0c8b500024b411d3362de0b35f1b
  Valid from Fri Jul 09 14:31:20 EDT 1999 until Tue Jul 09 14:40:36 EDT 2019

adding as trusted cert:
  Subject: CN=AffirmTrust Networking, O=AffirmTrust, C=US
  Issuer:  CN=AffirmTrust Networking, O=AffirmTrust, C=US
  Algorithm: RSA; Serial number: 0x7c4f04391cd4992d
  Valid from Fri Jan 29 09:08:24 EST 2010 until Tue Dec 31 09:08:24 EST 2030

adding as trusted cert:
  Subject: CN=AffirmTrust Premium, O=AffirmTrust, C=US
  Issuer:  CN=AffirmTrust Premium, O=AffirmTrust, C=US
  Algorithm: RSA; Serial number: 0x6d8c1446b1a60aee
  Valid from Fri Jan 29 09:10:36 EST 2010 until Mon Dec 31 09:10:36 EST 2040

adding as trusted cert:
  Subject: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x2d1bfc4a178da391ebe7fff58b45be0b
  Valid from Sun Jan 28 19:00:00 EST 1996 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA, O=TC TrustCenter GmbH, C=DE
  Issuer:  CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA, O=TC TrustCenter GmbH, C=DE
  Algorithm: RSA; Serial number: 0x5c00001000241d0060a4dce7510
  Valid from Thu Mar 23 09:10:23 EST 2006 until Wed Dec 31 17:59:59 EST 2025

adding as trusted cert:
  Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
  Issuer:  CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
  Algorithm: RSA; Serial number: 0x20000bf
  Valid from Wed May 17 10:01:00 EDT 2000 until Sat May 17 19:59:00 EDT 2025

adding as trusted cert:
  Subject: CN=America Online Root Certification Authority 2, O=America Online Inc., C=US
  Issuer:  CN=America Online Root Certification Authority 2, O=America Online Inc., C=US
  Algorithm: RSA; Serial number: 0x1
  Valid from Tue May 28 02:00:00 EDT 2002 until Tue Sep 29 10:08:00 EDT 2037

adding as trusted cert:
  Subject: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Issuer:  CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Algorithm: RSA; Serial number: 0xae8219053f5e8271
  Valid from Wed Dec 07 06:29:21 EST 2011 until Sat Jul 31 07:29:21 EDT 2038

adding as trusted cert:
  Subject: CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x15ac6e9419b2794b41f627a9c3180f1f
  Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037

adding as trusted cert:
  Subject: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Issuer:  CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Algorithm: RSA; Serial number: 0xa3da427ea4b1aeda
  Valid from Fri Aug 01 08:29:50 EDT 2008 until Sat Jul 31 08:29:50 EDT 2038

adding as trusted cert:
  Subject: CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
  Issuer:  CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
  Algorithm: RSA; Serial number: 0x4f1bd42f54bb2f4b
  Valid from Wed Oct 25 04:32:46 EDT 2006 until Sat Oct 25 04:32:46 EDT 2036

adding as trusted cert:
  Subject: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
  Issuer:  CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
  Algorithm: RSA; Serial number: 0x4a538c28
  Valid from Tue Jul 07 13:25:54 EDT 2009 until Sat Dec 07 12:55:54 EST 2030

adding as trusted cert:
  Subject: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer:  CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Algorithm: RSA; Serial number: 0xce7e0e517d846fe8fe560fc1bf03039
  Valid from Thu Nov 09 19:00:00 EST 2006 until Sun Nov 09 19:00:00 EST 2031

adding as trusted cert:
  Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  Issuer:  OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Jun 29 13:06:20 EDT 2004 until Thu Jun 29 13:06:20 EDT 2034

adding as trusted cert:
  Subject: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
  Issuer:  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
  Algorithm: RSA; Serial number: 0x1
  Valid from Tue May 30 06:48:38 EDT 2000 until Sat May 30 06:48:38 EDT 2020

adding as trusted cert:
  Subject: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
  Issuer:  CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
  Algorithm: RSA; Serial number: 0x1
  Valid from Wed Oct 01 06:29:56 EDT 2008 until Sat Oct 01 19:59:59 EDT 2033

adding as trusted cert:
  Subject: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Issuer:  CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Algorithm: RSA; Serial number: 0x44be0c8b500024b411d336252567c989
  Valid from Fri Jul 09 13:28:50 EDT 1999 until Tue Jul 09 13:36:58 EDT 2019

adding as trusted cert:
  Subject: CN=Class 2 Primary CA, O=Certplus, C=FR
  Issuer:  CN=Class 2 Primary CA, O=Certplus, C=FR
  Algorithm: RSA; Serial number: 0x85bd4bf3d8dae369f694d75fc3a54423
  Valid from Wed Jul 07 13:05:00 EDT 1999 until Sat Jul 06 19:59:59 EDT 2019

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x1
  Valid from Wed Jul 31 20:00:00 EDT 1996 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x23456
  Valid from Tue May 21 00:00:00 EDT 2002 until Sat May 21 00:00:00 EDT 2022

adding as trusted cert:
  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Algorithm: RSA; Serial number: 0x4eb200670c035d4f
  Valid from Wed Oct 25 04:36:00 EDT 2006 until Sat Oct 25 04:36:00 EDT 2036

adding as trusted cert:
  Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x6170cb498c5f984529e7b0a6d9505b7a
  Valid from Thu Sep 30 20:00:00 EDT 1999 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
  Issuer:  CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Mon Aug 31 20:00:00 EDT 2009 until Thu Dec 31 18:59:59 EST 2037

adding as trusted cert:
  Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
  Issuer:  CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
  Algorithm: RSA; Serial number: 0x3863def8
  Valid from Fri Dec 24 12:50:51 EST 1999 until Tue Jul 24 10:15:12 EDT 2029

adding as trusted cert:
  Subject: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Issuer:  CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Algorithm: RSA; Serial number: 0x344ed55720d5edec49f42fce37db2b6d
  Valid from Thu Nov 16 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x1
  Valid from Wed Jul 31 20:00:00 EDT 1996 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Issuer:  CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Mon Aug 31 20:00:00 EDT 2009 until Thu Dec 31 18:59:59 EST 2037

adding as trusted cert:
  Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x8b5b75568454850b00cfaf3848ceb1a4
  Valid from Thu Sep 30 20:00:00 EDT 1999 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x123df0e7da2a2247a43889e08aeec967
  Valid from Sun Dec 31 19:00:00 EST 1995 until Fri Jan 01 18:59:59 EST 2021

adding as trusted cert:
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: EC; Serial number: 0x2f80fe238c0e220f486712289187acb3
  Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
  Subject: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
  Issuer:  CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
  Algorithm: RSA; Serial number: 0x456b5054
  Valid from Mon Nov 27 15:23:42 EST 2006 until Fri Nov 27 15:53:42 EST 2026

adding as trusted cert:
  Subject: CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal CA, O=TC TrustCenter GmbH, C=DE
  Issuer:  CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal CA, O=TC TrustCenter GmbH, C=DE
  Algorithm: RSA; Serial number: 0x1da200010002ecb76080788db606
  Valid from Wed Mar 22 10:54:28 EST 2006 until Wed Dec 31 17:59:59 EST 2025

adding as trusted cert:
  Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  Issuer:  CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  Algorithm: RSA; Serial number: 0x10020
  Valid from Tue Jun 11 06:46:39 EDT 2002 until Fri Jun 11 06:46:39 EDT 2027

adding as trusted cert:
  Subject: CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  Issuer:  CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  Algorithm: RSA; Serial number: 0x1
  Valid from Tue May 30 06:44:50 EDT 2000 until Sat May 30 06:44:50 EDT 2020

adding as trusted cert:
  Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x70bae41d10d92934b638ca7b03ccbabf
  Valid from Sun Jan 28 19:00:00 EST 1996 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
  Issuer:  CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
  Algorithm: RSA; Serial number: 0x2
  Valid from Tue Oct 26 04:38:03 EDT 2010 until Fri Oct 26 04:38:03 EDT 2040

adding as trusted cert:
  Subject: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
  Issuer:  CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
  Algorithm: RSA; Serial number: 0xbb401c43f55e4fb0
  Valid from Wed Oct 25 04:30:35 EDT 2006 until Sat Oct 25 04:30:35 EDT 2036

adding as trusted cert:
  Subject: CN=Certum Trusted Network CA 2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  Issuer:  CN=Certum Trusted Network CA 2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  Algorithm: RSA; Serial number: 0xb85914713f57df8f31c0333dd2d6197a2317b4eb
  Valid from Thu Oct 06 04:39:56 EDT 2011 until Sat Oct 06 04:39:56 EDT 2046

adding as trusted cert:
  Subject: CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Issuer:  CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Algorithm: RSA; Serial number: 0x44be0c8b500021b411d32a6806a9ad69
  Valid from Thu Jun 24 14:57:21 EDT 1999 until Mon Jun 24 15:06:30 EDT 2019

adding as trusted cert:
  Subject: CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x509
  Valid from Fri Nov 24 13:27:00 EST 2006 until Mon Nov 24 13:23:33 EST 2031

adding as trusted cert:
  Subject: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE
  Issuer:  CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE
  Algorithm: RSA; Serial number: 0x26
  Valid from Fri Jul 09 08:11:00 EDT 1999 until Tue Jul 09 19:59:00 EDT 2019

adding as trusted cert:
  Subject: CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x78585f2ead2c194be3370735341328b596d46593
  Valid from Thu Jan 12 12:27:44 EST 2012 until Sun Jan 12 12:27:44 EST 2042

adding as trusted cert:
  Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x3f691e819cf09a4af373ffb948a2e4dd
  Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x6ecc7aa5a7032009b8cebcf4e952d491
  Valid from Sun Feb 07 19:00:00 EST 2010 until Fri Feb 07 18:59:59 EST 2020

adding as trusted cert:
  Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Issuer:  OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0xb92f60cc889fa17a4609b85b706c8aaf
  Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x18dad19e267de8bb4a2158cdcc6b3b4a
  Valid from Tue Nov 07 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
  Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
  Issuer:  CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
  Algorithm: RSA; Serial number: 0x400000000010f8626e60d
  Valid from Fri Dec 15 03:00:00 EST 2006 until Wed Dec 15 03:00:00 EST 2021

adding as trusted cert:
  Subject: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x5c6
  Valid from Fri Nov 24 14:11:23 EST 2006 until Mon Nov 24 14:06:44 EST 2031

adding as trusted cert:
  Subject: CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x2ef59b0228a7db7affd5a3a9eebd03a0cf126a1d
  Valid from Thu Jan 12 15:26:32 EST 2012 until Sun Jan 12 15:26:32 EST 2042

adding as trusted cert:
  Subject: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
  Issuer:  OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
  Algorithm: RSA; Serial number: 0x3770cfb5
  Valid from Wed Jun 23 08:14:45 EDT 1999 until Sun Jun 23 08:14:45 EDT 2019

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x34a4fff630af4ca53c331742a1946675
  Valid from Wed Jul 31 20:00:00 EDT 1996 until Fri Jan 01 18:59:59 EST 2021

adding as trusted cert:
  Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
  Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
  Issuer:  CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
  Algorithm: RSA; Serial number: 0x3ab6508b
  Valid from Mon Mar 19 13:33:33 EST 2001 until Wed Mar 17 14:33:33 EDT 2021

adding as trusted cert:
  Subject: CN=Class 3P Primary CA, O=Certplus, C=FR
  Issuer:  CN=Class 3P Primary CA, O=Certplus, C=FR
  Algorithm: RSA; Serial number: 0xbf5cdbb6f21c6ec04deb7a023b36e879
  Valid from Wed Jul 07 13:10:00 EDT 1999 until Sat Jul 06 19:59:59 EDT 2019

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x0
  Valid from Sun Dec 31 19:00:00 EST 1995 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
  Issuer:  CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
  Algorithm: RSA; Serial number: 0x2
  Valid from Tue Oct 26 04:28:58 EDT 2010 until Fri Oct 26 04:28:58 EDT 2040

adding as trusted cert:
  Subject: OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP
  Issuer:  OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Jun 05 22:12:32 EDT 2007 until Fri Jun 05 22:12:32 EDT 2037

adding as trusted cert:
  Subject: CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
  Issuer:  CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
  Algorithm: EC; Serial number: 0x35fc265cd9844fc93d263d579baed756
  Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x0
  Valid from Sun Dec 31 19:00:00 EST 1995 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x401ac46421b31321030ebbe4121ac51d
  Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037

adding as trusted cert:
  Subject: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  Issuer:  CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  Algorithm: RSA; Serial number: 0x1
  Valid from Tue May 30 06:38:31 EDT 2000 until Sat May 30 06:38:31 EDT 2020

adding as trusted cert:
  Subject: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
  Issuer:  CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Dec 31 19:00:00 EST 1996 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
  Subject: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Issuer:  CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  Algorithm: RSA; Serial number: 0xc9cdd3e9d57d23ce
  Valid from Fri Aug 01 08:31:40 EDT 2008 until Sat Jul 31 08:31:40 EDT 2038

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer:  EMAILADDRESS=[hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Jun 25 18:23:48 EDT 1999 until Tue Jun 25 18:23:48 EDT 2019

adding as trusted cert:
  Subject: CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Issuer:  CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Algorithm: RSA; Serial number: 0x600197b746a7eab4b49ad64b2ff790fb
  Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037

adding as trusted cert:
  Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Issuer:  CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Algorithm: RSA; Serial number: 0x1a5
  Valid from Wed Aug 12 20:29:00 EDT 1998 until Mon Aug 13 19:59:00 EDT 2018

adding as trusted cert:
  Subject: EMAILADDRESS=[hidden email], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=[hidden email], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x36122296c5e338a520a1d25f4cd70954
  Valid from Wed Jul 31 20:00:00 EDT 1996 until Fri Jan 01 18:59:59 EST 2021

adding as trusted cert:
  Subject: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
  Issuer:  CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
  Algorithm: EC; Serial number: 0x7497258ac73f7a54
  Valid from Fri Jan 29 09:20:24 EST 2010 until Mon Dec 31 09:20:24 EST 2040

adding as trusted cert:
  Subject: CN=Sonera Class1 CA, O=Sonera, C=FI
  Issuer:  CN=Sonera Class1 CA, O=Sonera, C=FI
  Algorithm: RSA; Serial number: 0x24
  Valid from Fri Apr 06 06:49:13 EDT 2001 until Tue Apr 06 06:49:13 EDT 2021

adding as trusted cert:
  Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Issuer:  OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x4cc7eaaa983e71d39310f83d3a899192
  Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
  Subject: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
  Issuer:  CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
  Algorithm: RSA; Serial number: 0x1121bc276c5547af584eefd4ced629b2a285
  Valid from Mon May 25 20:00:00 EDT 2009 until Mon May 25 20:00:00 EDT 2020

adding as trusted cert:
  Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
  Issuer:  CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
  Algorithm: RSA; Serial number: 0x374ad243
  Valid from Tue May 25 12:09:40 EDT 1999 until Sat May 25 12:39:40 EDT 2019

adding as trusted cert:
  Subject: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer:  CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  Algorithm: RSA; Serial number: 0x33af1e6a711a9a0bb2864b11d09fae5
  Valid from Thu Aug 01 08:00:00 EDT 2013 until Fri Jan 15 07:00:00 EST 2038

SSLContextImpl:  Using X509ExtendedKeyManager com.ibm.jsse2.ax
SSLContextImpl:  Using X509TrustManager com.ibm.jsse2.aB
JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
SSLv3 protocol was requested but was not enabled
 |   |       +- Protocol Selections
 |   |       |   +- Enabled (size=3)
 |   |       |   |   +- TLSv1
 |   |       |   |   +- TLSv1.1
 |   |       |   |   +- TLSv1.2
 |   |       |   +- Disabled (size=0)
 |   |       +- Cipher Suite Selections
 |   |           +- Enabled (size=15)
 |   |           |   +- SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- SSL_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- SSL_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 |   |           +- Disabled (size=31)
 |   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
 |   |               +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_FIPS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA256 - JreDisabled:java.security
 |   += HttpConnectionFactory@a8cd160a[HTTP/1.1] - STARTED
 |   |   +- HttpConfiguration@12228f86{32768/8192,8192/8192,https://:8443,[SecureRequestCustomizer@6b7b18a5]}
 |   += SelectorManager@ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
 |   |   += ReservedThreadExecutor@c1103942{s=0/1,p=0}@SelectorManager@ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
 |   |   += org.eclipse.jetty.io.ManagedSelector@5a5e403b id=0 keys=0 selected=0 actions=0 - STARTED
 |   |       += EatWhatYouKill@d8752858/SelectorProducer@a0c05928/PRODUCING/ReservedThreadExecutor@c1103942{s=0/1,p=0}@SelectorManager@ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
 |   |           +- SelectorProducer@a0c05928
 |   |       +- keys
 |   |       |   +- sun.nio.ch.EPollSelectorImpl@b35b5262 keys=0
 |   |       +- actions
 |   +- sun.nio.ch.ServerSocketChannelImpl[/0:0:0:0:0:0:0:0:8443]
 |   +- qtp-149401960-23-acceptor-0@b20be6a6-ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
 += org.eclipse.jetty.server.handler.HandlerList@d7f449c5[org.eclipse.jetty.server.handler.ResourceHandler@90e16429, org.eclipse.jetty.server.handler.DefaultHandler@603dc6d8] - STARTED
 |   += org.eclipse.jetty.server.handler.ResourceHandler@90e16429 - STARTED
 |   += org.eclipse.jetty.server.handler.DefaultHandler@603dc6d8 - STARTED
 += org.eclipse.jetty.server.handler.ErrorHandler@e3a93338 - STARTED
 +> sun.misc.Launcher$AppClassLoader@404d29ca
     +- file:/home/degenaro/eclipse-workspace.oxygen/jetty-test-9-4-8/bin/
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/alpn-api-1.1.3.v20160715.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/cdi-2-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/cdi-core-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/cdi-servlet-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-conscrypt-server-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-java-server-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-openjdk8-server-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-server-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-annotations-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-client-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-continuation-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-deploy-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-gcloud-session-manager-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-hazelcast-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-http-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-infinispan-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-io-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jaas-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jaspi-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jmx-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jndi-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-memcached-sessions-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-nosql-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-plus-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-proxy-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-quickstart-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-rewrite-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-schemas-3.1.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-security-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-server-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-servlet-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-servlets-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-unixsocket-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-util-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-webapp-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-xml-9.4.8.v20171121.jar
     +- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/servlet-api-3.1.jar
     +- sun.misc.Launcher$ExtClassLoader@cf86cb9f
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dtfj-interface.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/localedata.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/IBMSecureRandom.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/traceformat.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmjcefips.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/jverbs.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmcmsprovider.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dnsns.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dtfjview.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/nashorn.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/zipfs.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/cldrdata.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/xmlencfw.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmpkcs11impl.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmxmldsigprovider.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/gskikm.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/CmpCrmf.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/jaccess.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/healthcenter.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmsaslprovider.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmkeycert.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmxmlcrypto.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmxmlencprovider.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmjceprovider.jar
         +- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dtfj.jar
2018-03-14 11:37:47.846:INFO:oejs.Server:main: Started @2577ms
Using SSLEngineImpl.
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
IBMJSSE2 will allow client initiated renegotiation per jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default

Is initial handshake: true
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
[Raw read]: length = 5
0000: 16 03 01 00 9d                                     .....

[Raw read]: length = 157
0000: 01 00 00 99 03 03 05 85  07 79 1b 58 d2 ef e6 25  .........y.X....
0010: 2f b0 15 b9 8a d6 15 5f  c2 70 21 52 84 eb 82 1f  .........p.R....
0020: 4c a0 64 48 c3 ba 00 00  1e c0 2c c0 0a c0 2b cc  L.dH............
0030: a9 c0 09 c0 30 c0 14 c0  2f cc a8 c0 13 00 39 00  ....0.........9.
0040: 33 00 35 00 2f 00 0a 01  00 00 52 00 17 00 00 ff  3.5.......R.....
0050: 01 00 01 00 00 0a 00 0a  00 08 00 1d 00 17 00 18  ................
0060: 00 19 00 0b 00 02 01 00  00 23 00 00 00 10 00 0e  ................
0070: 00 0c 02 68 32 08 68 74  74 70 2f 31 2e 31 00 05  ...h2.http.1.1..
0080: 00 05 01 00 00 00 00 00  0d 00 12 00 10 04 03 05  ................
0090: 03 06 03 04 01 05 01 06  01 02 03 02 01           .............

qtp-149401960-22, READ: TLSv1 Handshake, length = 157
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 75827065 bytes = { 27, 88, 210, 239, 230, 37, 47, 176, 21, 185, 138, 214, 21, 95, 194, 112, 33, 82, 132, 235, 130, 31, 76, 160, 100, 72, 195, 186 }
Session ID:  {}
Cipher Suites: [SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa8, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Unsupported extension type_23, data:
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Extension signature_algorithms, signature_algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA1withRSA
***
[read] MD5 and SHA1 hashes:  len = 157
0000: 01 00 00 99 03 03 05 85  07 79 1b 58 d2 ef e6 25  .........y.X....
0010: 2f b0 15 b9 8a d6 15 5f  c2 70 21 52 84 eb 82 1f  .........p.R....
0020: 4c a0 64 48 c3 ba 00 00  1e c0 2c c0 0a c0 2b cc  L.dH............
0030: a9 c0 09 c0 30 c0 14 c0  2f cc a8 c0 13 00 39 00  ....0.........9.
0040: 33 00 35 00 2f 00 0a 01  00 00 52 00 17 00 00 ff  3.5.......R.....
0050: 01 00 01 00 00 0a 00 0a  00 08 00 1d 00 17 00 18  ................
0060: 00 19 00 0b 00 02 01 00  00 23 00 00 00 10 00 0e  ................
0070: 00 0c 02 68 32 08 68 74  74 70 2f 31 2e 31 00 05  ...h2.http.1.1..
0080: 00 05 01 00 00 00 00 00  0d 00 12 00 10 04 03 05  ................
0090: 03 06 03 04 01 05 01 06  01 02 03 02 01           .............


JsseJCE:  Using MessageDigest MD5 from provider IBMJCE version 1.8
JsseJCE:  Using MessageDigest SHA from provider IBMJCE version 1.8
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp-149401960-22, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp-149401960-22, SEND TLSv1 ALERT:  fatal, description = handshake_failure
qtp-149401960-22, WRITE: TLSv1 Alert, length = 2
qtp-149401960-22, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp-149401960-22, called closeOutbound()
qtp-149401960-22, closeOutboundInternal()
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28                               ......

On Wed, Mar 14, 2018 at 11:23 AM, Joakim Erdfelt <[hidden email]> wrote:
Your server has no handlers, none, completely empty.

Perhaps you missed the ...

server.setHandler(resourceHandler);

Better yet, use ...

HandlerList handlers = new HandlerList();
handlers.addHandler(resourceHandler);
handlers.addHandler(new DefaultHandler()); // always last
server.setHandler(handlers);

Also, add this before your server.start();

server.setDumpAfterStart(true);
server.start();
server.join();

That should produce the dump I mentioned in the prior email.


Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 9:55 AM, Lou DeGenaro <[hidden email]> wrote:
Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

> NO.  I'm using vanilla jetty as shipped.  Is there something else I need to do?

Code shown below.

Thanks.

Lou.
   
    private void server_main(String[] args) {
        try {
            // === jetty.xml ===                                                                                                                                      

            // Setup Threadpool                                                                                                                                       
            QueuedThreadPool threadPool = new QueuedThreadPool();
            threadPool.setMaxThreads(max_threads);

            // Server                                                                                                                                                         
            server = new Server(threadPool);
           
            // Scheduler                                                                                                                                                      
            server.addBean(new ScheduledExecutorScheduler());

            // === jetty-http.xml ===                                                                                                                                         
            ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
            http.setPort(port_http);
            http.setIdleTimeout(idle_timeout);
            server.addConnector(http);

            // === jetty-https.xml ===                                                                                                                                        
            // SSL Context Factory                                                                                                                                            
            SslContextFactory sslContextFactory = new SslContextFactory();
           
            HttpConfiguration http_config = new HttpConfiguration();
             http_config.setSecureScheme("https");
             http_config.setSecurePort(port_https);
            
            HttpConfiguration https_config = new HttpConfiguration(http_config);
            https_config.addCustomizer(new SecureRequestCustomizer());
            
            ServerConnector https = new ServerConnector(server,
                 new SslConnectionFactory(sslContextFactory,"http/1.1"),
                 new HttpConnectionFactory(https_config));

            https.setPort(port_https);
            sslContextFactory.setKeyStorePath(keystore);
           
            sslContextFactory.setKeyStorePassword(keystore_password);   
            sslContextFactory.setKeyManagerPassword(keymanager_password);
           
            server.setConnectors(new Connector[] { http });
            server.addConnector(https);
           
            //
            ResourceHandler resourceHandler = new ResourceHandler();
            resourceHandler.setDirectoriesListed(true);
            resourceHandler.setResourceBase(jetty_server_root);
           
            server.start();
            server.join();
        }
        catch(Exception e) {
            e.printStackTrace();
        }
    }

On Wed, Mar 14, 2018 at 10:44 AM, Joakim Erdfelt <[hidden email]> wrote:
Have you attempted to configure the SSL Cipher Suites on the Jetty server side?

If you enable the jetty startup dump you'll see the list of enabled cipher suites and protocols that Jetty is running with (including the reason why a specific available protocol or cipher suite is disabled).

$ java -jar /path/to/my/jetty-home/start.jar jetty.server.dumpAfterStart=true

Example output:

 |   += SslConnectionFactory@51c668e3{SSL->http/1.1} - STARTED
 |   |   += SslContextFactory@19f040ba[provider=null,keyStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore,trustStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore] trustAll=false
 |   |       +- Protocol Selections
 |   |       |   +- Enabled (size=3)
 |   |       |   |   +- TLSv1
 |   |       |   |   +- TLSv1.1
 |   |       |   |   +- TLSv1.2
 |   |       |   +- Disabled (size=2)
 |   |       |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
 |   |       |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
 |   |       +- Cipher Suite Selections
 |   |           +- Enabled (size=29)
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 |   |           |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_GCM_SHA384
 |   |           +- Disabled (size=53)
 |   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
 |   |               +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 8:43 AM, Lou DeGenaro <[hidden email]> wrote:
Still having (likely user error) issues with SSL.  I generate my keystore thus:

/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 -keystore /home/webserver/etc/keystore -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh

I run jetty 9.4.8 with java 1.8 and the keystore.

I visit https:/myhost:8443/ using Firefox 52.4.0 (64-bit) and my windows displays: Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Thanks for your advise.

Lou.

On Mon, Mar 12, 2018 at 2:03 AM, Greg Wilkins <[hidden email]> wrote:
Any jetty.keystore.password is not set anywhere? if it is set, is it set to your password?
Try hard coding it in the XML to debug before playing with parameters.

cheers


On 11 March 2018 at 06:48, Lou DeGenaro <[hidden email]> wrote:
yep.

On Sat, Mar 10, 2018 at 12:59 PM, John English <[hidden email]> wrote:
On 10/03/2018 16:15, Lou DeGenaro wrote:
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

The keystore password and truststore password are really the same? Are you sure?

--
John English
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Lothar Kimmeringer
Hi,

Am 14.03.2018 um 17:24 schrieb Joakim Erdfelt:

> * The IBM JVM is not sane, look into its cipher suites and protocols.
>
> A quick comparison shows that it has half the cipher suites that oracle jvm or openjdk has.

Not necessarily. At least the JVM for i Series has more or less the same
ciphers but the textual representation is not starting with TLS_... but SSL_...
so filters based on the textual representation will filter out most
of them (in my case where I found that out, all ciphers were filtered).

Here as an example -Djavax.net.debug=ssl:handshake output for a ClientHello
sent by an AS/400:

Cipher Suites: [
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  SSL_RSA_WITH_AES_256_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_RSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_RSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_RSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,
  SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
  SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_RSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]


Cheers, Lothar
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Joakim Erdfelt-8
Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The stated reason from Firefox for that error is that you lack the required cipher suites for the updated TLS configuration present since FireFox 50.x


Your IBM JVM reports 14 selected Cipher Suites (31 disabled) by default.
Oracle JVM reports 29 selected Cipher Suites (53 disabled) by default.

Conclusion: You have a cipher suite issue.

Try MSIE or FireFox 45 (suggestions made in the mozilla support forum).  If those work, then you have a Cipher Suite issue with your IBM JVM.


Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 11:36 AM, Lothar Kimmeringer <[hidden email]> wrote:
Hi,

Am 14.03.2018 um 17:24 schrieb Joakim Erdfelt:

* The IBM JVM is not sane, look into its cipher suites and protocols.

A quick comparison shows that it has half the cipher suites that oracle jvm or openjdk has.

Not necessarily. At least the JVM for i Series has more or less the same
ciphers but the textual representation is not starting with TLS_... but SSL_...
so filters based on the textual representation will filter out most
of them (in my case where I found that out, all ciphers were filtered).

Here as an example -Djavax.net.debug=ssl:handshake output for a ClientHello
sent by an AS/400:

Cipher Suites: [
 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
 SSL_RSA_WITH_AES_256_CBC_SHA256,
 SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
 SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
 SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 SSL_RSA_WITH_AES_256_CBC_SHA,
 SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
 SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
 SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
 SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 SSL_RSA_WITH_AES_128_CBC_SHA256,
 SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
 SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
 SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
 SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 SSL_RSA_WITH_AES_128_CBC_SHA,
 SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
 SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
 SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
 SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
 SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 SSL_RSA_WITH_AES_256_GCM_SHA384,
 SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
 SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,
 SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
 SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
 SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 SSL_RSA_WITH_AES_128_GCM_SHA256,
 SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
 SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,
 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]


Cheers, Lothar
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Lothar Kimmeringer
Hi,

Am 14.03.2018 um 17:47 schrieb Joakim Erdfelt:

> Conclusion: You have a cipher suite issue.

I don't have any issues (I just added my 2 cents to this thread). My point is
if we have a similar effect here than with JVMs on iSeries that the JVM
reports ciphers "SSL_-something" and jetty is configured to only enable
ciphers "TLS_-something", the server might filter out all the "good ones"
leading to the situation that server and client don't share any ciphers
leading to this error.

The fix in that case would be to change the jetty-configuration of
enabled ciphers to the corresponding textual representations of these
ciphers on that particular system (replace TLS_ by SSL_ that is)


Cheers, Lothar
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Silvio Bierman
In reply to this post by Lothar Kimmeringer
Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...



Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Lothar Kimmeringer <[hidden email]>
Date: 3/14/18 17:36 (GMT+01:00)
Subject: Re: [jetty-users] keystore

Hi,

Am 14.03.2018 um 17:24 schrieb Joakim Erdfelt:

> * The IBM JVM is not sane, look into its cipher suites and protocols.
>
> A quick comparison shows that it has half the cipher suites that oracle jvm or openjdk has.

Not necessarily. At least the JVM for i Series has more or less the same
ciphers but the textual representation is not starting with TLS_... but SSL_...
so filters based on the textual representation will filter out most
of them (in my case where I found that out, all ciphers were filtered).

Here as an example -Djavax.net.debug=ssl:handshake output for a ClientHello
sent by an AS/400:

Cipher Suites: [
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  SSL_RSA_WITH_AES_256_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_RSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_RSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_RSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,
  SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
  SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_RSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]


Cheers, Lothar
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Joakim Erdfelt-8
Also, read and understand the linked to issue at the IBM side for TLS (from the prior message)


The IBM JVM does not apparently follow the OpenJDK standard naming of things (which dozens of other alternate JVMs do), that article tells you how to correct the startup of your IBM JVM to address that as well.



Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 11:53 AM, Silvio Bierman <[hidden email]> wrote:
Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...



Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Lothar Kimmeringer <[hidden email]>
Date: 3/14/18 17:36 (GMT+01:00)
Subject: Re: [jetty-users] keystore

Hi,

Am 14.03.2018 um 17:24 schrieb Joakim Erdfelt:

> * The IBM JVM is not sane, look into its cipher suites and protocols.
>
> A quick comparison shows that it has half the cipher suites that oracle jvm or openjdk has.

Not necessarily. At least the JVM for i Series has more or less the same
ciphers but the textual representation is not starting with TLS_... but SSL_...
so filters based on the textual representation will filter out most
of them (in my case where I found that out, all ciphers were filtered).

Here as an example -Djavax.net.debug=ssl:handshake output for a ClientHello
sent by an AS/400:

Cipher Suites: [
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  SSL_RSA_WITH_AES_256_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_RSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_RSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_RSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,
  SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
  SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_RSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]


Cheers, Lothar
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Joakim Erdfelt-8
Also, with the IBM JVM you might have to configure the following on the Jetty side ...

SslContextFactory ...

.setProtocol(String protocol) - this defaults to "TLS" (the openjdk official name), yours is likely different (based on my reading of the IBM JVM documentation).
.setProvider(String provider) - this defaults to "" (unset) as we use the default provider, but your IBM JVM seems to want to do things "the IBM way", not "the standard way".

As a last resort, you might need to create the javax.net.ssl.SSLContext manually, the IBM way, and give it to the jetty side SslContextFactory.setSslContext(SSLContext context)


Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 12:04 PM, Joakim Erdfelt <[hidden email]> wrote:
Also, read and understand the linked to issue at the IBM side for TLS (from the prior message)


The IBM JVM does not apparently follow the OpenJDK standard naming of things (which dozens of other alternate JVMs do), that article tells you how to correct the startup of your IBM JVM to address that as well.



Joakim Erdfelt / [hidden email]

On Wed, Mar 14, 2018 at 11:53 AM, Silvio Bierman <[hidden email]> wrote:
Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...



Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Lothar Kimmeringer <[hidden email]>
Date: 3/14/18 17:36 (GMT+01:00)
Subject: Re: [jetty-users] keystore

Hi,

Am 14.03.2018 um 17:24 schrieb Joakim Erdfelt:

> * The IBM JVM is not sane, look into its cipher suites and protocols.
>
> A quick comparison shows that it has half the cipher suites that oracle jvm or openjdk has.

Not necessarily. At least the JVM for i Series has more or less the same
ciphers but the textual representation is not starting with TLS_... but SSL_...
so filters based on the textual representation will filter out most
of them (in my case where I found that out, all ciphers were filtered).

Here as an example -Djavax.net.debug=ssl:handshake output for a ClientHello
sent by an AS/400:

Cipher Suites: [
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  SSL_RSA_WITH_AES_256_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_RSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_RSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_RSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,
  SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
  SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_RSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]


Cheers, Lothar
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Lothar Kimmeringer
In reply to this post by Silvio Bierman


Am 14.03.2018 um 17:53 schrieb Silvio Bierman:
> Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...

I'm not defending IBM here for their decision to follow the NIH-principle.
The ciphers are for TLS, the session where this trace came from was an
OFTP2-connection that is restricted to TLS and was using TLSv1.2 for the
handshake:

OFTP TLS-ReceiveThread2 (Thread nr. 6, for server-socket listening on address /x.x.x.x on port 6619), READ: TLSv1.2 Handshake, length = 181
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1491538846 bytes = { 239, 0, 205, 234, 239, 135, 27, 62, 91, 187, 205, 216, 254, 230, 62, 170, 127, 69, 1, 60, 88, 75, 88, 14, 181, 116, 137, 40 }
Session ID:  {}
Cipher Suites:
[...]

The corresponding Wireshark trace showed the cipher-list with the names
you're used to, so there really are no SSL-ciphers here, "just" a
different naming scheme.


Cheers, Lothar
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Lou Degenaro
I added -Dcom.ibm.jsse2.overrideDefaultTLS=true to the launch of my Jetty server and much joy resulted.

Lou.

On Wed, Mar 14, 2018 at 2:45 PM, Lothar Kimmeringer <[hidden email]> wrote:


Am 14.03.2018 um 17:53 schrieb Silvio Bierman:
Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...

I'm not defending IBM here for their decision to follow the NIH-principle.
The ciphers are for TLS, the session where this trace came from was an
OFTP2-connection that is restricted to TLS and was using TLSv1.2 for the
handshake:

OFTP TLS-ReceiveThread2 (Thread nr. 6, for server-socket listening on address /x.x.x.x on port 6619), READ: TLSv1.2 Handshake, length = 181
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1491538846 bytes = { 239, 0, 205, 234, 239, 135, 27, 62, 91, 187, 205, 216, 254, 230, 62, 170, 127, 69, 1, 60, 88, 75, 88, 14, 181, 116, 137, 40 }
Session ID:  {}
Cipher Suites:
[...]

The corresponding Wireshark trace showed the cipher-list with the names
you're used to, so there really are no SSL-ciphers here, "just" a
different naming scheme.



Cheers, Lothar
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Jesse McConnell
That is an interesting nugget Lou, any chance you can report results from here: https://www.ssllabs.com/ssltest/ ?



--
jesse mcconnell
[hidden email]

On Wed, Mar 14, 2018 at 1:53 PM, Lou DeGenaro <[hidden email]> wrote:
I added -Dcom.ibm.jsse2.overrideDefaultTLS=true to the launch of my Jetty server and much joy resulted.

Lou.

On Wed, Mar 14, 2018 at 2:45 PM, Lothar Kimmeringer <[hidden email]> wrote:


Am 14.03.2018 um 17:53 schrieb Silvio Bierman:
Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...

I'm not defending IBM here for their decision to follow the NIH-principle.
The ciphers are for TLS, the session where this trace came from was an
OFTP2-connection that is restricted to TLS and was using TLSv1.2 for the
handshake:

OFTP TLS-ReceiveThread2 (Thread nr. 6, for server-socket listening on address /x.x.x.x on port 6619), READ: TLSv1.2 Handshake, length = 181
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1491538846 bytes = { 239, 0, 205, 234, 239, 135, 27, 62, 91, 187, 205, 216, 254, 230, 62, 170, 127, 69, 1, 60, 88, 75, 88, 14, 181, 116, 137, 40 }
Session ID:  {}
Cipher Suites:
[...]

The corresponding Wireshark trace showed the cipher-list with the names
you're used to, so there really are no SSL-ciphers here, "just" a
different naming scheme.



Cheers, Lothar
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: keystore

Lou Degenaro
Unfortunately no.  I could only supply an IP address (which it seems is not allowed) and is only accessible internally anyway.

Lou.

On Wed, Mar 14, 2018 at 3:04 PM, Jesse McConnell <[hidden email]> wrote:
That is an interesting nugget Lou, any chance you can report results from here: https://www.ssllabs.com/ssltest/ ?



--
jesse mcconnell
[hidden email]

On Wed, Mar 14, 2018 at 1:53 PM, Lou DeGenaro <[hidden email]> wrote:
I added -Dcom.ibm.jsse2.overrideDefaultTLS=true to the launch of my Jetty server and much joy resulted.

Lou.

On Wed, Mar 14, 2018 at 2:45 PM, Lothar Kimmeringer <[hidden email]> wrote:


Am 14.03.2018 um 17:53 schrieb Silvio Bierman:
Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...

I'm not defending IBM here for their decision to follow the NIH-principle.
The ciphers are for TLS, the session where this trace came from was an
OFTP2-connection that is restricted to TLS and was using TLSv1.2 for the
handshake:

OFTP TLS-ReceiveThread2 (Thread nr. 6, for server-socket listening on address /x.x.x.x on port 6619), READ: TLSv1.2 Handshake, length = 181
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1491538846 bytes = { 239, 0, 205, 234, 239, 135, 27, 62, 91, 187, 205, 216, 254, 230, 62, 170, 127, 69, 1, 60, 88, 75, 88, 14, 181, 116, 137, 40 }
Session ID:  {}
Cipher Suites:
[...]

The corresponding Wireshark trace showed the cipher-list with the names
you're used to, so there really are no SSL-ciphers here, "just" a
different naming scheme.



Cheers, Lothar
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
12