Have you attempted to configure the SSL Cipher Suites on the Jetty server
side?
> NO. I'm using vanilla jetty as shipped. Is there something else I need
to do?
Code shown below.
Thanks.
Lou.
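/**
 * Builds, starts and joins an embedded Jetty {@code Server} with one plain HTTP
 * connector and one HTTPS connector, serving files from {@code jetty_server_root}.
 * <p>
 * The configuration values ({@code max_threads}, {@code port_http},
 * {@code idle_timeout}, {@code port_https}, {@code keystore},
 * {@code keystore_password}, {@code keymanager_password},
 * {@code jetty_server_root}) and the {@code server} field are declared elsewhere
 * in the enclosing class.
 *
 * @param args command-line arguments; not read by this method
 */
private void server_main(String[] args) {
    try {
        // === jetty.xml ===
        // Setup Threadpool
        QueuedThreadPool threadPool = new QueuedThreadPool();
        threadPool.setMaxThreads(max_threads);
        // Server
        server = new Server(threadPool);
        // Scheduler
        server.addBean(new ScheduledExecutorScheduler());

        // === jetty-http.xml ===
        ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
        http.setPort(port_http);
        http.setIdleTimeout(idle_timeout);
        server.addConnector(http);

        // === jetty-https.xml ===
        // SSL Context Factory, left at Jetty's defaults: no protocol or cipher-suite
        // include/exclude lists are set here, so the negotiable set is whatever the
        // JRE and Jetty's built-in exclusions leave enabled. Starting with
        // jetty.server.dumpAfterStart=true prints the resulting selection and the
        // reason each disabled entry was excluded.
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath(keystore);
        sslContextFactory.setKeyStorePassword(keystore_password);
        sslContextFactory.setKeyManagerPassword(keymanager_password);

        HttpConfiguration http_config = new HttpConfiguration();
        http_config.setSecureScheme("https");
        http_config.setSecurePort(port_https);
        HttpConfiguration https_config = new HttpConfiguration(http_config);
        https_config.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, "http/1.1"),
                new HttpConnectionFactory(https_config));
        https.setPort(port_https);
        // The earlier server.setConnectors(new Connector[] { http }) only replaced
        // the connector list with the one connector already added, so it is dropped;
        // the resulting list is still { http, https }.
        server.addConnector(https);

        // Static file handler. Directory listing is enabled, so every directory
        // under jetty_server_root is browsable by any client that can reach the
        // server; disable it if the tree holds anything not meant to be enumerated.
        ResourceHandler resourceHandler = new ResourceHandler();
        resourceHandler.setDirectoriesListed(true);
        resourceHandler.setResourceBase(jetty_server_root);
        // FIX: the handler was configured but never attached to the server, so no
        // request ever reached it.
        server.setHandler(resourceHandler);

        server.start();
        server.join();
    }
    catch (Exception e) {
        // Best-effort startup: any failure (bad keystore path or password, port in
        // use, ...) is reported on stderr and the method returns normally.
        e.printStackTrace();
    }
}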
On Wed, Mar 14, 2018 at 10:44 AM, Joakim Erdfelt <[email protected]> wrote:
> Have you attempted to configure the SSL Cipher Suites on the Jetty server
> side?
>
> If you enable the jetty startup dump you'll see the list of enabled cipher
> suites and protocols that Jetty is running with (including the reason why a
> specific available protocol or cipher suite is disabled).
>
> $ java -jar /path/to/my/jetty-home/start.jar jetty.server.dumpAfterStart=
> true
>
> Example output:
>
> | += SslConnectionFactory@51c668e3{SSL->http/1.1} - STARTED
> | | += SslContextFactory@19f040ba[provider=null,keyStore=file://
> /mnt/c/code/jetty/distros/jetty-distribution-9.4.8.
> v20171121/demo-base/etc/keystore,trustStore=file:///
> mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore]
> trustAll=false
> | | +- Protocol Selections
> | | | +- Enabled (size=3)
> | | | | +- TLSv1
> | | | | +- TLSv1.1
> | | | | +- TLSv1.2
> | | | +- Disabled (size=2)
> | | | +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
> | | | +- SSLv3 - JreDisabled:java.security,
> ConfigExcluded:'SSLv3'
> | | +- Cipher Suite Selections
> | | +- Enabled (size=29)
> | | | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
> | | | +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
> | | | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> | | | +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
> | | | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> | | | +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> | | | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> | | | +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> | | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> | | | +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> | | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> | | | +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> | | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> | | | +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> | | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> | | | +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> | | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> | | | +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
> | | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> | | | +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
> | | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
> | | | +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
> | | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> | | | +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
> | | | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
> | | | +- TLS_RSA_WITH_AES_128_CBC_SHA256
> | | | +- TLS_RSA_WITH_AES_128_GCM_SHA256
> | | | +- TLS_RSA_WITH_AES_256_CBC_SHA256
> | | | +- TLS_RSA_WITH_AES_256_GCM_SHA384
> | | +- Disabled (size=53)
> | | +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_DHE_DSS_WITH_DES_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_DHE_RSA_WITH_DES_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_DH_anon_WITH_DES_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_RSA_WITH_3DES_EDE_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_RSA_WITH_DES_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security,
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security,
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_DH_anon_WITH_AES_128_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 -
> JreDisabled:java.security
> | | +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 -
> JreDisabled:java.security
> | | +- TLS_DH_anon_WITH_AES_256_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 -
> JreDisabled:java.security
> | | +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 -
> JreDisabled:java.security
> | | +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDHE_ECDSA_WITH_NULL_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDHE_RSA_WITH_NULL_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_ECDSA_WITH_NULL_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_RSA_WITH_NULL_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_ECDH_anon_WITH_NULL_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_KRB5_WITH_DES_CBC_MD5 -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_KRB5_WITH_DES_CBC_SHA -
> JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_RSA_WITH_AES_128_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_RSA_WITH_AES_256_CBC_SHA -
> ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
> | | +- TLS_RSA_WITH_NULL_SHA256 -
> JreDisabled:java.security
>
> Joakim Erdfelt / [email protected]
>
> On Wed, Mar 14, 2018 at 8:43 AM, Lou DeGenaro <[email protected]>
> wrote:
>
>> Still having (likely user error) issues with SSL. I generate my keystore
>> thus:
>>
>> /share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty -dname "CN=my.cn,
>> OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" -keyalg RSA -keysize 2048 -sigalg
>> SHA256withRSA -validity 10000 -keystore /home/webserver/etc/keystore
>> -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh
>>
>> I run jetty 9.4.8 with java 1.8 and the keystore.
>>
>> I visit https:/myhost:8443/ using Firefox 52.4.0 (64-bit) and my windows
>> displays: Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP
>>
>> Thanks for your advice.
>>
>> Lou.
>>
>> On Mon, Mar 12, 2018 at 2:03 AM, Greg Wilkins <[email protected]> wrote:
>>
>>> Any jetty.keystore.password is not set anywhere? if it is set, is it set
>>> to your password?
>>> Try hard coding it in the XML to debug before playing with parameters.
>>>
>>> cheers
>>>
>>>
>>> On 11 March 2018 at 06:48, Lou DeGenaro <[email protected]> wrote:
>>>
>>>> yep.
>>>>
>>>> On Sat, Mar 10, 2018 at 12:59 PM, John English <[email protected]>
>>>> wrote:
>>>>
>>>>> On 10/03/2018 16:15, Lou DeGenaro wrote:
>>>>>
>>>>>> <Set name="KeyStorePassword"><Property
>>>>>> name="jetty.keystore.password" default="my-password"/></Set>
>>>>>> <Set name="TrustStorePassword"><Property
>>>>>> name="jetty.truststore.password" default="my-password"/></Set>
>>>>>>
>>>>>
>>>>> The keystore password and truststore password are really the same? Are
>>>>> you sure?
>>>>>
>>>>> --
>>>>> John English
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Greg Wilkins <[email protected]> CTO http://webtide.com
>>>
>>>
>>
>>
>>
>
>
>