2016-01-29 2 views
1

Я потратил большую часть дня на это и до сих пор не смог настроить Jetty 9 на правильную работу через HTTPS. Это только для целей разработки, поэтому я создал файл хранилища ключей, который я пытаюсь использовать с Jetty.Нет общих комплектов шифров в Jetty 9 Конфигурация SSL

Я генерации сертификата, как это:

keytool -keystore keystore -alias jetty -genkey -keyalg RSA 

Это из инструкции Jetty на https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html.

Выход из mvn -X jetty:run когда я запускаю сервер с указанием шифров:

[DEBUG] STARTED @7821ms [email protected]677b8e13 
[DEBUG] starting [email protected]{SSL->http/1.1} 
[DEBUG] run [email protected] id=3 keys=0 selected=0 
[DEBUG] EPR Idle/[email protected] execute 
[DEBUG] EPR Prod/[email protected] produce enter 
[DEBUG] EPR Prod/[email protected] producing 
[DEBUG] Selector loop waiting on select 
[DEBUG] starting [email protected](null,null) 
[DEBUG] Selected Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2] 
[DEBUG] Selected Ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] of [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5] 

Выход из mvn -X jetty:run с момента, когда я пытаюсь сделать запрос на https://localhost:8443:

[DEBUG] Selector loop woken up from select, 0/0 selected 
[DEBUG] EPR Prod/[email protected] produced [email protected] 
[DEBUG] EPR Pend/[email protected] dispatch 
[DEBUG] queue EPR Pend/[email protected] 
[DEBUG] EPR Pend/[email protected] run [email protected]7ed55f41 
[DEBUG] run EPR Pend/[email protected] 
javax.net.ssl.SSLHandshakeException: no cipher suites in common 
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) 
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) 
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) 
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) 
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) 
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:509) 
    at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:313) 
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:223) 
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261) 
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) 
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:192) 
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261) 
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) 
    at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75) 
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213) 
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147) 
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654) 
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572) 
    at java.lang.Thread.run(Thread.java:745) 
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common 
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) 
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) 
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) 
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292) 
    at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1014) 
    at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:731) 
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:213) 
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) 
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) 
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) 
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:613) 
    ... 13 more 

Вот соответствующий раздел от моего pom.xml:

... 
<plugin> 
    <groupId>org.eclipse.jetty</groupId> 
    <artifactId>jetty-maven-plugin</artifactId> 
    <version>9.3.6.v20151106</version> 
    <configuration>      
     <jettyXml>src/main/resources/jetty.xml,src/main/resources/jetty- 
      ssl.xml,src/main/resources/jetty-https.xml,src/main/resources/jetty-ssl-context.xml</jettyXml> 
    </configuration> 
</plugin> 
... 

Вот мой jetty.xml:

<?xml version="1.0"?> 
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd"> 

<Configure id="Server" class="org.eclipse.jetty.server.Server"> 

    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration"> 
     <Set name="secureScheme">https</Set> 
     <Set name="securePort"><Property name="jetty.secure.port" default="8443" /></Set> 
     <Set name="outputBufferSize">32768</Set> 
     <Set name="requestHeaderSize">8192</Set> 
     <Set name="responseHeaderSize">8192</Set> 
     <Set name="sendServerVersion">true</Set> 
     <Set name="sendDateHeader">false</Set> 
     <Set name="headerCacheSize">512</Set> 
    </New> 
</Configure> 

jetty-ssl.xml

<?xml version="1.0"?> 
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd"> 

<!-- ============================================================= --> 
<!-- Base SSL configuration          --> 
<!-- This configuration needs to be used together with 1 or more --> 
<!-- of jetty-https.xml or jetty-http2.xml       --> 
<!-- ============================================================= --> 
<Configure id="Server" class="org.eclipse.jetty.server.Server"> 

    <!-- =========================================================== --> 
    <!-- Add a SSL Connector with no protocol factories    --> 
    <!-- =========================================================== --> 
    <Call name="addConnector"> 
     <Arg> 
      <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector"> 
       <Arg name="server"><Ref refid="Server" /></Arg> 
       <Arg name="acceptors" type="int"><Property name="jetty.ssl.acceptors" deprecated="ssl.acceptors" default="-1"/></Arg> 
       <Arg name="selectors" type="int"><Property name="jetty.ssl.selectors" deprecated="ssl.selectors" default="-1"/></Arg> 
       <Arg name="factories"> 
        <Array type="org.eclipse.jetty.server.ConnectionFactory"> 
         <!-- uncomment to support proxy protocol 
         <Item> 
          <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/> 
         </Item>--> 
        </Array> 
       </Arg> 

       <Set name="host"><Property name="jetty.ssl.host" deprecated="jetty.host" /></Set> 
       <Set name="port"><Property name="jetty.ssl.port" deprecated="ssl.port" default="8443" /></Set> 

       <Set name="idleTimeout"><Property name="jetty.ssl.idleTimeout" deprecated="ssl.timeout" default="30000"/></Set> 
       <Set name="soLingerTime"><Property name="jetty.ssl.soLingerTime" deprecated="ssl.soLingerTime" default="-1"/></Set> 
       <Set name="acceptorPriorityDelta"><Property name="jetty.ssl.acceptorPriorityDelta" deprecated="ssl.acceptorPriorityDelta" default="0"/></Set> 
       <Set name="acceptQueueSize"><Property name="jetty.ssl.acceptQueueSize" deprecated="ssl.acceptQueueSize" default="0"/></Set> 
      </New> 
     </Arg> 
    </Call> 

    <!-- =========================================================== --> 
    <!-- Create a TLS specific HttpConfiguration based on the  --> 
    <!-- common HttpConfiguration defined in jetty.xml    --> 
    <!-- Add a SecureRequestCustomizer to extract certificate and --> 
    <!-- session information           --> 
    <!-- =========================================================== --> 
    <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration"> 
     <Arg><Ref refid="httpConfig"/></Arg> 
     <Call name="addCustomizer"> 
      <Arg> 
       <New class="org.eclipse.jetty.server.SecureRequestCustomizer"> 
        <Arg type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg> 
       </New> 
      </Arg> 
     </Call> 
    </New> 
</Configure> 

jetty-https.xml

<?xml version="1.0"?> 
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd"> 

<!-- ============================================================= --> 
<!-- Configure a HTTPS connector.         --> 
<!-- This configuration must be used in conjunction with jetty.xml --> 
<!-- and jetty-ssl.xml.           --> 
<!-- ============================================================= --> 
<Configure id="sslConnector" class="org.eclipse.jetty.server.ServerConnector"> 

    <Call name="addIfAbsentConnectionFactory"> 
     <Arg> 

      <New class="org.eclipse.jetty.server.SslConnectionFactory"> 
       <Arg name="next">http/1.1</Arg> 
       <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg> 
      </New> 
     </Arg> 
    </Call> 

    <Call name="addConnectionFactory"> 
     <Arg> 
      <New class="org.eclipse.jetty.server.HttpConnectionFactory"> 
       <Arg name="config"><Ref refid="sslHttpConfig" /></Arg> 
      </New> 
     </Arg> 
    </Call> 
</Configure> 

jetty-ssl-context.xml

<?xml version="1.0"?> 
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd"> 

<!-- ============================================================= --> 
<!-- SSL ContextFactory configuration        --> 
<!-- ============================================================= --> 
<Configure id="Server" class="org.eclipse.jetty.server.Server"> 
    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"> 
     <Set name="KeyStorePath"><Property name="jetty.home" default="." />/src/main/resources/keystore</Set> 
     <Set name="KeyStorePassword">password</Set> 
     <Set name="KeyManagerPassword">password</Set> 
     <Set name="TrustStorePath"><Property name="jetty.home" default="." />/src/main/resources/keystore</Set> 
     <Set name="TrustStorePassword">password</Set> 

     <Set name="IncludeCipherSuites"> 
     <Array type="String"> 
      <Item>TLS_DHE_RSA.*</Item> 
      <Item>TLS_ECDHE.*</Item> 
     </Array> 
    </Set> 

    <Set name="ExcludeCipherSuites"> 
     <Array type="String"> 
      <Item>.*NULL.*</Item> 
      <Item>.*RC4.*</Item> 
      <Item>.*MD5.*</Item> 
      <Item>.*DES.*</Item> 
      <Item>.*DSS.*</Item> 
     </Array> 
    </Set> 
    </New> 
</Configure> 
+0

Какой клиент вы используете? – JJF

+0

Такое же исключение в Chrome, а также в Firefox. Я думаю, что это связано с сертификатом, но я даже не уверен, что я ищу. Так много противоречивых объяснений и примеров там для Jetty. – Casey

+0

'' не отменяет исключение. Исключаемые алгоритмы, шифры и протоколы все еще присутствуют в списке запрещенных приложений Jetty 'SslContextFactory' и Java. –

ответ

2

изменить следующим образом:

<plugin> 
<groupId>org.eclipse.jetty</groupId> 
<artifactId>jetty-maven-plugin</artifactId> 
<version>9.3.6.v20151106</version> 
<configuration>      
    <jettyXml>src/main/resources/jetty.xml,src/main/resources/jetty- 
     ssl.xml,src/main/resources/jetty-https.xml,src/main/resources/jetty-ssl-context.xml</jettyXml> 
</configuration> 

к этому:

<plugin> 
<groupId>org.eclipse.jetty</groupId> 
<artifactId>jetty-maven-plugin</artifactId> 
<version>9.3.6.v20151106</version> 
<configuration>      
    <jettyXml>src/main/resources/jetty.xml,src/main/resources/jetty- 
     ssl.xml,src/main/resources/jetty-ssl-context.xml,src/main/resources/jetty-https.xml</jettyXml> 
</configuration> 

(обратный порядок причал-https.xml и причал-SSL-context.xml).

Вы создаете ssl-коннектор в jetty-https с по умолчанию SslContextFactory (<Ref refid="sslContextFactory"/> - null), а затем создайте новый SslContextFactory, который вы настраиваете, но он нигде не используется.

+0

Это решило мою проблему. Благодарю. – chrome

 Смежные вопросы

  • Нет связанных вопросов^_^