From f.van.vollenhoven at gmail.com Thu Dec 1 01:09:21 2016
From: f.van.vollenhoven at gmail.com (Friso van Vollenhoven)
Date: Thu, 1 Dec 2016 07:09:21 +0100
Subject: [undertow-dev] start listener on random port
In-Reply-To:
References: <647E77CD-9236-481A-92CE-AB52EBCB5F58@bitkid.com>
Message-ID:

Hi,

For what it's worth, we had the same issue. We worked around it by opening a server socket ourselves, checking the port that it grabbed, immediately closing the socket and then assigning that port to Undertow. This is very unlikely to go into a race, as the kernel always assigns incrementing port numbers. It's a bit of a hack, but works for us.

Friso

On Wed, Nov 30, 2016 at 10:24 PM, Stuart Douglas wrote:
> We don't support this at the moment, but it would be something that is
> nice to have.
>
> Stuart
>
> On Wed, Nov 30, 2016 at 12:03 AM, Sascha Sadat-Guscheh wrote:
> > hello undertow developers!
> >
> > is there a way to start a http listener on a random free port? i have a
> > test suite that runs multithreaded so each undertow server uses a random
> > port, that i get like this:
> >
> > new ServerSocket(0).getLocalPort()
> >
> > sometimes i run into a race condition when a different process grabs the
> > port before undertow listens on it. so a possible solution would be to
> > just let undertow assign the port, and then ask it what port it's listening
> > on. (or pass the socket instead of the port number to undertow)
> >
> > is that a worthwhile feature? should i try to submit a pr that does that?
> > or is it already possible?
> >
> > thanks!
> >
> > _______________________________________________
> > undertow-dev mailing list
> > undertow-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/undertow-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161201/669aefe9/attachment.html From ferrerabertran at gmail.com Thu Dec 1 04:37:51 2016 From: ferrerabertran at gmail.com (Pere Ferrera) Date: Thu, 1 Dec 2016 10:37:51 +0100 Subject: [undertow-dev] two questions In-Reply-To: References: Message-ID: Hi Stuart, Thanks for the prompt reply. I am developing a critical high-performance web server and I am unsure whether I could hit the issue of many connections sitting in TIME_WAIT state or not (I came across it through a wrongly designed benchmark), I know this could happen under different obscure scenarios but it mostly doesn't if things are more or less correct... I just wanted to be on the safe side to be able to set SO_LINGER to 0 if I ever need to. For 2), I gave it a try and it seems to work, I see the semantics are similar to those of DoSFilter in Jetty: it rate-limits the number of requests per active connection, not overall. Except that there is a "pending" queue. What I like from the DoSFilter in Jetty is that it can also kill active requests if they take more than a certain number of milliseconds, is there something in Undertow like that or how would you implement it? Thanks, On Wed, Nov 30, 2016 at 10:23 PM, Stuart Douglas wrote: > 1) Why do you need to set this? In general Undertow won't close the > socket until all messages have been sent anyway. > > 2) Do you mean limit the number of active requests, or limit the > number of bytes per second that can be sent? > > io.undertow.server.handlers.RequestLimitingHandler can limit the > number of active requests, while > io.undertow.server.handlers.ResponseRateLimitingHandler can be used to > limit the rate data is sent on a connection. > > Stuart > > On Wed, Nov 30, 2016 at 9:53 PM, Pere Ferrera > wrote: > > Hi there, > > I have two questions: 1) How can I configure the underlying socket > parameter > > SO_LINGER using the Undertow API ? 
and 2) Is there something that I can > use > > to rate-limit requests issued to an Undertow server ? (something similar > to > > the DoS Filter in Jetty) > > > > Thanks, > > > > _______________________________________________ > > undertow-dev mailing list > > undertow-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/undertow-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161201/e86c6a86/attachment-0001.html From sdouglas at redhat.com Thu Dec 1 17:39:32 2016 From: sdouglas at redhat.com (Stuart Douglas) Date: Fri, 2 Dec 2016 09:39:32 +1100 Subject: [undertow-dev] two questions In-Reply-To: References: Message-ID: On Thu, Dec 1, 2016 at 8:37 PM, Pere Ferrera wrote: > Hi Stuart, > > Thanks for the prompt reply. I am developing a critical high-performance web > server and I am unsure whether I could hit the issue of many connections > sitting in TIME_WAIT state or not (I came across it through a wrongly > designed benchmark), I know this could happen under different obscure > scenarios but it mostly doesn't if things are more or less correct... I just > wanted to be on the safe side to be able to set SO_LINGER to 0 if I ever > need to. It looks like SO_LINGER support is not implemented in XNIO, so it is not possible to set at the moment. It would be easy to add though. > > For 2), I gave it a try and it seems to work, I see the semantics are > similar to those of DoSFilter in Jetty: it rate-limits the number of > requests per active connection, not overall. Except that there is a > "pending" queue. What I like from the DoSFilter in Jetty is that it can also > kill active requests if they take more than a certain number of > milliseconds, is there something in Undertow like that or how would you > implement it? > It is a global rate limit, not a per connection one. 
If you are using HTTP/2 and have multiple requests per connection you can use the MAX_CONCURRENT_STREAMS option to limit the number of requests per connection.

Looks like there is a bug in the implementation in terms of the queue, it should support a queue size of zero which means no queuing, however this is interpreted as an unbounded queue instead. For now you could set the size to 1.

Killing requests that take more than X ms is somewhat more problematic. You can close the socket easily enough, but that is no guarantee the thread will stop what it is doing (you can interrupt the thread, but if you are doing anything async that is very problematic, as the thread may no longer be associated with the request). A simple implementation might look like:

    import io.undertow.server.HttpServerExchange;
    import java.util.concurrent.TimeUnit;
    import org.xnio.IoUtils;

    // Method of an HttpHandler that wraps another handler held in the field `next`.
    @Override
    public void handleRequest(final HttpServerExchange exchange) throws Exception {
        // Schedule a check on the exchange's IO thread 1000 ms from now.
        exchange.getIoThread().executeAfter(new Runnable() {
            @Override
            public void run() {
                // Still running after the deadline: close the connection.
                if (!exchange.isComplete()) {
                    IoUtils.safeClose(exchange.getConnection());
                }
            }
        }, 1000, TimeUnit.MILLISECONDS);
        next.handleRequest(exchange);
    }

From a performance point of view this is not great, as timers can be relatively expensive. A better approach may be to have a task that executes every X/10 ms, and just add all the requests to a queue (along with start time). The timer thread can then poll the queue and kill any that have gone too long.

Stuart

> Thanks,
>
> On Wed, Nov 30, 2016 at 10:23 PM, Stuart Douglas wrote:
>>
>> 1) Why do you need to set this? In general Undertow won't close the
>> socket until all messages have been sent anyway.
>>
>> 2) Do you mean limit the number of active requests, or limit the
>> number of bytes per second that can be sent?
>>
>> io.undertow.server.handlers.RequestLimitingHandler can limit the
>> number of active requests, while
>> io.undertow.server.handlers.ResponseRateLimitingHandler can be used to
>> limit the rate data is sent on a connection.
>>
>> Stuart
>>
>> On Wed, Nov 30, 2016 at 9:53 PM, Pere Ferrera wrote:
>> > Hi there,
>> > I have two questions: 1) How can I configure the underlying socket parameter
>> > SO_LINGER using the Undertow API ? and 2) Is there something that I can use
>> > to rate-limit requests issued to an Undertow server ? (something similar to
>> > the DoS Filter in Jetty)
>> >
>> > Thanks,
>> >
>> > _______________________________________________
>> > undertow-dev mailing list
>> > undertow-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/undertow-dev
>
>

From devl.development at gmail.com Fri Dec 2 09:17:40 2016
From: devl.development at gmail.com (Devl Devel)
Date: Fri, 02 Dec 2016 14:17:40 +0000
Subject: [undertow-dev] Websocket Data
In-Reply-To:
References:
Message-ID:

Thanks for the advice Stuart. Having tried a few approaches I didn't get very far with starting a new Thread. Please could you help sketch out some pseudo code to get and use the XnioIoThread particularly in relation to the ChatServer example?

Using the WorkerThread requires

    WorkerThread(final NioXnioWorker worker, final Selector selector, final String name, final ThreadGroup group, final long stackSize, final int number) {
        super(worker, number, group, name, stackSize);
        this.selector = selector;
    }

Do I need to create new NioXnioWorker workers, selectors etc?

If you have any examples in git you can point me to that would be appreciated. Thanks for your help.

On Tue, Nov 29, 2016 at 8:25 PM Stuart Douglas wrote:
> You can use
>
> XnioIoThread.executeAtInterval
>
> One thing to be careful of though is that you need to make sure the
> messages are actually being sent. If the messages are very large and
> the client is very slow you can eventually run out of memory due to
> messages being buffered.
> > Stuart > > On Wed, Nov 30, 2016 at 2:33 AM, Devl Devel > wrote: > > Hi Guys > > > > I managed to implement a websocket server as per > > > https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/chat/ChatServer.java > > > > Question is whats the best way to get the websocket to send data every 1 > or > > x second(x) irrespective of whether it got a message via > onFullTextMessage? > > > > Any pointers would be appreciated. > > Thanks > > > > > > _______________________________________________ > > undertow-dev mailing list > > undertow-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/undertow-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161202/1d8e81e7/attachment.html From sdouglas at redhat.com Sun Dec 4 17:28:35 2016 From: sdouglas at redhat.com (Stuart Douglas) Date: Mon, 5 Dec 2016 09:28:35 +1100 Subject: [undertow-dev] Websocket Data In-Reply-To: References: Message-ID: You don't create one, you use the one returned by channel.getIoThread(). Stuart On Sat, Dec 3, 2016 at 1:17 AM, Devl Devel wrote: > Thanks for the advice Stuart. Having tried a few approaches I didn't get > very far with starting a new Thread. Please could you help sketch out some > pseudo code to get and use the XnioIoThread particularly in relation to the > ChatServer example? > > Using the WorkerThread requires > > WorkerThread(final NioXnioWorker worker, final Selector selector, final > String name, final ThreadGroup group, final long stackSize, final int > number) { > super(worker, number, group, name, stackSize); > this.selector = selector; > } > > Do I need to create new NioXnioWorker workers, selectors etc? > > If you have any examples in git you can point me to that would be > appreciated. Thanks for your help. 
>
> On Tue, Nov 29, 2016 at 8:25 PM Stuart Douglas wrote:
>>
>> You can use
>>
>> XnioIoThread.executeAtInterval
>>
>> One thing to be careful of though is that you need to make sure the
>> messages are actually being sent. If the messages are very large and
>> the client is very slow you can eventually run out of memory due to
>> messages being buffered.
>>
>> Stuart
>>
>> On Wed, Nov 30, 2016 at 2:33 AM, Devl Devel wrote:
>> > Hi Guys
>> >
>> > I managed to implement a websocket server as per
>> >
>> > https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/chat/ChatServer.java
>> >
>> > Question is what's the best way to get the websocket to send data every 1 or
>> > x second(x) irrespective of whether it got a message via
>> > onFullTextMessage?
>> >
>> > Any pointers would be appreciated.
>> > Thanks
>> >
>> >
>> > _______________________________________________
>> > undertow-dev mailing list
>> > undertow-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/undertow-dev

From matt at matthicks.com Wed Dec 7 15:17:43 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Wed, 07 Dec 2016 20:17:43 +0000
Subject: [undertow-dev] Sender not flushing?
In-Reply-To:
References:
Message-ID:

I've got a fairly simplistic scenario (using 1.4.6.Final) where I'm building an HTML String and then sending it to my exchange:

    exchange.getResponseHeaders.put(Headers.CONTENT_LENGTH, html.length)
    exchange.getResponseHeaders.put(Headers.CONTENT_TYPE, "text/html")
    exchange.getResponseSender.send(html)

However, very often the last one to three characters don't seem to be received by the browser. I've logged the HTML before outputting so I know that I'm adding the "" at the end, but in order to get everything properly to the browser I have to append a few spaces to the end of my HTML so it doesn't get clipped. Is there something I'm missing that needs to be done to make sure the content is flushed appropriately?
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161207/643df0ac/attachment.html From bill at dartalley.com Wed Dec 7 15:31:36 2016 From: bill at dartalley.com (Bill O'Neil) Date: Wed, 7 Dec 2016 15:31:36 -0500 Subject: [undertow-dev] Sender not flushing? In-Reply-To: References: Message-ID: It might have something to do with character encoding. You should not need to pass the content length when using the send(String) method it should set it for you. Try removing the line exchange.getResponseHeaders.put(Headers.CONTENT_LENGTH, html.length) On Wed, Dec 7, 2016 at 3:17 PM, Hicks, Matt wrote: > I've got a fairly simplistic scenario (using 1.4.6.Final) where I'm > building an HTML String and then sending it to my exchange: > > exchange.getResponseHeaders.put(Headers.CONTENT_LENGTH, html.length) > exchange.getResponseHeaders.put(Headers.CONTENT_TYPE, "text/html") > exchange.getResponseSender.send(html) > > However, very often the last one to three characters don't seem to be > received by the browser. I've logged the HTML before outputting so I know > that I'm adding the "" at the end, but in order to get everything > properly to the browser I have to append a few spaces to the end of my HTML > so it doesn't get clipped. Is there something I'm missing that needs to be > done to make sure the content is flushed appropriately? > > _______________________________________________ > undertow-dev mailing list > undertow-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161207/31f19abc/attachment-0001.html From bill at dartalley.com Wed Dec 7 15:33:15 2016 From: bill at dartalley.com (Bill O'Neil) Date: Wed, 7 Dec 2016 15:33:15 -0500 Subject: [undertow-dev] Sender not flushing? 
In-Reply-To: References: Message-ID: Or if you are sending bytes try. exchange.getResponseSender().send(ByteBuffer.wrap(byteArray)); On Wed, Dec 7, 2016 at 3:31 PM, Bill O'Neil wrote: > It might have something to do with character encoding. You should not need > to pass the content length when using the send(String) method it should set > it for you. > > Try removing the line exchange.getResponseHeaders.put(Headers.CONTENT_LENGTH, > html.length) > > On Wed, Dec 7, 2016 at 3:17 PM, Hicks, Matt wrote: > >> I've got a fairly simplistic scenario (using 1.4.6.Final) where I'm >> building an HTML String and then sending it to my exchange: >> >> exchange.getResponseHeaders.put(Headers.CONTENT_LENGTH, html.length) >> exchange.getResponseHeaders.put(Headers.CONTENT_TYPE, "text/html") >> exchange.getResponseSender.send(html) >> >> However, very often the last one to three characters don't seem to be >> received by the browser. I've logged the HTML before outputting so I know >> that I'm adding the "" at the end, but in order to get everything >> properly to the browser I have to append a few spaces to the end of my HTML >> so it doesn't get clipped. Is there something I'm missing that needs to be >> done to make sure the content is flushed appropriately? >> >> _______________________________________________ >> undertow-dev mailing list >> undertow-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/undertow-dev >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161207/e22456fa/attachment.html From matt at matthicks.com Wed Dec 7 16:17:13 2016 From: matt at matthicks.com (Hicks, Matt) Date: Wed, 07 Dec 2016 21:17:13 +0000 Subject: [undertow-dev] Sender not flushing? In-Reply-To: References: Message-ID: Strangely enough, removing the CONTENT_LENGTH header fixed it! On Wed, Dec 7, 2016 at 2:33 PM Bill O'Neil wrote: > Or if you are sending bytes try. 
> > exchange.getResponseSender().send(ByteBuffer.wrap(byteArray)); > > On Wed, Dec 7, 2016 at 3:31 PM, Bill O'Neil wrote: > > It might have something to do with character encoding. You should not need > to pass the content length when using the send(String) method it should set > it for you. > > Try removing the line exchange.getResponseHeaders.put(Headers.CONTENT_LENGTH, > html.length) > > On Wed, Dec 7, 2016 at 3:17 PM, Hicks, Matt wrote: > > I've got a fairly simplistic scenario (using 1.4.6.Final) where I'm > building an HTML String and then sending it to my exchange: > > exchange.getResponseHeaders.put(Headers.CONTENT_LENGTH, html.length) > exchange.getResponseHeaders.put(Headers.CONTENT_TYPE, "text/html") > exchange.getResponseSender.send(html) > > However, very often the last one to three characters don't seem to be > received by the browser. I've logged the HTML before outputting so I know > that I'm adding the "" at the end, but in order to get everything > properly to the browser I have to append a few spaces to the end of my HTML > so it doesn't get clipped. Is there something I'm missing that needs to be > done to make sure the content is flushed appropriately? > > _______________________________________________ > undertow-dev mailing list > undertow-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161207/5e0be174/attachment.html From stevehu at gmail.com Wed Dec 7 16:48:11 2016 From: stevehu at gmail.com (Steve Hu) Date: Wed, 7 Dec 2016 16:48:11 -0500 Subject: [undertow-dev] Sender not flushing? In-Reply-To: References: Message-ID: If you don't put content_length, the server will calculate it. The calculation is based on the byte[] not string so your calculation is not correct. My understanding is you only need to set content_length if you are working on streams. 

On Wed, Dec 7, 2016 at 4:17 PM, Hicks, Matt wrote:
> Strangely enough, removing the CONTENT_LENGTH header fixed it!
>
> On Wed, Dec 7, 2016 at 2:33 PM Bill O'Neil wrote:
>
>> Or if you are sending bytes try.
>>
>> exchange.getResponseSender().send(ByteBuffer.wrap(byteArray));
>>
>> On Wed, Dec 7, 2016 at 3:31 PM, Bill O'Neil wrote:
>>
>> It might have something to do with character encoding. You should not
>> need to pass the content length when using the send(String) method it
>> should set it for you.
>>
>> Try removing the line exchange.getResponseHeaders.put(Headers.CONTENT_LENGTH,
>> html.length)
>>
>> On Wed, Dec 7, 2016 at 3:17 PM, Hicks, Matt wrote:
>>
>> I've got a fairly simplistic scenario (using 1.4.6.Final) where I'm
>> building an HTML String and then sending it to my exchange:
>>
>> exchange.getResponseHeaders.put(Headers.CONTENT_LENGTH, html.length)
>> exchange.getResponseHeaders.put(Headers.CONTENT_TYPE, "text/html")
>> exchange.getResponseSender.send(html)
>>
>> However, very often the last one to three characters don't seem to be
>> received by the browser. I've logged the HTML before outputting so I know
>> that I'm adding the "" at the end, but in order to get everything
>> properly to the browser I have to append a few spaces to the end of my HTML
>> so it doesn't get clipped. Is there something I'm missing that needs to be
>> done to make sure the content is flushed appropriately?
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
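
The mismatch Steve Hu describes in this thread, as an added example (not code from the thread or from Undertow): Content-Length counts encoded bytes while String.length() counts UTF-16 code units, so a body with non-ASCII characters is longer on the wire than a header derived from the string length declares. The class name, the sample HTML and the requireMatchingLength guard are assumptions made for illustration, and UTF-8 is assumed as the response encoding.

```java
import java.nio.charset.StandardCharsets;

public class ContentLengthCheck {

    // Constructed sample body with three non-ASCII characters
    // (e-acute, en dash, i-diaeresis); not taken from the thread.
    static final String HTML =
            "<html><body>caf\u00e9 \u2013 na\u00efve</body></html>";

    /** Number of bytes the body occupies on the wire when encoded as UTF-8. */
    static int wireLength(String body) {
        return body.getBytes(StandardCharsets.UTF_8).length;
    }

    /** What a client sees if it stops reading at the declared Content-Length. */
    static String clientView(String body, long declared) {
        byte[] wire = body.getBytes(StandardCharsets.UTF_8);
        int n = (int) Math.min(declared, wire.length);
        return new String(wire, 0, n, StandardCharsets.UTF_8);
    }

    /** Bytes the handler produced beyond the declared length. */
    static long excessBytes(String body, long declared) {
        return Math.max(0, wireLength(body) - declared);
    }

    /**
     * Guard (hypothetical helper): refuse a declared length that disagrees
     * with the encoded body instead of letting the response be cut short.
     */
    static void requireMatchingLength(String body, long declared) {
        int actual = wireLength(body);
        if (declared != actual) {
            throw new IllegalStateException(
                    "Content-Length " + declared
                    + " does not match encoded body length " + actual);
        }
    }

    public static void main(String[] args) {
        // The pattern from the thread: header value taken from the String.
        long declared = HTML.length();

        System.out.println("String.length(): " + HTML.length());
        System.out.println("UTF-8 bytes:     " + wireLength(HTML));
        System.out.println("client receives: " + clientView(HTML, declared));
        System.out.println("bytes cut off:   " + excessBytes(HTML, declared));

        // Consistent variant: encode once, derive the length from the bytes.
        byte[] wire = HTML.getBytes(StandardCharsets.UTF_8);
        requireMatchingLength(HTML, wire.length);

        // The guard rejects the char-count value before anything is sent.
        try {
            requireMatchingLength(HTML, declared);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With Undertow, the consistent variant corresponds to either leaving the header unset for send(String), or encoding the body once and passing the bytes with send(ByteBuffer.wrap(byteArray)), as suggested earlier in the thread.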
From sdouglas at redhat.com Wed Dec 7 18:50:53 2016
From: sdouglas at redhat.com (Stuart Douglas)
Date: Thu, 8 Dec 2016 10:50:53 +1100
Subject: [undertow-dev] Sender not flushing?
In-Reply-To:
References:
Message-ID:

I should probably make this an error (attempting to send more than the remaining content length).

Stuart

On Thu, Dec 8, 2016 at 8:48 AM, Steve Hu wrote:
> If you don't put content_length, the server will calculate it. The
> calculation is based on the byte[] not string so your calculation is not
> correct. My understanding is you only need to set content_length if you are
> working on streams.
>
> On Wed, Dec 7, 2016 at 4:17 PM, Hicks, Matt wrote:
>>
>> Strangely enough, removing the CONTENT_LENGTH header fixed it!
>>
>> On Wed, Dec 7, 2016 at 2:33 PM Bill O'Neil wrote:
>>>
>>> Or if you are sending bytes try.
>>>
>>> exchange.getResponseSender().send(ByteBuffer.wrap(byteArray));
>>>
>>> On Wed, Dec 7, 2016 at 3:31 PM, Bill O'Neil wrote:
>>>>
>>>> It might have something to do with character encoding. You should not
>>>> need to pass the content length when using the send(String) method it should
>>>> set it for you.
>>>>
>>>> Try removing the line
>>>> exchange.getResponseHeaders.put(Headers.CONTENT_LENGTH, html.length)
>>>>
>>>> On Wed, Dec 7, 2016 at 3:17 PM, Hicks, Matt wrote:
>>>>>
>>>>> I've got a fairly simplistic scenario (using 1.4.6.Final) where I'm
>>>>> building an HTML String and then sending it to my exchange:
>>>>>
>>>>> exchange.getResponseHeaders.put(Headers.CONTENT_LENGTH, html.length)
>>>>> exchange.getResponseHeaders.put(Headers.CONTENT_TYPE, "text/html")
>>>>> exchange.getResponseSender.send(html)
>>>>>
>>>>> However, very often the last one to three characters don't seem to be
>>>>> received by the browser.
I've logged the HTML before outputting so I know >>>>> that I'm adding the "" at the end, but in order to get everything >>>>> properly to the browser I have to append a few spaces to the end of my HTML >>>>> so it doesn't get clipped. Is there something I'm missing that needs to be >>>>> done to make sure the content is flushed appropriately? >>>>> >>>>> _______________________________________________ >>>>> undertow-dev mailing list >>>>> undertow-dev at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>>> >>>> >>> >> >> _______________________________________________ >> undertow-dev mailing list >> undertow-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/undertow-dev > > > > _______________________________________________ > undertow-dev mailing list > undertow-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev From matt at matthicks.com Thu Dec 8 11:53:38 2016 From: matt at matthicks.com (Hicks, Matt) Date: Thu, 08 Dec 2016 16:53:38 +0000 Subject: [undertow-dev] SSL Documentation Message-ID: Is there any documentation for configuring SSL on my server? I was looking through the online docs and found nothing (apart from "Assembling a Server Manually"). Any assistance would be appreciated. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161208/35788737/attachment.html From matt at matthicks.com Thu Dec 8 20:06:52 2016 From: matt at matthicks.com (Hicks, Matt) Date: Fri, 09 Dec 2016 01:06:52 +0000 Subject: [undertow-dev] SSL Documentation In-Reply-To: References: Message-ID: I've made some progress. 
After adding the following to the builder:

    import java.io.FileInputStream
    import java.security.{KeyStore, SecureRandom}
    import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}

    // `config` and `builder` come from the surrounding application.
    val password = config.https.password.get.toCharArray
    val keyStore = KeyStore.getInstance("JKS")
    val keyStoreFile = config.https.keyStoreLocation.get
    assert(keyStoreFile.exists(), s"No keystore file was found at the location: ${keyStoreFile.getAbsolutePath}")
    val keyStoreInput = new FileInputStream(keyStoreFile)
    // Close the stream once the keystore has been read.
    try keyStore.load(keyStoreInput, password) finally keyStoreInput.close()
    val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
    keyManagerFactory.init(keyStore, password)
    val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
    trustManagerFactory.init(keyStore)
    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
    builder.addHttpsListener(config.https.port.get, config.https.host.get, sslContext)

Everything starts as expected, no errors, but when I hit localhost:8443 with the browser it says "localhost didn't send any data".

Should it use what I've set with "builder.setHandler" for HTTPS as well?

On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt wrote:

Is there any documentation for configuring SSL on my server? I was looking through the online docs and found nothing (apart from "Assembling a Server Manually").

Any assistance would be appreciated.

Thanks

From bill at dartalley.com Thu Dec 8 20:12:30 2016
From: bill at dartalley.com (Bill O'Neil)
Date: Thu, 8 Dec 2016 20:12:30 -0500
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Try the constructor with 4 args where you also pass a handler.

    public Builder addHttpsListener(int port, String host, SSLContext sslContext, HttpHandler rootHandler) {

On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt wrote:
> I've made some progress.
After adding the following to the builder: > > val password = config.https.password.get.toCharArray > val keyStore = KeyStore.getInstance("JKS") > val keyStoreFile = config.https.keyStoreLocation.get > assert(keyStoreFile.exists(), s"No keystore file was found at the > location: ${keyStoreFile.getAbsolutePath}") > val keyStoreInput = new FileInputStream(keyStoreFile) > keyStore.load(keyStoreInput, password) > val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory. > getDefaultAlgorithm) > keyManagerFactory.init(keyStore, password) > val trustManagerFactory = TrustManagerFactory.getInstance( > TrustManagerFactory.getDefaultAlgorithm) > trustManagerFactory.init(keyStore) > val sslContext = SSLContext.getInstance("TLS") > sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, > new SecureRandom) > builder.addHttpsListener(config.https.port.get, config.https.host.get, > sslContext) > > Everything starts as expected, no errors, but when I hit localhost:8443 > with the browser it says "localhost didn't send any data". > > Should it use what I've set with "builder.setHandler" for HTTPS as well? > > On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt wrote: > > Is there any documentation for configuring SSL on my server? I was > looking through the online docs and found nothing (apart from "Assembling a > Server Manually"). > > Any assistance would be appreciated. > > Thanks > > > _______________________________________________ > undertow-dev mailing list > undertow-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161208/fe7eba1f/attachment.html From matt at matthicks.com Thu Dec 8 20:14:44 2016 From: matt at matthicks.com (Hicks, Matt) Date: Fri, 09 Dec 2016 01:14:44 +0000 Subject: [undertow-dev] SSL Documentation In-Reply-To: References: Message-ID: It was worth a try, but no change. Thanks for the suggestion though. On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil wrote: > Try the constructor with 4 args where you also pass a handler. > > public Builder addHttpsListener(int port, String host, SSLContext > sslContext, HttpHandler rootHandler) { > > > > On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt wrote: > > I've made some progress. After adding the following to the builder: > > val password = config.https.password.get.toCharArray > val keyStore = KeyStore.getInstance("JKS") > val keyStoreFile = config.https.keyStoreLocation.get > assert(keyStoreFile.exists(), s"No keystore file was found at the > location: ${keyStoreFile.getAbsolutePath}") > val keyStoreInput = new FileInputStream(keyStoreFile) > keyStore.load(keyStoreInput, password) > val keyManagerFactory = > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm) > keyManagerFactory.init(keyStore, password) > val trustManagerFactory = > TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm) > trustManagerFactory.init(keyStore) > val sslContext = SSLContext.getInstance("TLS") > sslContext.init(keyManagerFactory.getKeyManagers, > trustManagerFactory.getTrustManagers, new SecureRandom) > builder.addHttpsListener(config.https.port.get, config.https.host.get, > sslContext) > > Everything starts as expected, no errors, but when I hit localhost:8443 > with the browser it says "localhost didn't send any data". > > Should it use what I've set with "builder.setHandler" for HTTPS as well? > > On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt wrote: > > Is there any documentation for configuring SSL on my server? 
I was > looking through the online docs and found nothing (apart from "Assembling a > Server Manually"). > > Any assistance would be appreciated. > > Thanks > > > _______________________________________________ > undertow-dev mailing list > undertow-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161209/3f6eaeb4/attachment-0001.html From matt at matthicks.com Thu Dec 8 20:16:44 2016 From: matt at matthicks.com (Hicks, Matt) Date: Fri, 09 Dec 2016 01:16:44 +0000 Subject: [undertow-dev] SSL Documentation In-Reply-To: References: Message-ID: Also, to clarify, the HttpHandler's handleRequest is never being called. On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt wrote: > It was worth a try, but no change. Thanks for the suggestion though. > > On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil wrote: > > Try the constructor with 4 args where you also pass a handler. > > public Builder addHttpsListener(int port, String host, SSLContext > sslContext, HttpHandler rootHandler) { > > > > On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt wrote: > > I've made some progress. 
After adding the following to the builder: > > val password = config.https.password.get.toCharArray > val keyStore = KeyStore.getInstance("JKS") > val keyStoreFile = config.https.keyStoreLocation.get > assert(keyStoreFile.exists(), s"No keystore file was found at the > location: ${keyStoreFile.getAbsolutePath}") > val keyStoreInput = new FileInputStream(keyStoreFile) > keyStore.load(keyStoreInput, password) > val keyManagerFactory = > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm) > keyManagerFactory.init(keyStore, password) > val trustManagerFactory = > TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm) > trustManagerFactory.init(keyStore) > val sslContext = SSLContext.getInstance("TLS") > sslContext.init(keyManagerFactory.getKeyManagers, > trustManagerFactory.getTrustManagers, new SecureRandom) > builder.addHttpsListener(config.https.port.get, config.https.host.get, > sslContext) > > Everything starts as expected, no errors, but when I hit localhost:8443 > with the browser it says "localhost didn't send any data". > > Should it use what I've set with "builder.setHandler" for HTTPS as well? > > On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt wrote: > > Is there any documentation for configuring SSL on my server? I was > looking through the online docs and found nothing (apart from "Assembling a > Server Manually"). > > Any assistance would be appreciated. > > Thanks > > > _______________________________________________ > undertow-dev mailing list > undertow-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev > > > -------------- next part -------------- An HTML attachment was scrubbed... 
From bill at dartalley.com Thu Dec 8 20:26:34 2016
From: bill at dartalley.com (Bill O'Neil)
Date: Thu, 8 Dec 2016 20:26:34 -0500
Subject: [undertow-dev] SSL Documentation

Hmm I'm not sure. I SSL terminate before I hit undertow.

On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt wrote:

> Also, to clarify, the HttpHandler's handleRequest is never being called.
>
> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt wrote:
>
>> It was worth a try, but no change. Thanks for the suggestion though.
>>
>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil wrote:
>>
>> Try the constructor with 4 args where you also pass a handler.
>>
>> public Builder addHttpsListener(int port, String host, SSLContext
>> sslContext, HttpHandler rootHandler) {
>>
>>
>>
>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt wrote:
>>
>> I've made some progress. After adding the following to the builder:
>>
>> val password = config.https.password.get.toCharArray
>> val keyStore = KeyStore.getInstance("JKS")
>> val keyStoreFile = config.https.keyStoreLocation.get
>> assert(keyStoreFile.exists(), s"No keystore file was found at the
>> location: ${keyStoreFile.getAbsolutePath}")
>> val keyStoreInput = new FileInputStream(keyStoreFile)
>> keyStore.load(keyStoreInput, password)
>> val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.
>> getDefaultAlgorithm)
>> keyManagerFactory.init(keyStore, password)
>> val trustManagerFactory = TrustManagerFactory.getInstance(
>> TrustManagerFactory.getDefaultAlgorithm)
>> trustManagerFactory.init(keyStore)
>> val sslContext = SSLContext.getInstance("TLS")
>> sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers,
>> new SecureRandom)
>> builder.addHttpsListener(config.https.port.get, config.https.host.get,
>> sslContext)
>>
>> Everything starts as expected, no errors, but when I hit localhost:8443
>> with the browser it says "localhost didn't send any data".
>>
>> Should it use what I've set with "builder.setHandler" for HTTPS as well?
>>
>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt wrote:
>>
>> Is there any documentation for configuring SSL on my server? I was
>> looking through the online docs and found nothing (apart from "Assembling a
>> Server Manually").
>>
>> Any assistance would be appreciated.
>>
>> Thanks
>>
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>>
>>

From matt at matthicks.com Thu Dec 8 20:30:45 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Fri, 09 Dec 2016 01:30:45 +0000
Subject: [undertow-dev] SSL Documentation

Well, I switched to using the signature that takes the KeyManagers array and TrustManagers array and now I'm at least getting an error:

java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection cannot be cast to io.undertow.protocols.ssl.UndertowSslConnection
    at io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)

This seems like a really flimsy implementation.
Am I better off just wrapping Undertow with Apache or Nginx?

On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil wrote:

> Hmm I'm not sure. I SSL terminate before I hit undertow.
>
> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt wrote:
>
> Also, to clarify, the HttpHandler's handleRequest is never being called.
>
> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt wrote:
>
> It was worth a try, but no change. Thanks for the suggestion though.
>
> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil wrote:
>
> Try the constructor with 4 args where you also pass a handler.
>
> public Builder addHttpsListener(int port, String host, SSLContext
> sslContext, HttpHandler rootHandler) {
>
>
>
> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt wrote:
>
> I've made some progress. After adding the following to the builder:
>
> val password = config.https.password.get.toCharArray
> val keyStore = KeyStore.getInstance("JKS")
> val keyStoreFile = config.https.keyStoreLocation.get
> assert(keyStoreFile.exists(), s"No keystore file was found at the
> location: ${keyStoreFile.getAbsolutePath}")
> val keyStoreInput = new FileInputStream(keyStoreFile)
> keyStore.load(keyStoreInput, password)
> val keyManagerFactory =
> KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
> keyManagerFactory.init(keyStore, password)
> val trustManagerFactory =
> TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
> trustManagerFactory.init(keyStore)
> val sslContext = SSLContext.getInstance("TLS")
> sslContext.init(keyManagerFactory.getKeyManagers,
> trustManagerFactory.getTrustManagers, new SecureRandom)
> builder.addHttpsListener(config.https.port.get, config.https.host.get,
> sslContext)
>
> Everything starts as expected, no errors, but when I hit localhost:8443
> with the browser it says "localhost didn't send any data".
>
> Should it use what I've set with "builder.setHandler" for HTTPS as well?
>
> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt wrote:
>
> Is there any documentation for configuring SSL on my server? I was
> looking through the online docs and found nothing (apart from "Assembling a
> Server Manually").
>
> Any assistance would be appreciated.
>
> Thanks
>
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
>
>
>

From sdouglas at redhat.com Thu Dec 8 21:00:17 2016
From: sdouglas at redhat.com (Stuart Douglas)
Date: Fri, 9 Dec 2016 13:00:17 +1100
Subject: [undertow-dev] SSL Documentation

Here is an example:

https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java

Looks like you have run into a bug, with regard to the ClassCastException, you need to use the version that takes an SslContext for now, although this should be fixed later today.

Stuart

On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt wrote:
> Well, I switched to using the signature that takes the KeyManagers array and
> TrustManagers array and now I'm at least getting an error:
>
> java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection cannot be
> cast to io.undertow.protocols.ssl.UndertowSslConnection at
> io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)
>
> This seems like a really flimsy implementation. Am I better off just
> wrapping Undertow with Apache or Nginx?
>
> On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil wrote:
>>
>> Hmm I'm not sure. I SSL terminate before I hit undertow.
>>
>> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt wrote:
>>>
>>> Also, to clarify, the HttpHandler's handleRequest is never being called.
>>>
>>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt wrote:
>>>>
>>>> It was worth a try, but no change. Thanks for the suggestion though.
>>>>
>>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil wrote:
>>>>>
>>>>> Try the constructor with 4 args where you also pass a handler.
>>>>>
>>>>> public Builder addHttpsListener(int port, String host,
>>>>> SSLContext sslContext, HttpHandler rootHandler) {
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt wrote:
>>>>>>
>>>>>> I've made some progress. After adding the following to the builder:
>>>>>>
>>>>>> val password = config.https.password.get.toCharArray
>>>>>> val keyStore = KeyStore.getInstance("JKS")
>>>>>> val keyStoreFile = config.https.keyStoreLocation.get
>>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the
>>>>>> location: ${keyStoreFile.getAbsolutePath}")
>>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
>>>>>> keyStore.load(keyStoreInput, password)
>>>>>> val keyManagerFactory =
>>>>>> KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
>>>>>> keyManagerFactory.init(keyStore, password)
>>>>>> val trustManagerFactory =
>>>>>> TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
>>>>>> trustManagerFactory.init(keyStore)
>>>>>> val sslContext = SSLContext.getInstance("TLS")
>>>>>> sslContext.init(keyManagerFactory.getKeyManagers,
>>>>>> trustManagerFactory.getTrustManagers, new SecureRandom)
>>>>>> builder.addHttpsListener(config.https.port.get, config.https.host.get,
>>>>>> sslContext)
>>>>>>
>>>>>> Everything starts as expected, no errors, but when I hit
>>>>>> localhost:8443 with the browser it says "localhost didn't send any data".
>>>>>>
>>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
>>>>>> well?
>>>>>>
>>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt
>>>>>> wrote:
>>>>>>>
>>>>>>> Is there any documentation for configuring SSL on my server?
I was
>>>>>>> looking through the online docs and found nothing (apart from "Assembling a
>>>>>>> Server Manually").
>>>>>>>
>>>>>>> Any assistance would be appreciated.
>>>>>>>
>>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> undertow-dev mailing list
>>>>>> undertow-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>>>>
>>>>>
>>
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev

From matt at matthicks.com Fri Dec 9 10:24:48 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Fri, 09 Dec 2016 15:24:48 +0000
Subject: [undertow-dev] SSL Documentation

Yeah, I'm pretty sure Undertow's support for SSL is broken!

I copied and pasted the example into my project and am getting the same results. I modified it to not do any proxying, but the server isn't responding properly and my anonymous HttpHandler is never invoked:

https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7

This is incredibly frustrating. Stuart, tell me if I shouldn't be using Undertow for SSL support and I'll start migrating to wrap with nginx.

On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas wrote:

> Here is an example:
>
>
> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>
> Looks like you have run into a bug, with regard to the
> ClassCastException, you need to use the version that takes an
> SslContext for now, although this should be fixed later today.
>
> Stuart
>
> On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt wrote:
> > Well, I switched to using the signature that takes the KeyManagers array
> and
> > TrustManagers array and now I'm at least getting an error:
> >
> > java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection
> cannot be
> > cast to io.undertow.protocols.ssl.UndertowSslConnection at
> >
> io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)
> >
> > This seems like a really flimsy implementation. Am I better off just
> > wrapping Undertow with Apache or Nginx?
> >
> > On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil wrote:
> >>
> >> Hmm I'm not sure. I SSL terminate before I hit undertow.
> >>
> >> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt wrote:
> >>>
> >>> Also, to clarify, the HttpHandler's handleRequest is never being
> called.
> >>>
> >>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt wrote:
> >>>>
> >>>> It was worth a try, but no change. Thanks for the suggestion though.
> >>>>
> >>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil
> wrote:
> >>>>>
> >>>>> Try the constructor with 4 args where you also pass a handler.
> >>>>>
> >>>>> public Builder addHttpsListener(int port, String host,
> >>>>> SSLContext sslContext, HttpHandler rootHandler) {
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt
> wrote:
> >>>>>>
> >>>>>> I've made some progress.
After adding the following to the builder:
> >>>>>>
> >>>>>> val password = config.https.password.get.toCharArray
> >>>>>> val keyStore = KeyStore.getInstance("JKS")
> >>>>>> val keyStoreFile = config.https.keyStoreLocation.get
> >>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the
> >>>>>> location: ${keyStoreFile.getAbsolutePath}")
> >>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
> >>>>>> keyStore.load(keyStoreInput, password)
> >>>>>> val keyManagerFactory =
> >>>>>> KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
> >>>>>> keyManagerFactory.init(keyStore, password)
> >>>>>> val trustManagerFactory =
> >>>>>>
> TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
> >>>>>> trustManagerFactory.init(keyStore)
> >>>>>> val sslContext = SSLContext.getInstance("TLS")
> >>>>>> sslContext.init(keyManagerFactory.getKeyManagers,
> >>>>>> trustManagerFactory.getTrustManagers, new SecureRandom)
> >>>>>> builder.addHttpsListener(config.https.port.get,
> config.https.host.get,
> >>>>>> sslContext)
> >>>>>>
> >>>>>> Everything starts as expected, no errors, but when I hit
> >>>>>> localhost:8443 with the browser it says "localhost didn't send any
> data".
> >>>>>>
> >>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
> >>>>>> well?
> >>>>>>
> >>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> Is there any documentation for configuring SSL on my server? I was
> >>>>>>> looking through the online docs and found nothing (apart from
> "Assembling a
> >>>>>>> Server Manually").
> >>>>>>>
> >>>>>>> Any assistance would be appreciated.
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> undertow-dev mailing list
> >>>>>> undertow-dev at lists.jboss.org
> >>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
> >>>>>
> >>>>>
> >>
> >
> > _______________________________________________
> > undertow-dev mailing list
> > undertow-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/undertow-dev
>

From mike at stardog.com Fri Dec 9 12:59:48 2016
From: mike at stardog.com (Michael Grove)
Date: Fri, 9 Dec 2016 12:59:48 -0500
Subject: [undertow-dev] SSL Documentation

On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt wrote:

> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>

It's working fine for me, and I'm using a setup almost exactly like what's shown in the examples.

> I copied and pasted the example into my project and am getting the same
> results. I modified it to not do any proxying, but the server isn't
> responding properly and my anonymous HttpHandler is never invoked:
>
> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>
> This is incredibly frustrating. Stuart, tell me if I shouldn't be using
> Undertow for SSL support and I'll start migrating to wrap with nginx.
>
> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas wrote:
>
>> Here is an example:
>>
>> https://github.com/undertow-io/undertow/blob/master/
>> examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>>
>> Looks like you have run into a bug, with regard to the
>> ClassCastException, you need to use the version that takes an
>> SslContext for now, although this should be fixed later today.
>>
>> Stuart
>>
>> On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt wrote:
>> > Well, I switched to using the signature that takes the KeyManagers
>> array and
>> > TrustManagers array and now I'm at least getting an error:
>> >
>> > java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection
>> cannot be
>> > cast to io.undertow.protocols.ssl.UndertowSslConnection at
>> > io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(
>> UndertowXnioSsl.java:141)
>> >
>> > This seems like a really flimsy implementation. Am I better off just
>> > wrapping Undertow with Apache or Nginx?
>> >
>> > On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil wrote:
>> >>
>> >> Hmm I'm not sure. I SSL terminate before I hit undertow.
>> >>
>> >> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt
>> wrote:
>> >>>
>> >>> Also, to clarify, the HttpHandler's handleRequest is never being
>> called.
>> >>>
>> >>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt
>> wrote:
>> >>>>
>> >>>> It was worth a try, but no change. Thanks for the suggestion though.
>> >>>>
>> >>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil
>> wrote:
>> >>>>>
>> >>>>> Try the constructor with 4 args where you also pass a handler.
>> >>>>>
>> >>>>> public Builder addHttpsListener(int port, String host,
>> >>>>> SSLContext sslContext, HttpHandler rootHandler) {
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt
>> wrote:
>> >>>>>>
>> >>>>>> I've made some progress.
After adding the following to the
>> builder:
>> >>>>>>
>> >>>>>> val password = config.https.password.get.toCharArray
>> >>>>>> val keyStore = KeyStore.getInstance("JKS")
>> >>>>>> val keyStoreFile = config.https.keyStoreLocation.get
>> >>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the
>> >>>>>> location: ${keyStoreFile.getAbsolutePath}")
>> >>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
>> >>>>>> keyStore.load(keyStoreInput, password)
>> >>>>>> val keyManagerFactory =
>> >>>>>> KeyManagerFactory.getInstance(KeyManagerFactory.
>> getDefaultAlgorithm)
>> >>>>>> keyManagerFactory.init(keyStore, password)
>> >>>>>> val trustManagerFactory =
>> >>>>>> TrustManagerFactory.getInstance(TrustManagerFactory.
>> getDefaultAlgorithm)
>> >>>>>> trustManagerFactory.init(keyStore)
>> >>>>>> val sslContext = SSLContext.getInstance("TLS")
>> >>>>>> sslContext.init(keyManagerFactory.getKeyManagers,
>> >>>>>> trustManagerFactory.getTrustManagers, new SecureRandom)
>> >>>>>> builder.addHttpsListener(config.https.port.get,
>> config.https.host.get,
>> >>>>>> sslContext)
>> >>>>>>
>> >>>>>> Everything starts as expected, no errors, but when I hit
>> >>>>>> localhost:8443 with the browser it says "localhost didn't send any
>> data".
>> >>>>>>
>> >>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
>> >>>>>> well?
>> >>>>>>
>> >>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt
>> >>>>>> wrote:
>> >>>>>>>
>> >>>>>>> Is there any documentation for configuring SSL on my server? I
>> was
>> >>>>>>> looking through the online docs and found nothing (apart from
>> "Assembling a
>> >>>>>>> Server Manually").
>> >>>>>>>
>> >>>>>>> Any assistance would be appreciated.
>> >>>>>>>
>> >>>>>>> Thanks
>> >>>>>>
>> >>>>>>
>> >>>>>> _______________________________________________
>> >>>>>> undertow-dev mailing list
>> >>>>>> undertow-dev at lists.jboss.org
>> >>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>> >>>>>
>> >>>>>
>> >>
>> >
>> > _______________________________________________
>> > undertow-dev mailing list
>> > undertow-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>

From matt at matthicks.com Fri Dec 9 13:11:59 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Fri, 09 Dec 2016 18:11:59 +0000
Subject: [undertow-dev] SSL Documentation

Hi Michael, thanks for the response. What version of Undertow are you using? Are you overriding the SSL certificate storage or using the example's? Would you mind terribly trying the exact code snippet and see if it works for you? This is very confusing if it's a problem on my end...especially since HTTP works fine.

On Fri, Dec 9, 2016 at 11:59 AM Michael Grove wrote:

> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt wrote:
>
> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>
>
> It's working fine for me, and I'm using a setup almost exactly like what's
> shown in the examples.
>
>
> I copied and pasted the example into my project and am getting the same
> results. I modified it to not do any proxying, but the server isn't
> responding properly and my anonymous HttpHandler is never invoked:
>
> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>
> This is incredibly frustrating.
Stuart, tell me if I shouldn't be using
> Undertow for SSL support and I'll start migrating to wrap with nginx.
>
> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas wrote:
>
> Here is an example:
>
>
> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>
> Looks like you have run into a bug, with regard to the
> ClassCastException, you need to use the version that takes an
> SslContext for now, although this should be fixed later today.
>
> Stuart
>
> On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt wrote:
> > Well, I switched to using the signature that takes the KeyManagers array
> and
> > TrustManagers array and now I'm at least getting an error:
> >
> > java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection
> cannot be
> > cast to io.undertow.protocols.ssl.UndertowSslConnection at
> >
> io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)
> >
> > This seems like a really flimsy implementation. Am I better off just
> > wrapping Undertow with Apache or Nginx?
> >
> > On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil wrote:
> >>
> >> Hmm I'm not sure. I SSL terminate before I hit undertow.
> >>
> >> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt wrote:
> >>>
> >>> Also, to clarify, the HttpHandler's handleRequest is never being
> called.
> >>>
> >>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt wrote:
> >>>>
> >>>> It was worth a try, but no change. Thanks for the suggestion though.
> >>>>
> >>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil
> wrote:
> >>>>>
> >>>>> Try the constructor with 4 args where you also pass a handler.
> >>>>>
> >>>>> public Builder addHttpsListener(int port, String host,
> >>>>> SSLContext sslContext, HttpHandler rootHandler) {
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt
> wrote:
> >>>>>>
> >>>>>> I've made some progress.
After adding the following to the builder:
> >>>>>>
> >>>>>> val password = config.https.password.get.toCharArray
> >>>>>> val keyStore = KeyStore.getInstance("JKS")
> >>>>>> val keyStoreFile = config.https.keyStoreLocation.get
> >>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the
> >>>>>> location: ${keyStoreFile.getAbsolutePath}")
> >>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
> >>>>>> keyStore.load(keyStoreInput, password)
> >>>>>> val keyManagerFactory =
> >>>>>> KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
> >>>>>> keyManagerFactory.init(keyStore, password)
> >>>>>> val trustManagerFactory =
> >>>>>>
> TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
> >>>>>> trustManagerFactory.init(keyStore)
> >>>>>> val sslContext = SSLContext.getInstance("TLS")
> >>>>>> sslContext.init(keyManagerFactory.getKeyManagers,
> >>>>>> trustManagerFactory.getTrustManagers, new SecureRandom)
> >>>>>> builder.addHttpsListener(config.https.port.get,
> config.https.host.get,
> >>>>>> sslContext)
> >>>>>>
> >>>>>> Everything starts as expected, no errors, but when I hit
> >>>>>> localhost:8443 with the browser it says "localhost didn't send any
> data".
> >>>>>>
> >>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
> >>>>>> well?
> >>>>>>
> >>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> Is there any documentation for configuring SSL on my server? I was
> >>>>>>> looking through the online docs and found nothing (apart from
> "Assembling a
> >>>>>>> Server Manually").
> >>>>>>>
> >>>>>>> Any assistance would be appreciated.
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> undertow-dev mailing list
> >>>>>> undertow-dev at lists.jboss.org
> >>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
> >>>>>
> >>>>>
> >>
> >
> > _______________________________________________
> > undertow-dev mailing list
> > undertow-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/undertow-dev
>
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
>

From mike at stardog.com Fri Dec 9 13:43:17 2016
From: mike at stardog.com (Michael Grove)
Date: Fri, 9 Dec 2016 13:43:17 -0500
Subject: [undertow-dev] SSL Documentation

On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:

> Hi Michael, thanks for the response. What version of Undertow are you
> using?
>

I'm using 1.3.20, so I'm a bit behind.

> Are you overriding the SSL certificate storage or using the example's?
>

I'm just creating the SSLContext that's passed to the builder via addHttpsListener directly from the standard JVM properties, eg javax.net.ssl.keyStore

> Would you mind terribly trying the exact code snippet and see if it works
> for you? This is very confusing if it's a problem on my end...especially
> since HTTP works fine.
>
> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove wrote:
>
>> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt wrote:
>>
>> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>>
>>
>> It's working fine for me, and I'm using a setup almost exactly like
>> what's shown in the examples.
>>
>>
>> I copied and pasted the example into my project and am getting the same
>> results.
I modified it to not do any proxying, but the server isn't
>> responding properly and my anonymous HttpHandler is never invoked:
>>
>> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>>
>> This is incredibly frustrating. Stuart, tell me if I shouldn't be using
>> Undertow for SSL support and I'll start migrating to wrap with nginx.
>>
>> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas
>> wrote:
>>
>> Here is an example:
>>
>> https://github.com/undertow-io/undertow/blob/master/
>> examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>>
>> Looks like you have run into a bug, with regard to the
>> ClassCastException, you need to use the version that takes an
>> SslContext for now, although this should be fixed later today.
>>
>> Stuart
>>
>> On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt wrote:
>> > Well, I switched to using the signature that takes the KeyManagers
>> array and
>> > TrustManagers array and now I'm at least getting an error:
>> >
>> > java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection
>> cannot be
>> > cast to io.undertow.protocols.ssl.UndertowSslConnection at
>> > io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(
>> UndertowXnioSsl.java:141)
>> >
>> > This seems like a really flimsy implementation. Am I better off just
>> > wrapping Undertow with Apache or Nginx?
>> >
>> > On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil wrote:
>> >>
>> >> Hmm I'm not sure. I SSL terminate before I hit undertow.
>> >>
>> >> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt
>> wrote:
>> >>>
>> >>> Also, to clarify, the HttpHandler's handleRequest is never being
>> called.
>> >>>
>> >>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt
>> wrote:
>> >>>>
>> >>>> It was worth a try, but no change. Thanks for the suggestion though.
>> >>>>
>> >>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil
>> wrote:
>> >>>>>
>> >>>>> Try the constructor with 4 args where you also pass a handler.
>> >>>>>
>> >>>>> public Builder addHttpsListener(int port, String host,
>> >>>>> SSLContext sslContext, HttpHandler rootHandler) {
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt
>> wrote:
>> >>>>>>
>> >>>>>> I've made some progress. After adding the following to the
>> builder:
>> >>>>>>
>> >>>>>> val password = config.https.password.get.toCharArray
>> >>>>>> val keyStore = KeyStore.getInstance("JKS")
>> >>>>>> val keyStoreFile = config.https.keyStoreLocation.get
>> >>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the
>> >>>>>> location: ${keyStoreFile.getAbsolutePath}")
>> >>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
>> >>>>>> keyStore.load(keyStoreInput, password)
>> >>>>>> val keyManagerFactory =
>> >>>>>> KeyManagerFactory.getInstance(KeyManagerFactory.
>> getDefaultAlgorithm)
>> >>>>>> keyManagerFactory.init(keyStore, password)
>> >>>>>> val trustManagerFactory =
>> >>>>>> TrustManagerFactory.getInstance(TrustManagerFactory.
>> getDefaultAlgorithm)
>> >>>>>> trustManagerFactory.init(keyStore)
>> >>>>>> val sslContext = SSLContext.getInstance("TLS")
>> >>>>>> sslContext.init(keyManagerFactory.getKeyManagers,
>> >>>>>> trustManagerFactory.getTrustManagers, new SecureRandom)
>> >>>>>> builder.addHttpsListener(config.https.port.get,
>> config.https.host.get,
>> >>>>>> sslContext)
>> >>>>>>
>> >>>>>> Everything starts as expected, no errors, but when I hit
>> >>>>>> localhost:8443 with the browser it says "localhost didn't send any
>> data".
>> >>>>>>
>> >>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
>> >>>>>> well?
>> >>>>>>
>> >>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt
>> >>>>>> wrote:
>> >>>>>>>
>> >>>>>>> Is there any documentation for configuring SSL on my server? I
>> was
>> >>>>>>> looking through the online docs and found nothing (apart from
>> "Assembling a
>> >>>>>>> Server Manually").
>> >>>>>>>
>> >>>>>>> Any assistance would be appreciated.
>> >>>>>>>
>> >>>>>>> Thanks
>> >>>>>>
>> >>>>>>
>> >>>>>> _______________________________________________
>> >>>>>> undertow-dev mailing list
>> >>>>>> undertow-dev at lists.jboss.org
>> >>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>> >>>>>
>> >>>>>
>> >>
>> >
>> > _______________________________________________
>> > undertow-dev mailing list
>> > undertow-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>>

From mike at stardog.com Fri Dec 9 13:49:04 2016
From: mike at stardog.com (Michael Grove)
Date: Fri, 9 Dec 2016 13:49:04 -0500
Subject: [undertow-dev] SSL Documentation

Prematurely hit send!

On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:

>
>
> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>
>> Hi Michael, thanks for the response. What version of Undertow are you
>> using?
>>
>
> I'm using 1.3.20, so I'm a bit behind.
>
>
>> Are you overriding the SSL certificate storage or using the example's?
>>
>
> I'm just creating the SSLContext that's passed to the builder via
> addHttpsListener directly from the standard JVM properties, eg
> javax.net.ssl.keyStore
>

This is the basic code for that:

    public static SSLContext createSSLContext(final Options theOptions) throws SSLException {
        return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
                                                  theOptions.get(ServerOptions.KEY_STORE),
                                                  theOptions.get(ServerOptions.KEY_STORE_PASSWD),
                                                  theOptions.get(ServerOptions.TRUST_STORE_TYPE),
                                                  theOptions.get(ServerOptions.TRUST_STORE),
                                                  theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
    }

I tweak the XNIO properties for SSL in the event the user needs client auth:

    aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);

At that point, it works nicely.

>
>
>> Would you mind terribly trying the exact code snippet and see if it works
>> for you? This is very confusing if it's a problem on my end...especially
>> since HTTP works fine.
>>
>

I can try to run it over the weekend, I'm a bit swamped with day to day stuff atm.

Cheers,

Mike

>
>> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove wrote:
>>
>>> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt wrote:
>>>
>>> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>>>
>>>
>>> It's working fine for me, and I'm using a setup almost exactly like
>>> what's shown in the examples.
>>>
>>>
>>> I copied and pasted the example into my project and am getting the same
>>> results. I modified it to not do any proxying, but the server isn't
>>> responding properly and my anonymous HttpHandler is never invoked:
>>>
>>> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>>>
>>> This is incredibly frustrating. Stuart, tell me if I shouldn't be using
>>> Undertow for SSL support and I'll start migrating to wrap with nginx.
>>>
>>> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas
>>> wrote:
>>>
>>> Here is an example:
>>>
>>> https://github.com/undertow-io/undertow/blob/master/examples
>>> /src/main/java/io/undertow/examples/http2/Http2Server.java
>>>
>>> Looks like you have run into a bug, with regard to the
>>> ClassCastException, you need to use the version that takes an
>>> SslContext for now, although this should be fixed later today.
>>>
>>> Stuart
>>>
>>> On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt wrote:
>>> > Well, I switched to using the signature that takes the KeyManagers array and
>>> > TrustManagers array and now I'm at least getting an error:
>>> >
>>> > java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection cannot be
>>> > cast to io.undertow.protocols.ssl.UndertowSslConnection at
>>> > io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)
>>> >
>>> > This seems like a really flimsy implementation. Am I better off just
>>> > wrapping Undertow with Apache or Nginx?
>>> >
>>> > On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil wrote:
>>> >>
>>> >> Hmm I'm not sure. I SSL terminate before I hit undertow.
>>> >>
>>> >> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt wrote:
>>> >>>
>>> >>> Also, to clarify, the HttpHandler's handleRequest is never being called.
>>> >>>
>>> >>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt wrote:
>>> >>>>
>>> >>>> It was worth a try, but no change. Thanks for the suggestion though.
>>> >>>>
>>> >>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil wrote:
>>> >>>>>
>>> >>>>> Try the constructor with 4 args where you also pass a handler.
>>> >>>>>
>>> >>>>> public Builder addHttpsListener(int port, String host,
>>> >>>>> SSLContext sslContext, HttpHandler rootHandler) {
>>> >>>>>
>>> >>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt wrote:
>>> >>>>>>
>>> >>>>>> I've made some progress. After adding the following to the builder:
>>> >>>>>>
>>> >>>>>> val password = config.https.password.get.toCharArray
>>> >>>>>> val keyStore = KeyStore.getInstance("JKS")
>>> >>>>>> val keyStoreFile = config.https.keyStoreLocation.get
>>> >>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the location: ${keyStoreFile.getAbsolutePath}")
>>> >>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
>>> >>>>>> keyStore.load(keyStoreInput, password)
>>> >>>>>> val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
>>> >>>>>> keyManagerFactory.init(keyStore, password)
>>> >>>>>> val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
>>> >>>>>> trustManagerFactory.init(keyStore)
>>> >>>>>> val sslContext = SSLContext.getInstance("TLS")
>>> >>>>>> sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
>>> >>>>>> builder.addHttpsListener(config.https.port.get, config.https.host.get, sslContext)
>>> >>>>>>
>>> >>>>>> Everything starts as expected, no errors, but when I hit
>>> >>>>>> localhost:8443 with the browser it says "localhost didn't send any data".
>>> >>>>>>
>>> >>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
>>> >>>>>> well?
>>> >>>>>>
>>> >>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt wrote:
>>> >>>>>>>
>>> >>>>>>> Is there any documentation for configuring SSL on my server? I was
>>> >>>>>>> looking through the online docs and found nothing (apart from
>>> >>>>>>> "Assembling a Server Manually").
>>> >>>>>>>
>>> >>>>>>> Any assistance would be appreciated.
>>> >>>>>>>
>>> >>>>>>> Thanks

From matt at matthicks.com Fri Dec 9 14:08:34 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Fri, 09 Dec 2016 19:08:34 +0000
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Thanks guys. Michael, I'll try your code here in a bit to see if it makes
any difference.

On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote:

> Prematurely hit send!
>
> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:
>
> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>
> Hi Michael, thanks for the response. What version of Undertow are you
> using?
>
> I'm using 1.3.20, so I'm a bit behind.
>
> Are you overriding the SSL certificate storage or using the example's?
>
> I'm just creating the SSLContext that's passed to the builder via
> addHttpsListener directly from the standard JVM properties, eg
> javax.net.ssl.keyStore
>
> This is the basic code for that:
>
> public static SSLContext createSSLContext(final Options theOptions) throws SSLException {
> return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
> theOptions.get(ServerOptions.KEY_STORE),
> theOptions.get(ServerOptions.KEY_STORE_PASSWD),
> theOptions.get(ServerOptions.TRUST_STORE_TYPE),
> theOptions.get(ServerOptions.TRUST_STORE),
> theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
> }
>
> I tweak the XNIO properties for SSL in the event the user needs client
> auth:
>
> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE,
> SslClientAuthMode.REQUIRED);
>
> At that point, it works nicely.
>
> Would you mind terribly trying the exact code snippet and see if it works
> for you? This is very confusing if it's a problem on my end...especially
> since HTTP works fine.
>
> I can try to run it over the weekend, I'm a bit swamped with day to day
> stuff atm.
>
> Cheers,
>
> Mike
>
> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove wrote:
>
> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt wrote:
>
> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>
> It's working fine for me, and I'm using a setup almost exactly like what's
> shown in the examples.
>
> I copied and pasted the example into my project and am getting the same
> results. I modified it to not do any proxying, but the server isn't
> responding properly and my anonymous HttpHandler is never invoked:
>
> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>
> This is incredibly frustrating. Stuart, tell me if I shouldn't be using
> Undertow for SSL support and I'll start migrating to wrap with nginx.
>
> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas wrote:
>
> Here is an example:
>
> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>
> Looks like you have run into a bug, with regard to the
> ClassCastException, you need to use the version that takes an
> SslContext for now, although this should be fixed later today.
From matt at matthicks.com Fri Dec 9 17:00:51 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Fri, 09 Dec 2016 22:00:51 +0000
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Michael, where are you getting SSLContextFactory from? I assumed it was
something built-in or available in Undertow.

On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote:

> Thanks guys. Michael, I'll try your code here in a bit to see if it makes
> any difference.
>
> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote:
>
> Prematurely hit send!
>
> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:
>
> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>
> Hi Michael, thanks for the response. What version of Undertow are you
> using?
>
> I'm using 1.3.20, so I'm a bit behind.
>
> Are you overriding the SSL certificate storage or using the example's?
From sdouglas at redhat.com Fri Dec 9 17:30:05 2016
From: sdouglas at redhat.com (Stuart Douglas)
Date: Sat, 10 Dec 2016 09:30:05 +1100
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

I just released 1.4.7.Final that should fix the ClassCastException that
you were seeing.

Your example code should work. What version of Undertow are you using, and
do you have the JCE unlimited strength ciphers installed?

Some versions of Undertow would attempt to enable HTTP/2 even if the
required ciphers were not installed, which would result in a connection
error as HTTP/2 would be negotiated with an incorrect cipher, and the
browser will kill the connection as a result. This could be fixed by either
installing the JCE unlimited strength policy files, or by disabling HTTP/2.

Stuart

On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt wrote:

> Michael, where are you getting SSLContextFactory from? I assumed it was
> something built-in or available in Undertow.
>
> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote:
>
>> Thanks guys. Michael, I'll try your code here in a bit to see if it
>> makes any difference.
From matt at matthicks.com Fri Dec 9 18:30:58 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Fri, 09 Dec 2016 23:30:58 +0000
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Stuart, I don't think I have the JCE Unlimited Strength policy files
installed. I'll look into seeing if that's the problem. I am currently
using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting
the same problem. It will probably be tomorrow before I can get the JCE
Unlimited Strength installed, but either way I should be seeing an error
but I am not.

Can you check that code snippet I posted? It's a simplified version of the
example you sent me previously that just outputs "Hello, World!". If you're
able to run it and it works then perhaps there's something wrong in my
machine configuration, but I'd like some confirmation.
> >>>>>>>
> >>>>>>> Thanks

From dieter at bogdoll.net Sat Dec 10 04:17:30 2016
From: dieter at bogdoll.net (Dieter Bogdoll)
Date: Sat, 10 Dec 2016 09:17:30 +0000
Subject: [undertow-dev] Undertow: How to use client cert auth with roles
Message-ID:

Hello Mailinglist,

I would like to use undertow for creating REST APIs. I also would like to use HTTPS for communication between client and server. The user should authenticate itself with a client certificate. On the server should be a component which takes the client certificate and uses some other service (properties file, database, ...) to determine which roles the user has (and therefore if and what parts of the REST API he can use).

I think I know how to listen only to HTTPS, but I'm not sure how to extract the relevant bits from the client certificate and how to set the groups/roles. The solution should be compatible with the Servlet API.

Is there some example code which I could look up, or some tutorial describing what I required?

Best regards,
Dieter

From krampenschiesser at gmail.com Sat Dec 10 06:30:56 2016
From: krampenschiesser at gmail.com (Christian Krampenschiesser)
Date: Sat, 10 Dec 2016 12:30:56 +0100
Subject: [undertow-dev] Wildcard routing and PathTemplate
Message-ID:

I added those 2 tests to RoutingHandlerTestCase:

@Test
public void testWildCardRoutingTemplateHandler2() throws IOException {
    TestHttpClient client = new TestHttpClient();
    try {
        HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL() + "/wilder/test/card");
        HttpResponse result = client.execute(get);
        Assert.assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
        Assert.assertEquals("wilder:[/test/card]", HttpClientUtils.readResponse(result));
    } finally {
        client.getConnectionManager().shutdown();
    }
}

@Test
public void testWildCardRoutingTemplateHandler3() throws IOException {
    TestHttpClient client = new TestHttpClient();
    try {
        HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL() + "/wildestBeast");
        HttpResponse result = client.execute(get);
        Assert.assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
        Assert.assertEquals("wildest:[Beast]", HttpClientUtils.readResponse(result));
    } finally {
        client.getConnectionManager().shutdown();
    }
}

Additional routes are:

.add(Methods.GET, "/wilder/*", new HttpHandler() {
    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        exchange.getResponseSender().send("wilder:" + exchange.getQueryParameters().get("*"));
    }
})
.add(Methods.GET, "/wildest*", new HttpHandler() {
    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        exchange.getResponseSender().send("wildest:" + exchange.getQueryParameters().get("*"));
    }
})

Now the problem is that without a part representing the wildcard at the pathtemplate the *PathTemplateMatcher* doesn't work, and therefore the routing doesn't either.

However when I try to fix the *PathTemplate* the actual matching doesn't work.

I have no problem digging a bit and fixing this issue, I just want to know which class should be the preferred class to fix it.

Enhance the *PathTemplateMatcher#match* to handle the index of c correctly (which is complicated because wrong base in pathTemplates)

or fix *PathTemplate#matches* and *PathTemplate#create*

I would be really happy to get some feedback, right now I feel more like mangling with the PathTemplate because it seems to be called only at creation/instantiation time instead of the Matcher which is called with every request.

From bill at dartalley.com Sat Dec 10 09:02:58 2016
From: bill at dartalley.com (Bill O'Neil)
Date: Sat, 10 Dec 2016 09:02:58 -0500
Subject: [undertow-dev] Wildcard routing and PathTemplate
In-Reply-To:
References:
Message-ID:

I didn't think the RoutingHandler currently supports wildcards. I'm also not sure what syntax you are using. Path parameters are handled using "/path/{param}". Yours is fetching query parameters but there is no query string so I am confused how it is working at all?

I achieved wildcards by mixing a PathHandler and a RoutingHandler. I use pathPrefix routes from the path handler for wildcards and RoutingHandler for the exact routes.

On Sat, Dec 10, 2016 at 6:30 AM, Christian Krampenschiesser <krampenschiesser at gmail.com> wrote:

> I added those 2 tests to RoutingHandlerTestCase:
>
> @Test
> public void testWildCardRoutingTemplateHandler2() throws IOException {
>     TestHttpClient client = new TestHttpClient();
>     try {
>         HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL() + "/wilder/test/card");
>         HttpResponse result = client.execute(get);
>         Assert.assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
>         Assert.assertEquals("wilder:[/test/card]", HttpClientUtils.readResponse(result));
>
>     } finally {
>         client.getConnectionManager().shutdown();
>     }
> }
>
> @Test
> public void testWildCardRoutingTemplateHandler3() throws IOException {
>     TestHttpClient client = new TestHttpClient();
>     try {
>         HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL() + "/wildestBeast");
>         HttpResponse result = client.execute(get);
>         Assert.assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
>         Assert.assertEquals("wildest:[Beast]", HttpClientUtils.readResponse(result));
>
>     } finally {
>         client.getConnectionManager().shutdown();
>     }
> }
>
> Additional routes are:
>
> .add(Methods.GET, "/wilder/*", new HttpHandler() {
>     @Override
>     public void handleRequest(HttpServerExchange exchange) throws Exception {
>         exchange.getResponseSender().send("wilder:" + exchange.getQueryParameters().get("*"));
>     }
> })
> .add(Methods.GET, "/wildest*", new HttpHandler() {
>     @Override
>     public void handleRequest(HttpServerExchange exchange) throws Exception {
>         exchange.getResponseSender().send("wildest:" + exchange.getQueryParameters().get("*"));
>     }
> })
>
> Now the problem is that without a part representing the wildcard at the pathtemplate the *PathTemplateMatcher* doesn't work, and therefore the routing doesn't either.
>
> However when I try to fix the *PathTemplate* the actual matching doesn't work.
>
> I have no problem digging a bit and fixing this issue, I just want to know which class should be the preferred class to fix it.
>
> Enhance the *PathTemplateMatcher#match* to handle the index of c correctly (which is complicated because wrong base in pathTemplates)
>
> or fix *PathTemplate#matches* and *PathTemplate#create*
>
> I would be really happy to get some feedback, right now I feel more like mangling with the PathTemplate because it seems to be called only at creation/instantiation time instead of the Matcher which is called with every request.

From matt at matthicks.com Sat Dec 10 10:15:38 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Sat, 10 Dec 2016 15:15:38 +0000
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

I've updated to 1.4.7.Final, I switched to passing an Array of keyManagers and an Array of trustManagers, I've tried commenting out ENABLE_HTTP2, I've installed the JCE Unlimited Strength (and verified it's being used) and I'm consistently getting ERR_CONNECTION_CLOSED when I try to connect to https://localhost:8443

If I connect to http://localhost:8080 then I get the expected "Hello, World!". If someone could just test that snippet and tell me if they can repeat the problem it would be greatly appreciated.

On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt wrote:
> Stuart, I don't think I have the JCE Unlimited Strength policy files
> installed. I'll look into seeing if that's the problem. I am currently
> using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting
> the same problem. It will probably be tomorrow before I can get the JCE
> Unlimited Strength installed, but either way I should be seeing an error
> but I am not.
>
> Can you check that code snippet I posted? It's a simplified version of
> the example you sent me previously that just outputs "Hello, World!". If
> you're able to run it and it works then perhaps there's something wrong in
> my machine configuration, but I'd like some confirmation.
>
> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas wrote:
>
> I just released 1.4.7.Final that should fix the ClassCastException that
> you were seeing.
>
> Your example code should work. What version of Undertow are you using, and
> do you have the JCE unlimited strength ciphers installed?
>
> Some versions of Undertow would attempt to enable HTTP/2 even if the
> required ciphers were not installed, which would result in a connection
> error as HTTP/2 would be negotiated with an incorrect cipher, and the
> browser will kill the connection as a result. This could be fixed by either
> installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>
> Stuart
>
> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt wrote:
>
> Michael, where are you getting SSLContextFactory from? I assumed it was
> something built-in or available in Undertow.
>
> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote:
>
> Thanks guys. Michael, I'll try your code here in a bit to see if it makes
> any difference.
>
> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote:
>
> Prematurely hit send!
>
> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:
>
> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>
> Hi Michael, thanks for the response. What version of Undertow are you
> using?
>
> I'm using 1.3.20, so I'm a bit behind.
>
> Are you overriding the SSL certificate storage or using the example's?
>
> I'm just creating the SSLContext that's passed to the builder via
> addHttpsListener directly from the standard JVM properties, eg
> javax.net.ssl.keyStore
>
> This is the basic code for that:
>
> public static SSLContext createSSLContext(final Options theOptions) throws SSLException {
>     return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
>             theOptions.get(ServerOptions.KEY_STORE),
>             theOptions.get(ServerOptions.KEY_STORE_PASSWD),
>             theOptions.get(ServerOptions.TRUST_STORE_TYPE),
>             theOptions.get(ServerOptions.TRUST_STORE),
>             theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
> }
>
> I tweak the XNIO properties for SSL in the event the user needs client
> auth:
>
> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
>
> At that point, it works nicely.
>
> Would you mind terribly trying the exact code snippet and see if it works
> for you? This is very confusing if it's a problem on my end...especially
> since HTTP works fine.
>
> I can try to run it over the weekend, I'm a bit swamped with day to day
> stuff atm.
>
> Cheers,
>
> Mike
>
> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove wrote:
>
> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt wrote:
>
> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>
> It's working fine for me, and I'm using a setup almost exactly like what's
> shown in the examples.
>
> I copied and pasted the example into my project and am getting the same
> results. I modified it to not do any proxying, but the server isn't
> responding properly and my anonymous HttpHandler is never invoked:
>
> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>
> This is incredibly frustrating. Stuart, tell me if I shouldn't be using
> Undertow for SSL support and I'll start migrating to wrap with nginx.
>
> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas wrote:
>
> Here is an example:
>
> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>
> Looks like you have run into a bug, with regard to the
> ClassCastException, you need to use the version that takes an
> SslContext for now, although this should be fixed later today.
>
> Stuart
>
> On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt wrote:
> > Well, I switched to using the signature that takes the KeyManagers array and
> > TrustManagers array and now I'm at least getting an error:
> >
> > java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection cannot be
> > cast to io.undertow.protocols.ssl.UndertowSslConnection at
> > io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)
> >
> > This seems like a really flimsy implementation. Am I better off just
> > wrapping Undertow with Apache or Nginx?
> >
> > On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil wrote:
> >>
> >> Hmm I'm not sure. I SSL terminate before I hit undertow.
> >>
> >> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt wrote:
> >>>
> >>> Also, to clarify, the HttpHandler's handleRequest is never being called.
> >>>
> >>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt wrote:
> >>>>
> >>>> It was worth a try, but no change. Thanks for the suggestion though.
> >>>>
> >>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil wrote:
> >>>>>
> >>>>> Try the constructor with 4 args where you also pass a handler.
> >>>>>
> >>>>> public Builder addHttpsListener(int port, String host,
> >>>>> SSLContext sslContext, HttpHandler rootHandler) {
> >>>>>
> >>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt wrote:
> >>>>>>
> >>>>>> I've made some progress. After adding the following to the builder:
> >>>>>>
> >>>>>> val password = config.https.password.get.toCharArray
> >>>>>> val keyStore = KeyStore.getInstance("JKS")
> >>>>>> val keyStoreFile = config.https.keyStoreLocation.get
> >>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the location: ${keyStoreFile.getAbsolutePath}")
> >>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
> >>>>>> keyStore.load(keyStoreInput, password)
> >>>>>> val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
> >>>>>> keyManagerFactory.init(keyStore, password)
> >>>>>> val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
> >>>>>> trustManagerFactory.init(keyStore)
> >>>>>> val sslContext = SSLContext.getInstance("TLS")
> >>>>>> sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
> >>>>>> builder.addHttpsListener(config.https.port.get, config.https.host.get, sslContext)
> >>>>>>
> >>>>>> Everything starts as expected, no errors, but when I hit
> >>>>>> localhost:8443 with the browser it says "localhost didn't send any data".
> >>>>>>
> >>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
> >>>>>> well?
> >>>>>>
> >>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt wrote:
> >>>>>>>
> >>>>>>> Is there any documentation for configuring SSL on my server? I was
> >>>>>>> looking through the online docs and found nothing (apart from "Assembling a
> >>>>>>> Server Manually").
> >>>>>>>
> >>>>>>> Any assistance would be appreciated.
> >>>>>>>
> >>>>>>> Thanks

From bill at dartalley.com Sat Dec 10 10:45:31 2016
From: bill at dartalley.com (Bill O'Neil)
Date: Sat, 10 Dec 2016 10:45:31 -0500
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Matt, did you try turning on logging? Here are the two errors I get. Stuart, maybe you can help from this; I don't know much about SSL.

This error is on server start. I'm running JDK 8.

java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
    at java.lang.Class.getMethod(Class.java:1786)
    at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
    at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
    at java.security.AccessController.doPrivileged(Native Method)
    at io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at java.lang.Class.newInstance(Class.java:442)
    at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
    at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
    at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
    at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
    at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
    at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:67)
    at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:90)
    at io.undertow.Undertow.start(Undertow.java:177)
    at com.dartalley.function.Http2Server.main(Http2Server.java:70)

The following errors happen on request to the localhost:8443 from Matt's code which leads to an empty response.

10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred
javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
    at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
    at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
    at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
    at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
    at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
    at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
    at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
    at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An IOException occurred
javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
    at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
    at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An IOException occurred
javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
    at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
    at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)

On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt wrote:
> I've updated to 1.4.7.Final, I switched to passing an Array of keyManagers
> and an Array of trustManagers, I've tried commenting out ENABLE_HTTP2, I've
> installed the JCE Unlimited Strength (and verified it's being used) and I'm
> consistently getting ERR_CONNECTION_CLOSED when I try to connect to
> https://localhost:8443
>
> If I connect to http://localhost:8080 then I get the expected "Hello,
> World!". If someone could just test that snippet and tell me if they can
> repeat the problem it would be greatly appreciated.
>
> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt wrote:
>
>> Stuart, I don't think I have the JCE Unlimited Strength policy files
>> installed. I'll look into seeing if that's the problem. I am currently
>> using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting
>> the same problem. It will probably be tomorrow before I can get the JCE
>> Unlimited Strength installed, but either way I should be seeing an error
>> but I am not.
>>
>> Can you check that code snippet I posted? It's a simplified version of
>> the example you sent me previously that just outputs "Hello, World!". If
>> you're able to run it and it works then perhaps there's something wrong in
>> my machine configuration, but I'd like some confirmation.
>>
>> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas wrote:
>>
>> I just released 1.4.7.Final that should fix the ClassCastException that
>> you were seeing.
>>
>> Your example code should work. What version of Undertow are you using,
>> and do you have the JCE unlimited strength ciphers installed?
>>
>> Some versions of Undertow would attempt to enable HTTP/2 even if the
>> required ciphers were not installed, which would result in a connection
>> error as HTTP/2 would be negotiated with an incorrect cipher, and the
>> browser will kill the connection as a result. This could be fixed by either
>> installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>>
>> Stuart
>>
>> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt wrote:
>>
>> Michael, where are you getting SSLContextFactory from? I assumed it was
>> something built-in or available in Undertow.
>>
>> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote:
>>
>> Thanks guys. Michael, I'll try your code here in a bit to see if it
>> makes any difference.
>>
>> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote:
>>
>> Prematurely hit send!
>>
>> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:
>>
>> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>>
>> Hi Michael, thanks for the response. What version of Undertow are you
>> using?
>>
>> I'm using 1.3.20, so I'm a bit behind.
>>
>> Are you overriding the SSL certificate storage or using the example's?
>>
>> I'm just creating the SSLContext that's passed to the builder via
>> addHttpsListener directly from the standard JVM properties, eg
>> javax.net.ssl.keyStore
>>
>> This is the basic code for that:
>>
>> public static SSLContext createSSLContext(final Options theOptions) throws SSLException {
>>     return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
>>             theOptions.get(ServerOptions.KEY_STORE),
>>             theOptions.get(ServerOptions.KEY_STORE_PASSWD),
>>             theOptions.get(ServerOptions.TRUST_STORE_TYPE),
>>             theOptions.get(ServerOptions.TRUST_STORE),
>>             theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
>> }
>>
>> I tweak the XNIO properties for SSL in the event the user needs client
>> auth:
>>
>> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
>>
>> At that point, it works nicely.
>>
>> Would you mind terribly trying the exact code snippet and see if it works
>> for you? This is very confusing if it's a problem on my end...especially
>> since HTTP works fine.
>>
>> I can try to run it over the weekend, I'm a bit swamped with day to day
>> stuff atm.
>>
>> Cheers,
>>
>> Mike
>>
>> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove wrote:
>>
>> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt wrote:
>>
>> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>>
>> It's working fine for me, and I'm using a setup almost exactly like
>> what's shown in the examples.
>>
>> I copied and pasted the example into my project and am getting the same
>> results. I modified it to not do any proxying, but the server isn't
>> responding properly and my anonymous HttpHandler is never invoked:
>>
>> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>>
>> This is incredibly frustrating. Stuart, tell me if I shouldn't be using
>> Undertow for SSL support and I'll start migrating to wrap with nginx.
>>
>> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas wrote:
>>
>> Here is an example:
>>
>> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>>
>> Looks like you have run into a bug, with regard to the
>> ClassCastException, you need to use the version that takes an
>> SslContext for now, although this should be fixed later today.
>>
>> Stuart
>>
>> On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt wrote:
>> > Well, I switched to using the signature that takes the KeyManagers array and
>> > TrustManagers array and now I'm at least getting an error:
>> >
>> > java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection cannot be
>> > cast to io.undertow.protocols.ssl.UndertowSslConnection at
>> > io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)
>> >
>> > This seems like a really flimsy implementation. Am I better off just
>> > wrapping Undertow with Apache or Nginx?
>> >
>> > On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil wrote:
>> >>
>> >> Hmm I'm not sure. I SSL terminate before I hit undertow.
>> >>
>> >> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt wrote:
>> >>>
>> >>> Also, to clarify, the HttpHandler's handleRequest is never being called.
>> >>>
>> >>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt wrote:
>> >>>>
>> >>>> It was worth a try, but no change. Thanks for the suggestion though.
>> >>>>
>> >>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil wrote:
>> >>>>>
>> >>>>> Try the constructor with 4 args where you also pass a handler.
>> >>>>>
>> >>>>> public Builder addHttpsListener(int port, String host,
>> >>>>> SSLContext sslContext, HttpHandler rootHandler) {
>> >>>>>
>> >>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt wrote:
>> >>>>>>
>> >>>>>> I've made some progress. After adding the following to the builder:
>> >>>>>>
>> >>>>>> val password = config.https.password.get.toCharArray
>> >>>>>> val keyStore = KeyStore.getInstance("JKS")
>> >>>>>> val keyStoreFile = config.https.keyStoreLocation.get
>> >>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the location: ${keyStoreFile.getAbsolutePath}")
>> >>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
>> >>>>>> keyStore.load(keyStoreInput, password)
>> >>>>>> val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
>> >>>>>> keyManagerFactory.init(keyStore, password)
>> >>>>>> val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
>> >>>>>> trustManagerFactory.init(keyStore)
>> >>>>>> val sslContext = SSLContext.getInstance("TLS")
>> >>>>>> sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
>> >>>>>> builder.addHttpsListener(config.https.port.get, config.https.host.get, sslContext)
>> >>>>>>
>> >>>>>> Everything starts as expected, no errors, but when I hit
>> >>>>>> localhost:8443 with the browser it says "localhost didn't send any data".
>> >>>>>>
>> >>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
>> >>>>>> well?
>> >>>>>>
>> >>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt wrote:
>> >>>>>>>
>> >>>>>>> Is there any documentation for configuring SSL on my server? I was
>> >>>>>>> looking through the online docs and found nothing (apart from "Assembling a
>> >>>>>>> Server Manually").
>> >>>>>>>
>> >>>>>>> Any assistance would be appreciated.
>> >>>>>>>
>> >>>>>>> Thanks

From bill at dartalley.com Sat Dec 10 10:51:29 2016
From: bill at dartalley.com (Bill O'Neil)
Date: Sat, 10 Dec 2016 10:51:29 -0500
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Oops I forgot https://localhost:8443. Now it is giving me localhost unexpectedly closed the connection. With no errors. I also don't have a cert set up but I would think that should throw an error?

The on startup JDK9 issue is still there.

On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil wrote:

> Matt did you try turning on logging? Here are the two errors I get. Stuart
> maybe you can help from this I don't know much about SSL.
>
> This error is on server start. I'm running JDK 8.
>
> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
>     at java.lang.Class.getMethod(Class.java:1786)
>     at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
>     at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>     at java.lang.Class.newInstance(Class.java:442)
>     at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>     at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>     at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>     at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
>     at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
>     at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:67)
>     at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:90)
>     at io.undertow.Undertow.start(Undertow.java:177)
>     at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>
> The following errors happen on request to the localhost:8443 from Matt's
> code which leads to an empty response.
>
> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>     at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>     at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>     at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
>     at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
>     at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
>     at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
>     at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
>     at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>     at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
>     at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>     at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>     at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
>     at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
> 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>     at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>     at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>     at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>     at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>     at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
>     at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>     at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>     at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>     at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>     at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>     at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
>     at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>
> On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt wrote:
>
>> I've updated to 1.4.7.Final, I switched to passing an Array of
>> keyManagers and an Array of trustManagers, I've tried commenting out
>> ENABLE_HTTP2, I've installed the JCE Unlimited Strength (and verified it's
>> being used) and I'm consistently getting ERR_CONNECTION_CLOSED when I try
>> to connect to https://localhost:8443
>>
>> If I connect to http://localhost:8080 then I get the expected "Hello,
>> World!". If someone could just test that snippet and tell me if they can
>> repeat the problem it would be greatly appreciated.
>>
>> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt wrote:
>>
>>> Stuart, I don't think I have the JCE Unlimited Strength policy files
>>> installed. I'll look into seeing if that's the problem. I am currently
>>> using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting
>>> the same problem. It will probably be tomorrow before I can get the JCE
>>> Unlimited Strength installed, but either way I should be seeing an error
>>> but I am not.
>>>
>>> Can you check that code snippet I posted? It's a simplified version of
>>> the example you sent me previously that just outputs "Hello, World!". If
>>> you're able to run it and it works then perhaps there's something wrong in
>>> my machine configuration, but I'd like some confirmation.
>>>
>>> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas wrote:
>>>
>>> I just released 1.4.7.Final that should fix the ClassCastException that
>>> you were seeing.
>>>
>>> Your example code should work. What version of Undertow are you using,
>>> and do you have the JCE unlimited strength ciphers installed?
>>>
>>> Some versions of Undertow would attempt to enable HTTP/2 even if the
>>> required ciphers were not installed, which would result in a connection
>>> error as HTTP/2 would be negotiated with an incorrect cipher, and the
>>> browser will kill the connection as a result. This could be fixed by either
>>> installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>>>
>>> Stuart
>>>
>>> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt wrote:
>>>
>>> Michael, where are you getting SSLContextFactory from? I assumed it was
>>> something built-in or available in Undertow.
>>>
>>> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote:
>>>
>>> Thanks guys. Michael, I'll try your code here in a bit to see if it
>>> makes any difference.
>>>
>>> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote:
>>>
>>> Prematurely hit send!
>>>
>>> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:
>>>
>>> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>>>
>>> Hi Michael, thanks for the response. What version of Undertow are you
>>> using?
>>>
>>> I'm using 1.3.20, so I'm a bit behind.
>>>
>>> Are you overriding the SSL certificate storage or using the example's?
>>>
>>> I'm just creating the SSLContext that's passed to the builder via
>>> addHttpsListener directly from the standard JVM properties, eg
>>> javax.net.ssl.keyStore
>>>
>>> This is the basic code for that:
>>>
>>> public static SSLContext createSSLContext(final Options theOptions) throws SSLException {
>>>     return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
>>>             theOptions.get(ServerOptions.KEY_STORE),
>>>             theOptions.get(ServerOptions.KEY_STORE_PASSWD),
>>>             theOptions.get(ServerOptions.TRUST_STORE_TYPE),
>>>             theOptions.get(ServerOptions.TRUST_STORE),
>>>             theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
>>> }
>>>
>>> I tweak the XNIO properties for SSL in the event the user needs client
>>> auth:
>>>
>>> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
>>>
>>> At that point, it works nicely.
>>>
>>> Would you mind terribly trying the exact code snippet and see if it
>>> works for you? This is very confusing if it's a problem on my
>>> end...especially since HTTP works fine.
>>>
>>> I can try to run it over the weekend, I'm a bit swamped with day to day
>>> stuff atm.
>>>
>>> Cheers,
>>>
>>> Mike
>>>
>>> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove wrote:
>>>
>>> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt wrote:
>>>
>>> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>>>
>>> It's working fine for me, and I'm using a setup almost exactly like
>>> what's shown in the examples.
>>>
>>> I copied and pasted the example into my project and am getting the same
>>> results. I modified it to not do any proxying, but the server isn't
>>> responding properly and my anonymous HttpHandler is never invoked:
>>>
>>> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>>>
>>> This is incredibly frustrating. Stuart, tell me if I shouldn't be using
>>> Undertow for SSL support and I'll start migrating to wrap with nginx.
>>>
>>> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas wrote:
>>>
>>> Here is an example:
>>>
>>> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>>>
>>> Looks like you have run into a bug, with regard to the
>>> ClassCastException, you need to use the version that takes an
>>> SslContext for now, although this should be fixed later today.
>>>
>>> Stuart
>>>
>>> On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt wrote:
>>> > Well, I switched to using the signature that takes the KeyManagers array and
>>> > TrustManagers array and now I'm at least getting an error:
>>> >
>>> > java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection cannot be cast to io.undertow.protocols.ssl.UndertowSslConnection
>>> >     at io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)
>>> >
>>> > This seems like a really flimsy implementation. Am I better off just
>>> > wrapping Undertow with Apache or Nginx?
>>> >
>>> > On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil wrote:
>>> >>
>>> >> Hmm I'm not sure. I SSL terminate before I hit undertow.
>>> >>
>>> >> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt wrote:
>>> >>>
>>> >>> Also, to clarify, the HttpHandler's handleRequest is never being called.
>>> >>>
>>> >>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt wrote:
>>> >>>>
>>> >>>> It was worth a try, but no change. Thanks for the suggestion though.
>>> >>>>
>>> >>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil wrote:
>>> >>>>>
>>> >>>>> Try the constructor with 4 args where you also pass a handler.
>>> >>>>>
>>> >>>>> public Builder addHttpsListener(int port, String host,
>>> >>>>> SSLContext sslContext, HttpHandler rootHandler) {
>>> >>>>>
>>> >>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt wrote:
>>> >>>>>>
>>> >>>>>> I've made some progress. After adding the following to the builder:
>>> >>>>>>
>>> >>>>>> val password = config.https.password.get.toCharArray
>>> >>>>>> val keyStore = KeyStore.getInstance("JKS")
>>> >>>>>> val keyStoreFile = config.https.keyStoreLocation.get
>>> >>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the location: ${keyStoreFile.getAbsolutePath}")
>>> >>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
>>> >>>>>> keyStore.load(keyStoreInput, password)
>>> >>>>>> val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
>>> >>>>>> keyManagerFactory.init(keyStore, password)
>>> >>>>>> val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
>>> >>>>>> trustManagerFactory.init(keyStore)
>>> >>>>>> val sslContext = SSLContext.getInstance("TLS")
>>> >>>>>> sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
>>> >>>>>> builder.addHttpsListener(config.https.port.get, config.https.host.get, sslContext)
>>> >>>>>>
>>> >>>>>> Everything starts as expected, no errors, but when I hit
>>> >>>>>> localhost:8443 with the browser it says "localhost didn't send any data".
>>> >>>>>>
>>> >>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
>>> >>>>>> well?
>>> >>>>>>
>>> >>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt wrote:
>>> >>>>>>>
>>> >>>>>>> Is there any documentation for configuring SSL on my server? I was
>>> >>>>>>> looking through the online docs and found nothing (apart from
>>> >>>>>>> "Assembling a Server Manually").
>>> >>>>>>>
>>> >>>>>>> Any assistance would be appreciated.
>>> >>>>>>>
>>> >>>>>>> Thanks

From matt at matthicks.com Sat Dec 10 10:58:08 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Sat, 10 Dec 2016 15:58:08 +0000
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Thanks Bill....I don't feel as crazy now. ;)

On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote:

> Oops I forgot https://localhost:8443. Now it is giving me localhost
> unexpectedly closed the connection. With no errors. I also don't have a
> cert set up but I would think that should throw an error?
>
> The on startup JDK9 issue is still there.

From bill at dartalley.com Sat Dec 10 11:05:02 2016
From: bill at dartalley.com (Bill O'Neil)
Date: Sat, 10 Dec 2016 11:05:02 -0500
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Here is the trace; it occurs with Http2 true and false. Issue seems to be javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

2016-12-10 11:03:03.669 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch.ServerSocketChannelImpl[/127.0.0.1:8443]
2016-12-10 11:03:03.670 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
2016-12-10 11:03:03.670 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64
2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
2016-12-10 11:03:03.671 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener Delegating channel listener -> Accepting listener for io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP server (NIO) <13f5555f>
2016-12-10 11:03:03.671 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch.ServerSocketChannelImpl[/127.0.0.1:8443]
2016-12-10 11:03:03.671 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener Accepting listener for io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.UndertowAcceptingSslChannel at 328f1eb6
2016-12-10 11:03:03.671 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
2016-12-10 11:03:03.674 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92
2016-12-10 11:03:03.675 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 49c6180b
2016-12-10 11:03:03.675 [XNIO-1 I/O-4] TRACE io.undertow.request - Opened connection with /127.0.0.1:56854
2016-12-10 11:03:03.676 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64
2016-12-10 11:03:03.681 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout)
2016-12-10 11:03:03.681 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking listener Delegating channel listener -> Accepting listener for io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP server (NIO) <13f5555f>
2016-12-10 11:03:03.683 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking listener Accepting listener for io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.UndertowAcceptingSslChannel at 328f1eb6
2016-12-10 11:03:03.685 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450
2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE io.undertow.request - Opened connection with /127.0.0.1:56856
2016-12-10 11:03:03.690 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - Selected key sun.nio.ch.SelectionKeyImpl at 673b2384 for java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/127.0.0.1:56854]
2016-12-10 11:03:03.691 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b (with timeout)
2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 on channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad
2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout)
2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 49c6180b
2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task io.undertow.protocols.ssl.SslConduit$5$1 at 32b59207
2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task io.undertow.protocols.ssl.SslConduit$5$1 at 7c204b59
2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE io.undertow.request.io - Exception closing read side of SSL channel
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
    at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
    at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612)
    at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983)
    at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078)
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799)
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
    at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
2016-12-10 11:03:03.697 [XNIO-1 I/O-4] TRACE io.undertow.request.io - Exception closing read side of SSL channel
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
    at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
    at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612)
    at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983)
    at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078)
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799)
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
    at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
2016-12-10 11:03:03.697 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking listener io.undertow.server.AbstractServerConnection$CloseSetter at 55df2063 on channel io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450
2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener io.undertow.server.AbstractServerConnection$CloseSetter at 42277317 on channel io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92
2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - Closing resource org.xnio.nio.NioSocketStreamConnection at 50bf3bfc
2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing resource org.xnio.nio.NioSocketStreamConnection at 4196fbe
2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.nio - Cancelling key sun.nio.ch.SelectionKeyImpl at 4805f11b of java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/127.0.0.1:56856] (same thread)
2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.nio - Cancelling key sun.nio.ch.SelectionKeyImpl at 673b2384 of java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/127.0.0.1:56854] (same thread)
2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - Closing resource io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450
2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
2016-12-10 11:03:03.699 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing resource io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92
2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio - Running task org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083
2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task io.undertow.protocols.ssl.SslConduit$1 at 77593ca5
2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task io.undertow.protocols.ssl.SslConduit$1 at 3548b3ac
2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio - Running task org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083
2016-12-10 11:03:03.700 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking listener io.undertow.server.protocol.http.HttpReadListener at 6962bde3 on channel org.xnio.conduits.ConduitStreamSourceChannel at 45125494
2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 on channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad
2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - Closing resource io.undertow.server.protocol.http.HttpServerConnection at 6cdbf711
2016-12-10 11:03:03.701 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing resource io.undertow.server.protocol.http.HttpServerConnection at 4bcc5cdf
2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task io.undertow.protocols.ssl.SslConduit$2 at 52d9523b
2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
io.undertow.protocols.ssl.SslConduit$2 at 320a217a 2016-12-10 11:03:03.702 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 2016-12-10 11:03:03.714 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 2016-12-10 11:03:03.715 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch.ServerSocketChannelImpl[/127.0.0.1:8443] 2016-12-10 11:03:03.716 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 2016-12-10 11:03:03.717 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 2016-12-10 11:03:03.718 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener Delegating channel listener -> Accepting listener for io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP server (NIO) <13f5555f> 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener Accepting listener for io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.UndertowAcceptingSslChannel at 328f1eb6 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE io.undertow.request - Opened connection with /127.0.0.1:56858 2016-12-10 11:03:03.724 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout) 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE 
org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task io.undertow.protocols.ssl.SslConduit$5$1 at 47e5be01 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE io.undertow.request.io - Exception closing read side of SSL channel javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612) at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener io.undertow.server.AbstractServerConnection$CloseSetter at 3457fbeb on channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing resource org.xnio.nio.NioSocketStreamConnection at 1fd60afd 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.nio - Cancelling key sun.nio.ch.SelectionKeyImpl at 7da1dc1a of java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/ 127.0.0.1:56858] (same thread) 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing resource 
io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task io.undertow.protocols.ssl.SslConduit$1 at 11f5487 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio - Running task org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener io.undertow.server.protocol.http.HttpReadListener at 6b60e713 on channel org.xnio.conduits.ConduitStreamSourceChannel at 60e3d137 2016-12-10 11:03:03.731 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 2016-12-10 11:03:03.731 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing resource io.undertow.server.protocol.http.HttpServerConnection at 4f4dae34 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task io.undertow.protocols.ssl.SslConduit$2 at 348d6036 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt wrote: > Thanks Bill....I don't feel as crazy now. ;) > > On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote: > >> Oops I forgot https://localhost:8443. Now it is giving me localhost >> unexpectedly closed the connection. With no errors. I also don't have a >> cert set up but I would think that should throw an error? >> >> The on startup JDK9 issue is still there. >> >> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil wrote: >> >> Matt did you try turning on logging? Here are the two errors I get. >> Stuart maybe you can help from this I don't know much about SSL. >> >> This error is on server start. I'm running JDK 8. >> >> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters. 
>> setApplicationProtocols([Ljava.lang.String;)
>> at java.lang.Class.getMethod(Class.java:1786)
>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(
>> JDK9AlpnProvider.java:47)
>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(
>> JDK9AlpnProvider.java:43)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at io.undertow.protocols.alpn.JDK9AlpnProvider.(
>> JDK9AlpnProvider.java:43)
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(
>> NativeConstructorAccessorImpl.java:62)
>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
>> DelegatingConstructorAccessorImpl.java:45)
>> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>> at java.lang.Class.newInstance(Class.java:442)
>> at java.util.ServiceLoader$LazyIterator.nextService(
>> ServiceLoader.java:380)
>> at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>> at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
>> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
>> at io.undertow.server.protocol.http.AlpnOpenListener.(
>> AlpnOpenListener.java:67)
>> at io.undertow.server.protocol.http.AlpnOpenListener.(
>> AlpnOpenListener.java:90)
>> at io.undertow.Undertow.start(Undertow.java:177)
>> at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>>
>> The following errors happen on request to the localhost:8443 from Matt's
>> code which leads to an empty response.
>>
>> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An
>> IOException occurred
>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is
>> not a handshake record
>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.
>> exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(
>> ALPNHackSSLEngine.java:205)
>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
>> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
>> at org.xnio.conduits.ConduitStreamSourceChannel.read(
>> ConduitStreamSourceChannel.java:127)
>> at io.undertow.server.protocol.http.AlpnOpenListener$
>> AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
>> at io.undertow.server.protocol.http.AlpnOpenListener.
>> handleEvent(AlpnOpenListener.java:249)
>> at io.undertow.server.protocol.http.AlpnOpenListener.
>> handleEvent(AlpnOpenListener.java:60)
>> at org.xnio.ChannelListeners.invokeChannelListener(
>> ChannelListeners.java:92)
>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
>> at org.xnio.ChannelListeners.invokeChannelListener(
>> ChannelListeners.java:92)
>> at org.xnio.ChannelListeners$DelegatingChannelListener.
>> handleEvent(ChannelListeners.java:1092)
>> at org.xnio.ChannelListeners.invokeChannelListener(
>> ChannelListeners.java:92)
>> at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>> 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An
>> IOException occurred
>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is
>> not a handshake record
>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.
>> exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(
>> ALPNHackSSLEngine.java:205)
>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(
>> SslConduit.java:1097)
>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An
>> IOException occurred
>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is
>> not a handshake record
>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.
>> exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(
>> ALPNHackSSLEngine.java:205)
>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(
>> SslConduit.java:1097)
>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>
>> On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt wrote:
>>
>> I've updated to 1.4.7.Final, I switched to passing an Array of
>> keyManagers and an Array of trustManagers, I've tried commenting out
>> ENABLE_HTTP2, I've installed the JCE Unlimited Strength (and verified it's
>> being used) and I'm consistently getting ERR_CONNECTION_CLOSED when I try
>> to connect to https://localhost:8443
>>
>> If I connect to http://localhost:8080 then I get the expected "Hello,
>> World!". If someone could just test that snippet and tell me if they can
>> repeat the problem it would be greatly appreciated.
>>
>> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt wrote:
>>
>> Stuart, I don't think I have the JCE Unlimited Strength policy files
>> installed. I'll look into seeing if that's the problem. I am currently
>> using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting
>> the same problem. It will probably be tomorrow before I can get the JCE
>> Unlimited Strength installed, but either way I should be seeing an error
>> but I am not.
>>
>> Can you check that code snippet I posted? It's a simplified version of
>> the example you sent me previously that just outputs "Hello, World!". If
>> you're able to run it and it works then perhaps there's something wrong in
>> my machine configuration, but I'd like some confirmation.
>>
>> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas
>> wrote:
>>
>> I just released 1.4.7.Final that should fix the ClassCastException that
>> you were seeing.
>>
>> Your example code should work. What version of Undertow are you using,
>> and do you have the JCE unlimited strength ciphers installed?
>>
>> Some versions of Undertow would attempt to enable HTTP/2 even if the
>> required ciphers were not installed, which would result in a connection
>> error as HTTP/2 would be negotiated with an incorrect cipher, and the
>> browser will kill the connection as a result. This could be fixed by either
>> installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>>
>> Stuart
>>
>> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt wrote:
>>
>> Michael, where are you getting SSLContextFactory from? I assumed it was
>> something built-in or available in Undertow.
>>
>> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote:
>>
>> Thanks guys. Michael, I'll try your code here in a bit to see if it
>> makes any difference.
>>
>> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote:
>>
>> Prematurely hit send!
>>
>> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:
>>
>> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>>
>> Hi Michael, thanks for the response. What version of Undertow are you
>> using?
>>
>> I'm using 1.3.20, so I'm a bit behind.
>>
>> Are you overriding the SSL certificate storage or using the example's?
>>
>> I'm just creating the SSLContext that's passed to the builder via
>> addHttpsListener directly from the standard JVM properties, eg
>> javax.net.ssl.keyStore
>>
>> This is the basic code for that:
>>
>> public static SSLContext createSSLContext(final Options theOptions) throws SSLException {
>>     return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
>>             theOptions.get(ServerOptions.KEY_STORE),
>>             theOptions.get(ServerOptions.KEY_STORE_PASSWD),
>>             theOptions.get(ServerOptions.TRUST_STORE_TYPE),
>>             theOptions.get(ServerOptions.TRUST_STORE),
>>             theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
>> }
>>
>> I tweak the XNIO properties for SSL in the event the user needs client
>> auth:
>>
>> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
>>
>> At that point, it works nicely.
>>
>> Would you mind terribly trying the exact code snippet and see if it works
>> for you? This is very confusing if it's a problem on my end...especially
>> since HTTP works fine.
>>
>> I can try to run it over the weekend, I'm a bit swamped with day to day
>> stuff atm.
>>
>> Cheers,
>>
>> Mike
>>
>> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove wrote:
>>
>> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt wrote:
>>
>> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>>
>> It's working fine for me, and I'm using a setup almost exactly like
>> what's shown in the examples.
>>
>> I copied and pasted the example into my project and am getting the same
>> results. I modified it to not do any proxying, but the server isn't
>> responding properly and my anonymous HttpHandler is never invoked:
>>
>> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>>
>> This is incredibly frustrating. Stuart, tell me if I shouldn't be using
>> Undertow for SSL support and I'll start migrating to wrap with nginx.
>>
>> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas
>> wrote:
>>
>> Here is an example:
>>
>> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>>
>> Looks like you have run into a bug, with regard to the
>> ClassCastException, you need to use the version that take
>>

From sdouglas at redhat.com Sat Dec 10 18:44:56 2016
From: sdouglas at redhat.com (Stuart Douglas)
Date: Sun, 11 Dec 2016 10:44:56 +1100
Subject: [undertow-dev] SSL Documentation

I also failed to run the example, until I realized that the code does not validate that the keystore is loaded correctly (passing 'null' into KeyStore.load apparently works without error).

Are you sure you are actually loading the keystore correctly (maybe add a null check into the loading code)?

Stuart

On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote:

> Here is the trace; it occurs with Http2 true and false. Issue seems to be
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083
> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener io.undertow.server.protocol.http.HttpReadListener at 6b60e713 on
> channel org.xnio.conduits.ConduitStreamSourceChannel at 60e3d137
> 2016-12-10 11:03:03.731 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.731 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing
> resource io.undertow.server.protocol.http.HttpServerConnection at 4f4dae34
> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
> io.undertow.protocols.ssl.SslConduit$2 at 348d6036
> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
>
>
> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt wrote:
>
>> Thanks Bill....I don't feel as crazy now. ;)
>>
>> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote:
>>
>>> Oops I forgot https://localhost:8443. Now it is giving me localhost
>>> unexpectedly closed the connection. With no errors. I also don't have a
>>> cert set up but I would think that should throw an error?
>>>
>>> The on startup JDK9 issue is still there.
>>>
>>> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil wrote:
>>>
>>> Matt did you try turning on logging? Here are the two errors I get.
>>> Stuart maybe you can help from this I don't know much about SSL.
>>>
>>> This error is on server start. I'm running JDK 8.
>>> >>> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.se >>> tApplicationProtocols([Ljava.lang.String;) >>> at java.lang.Class.getMethod(Class.java:1786) >>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnPr >>> ovider.java:47) >>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnPr >>> ovider.java:43) >>> at java.security.AccessController.doPrivileged(Native Method) >>> at io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9Alp >>> nProvider.java:43) >>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) >>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native >>> ConstructorAccessorImpl.java:62) >>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De >>> legatingConstructorAccessorImpl.java:45) >>> at java.lang.reflect.Constructor.newInstance(Constructor.java:422) >>> at java.lang.Class.newInstance(Class.java:442) >>> at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoad >>> er.java:380) >>> at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) >>> at java.util.ServiceLoader$1.next(ServiceLoader.java:480) >>> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40) >>> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35) >>> at io.undertow.server.protocol.http.AlpnOpenListener.(Alp >>> nOpenListener.java:67) >>> at io.undertow.server.protocol.http.AlpnOpenListener.(Alp >>> nOpenListener.java:90) >>> at io.undertow.Undertow.start(Undertow.java:177) >>> at com.dartalley.function.Http2Server.main(Http2Server.java:70) >>> >>> >>> The following errors happen on request to the localhost:8443 from Matt's >>> code which leads to an empty response. 
>>> >>> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An >>> IOException occurred >>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is >>> not a handshake record >>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.explor >>> eClientHello(ALPNHackClientHelloExplorer.java:84) >>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackS >>> SLEngine.java:205) >>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729) >>> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567) >>> at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStr >>> eamSourceChannel.java:127) >>> at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnec >>> tionListener.handleEvent(AlpnOpenListener.java:280) >>> at io.undertow.server.protocol.http.AlpnOpenListener.handleEven >>> t(AlpnOpenListener.java:249) >>> at io.undertow.server.protocol.http.AlpnOpenListener.handleEven >>> t(AlpnOpenListener.java:60) >>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListe >>> ners.java:92) >>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291) >>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286) >>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListe >>> ners.java:92) >>> at org.xnio.ChannelListeners$DelegatingChannelListener.handleEv >>> ent(ChannelListeners.java:1092) >>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListe >>> ners.java:92) >>> at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128) >>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) >>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) >>> 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An >>> IOException occurred >>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is >>> not a handshake record >>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.explor >>> 
eClientHello(ALPNHackClientHelloExplorer.java:84) >>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackS >>> SLEngine.java:205) >>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) >>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748) >>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) >>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) >>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler. >>> readReady(SslConduit.java:1097) >>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) >>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) >>> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An >>> IOException occurred >>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is >>> not a handshake record >>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.explor >>> eClientHello(ALPNHackClientHelloExplorer.java:84) >>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackS >>> SLEngine.java:205) >>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) >>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748) >>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) >>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) >>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler. 
>>> readReady(SslConduit.java:1097)
>>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>>
>>>
>>> On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt wrote:
>>>
>>> I've updated to 1.4.7.Final, I switched to passing an Array of
>>> keyManagers and an Array of trustManagers, I've tried commenting out
>>> ENABLE_HTTP2, I've installed the JCE Unlimited Strength (and verified it's
>>> being used) and I'm consistently getting ERR_CONNECTION_CLOSED when I try
>>> to connect to https://localhost:8443
>>>
>>> If I connect to http://localhost:8080 then I get the expected "Hello,
>>> World!". If someone could just test that snippet and tell me if they can
>>> repeat the problem it would be greatly appreciated.
>>>
>>> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt wrote:
>>>
>>> Stuart, I don't think I have the JCE Unlimited Strength policy files
>>> installed. I'll look into seeing if that's the problem. I am currently
>>> using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting
>>> the same problem. It will probably be tomorrow before I can get the JCE
>>> Unlimited Strength installed, but either way I should be seeing an error
>>> but I am not.
>>>
>>> Can you check that code snippet I posted? It's a simplified version of
>>> the example you sent me previously that just outputs "Hello, World!". If
>>> you're able to run it and it works then perhaps there's something wrong in
>>> my machine configuration, but I'd like some confirmation.
>>>
>>> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas wrote:
>>>
>>> I just released 1.4.7.Final that should fix the ClassCastException that
>>> you were seeing.
>>>
>>> Your example code should work. What version of Undertow are you using,
>>> and do you have the JCE unlimited strength ciphers installed?
>>>
>>> Some versions of Undertow would attempt to enable HTTP/2 even if the
>>> required ciphers were not installed, which would result in a connection
>>> error as HTTP/2 would be negotiated with an incorrect cipher, and the
>>> browser will kill the connection as a result. This could be fixed by either
>>> installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>>>
>>> Stuart
>>>
>>> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt wrote:
>>>
>>> Michael, where are you getting SSLContextFactory from? I assumed it was
>>> something built-in or available in Undertow.
>>>
>>> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote:
>>>
>>> Thanks guys. Michael, I'll try your code here in a bit to see if it
>>> makes any difference.
>>>
>>> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote:
>>>
>>> Prematurely hit send!
>>>
>>> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:
>>>
>>> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>>>
>>> Hi Michael, thanks for the response. What version of Undertow are you
>>> using?
>>>
>>> I'm using 1.3.20, so I'm a bit behind.
>>>
>>> Are you overriding the SSL certificate storage or using the example's?
>>>
>>> I'm just creating the SSLContext that's passed to the builder via
>>> addHttpsListener directly from the standard JVM properties, eg
>>> javax.net.ssl.keyStore
>>>
>>> This is the basic code for that:
>>>
>>> public static SSLContext createSSLContext(final Options theOptions)
>>> throws SSLException {
>>>     return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
>>>         theOptions.get(ServerOptions.KEY_STORE),
>>>         theOptions.get(ServerOptions.KEY_STORE_PASSWD),
>>>         theOptions.get(ServerOptions.TRUST_STORE_TYPE),
>>>         theOptions.get(ServerOptions.TRUST_STORE),
>>>         theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
>>> }
>>>
>>> I tweak the XNIO properties for SSL in the event the user needs client
>>> auth:
>>>
>>> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE,
>>>     SslClientAuthMode.REQUIRED);
>>>
>>> At that point, it works nicely.
>>>
>>> Would you mind terribly trying the exact code snippet and see if it
>>> works for you? This is very confusing if it's a problem on my
>>> end...especially since HTTP works fine.
>>>
>>> I can try to run it over the weekend, I'm a bit swamped with day to day
>>> stuff atm.
>>>
>>> Cheers,
>>>
>>> Mike
>>>
>>> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove wrote:
>>>
>>> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt wrote:
>>>
>>> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>>>
>>> It's working fine for me, and I'm using a setup almost exactly like
>>> what's shown in the examples.
>>>
>>> I copied and pasted the example into my project and am getting the same
>>> results. I modified it to not do any proxying, but the server isn't
>>> responding properly and my anonymous HttpHandler is never invoked:
>>>
>>> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>>>
>>> This is incredibly frustrating. Stuart, tell me if I shouldn't be using
>>> Undertow for SSL support and I'll start migrating to wrap with nginx.
>>>
>>> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas wrote:
>>>
>>> Here is an example:
>>>
>>> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>>>
>>> Looks like you have run into a bug, with regard to the
>>> ClassCastException, you need to use the version that take
>>>

From sdouglas at redhat.com Sat Dec 10 19:47:45 2016
From: sdouglas at redhat.com (Stuart Douglas)
Date: Sun, 11 Dec 2016 11:47:45 +1100
Subject: [undertow-dev] Undertow: How to use client cert auth with roles
In-Reply-To:
References:
Message-ID:

Here is an example of using servlet + client cert:

https://github.com/undertow-io/undertow/commit/e8473ec35c420b782e072723d1e6338548def842

Basically the IdentityManager implementation is responsible for
retrieving the roles for a given user.

Stuart

On Sat, Dec 10, 2016 at 8:17 PM, Dieter Bogdoll wrote:
> Hello Mailinglist,
>
> I would like to use undertow for creating REST APIs.
> I also would like to use HTTPS for communication between client and server.
> The user should authenticate itself with a client certificate. On the
> server should be a component which takes the client certificate and
> uses some other service (properties file, database, ...) to which roles
> the user has (and therefore if and what parts of the REST API he can use).
>
> I think I know how to listen only to HTTPS, but I'm not sure how to extract
> the relevant bits from the client certificate and how to set the
> groups/roles.
>
> The solution should be compatible with the Servlet API. Is there some example
> code which I could look up, or some tutorial describing what I required?
>
> Best regards,
> Dieter

From dieter at bogdoll.net Sun Dec 11 04:24:35 2016
From: dieter at bogdoll.net (Dieter Bogdoll)
Date: Sun, 11 Dec 2016 09:24:35 +0000
Subject: [undertow-dev] Undertow: How to use client cert auth with roles
In-Reply-To:
References:
Message-ID:

Stuart,

thanks a lot! That works for me. Super!

On Sun, Dec 11, 2016 at 1:47 AM Stuart Douglas wrote:

> Here is an example of using servlet + client cert:
>
> https://github.com/undertow-io/undertow/commit/e8473ec35c420b782e072723d1e6338548def842
>
> Basically the IdentityManager implementation is responsible for
> retrieving the roles for a given user.
>
> Stuart
>
> On Sat, Dec 10, 2016 at 8:17 PM, Dieter Bogdoll wrote:
> > Hello Mailinglist,
> >
> > I would like to use undertow for creating REST APIs.
> > I also would like to use HTTPS for communication between client and server.
> > The user should authenticate itself with a client certificate. On the
> > server should be a component which takes the client certificate and
> > uses some other service (properties file, database, ...) to which roles
> > the user has (and therefore if and what parts of the REST API he can use).
> >
> > I think I know how to listen only to HTTPS, but I'm not sure how to extract
> > the relevant bits from the client certificate and how to set the
> > groups/roles.
> >
> > The solution should be compatible with the Servlet API. Is there some example
> > code which I could look up, or some tutorial describing what I required?
> >
> > Best regards,
> > Dieter

From slavastap at gmail.com Sun Dec 11 17:56:09 2016
From: slavastap at gmail.com (Вячеслав А)
Date: Mon, 12 Dec 2016 01:56:09 +0300
Subject: [undertow-dev] Add basic auth programmatically
Message-ID:

Hello.
I have a problem with auth for web services in my jar.
I want to add BASIC auth programmatically.
I have two places: from ServletExtension and from HttpHandler for request.
I can't find the way to do it ( It will be better if I can do it from
ServletExtension by modifying DeploymentInfo.
Thank you in advance for your help.

From sdouglas at redhat.com Sun Dec 11 17:58:29 2016
From: sdouglas at redhat.com (Stuart Douglas)
Date: Mon, 12 Dec 2016 09:58:29 +1100
Subject: [undertow-dev] Add basic auth programmatically
In-Reply-To:
References:
Message-ID:

You should be able to just do:

deploymentInfo.setLoginConfig(new LoginConfig("my realm").addFirstAuthMethod("BASIC"))

Stuart

On Mon, Dec 12, 2016 at 9:56 AM, Вячеслав А wrote:
> Hello.
> I have a problem with auth for web services in my jar.
> I want to add BASIC auth programmatically.
> I have two places: from ServletExtension and from HttpHandler for request.
> I can't find the way to do it ( It will be better if I can do it from
> ServletExtension by modifying DeploymentInfo.
> Thank you in advance for your help.

From miere.teixeira at gmail.com Sun Dec 11 19:31:41 2016
From: miere.teixeira at gmail.com (Miere Teixeira)
Date: Mon, 12 Dec 2016 00:31:41 +0000
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Hi Matt,

Do you mind sending us a zip with a minimum project setup that reproduces
exactly the same problem you are facing? I can imagine how crazy you are
feeling about this SSL issue. I'm pretty sure a small project should be
enough to let us better understand your problem.

Regards

On Sat, Dec 10, 2016 at 9:46 PM Stuart Douglas wrote:

> I also failed to run the example, until I realized that the code does not
> validate that the keystore is loaded correctly (passing 'null' into
> KeyStore.load apparently works without error).
>
> Are you sure you are actually loading the keystore correctly (maybe add a
> null check into the loading code)?
>
> Stuart
>
> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote:
>
> Here is the trace, which occurs with Http2 true and false. Issue seems to be
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
> > > On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt wrote: > > Thanks Bill....I don't feel as crazy now. ;) > > On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote: > > Oops I forgot https://localhost:8443. Now it is giving me localhost > unexpectedly closed the connection. With no errors. I also don't have a > cert set up but I would think that should throw an error? > > The on startup JDK9 issue is still there. > > On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil wrote: > > Matt did you try turning on logging? Here are the two errors I get.
Stuart > maybe you can help from this I don't know much about SSL. > > This error is on server start. I'm running JDK 8. > > java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.se > tApplicationProtocols([Ljava.lang.String;) > at java.lang.Class.getMethod(Class.java:1786) > at > io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47) > at > io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43) > at java.security.AccessController.doPrivileged(Native Method) > at > io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:422) > at java.lang.Class.newInstance(Class.java:442) > at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380) > at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) > at java.util.ServiceLoader$1.next(ServiceLoader.java:480) > at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40) > at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35) > at io.undertow.server.protocol.ht > tp.AlpnOpenListener.(AlpnOpenListener.java:67) > at io.undertow.server.protocol.ht > tp.AlpnOpenListener.(AlpnOpenListener.java:90) > at io.undertow.Undertow.start(Undertow.java:177) > at com.dartalley.function.Http2Server.main(Http2Server.java:70) > > > The following errors happen on request to the localhost:8443 from Matt's > code which leads to an empty response. 
> > 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An > IOException occurred > javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not > a handshake record > at > io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) > at > io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729) > at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567) > at > org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127) > at io.undertow.server.protocol.ht > tp.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280) > at io.undertow.server.protocol.ht > tp.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249) > at io.undertow.server.protocol.ht > tp.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60) > at > org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) > at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291) > at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286) > at > org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) > at > org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092) > at > org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) > at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128) > at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) > 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An > IOException occurred > javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not > a handshake record > at > io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) > at > 
io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) > at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748) > at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) > at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) > at > io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097) > at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) > 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An > IOException occurred > javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not > a handshake record > at > io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) > at > io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) > at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748) > at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) > at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) > at > io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097) > at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) > > > On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt wrote: > > I've updated to 1.4.7.Final, I switched to passing an Array of keyManagers > and an Array of trustManagers, I've tried commenting out ENABLE_HTTP2, I've > installed the JCE Unlimited Strength (and verified it's being used) and I'm > consistently getting ERR_CONNECTION_CLOSED when I try to connect to > https://localhost:8443 > > If I connect to http://localhost:8080 then I get the expected "Hello, > World!". 
If someone could just test that snippet and tell me if they can > repeat the problem it would be greatly appreciated. > > On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt wrote: > > Stuart, I don't think I have the JCE Unlimited Strength policy files > installed. I'll look into seeing if that's the problem. I am currently > using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting > the same problem. It will probably be tomorrow before I can get the JCE > Unlimited Strength installed, but either way I should be seeing an error > but I am not. > > Can you check that code snippet I posted? It's a simplified version of > the example you sent me previously that just outputs "Hello, World!". If > you're able to run it and it works then perhaps there's something wrong in > my machine configuration, but I'd like some confirmation. > > On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas wrote: > > I just released 1.4.7.Final that should fix the ClassCastException that > you were seeing. > > Your example code should work. What version of Undertow are you using, and > do you have the JCE unlimited strength ciphers installed? > > Some versions of Undertow would attempt to enable HTTP/2 even if the > required ciphers were not installed, which would result in a connection > error as HTTP/2 would be negotiated with an incorrect cipher, and the > browser will kill the connection as a result. This could be fixed by either > installing the JCE unlimited strength policy files, or by disabling HTTP/2. > > Stuart > > On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt wrote: > > Michael, where are you getting SSLContextFactory from? I assumed it was > something built-in or available in Undertow. > > On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote: > > Thanks guys. Michael, I'll try your code here in a bit to see if it makes > any difference. > > On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote: > > Prematurely hit send! 
>
> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:
>
> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>
> Hi Michael, thanks for the response. What version of Undertow are you
> using?
>
> I'm using 1.3.20, so I'm a bit behind.
>
> Are you overriding the SSL certificate storage or using the example's?
>
> I'm just creating the SSLContext that's passed to the builder via
> addHttpsListener directly from the standard JVM properties, e.g.
> javax.net.ssl.keyStore
>
> This is the basic code for that:
>
> public static SSLContext createSSLContext(final Options theOptions) throws
> SSLException {
> return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.
> KEY_STORE_TYPE),
> theOptions.get(
>
> -- Miere Teixeira

From sdouglas at redhat.com Sun Dec 11 19:48:50 2016
From: sdouglas at redhat.com (Stuart Douglas)
Date: Mon, 12 Dec 2016 11:48:50 +1100
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

I have modified the example so it will now blow up if the keystore cannot be
loaded:
https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b

Stuart

On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas wrote:

> I also failed to run the example, until I realized that the code does not
> validate that the keystore is loaded correctly (passing 'null' into
> KeyStore.load apparently works without error).
>
> Are you sure you are actually loading the keystore correctly (maybe add a
> null check into the loading code)?
>
> Stuart
>
> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote:
>
>> Here is the trace; it occurs with Http2 true and false. Issue seems to be
>> javax.net.ssl.SSLException: Inbound closed before receiving peer's
>> close_notify: possible truncation attack?
>> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt wrote: >> >>> Thanks Bill....I don't feel as crazy now. ;) >>> >>> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote: >>> >>>> Oops I forgot https://localhost:8443. Now it is giving me localhost >>>> unexpectedly closed the connection. With no errors.
>>>> I also don't have a cert set up but I would think that should throw an error?
>>>>
>>>> The on startup JDK9 issue is still there.
>>>>
>>>> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil
>>>> wrote:
>>>>
>>>> Matt did you try turning on logging? Here are the two errors I get.
>>>> Stuart maybe you can help from this I don't know much about SSL.
>>>>
>>>> This error is on server start. I'm running JDK 8.
>>>>
>>>> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
>>>> at java.lang.Class.getMethod(Class.java:1786)
>>>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
>>>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>> at io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43)
>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>>> at java.lang.Class.newInstance(Class.java:442)
>>>> at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>>>> at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>>>> at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>>>> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
>>>> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
>>>> at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:67)
>>>> at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:90)
>>>> at io.undertow.Undertow.start(Undertow.java:177)
>>>> at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>>>>
>>>> The following errors happen on request to the localhost:8443 from
>>>> Matt's code which leads to an empty response.
>>>>
>>>> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred
>>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>>>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>>>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
>>>> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
>>>> at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
>>>> at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
>>>> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
>>>> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
>>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
>>>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
>>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>>> at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
>>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>>> at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
>>>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>>>> 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An IOException occurred
>>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>>>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>>>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>>>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>>>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>>>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>>>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
>>>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>>> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An IOException occurred
>>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>>>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>>>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>>>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>>>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>>>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>>>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
>>>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>>>
>>>> On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt
>>>> wrote:
>>>>
>>>> I've updated to 1.4.7.Final, I switched to passing an Array of
>>>> keyManagers and an Array of trustManagers, I've tried commenting out
>>>> ENABLE_HTTP2, I've installed the JCE Unlimited Strength (and verified it's
>>>> being used) and I'm consistently getting ERR_CONNECTION_CLOSED when I try
>>>> to connect to https://localhost:8443
>>>>
>>>> If I connect to http://localhost:8080 then I get the expected "Hello,
>>>> World!". If someone could just test that snippet and tell me if they can
>>>> repeat the problem it would be greatly appreciated.
>>>>
>>>> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt wrote:
>>>>
>>>> Stuart, I don't think I have the JCE Unlimited Strength policy files
>>>> installed. I'll look into seeing if that's the problem. I am currently
>>>> using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting
>>>> the same problem. It will probably be tomorrow before I can get the JCE
>>>> Unlimited Strength installed, but either way I should be seeing an error
>>>> but I am not.
>>>>
>>>> Can you check that code snippet I posted? It's a simplified version of
>>>> the example you sent me previously that just outputs "Hello, World!". If
>>>> you're able to run it and it works then perhaps there's something wrong in
>>>> my machine configuration, but I'd like some confirmation.
>>>>
>>>> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas
>>>> wrote:
>>>>
>>>> I just released 1.4.7.Final that should fix the ClassCastException that
>>>> you were seeing.
>>>>
>>>> Your example code should work.
>>>> What version of Undertow are you using,
>>>> and do you have the JCE unlimited strength ciphers installed?
>>>>
>>>> Some versions of Undertow would attempt to enable HTTP/2 even if the
>>>> required ciphers were not installed, which would result in a connection
>>>> error as HTTP/2 would be negotiated with an incorrect cipher, and the
>>>> browser will kill the connection as a result. This could be fixed by either
>>>> installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>>>>
>>>> Stuart
>>>>
>>>> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt
>>>> wrote:
>>>>
>>>> Michael, where are you getting SSLContextFactory from? I assumed it
>>>> was something built-in or available in Undertow.
>>>>
>>>> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote:
>>>>
>>>> Thanks guys. Michael, I'll try your code here in a bit to see if it
>>>> makes any difference.
>>>>
>>>> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote:
>>>>
>>>> Prematurely hit send!
>>>>
>>>> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:
>>>>
>>>> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>>>>
>>>> Hi Michael, thanks for the response. What version of Undertow are you
>>>> using?
>>>>
>>>> I'm using 1.3.20, so I'm a bit behind.
>>>>
>>>> Are you overriding the SSL certificate storage or using the example's?
>>>>
>>>> I'm just creating the SSLContext that's passed to the builder via
>>>> addHttpsListener directly from the standard JVM properties, eg
>>>> javax.net.ssl.keyStore
>>>>
>>>> This is the basic code for that:
>>>>
>>>> public static SSLContext createSSLContext(final Options theOptions)
>>>>         throws SSLException {
>>>>     return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
>>>>             theOptions.get(ServerOptions.KEY_STORE),
>>>>             theOptions.get(ServerOptions.KEY_STORE_PASSWD),
>>>>             theOptions.get(ServerOptions.TRUST_STORE_TYPE),
>>>>             theOptions.get(ServerOptions.TRUST_STORE),
>>>>             theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
>>>> }
>>>>
>>>> I tweak the XNIO properties for SSL in the event the user needs client
>>>> auth:
>>>>
>>>> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE,
>>>>         SslClientAuthMode.REQUIRED);
>>>>
>>>> At that point, it works nicely.
>>>>
>>>> Would you mind terribly trying the exact code snippet and see if it
>>>> works for you? This is very confusing if it's a problem on my
>>>> end...especially since HTTP works fine.
>>>>
>>>> I can try to run it over the weekend, I'm a bit swamped with day to day
>>>> stuff atm.
>>>>
>>>> Cheers,
>>>>
>>>> Mike
>>>>
>>>> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove wrote:
>>>>
>>>> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt
>>>> wrote:
>>>>
>>>> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>>>>
>>>> It's working fine for me, and I'm using a setup almost exactly like
>>>> what's shown in the examples.
>>>>
>>>> I copied and pasted the example into my project and am getting the same
>>>> results. I modified it to not do any proxying, but the server isn't
>>>> responding properly and my anonymous HttpHandler is never invoked:
>>>>
>>>> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>>>>
>>>> This is incredibly frustrating. Stuart, tell me if I shouldn't be
>>>> using Undertow for SSL support and I'll start migrating to wrap with nginx.
>>>>
>>>> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas
>>>> wrote:
>>>>
>>>> Here is an example:
>>>>
>>>> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>>>>
>>>> Looks like you have run into a bug, with regard to the
>>>> ClassCastException, you need to use the version that take
>>>>

From matt at matthicks.com Mon Dec 12 12:01:04 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Mon, 12 Dec 2016 17:01:04 +0000
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Stuart, I apologize for not figuring that out myself, but that was the
problem. It's working correctly now.

Ideally Undertow should be able to detect this internally and throw an
error instead of just silently failing. I understand that this relies on
the SSLContext which is not part of Undertow's code, but it seems like if
there is any way to detect this scenario it would be a major convenience
to avoid such pitfalls for other developers in the future.

Thanks everyone for your help with this. I greatly appreciate it.

On Sun, Dec 11, 2016 at 6:48 PM Stuart Douglas wrote:

> I have modified the example so it will now blow up if the keystore cannot
> be loaded:
>
> https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b
>
> Stuart
>
> On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas
> wrote:
>
> I also failed to run the example, until I realized that the code does not
> validate that the keystore is loaded correctly (passing 'null' into
> KeyStore.load apparently works without error).
>
> Are you sure you are actually loading the keystore correctly (maybe add a
> null check into the loading code)?
>
> Stuart
>
> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote:
>
> Here is the trace occurs with Http2 true and false. Issue seems to be
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
>
> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt wrote:
>
> Thanks Bill....I don't feel as crazy now. ;)
>
> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote:
>
> Oops I forgot https://localhost:8443. Now it is giving me localhost
> unexpectedly closed the connection. With no errors. I also don't have a
> cert set up but I would think that should throw an error?
>
> The on startup JDK9 issue is still there.
>
> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil wrote:
>
> Matt did you try turning on logging? Here are the two errors I get.
> Stuart maybe you can help from this I don't know much about SSL.
>
> This error is on server start. I'm running JDK 8.
>
> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
> at java.lang.Class.getMethod(Class.java:1786)
> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
> at java.security.AccessController.doPrivileged(Native Method)
> at io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
> at java.lang.Class.newInstance(Class.java:442)
> at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
> at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
> at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
> at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:67)
> at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:90)
> at io.undertow.Undertow.start(Undertow.java:177)
> at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>
> The following errors happen on request to the localhost:8443 from Matt's
> code which leads to an empty response.
>
> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
> at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
> at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
> 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>
> On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt wrote:
>
> I've updated to 1.4.7.Final, I switched to passing an Array of keyManagers
> and an Array of trustManagers, I've tried commenting out ENABLE_HTTP2, I've
> installed the JCE Unlimited Strength (and verified it's being used) and I'm
> consistently getting ERR_CONNECTION_CLOSED when I try to connect to
> https://localhost:8443
>
> If I connect to http://localhost:8080 then I get the expected "Hello,
> World!". If someone could just test that snippet and tell me if they can
> repeat the problem it would be greatly appreciated.
>
> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt wrote:
>
> Stuart, I don't think I have the JCE Unlimited Strength policy files
> installed. I'll look into seeing if that's the problem. I am currently
> using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting
> the same problem. It will probably be tomorrow before I can get the JCE
> Unlimited Strength installed, but either way I should be seeing an error
> but I am not.
>
> Can you check that code snippet I posted? It's a simplified version of
> the example you sent me previously that just outputs "Hello, World!". If
> you're able to run it and it works then perhaps there's something wrong in
> my machine configuration, but I'd like some confirmation.
>
> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas wrote:
>
> I just released 1.4.7.Final that should fix the ClassCastException that
> you were seeing.
>
> Your example code should work. What version of Undertow are you using, and
> do you have the JCE unlimited strength ciphers installed?
>
> Some versions of Undertow would attempt to enable HTTP/2 even if the
> required ciphers were not installed, which would result in a connection
> error as HTTP/2 would be negotiated with an incorrect cipher, and the
> browser will kill the connection as a result. This could be fixed by either
> installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>
> Stuart
>
> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt wrote:
>
> Michael, where are you getting SSLContextFactory from? I assumed it was
> something built-in or available in Undertow.
>
> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote:
>
> Thanks guys. Michael, I'll try your code here in a bit to see if it makes
> any difference.
>
> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote:
>
> Prematurely hit send!
> > On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote: > > > > On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote: > > Hi Michael, thanks for the response. What version of Undertow are you > using? > > > I'm using 1.3.20, so I'm a bit behind. > > > Are you overriding the SSL certificate storage or using the example's? > > > I'm just creating the SSLContext that's passed to the builder via > addHttpsListener directly from the standard JVM properties, eg > javax.net.ssl.keyStore > > > This is the basic code for that: > > public static SSLContext createSSLContext(final Options theOptions) > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161212/4756f587/attachment-0001.html From matt at matthicks.com Mon Dec 12 13:13:13 2016 From: matt at matthicks.com (Hicks, Matt) Date: Mon, 12 Dec 2016 18:13:13 +0000 Subject: [undertow-dev] SSL Documentation In-Reply-To: References: Message-ID: Sorry guys, I need to resurrect this thread. 
SSL is working for the most part, but it seems when I try to load any URL that has GET args it starts throwing:

siteJVM[ERROR] Dec 12, 2016 12:10:41 PM org.xnio.ChannelListeners invokeChannelListener
siteJVM[ERROR] ERROR: XNIO001007: A channel event listener threw an exception
siteJVM[ERROR] java.lang.IllegalStateException
siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedStreamSinkChannel.getBuffer(AbstractFramedStreamSinkChannel.java:578)
siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel.flushSenders(AbstractFramedChannel.java:630)
siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:943)
siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:940)
siteJVM[ERROR] at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
siteJVM[ERROR] at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1224)
siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275)
siteJVM[ERROR] at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
siteJVM[ERROR] at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)

All over the place. It also throws XNIO000011 sometimes as well. If I load the exact same URL with no GET args it seems to load just fine. Any idea why this might be happening?

On Mon, Dec 12, 2016 at 11:01 AM Hicks, Matt wrote:

> Stuart, I apologize for not figuring that out myself, but that was the
> problem. It's working correctly now.
>
> Ideally Undertow should be able to detect this internally and throw an
> error instead of just silently failing. I understand that this relies on
> the SSLContext which is not part of Undertow's code, but it seems like if
> there is any way to detect this scenario it would be a major convenience to
> avoid such pitfalls for other developers in the future.
>
> Thanks everyone for your help with this. I greatly appreciate it.
>
> On Sun, Dec 11, 2016 at 6:48 PM Stuart Douglas
> wrote:
>
> I have modified the example so it will now blow up if the keystore cannot
> be loaded:
>
> https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b
>
> Stuart
>
> On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas
> wrote:
>
> I also failed to run the example, until I realized that the code does not
> validate that the keystore is loaded correctly (passing 'null' into
> KeyStore.load apparently works without error).
>
> Are you sure you are actually loading the keystore correctly (maybe add a
> null check into the loading code)?
>
> Stuart
>
> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote:
>
> Here is the trace occurs with Http2 true and false. Issue seems to be
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
>
> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt wrote:
>
> Thanks Bill....I don't feel as crazy now. ;)
>
> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote:
>
> Oops I forgot https://localhost:8443. Now it is giving me localhost
> unexpectedly closed the connection. With no errors. I also don't have a
> cert set up but I would think that should throw an error?
>
> The on startup JDK9 issue is still there.
>
> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil wrote:
>
> Matt did you try turning on logging? Here are the two errors I get. Stuart
> maybe you can help from this I don't know much about SSL.
>
> This error is on server start. I'm running JDK 8.
>
> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.se
> tApplicationProtocols([Ljava.lang.String;)
> at java.lang.Class.getMethod(Class.java:1786)
> at
> io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
> at
> io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
> at java.security.AccessController.doPrivileged(Native Method)
> at
> io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
> at java.lang.Class.newInstance(Class.java:442)
> at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
> at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
> at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
> at io.undertow.server.protocol.ht
> tp.AlpnOpenListener.(AlpnOpenListener.java:67)
> at io.undertow.server.protocol.ht
> tp.AlpnOpenListener.(AlpnOpenListener.java:90)
> at io.undertow.Undertow.start(Undertow.java:177)
> at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>
> The following errors happen on request to the localhost:8443 from Matt's
> code which leads to an empty response.
>
> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An
> IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not
> a handshake record
> at
> io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
> at
> io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
> at
> org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
> at io.undertow.server.protocol.ht
> tp.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
> at io.undertow.server.protocol.ht
> tp.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
> at io.undertow.server.protocol.ht
> tp.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
> at
> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
> at
> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at
> org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
> at
> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
> 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An
> IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not
> a handshake record
> at
> io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
> at
> io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at
> io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An
> IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not
> a handshake record
> at
> io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
> at
> io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at
> io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>
> On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt wrote:
>
> I've updated to 1.4.7.Final, I switched to passing an Array of keyManagers
> and an Array of trustManagers, I've tried commenting out ENABLE_HTTP2, I've
> installed the JCE Unlimited Strength (and verified it's being used) and I'm
> consistently getting ERR_CONNECTION_CLOSED when I try to connect to
> https://localhost:8443
>
> If I connect to http://localhost:8080 then I get the expected "Hello,
> World!". If someone could just test that snippet and tell me if they can
> repeat the problem it would be greatly appreciated.
>
> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt wrote:
>
> Stuart, I don't think I have the JCE Unlimited Strength policy files
> installed. I'll look into seeing if that's the problem. I am currently
> using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting
> the same problem. It will probably be tomorrow before I can get the JCE
> Unlimited Strength installed, but either way I should be seeing an error
> but I am not.
>
> Can you check that code snippet I posted? It's a simplified version of
> the example you sent me previously that just outputs "Hello, World!". If
> you're able to run it and it works then perhaps there's something wrong in
> my machine configuration, but I'd like some confirmation.
>
> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas wrote:
>
> I just released 1.4.7.Final that should fix the ClassCastException that
> you were seeing.
>
> Your example code should work. What version of Undertow are you using, and
> do you have the JCE unlimited strength ciphers installed?
>
> Some versions of Undertow would attempt to enable HTTP/2 even if the
> required ciphers were not installed, which would result in a connection
> error as HTTP/2 would be negotiated with an incorrect cipher, and the
> browser will kill the connection as a result. This could be fixed by either
> installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>
> Stuart
>
> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt wrote:
>
> Michael, where are you getting SSLContextFactory from? I assumed it was
> something built-in or available in Undertow.
>
> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote:
>
> Thanks guys. Michael, I'll try your code here in a bit to see if it makes
> any difference.
>
> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote:
>
> Prematurely hit send!
>
> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:
>
> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>
> Hi Michael, thanks for the response. What version of Undertow are you
> using?
>
> I'm using 1.3.20, so I'm a bit behind.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161212/4f3c653a/attachment-0001.html

From bill at dartalley.com Mon Dec 12 14:24:07 2016
From: bill at dartalley.com (Bill O'Neil)
Date: Mon, 12 Dec 2016 14:24:07 -0500
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Does the same code work in HTTP? can you post a snippet of where you read the query parameters?

On Mon, Dec 12, 2016 at 1:13 PM, Hicks, Matt wrote:

> Sorry guys, I need to resurrect this thread.
>
> SSL is working for the most part, but it seems when I try to load any URL
> that has GET args it starts throwing:
>
> siteJVM[ERROR] Dec 12, 2016 12:10:41 PM org.xnio.ChannelListeners
> invokeChannelListener
> siteJVM[ERROR] ERROR: XNIO001007: A channel event listener threw an
> exception
> siteJVM[ERROR] java.lang.IllegalStateException
> siteJVM[ERROR] at io.undertow.server.protocol.framed.
> AbstractFramedStreamSinkChannel.getBuffer(AbstractFramedStreamSinkChanne
> l.java:578)
> siteJVM[ERROR] at io.undertow.server.protocol.
> framed.AbstractFramedChannel.flushSenders(AbstractFramedChannel.java:630)
> siteJVM[ERROR] at io.undertow.server.protocol.
> framed.AbstractFramedChannel$FrameWriteListener.handleEvent(
> AbstractFramedChannel.java:943)
> siteJVM[ERROR] at io.undertow.server.protocol.
> framed.AbstractFramedChannel$FrameWriteListener.handleEvent(
> AbstractFramedChannel.java:940)
> siteJVM[ERROR] at org.xnio.ChannelListeners.invokeChannelListener(
> ChannelListeners.java:92)
> siteJVM[ERROR] at org.xnio.conduits.WriteReadyHandler$
> ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$
> SslWriteReadyHandler.writeReady(SslConduit.java:1224)
> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.
> java:275)
> siteJVM[ERROR] at org.xnio.nio.WorkerThread.
> safeRun(WorkerThread.java:580)
> siteJVM[ERROR] at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>
> All over the place. It also throws XNIO000011 sometimes as well. If I
> load the exact same URL with no GET args it seems to load just fine. Any
> idea why this might be happening?
>
> On Mon, Dec 12, 2016 at 11:01 AM Hicks, Matt wrote:
>
>> Stuart, I apologize for not figuring that out myself, but that was the
>> problem. It's working correctly now.
>>
>> Ideally Undertow should be able to detect this internally and throw an
>> error instead of just silently failing. I understand that this relies on
>> the SSLContext which is not part of Undertow's code, but it seems like if
>> there is any way to detect this scenario it would be a major convenience to
>> avoid such pitfalls for other developers in the future.
>>
>> Thanks everyone for your help with this. I greatly appreciate it.
>>
>> On Sun, Dec 11, 2016 at 6:48 PM Stuart Douglas
>> wrote:
>>
>> I have modified the example so it will now blow up if the keystore cannot
>> be loaded:
>> https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b
>>
>> Stuart
>>
>> On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas
>> wrote:
>>
>> I also failed to run the example, until I realized that the code does not
>> validate that the keystore is loaded correctly (passing 'null' into
>> KeyStore.load apparently works without error).
>>
>> Are you sure you are actually loading the keystore correctly (maybe add a
>> null check into the loading code)?
>>
>> Stuart
>>
>> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote:
>>
>> Here is the trace occurs with Http2 true and false. Issue seems to be
>> javax.net.ssl.SSLException: Inbound closed before receiving peer's
>> close_notify: possible truncation attack?
>> UndertowAcceptingSslChannel at 328f1eb6 >> 2016-12-10 11:03:03.671 [XNIO-1 Accept] TRACE org.xnio.nio.selector - >> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 >> 2016-12-10 11:03:03.674 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking >> listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on >> channel io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92 >> 2016-12-10 11:03:03.675 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - >> Selected on sun.nio.ch.KQueueSelectorImpl at 49c6180b >> 2016-12-10 11:03:03.675 [XNIO-1 I/O-4] TRACE io.undertow.request - Opened >> connection with /127.0.0.1:56854 >> 2016-12-10 11:03:03.676 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task >> org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64 >> 2016-12-10 11:03:03.681 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - >> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout) >> 2016-12-10 11:03:03.681 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking >> listener Delegating channel listener -> Accepting listener for >> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel >> TCP server (NIO) <13f5555f> >> 2016-12-10 11:03:03.683 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking >> listener Accepting listener for io.undertow.server.protocol.ht >> tp.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl. 
>> UndertowAcceptingSslChannel at 328f1eb6 >> 2016-12-10 11:03:03.685 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - >> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >> 2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking >> listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on >> channel io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450 >> 2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE io.undertow.request - Opened >> connection with /127.0.0.1:56856 >> 2016-12-10 11:03:03.690 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - >> Selected key sun.nio.ch.SelectionKeyImpl at 673b2384 for java.nio.channels.SocketChannel[connected >> local=/127.0.0.1:8443 remote=/127.0.0.1:56854] >> 2016-12-10 11:03:03.691 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - >> Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b (with timeout) >> 2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking >> listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 on >> channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad >> 2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - >> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout) >> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - >> Selected on sun.nio.ch.KQueueSelectorImpl at 49c6180b >> 2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - >> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task >> io.undertow.protocols.ssl.SslConduit$5$1 at 32b59207 >> 2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task >> io.undertow.protocols.ssl.SslConduit$5$1 at 7c204b59 >> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE io.undertow.request.io - >> Exception closing read side of SSL channel >> javax.net.ssl.SSLException: Inbound closed before receiving peer's >> close_notify: possible 
truncation attack? >> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) >> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) >> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) >> at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) >> at io.undertow.protocols.ssl.SslConduit.notifyReadClosed( >> SslConduit.java:612) >> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) >> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) >> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) >> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) >> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) >> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) >> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) >> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) >> 2016-12-10 11:03:03.697 [XNIO-1 I/O-4] TRACE io.undertow.request.io - >> Exception closing read side of SSL channel >> javax.net.ssl.SSLException: Inbound closed before receiving peer's >> close_notify: possible truncation attack? 
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) >> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) >> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) >> at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) >> at io.undertow.protocols.ssl.SslConduit.notifyReadClosed( >> SslConduit.java:612) >> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) >> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) >> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) >> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) >> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) >> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) >> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) >> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) >> 2016-12-10 11:03:03.697 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking >> listener io.undertow.server.AbstractServerConnection$CloseSetter at 55df2063 >> on channel io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450 >> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking >> listener io.undertow.server.AbstractServerConnection$CloseSetter at 42277317 >> on channel io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92 >> 2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - >> Closing resource org.xnio.nio.NioSocketStreamConnection at 50bf3bfc >> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >> Closing resource org.xnio.nio.NioSocketStreamConnection at 4196fbe >> 2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.nio - Cancelling >> key sun.nio.ch.SelectionKeyImpl at 4805f11b of java.nio.channels.SocketChannel[connected >> local=/127.0.0.1:8443 remote=/127.0.0.1:56856] (same thread) >> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.nio - Cancelling >> key 
sun.nio.ch.SelectionKeyImpl at 673b2384 of java.nio.channels.SocketChannel[connected >> local=/127.0.0.1:8443 remote=/127.0.0.1:56854] (same thread) >> 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - >> Closing resource io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450 >> 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio.selector - >> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 >> 2016-12-10 11:03:03.699 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >> Closing resource io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92 >> 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio - Running task >> org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 >> 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task >> io.undertow.protocols.ssl.SslConduit$1 at 77593ca5 >> 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task >> io.undertow.protocols.ssl.SslConduit$1 at 3548b3ac >> 2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio - Running task >> org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 >> 2016-12-10 11:03:03.700 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking >> listener io.undertow.server.protocol.http.HttpReadListener at 6962bde3 on >> channel org.xnio.conduits.ConduitStreamSourceChannel at 45125494 >> 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking >> listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 on >> channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad >> 2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio.selector - >> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 >> 2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - >> Closing resource io.undertow.server.protocol.http.HttpServerConnection@ >> 6cdbf711 >> 2016-12-10 11:03:03.701 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >> Closing resource io.undertow.server.protocol.http.HttpServerConnection@ >> 4bcc5cdf >> 
2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task >> io.undertow.protocols.ssl.SslConduit$2 at 52d9523b >> 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task >> io.undertow.protocols.ssl.SslConduit$2 at 320a217a >> 2016-12-10 11:03:03.702 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - >> Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b >> 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - >> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >> 2016-12-10 11:03:03.714 [XNIO-1 Accept] TRACE org.xnio.nio.selector - >> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 >> 2016-12-10 11:03:03.715 [XNIO-1 Accept] TRACE org.xnio.nio.selector - >> Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch. >> ServerSocketChannelImpl[/127.0.0.1:8443] >> 2016-12-10 11:03:03.716 [XNIO-1 Accept] TRACE org.xnio.nio.selector - >> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 >> 2016-12-10 11:03:03.717 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - >> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >> 2016-12-10 11:03:03.718 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task >> org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64 >> 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking >> listener Delegating channel listener -> Accepting listener for >> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel >> TCP server (NIO) <13f5555f> >> 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking >> listener Accepting listener for io.undertow.server.protocol.ht >> tp.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl. 
>> UndertowAcceptingSslChannel at 328f1eb6 >> 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking >> listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on >> channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 >> 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE io.undertow.request - Opened >> connection with /127.0.0.1:56858 >> 2016-12-10 11:03:03.724 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - >> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout) >> 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - >> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >> 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task >> io.undertow.protocols.ssl.SslConduit$5$1 at 47e5be01 >> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE io.undertow.request.io - >> Exception closing read side of SSL channel >> javax.net.ssl.SSLException: Inbound closed before receiving peer's >> close_notify: possible truncation attack? 
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) >> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) >> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) >> at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) >> at io.undertow.protocols.ssl.SslConduit.notifyReadClosed( >> SslConduit.java:612) >> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) >> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) >> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) >> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) >> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) >> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) >> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) >> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) >> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking >> listener io.undertow.server.AbstractServerConnection$CloseSetter at 3457fbeb >> on channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 >> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >> Closing resource org.xnio.nio.NioSocketStreamConnection at 1fd60afd >> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.nio - Cancelling >> key sun.nio.ch.SelectionKeyImpl at 7da1dc1a of java.nio.channels.SocketChannel[connected >> local=/127.0.0.1:8443 remote=/127.0.0.1:56858] (same thread) >> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >> Closing resource io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 >> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio.selector - >> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 >> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task >> io.undertow.protocols.ssl.SslConduit$1 at 11f5487 >> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio - Running 
task >> org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 >> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking >> listener io.undertow.server.protocol.http.HttpReadListener at 6b60e713 on >> channel org.xnio.conduits.ConduitStreamSourceChannel at 60e3d137 >> 2016-12-10 11:03:03.731 [XNIO-1 Accept] TRACE org.xnio.nio.selector - >> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 >> 2016-12-10 11:03:03.731 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >> Closing resource io.undertow.server.protocol.http.HttpServerConnection@ >> 4f4dae34 >> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task >> io.undertow.protocols.ssl.SslConduit$2 at 348d6036 >> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - >> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >> >> >> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt wrote: >> >> Thanks Bill....I don't feel as crazy now. ;) >> >> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote: >> >> Oops I forgot https://localhost:8443. Now it is giving me localhost >> unexpectedly closed the connection. With no errors. I also don't have a >> cert set up but I would think that should throw an error? >> >> The on startup JDK9 issue is still there. >> >> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil wrote: >> >> Matt did you try turning on logging? Here are the two errors I get. >> Stuart maybe you can help from this I don't know much about SSL. >> >> This error is on server start. I'm running JDK 8. 
>>
>> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
>>     at java.lang.Class.getMethod(Class.java:1786)
>>     at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
>>     at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43)
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>     at java.lang.Class.newInstance(Class.java:442)
>>     at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>>     at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>>     at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>>     at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
>>     at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
>>     at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:67)
>>     at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:90)
>>     at io.undertow.Undertow.start(Undertow.java:177)
>>     at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>>
>>
>> The following errors happen on request to the localhost:8443 from Matt's code which leads to an empty response.
>>
>> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred
>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>>     at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>>     at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>>     at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
>>     at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
>>     at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
>>     at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
>>     at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
>>     at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
>>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>     at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
>>     at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
>>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>     at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
>>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>     at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
>>     at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>> 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An IOException occurred
>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>>     at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>>     at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>>     at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>>     at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>>     at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>>     at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
>>     at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An IOException occurred
>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>>     at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>>     at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>>     at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>>     at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>>     at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>>     at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
>>     at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>
>>
>> On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt wrote:
>>
>> I've updated to 1.4.7.Final, I switched to passing an Array of keyManagers and an Array of trustManagers, I've tried commenting out ENABLE_HTTP2, I've installed the JCE Unlimited Strength (and verified it's being used) and I'm consistently getting ERR_CONNECTION_CLOSED when I try to connect to https://localhost:8443
>>
>> If I connect to http://localhost:8080 then I get the expected "Hello, World!". If someone could just test that snippet and tell me if they can repeat the problem it would be greatly appreciated.
>>
>> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt wrote:
>>
>> Stuart, I don't think I have the JCE Unlimited Strength policy files installed. I'll look into seeing if that's the problem. I am currently using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting the same problem. It will probably be tomorrow before I can get the JCE Unlimited Strength installed, but either way I should be seeing an error but I am not.
>>
>> Can you check that code snippet I posted? It's a simplified version of the example you sent me previously that just outputs "Hello, World!". If you're able to run it and it works then perhaps there's something wrong in my machine configuration, but I'd like some confirmation.
>>
>> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas wrote:
>>
>> I just released 1.4.7.Final that should fix the ClassCastException that you were seeing.
>>
>> Your example code should work. What version of Undertow are you using, and do you have the JCE unlimited strength ciphers installed?
>>
>> Some versions of Undertow would attempt to enable HTTP/2 even if the required ciphers were not installed, which would result in a connection error as HTTP/2 would be negotiated with an incorrect cipher, and the browser will kill the connection as a result. This could be fixed by either installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>>
>> Stuart
>>
>> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt wrote:
>>
>> Michael, where are you getting SSLContextFactory from? I assumed it was something built-in or available in Undertow.
>>
>> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt wrote:
>>
>> Thanks guys. Michael, I'll try your code here in a bit to see if it makes any difference.
>>
>> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove wrote:
>>
>> Prematurely hit send!
>>
>> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove wrote:
>>
>>
>>
>> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt wrote:
>>
>> Hi Michael, thanks for the response. What version of Undertow are you using?
>>
>>
>> I'm using 1.3.20, so I'm a bit behind.

From matt at matthicks.com Mon Dec 12 15:25:09 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Mon, 12 Dec 2016 20:25:09 +0000
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID:

Yes, the same code works in HTTP, but if you look at the trace it looks as though it's never even getting to my code. I'm getting ERR_CONNECTION_RESET in the browser when I load the page with GET params but the page itself is loading. Something really bizarre is happening here and the referenced resources aren't coming through properly. The same exact resources though come through fine if I manually load them or if I do it from a URL without any query args. I'm still digging into this, but it seems directly related to SSL. Stuart, can you make any sense of this?

On Mon, Dec 12, 2016 at 1:24 PM Bill O'Neil wrote:

> Does the same code work in HTTP? can you post a snippet of where you read the query parameters?
>
> On Mon, Dec 12, 2016 at 1:13 PM, Hicks, Matt wrote:
>
> Sorry guys, I need to resurrect this thread.
>
> SSL is working for the most part, but it seems when I try to load any URL that has GET args it starts throwing:
>
> siteJVM[ERROR] Dec 12, 2016 12:10:41 PM org.xnio.ChannelListeners invokeChannelListener
> siteJVM[ERROR] ERROR: XNIO001007: A channel event listener threw an exception
> siteJVM[ERROR] java.lang.IllegalStateException
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedStreamSinkChannel.getBuffer(AbstractFramedStreamSinkChannel.java:578)
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel.flushSenders(AbstractFramedChannel.java:630)
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:943)
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:940)
> siteJVM[ERROR] at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> siteJVM[ERROR] at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1224)
> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275)
> siteJVM[ERROR] at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
> siteJVM[ERROR] at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>
> All over the place. It also throws XNIO000011 sometimes as well. If I load the exact same URL with no GET args it seems to load just fine. Any idea why this might be happening?
>
> On Mon, Dec 12, 2016 at 11:01 AM Hicks, Matt wrote:
>
> Stuart, I apologize for not figuring that out myself, but that was the problem. It's working correctly now.
>
> Ideally Undertow should be able to detect this internally and throw an error instead of just silently failing. I understand that this relies on the SSLContext which is not part of Undertow's code, but it seems like if there is any way to detect this scenario it would be a major convenience to avoid such pitfalls for other developers in the future.
>
> Thanks everyone for your help with this. I greatly appreciate it.
>
> On Sun, Dec 11, 2016 at 6:48 PM Stuart Douglas wrote:
>
> I have modified the example so it will now blow up if the keystore cannot be loaded:
>
> https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b
>
> Stuart
>
> On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas wrote:
>
> I also failed to run the example, until I realized that the code does not validate that the keystore is loaded correctly (passing 'null' into KeyStore.load apparently works without error).
>
> Are you sure you are actually loading the keystore correctly (maybe add a null check into the loading code)?
>
> Stuart
>
> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote:
>
> Here is the trace occurs with Http2 true and false. Issue seems to be javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
io.undertow.protocols.ssl.SslConduit$2 at 52d9523b > 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task > io.undertow.protocols.ssl.SslConduit$2 at 320a217a > 2016-12-10 11:03:03.702 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b > 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > 2016-12-10 11:03:03.714 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.715 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch > .ServerSocketChannelImpl[/127.0.0.1:8443] > 2016-12-10 11:03:03.716 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.717 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > 2016-12-10 11:03:03.718 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task > org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64 > 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener Delegating channel listener -> Accepting listener for > io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP > server (NIO) <13f5555f> > 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener Accepting listener for io.undertow.server.protocol.ht > tp.HttpOpenListener at 56f7c1e5 on channel > io.undertow.protocols.ssl.UndertowAcceptingSslChannel at 328f1eb6 > 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on > channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 > 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE io.undertow.request - Opened > connection with /127.0.0.1:56858 > 2016-12-10 
11:03:03.724 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout) > 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task > io.undertow.protocols.ssl.SslConduit$5$1 at 47e5be01 > 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE io.undertow.request.io - > Exception closing read side of SSL channel > javax.net.ssl.SSLException: Inbound closed before receiving peer's > close_notify: possible truncation attack? > at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) > at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) > at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) > at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) > at > io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612) > at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) > at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) > at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) > at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) > at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) > at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) > 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener io.undertow.server.AbstractServerConnection$CloseSetter at 3457fbeb > on channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 > 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing > resource org.xnio.nio.NioSocketStreamConnection at 1fd60afd > 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.nio - Cancelling key > 
sun.nio.ch.SelectionKeyImpl at 7da1dc1a of > java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/ > 127.0.0.1:56858] (same thread) > 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing > resource io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 > 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task > io.undertow.protocols.ssl.SslConduit$1 at 11f5487 > 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio - Running task > org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 > 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener io.undertow.server.protocol.http.HttpReadListener at 6b60e713 on > channel org.xnio.conduits.ConduitStreamSourceChannel at 60e3d137 > 2016-12-10 11:03:03.731 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.731 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing > resource io.undertow.server.protocol.http.HttpServerConnection at 4f4dae34 > 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task > io.undertow.protocols.ssl.SslConduit$2 at 348d6036 > 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > > > On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt wrote: > > Thanks Bill....I don't feel as crazy now. ;) > > On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote: > > Oops I forgot https://localhost:8443. Now it is giving me localhost > unexpectedly closed the connection. With no errors. I also don't have a > cert set up but I would think that should throw an error? > > The on startup JDK9 issue is still there. > > On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil wrote: > > Matt did you try turning on logging? Here are the two errors I get. 
Stuart > maybe you can help from this I don't know much about SSL. > > This error is on server start. I'm running JDK 8. > > java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.se > tApplicationProtocols([Ljava.lang.String;) > at java.lang.Class.getMethod(Class.java:1786) > at > io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47) > at > io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43) > at java.security.AccessController.doPrivileged(Native Method) > at > io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:422) > at java.lang.Class.newInstance(Class.java:442) > at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380) > at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) > at java.util.ServiceLoader$1.next(ServiceLoader.java:480) > at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40) > at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35) > at io.undertow.server.protocol.ht > tp.AlpnOpenListener.(AlpnOpenListener.java:67) > at io.undertow.server.protocol.ht > tp.AlpnOpenListener.(AlpnOpenListener.java:90) > at io.undertow.Undertow.start(Undertow.java:177) > at com.dartalley.function.Http2Server.main(Http2Server.java:70) > > > The following errors happen on request to the localhost:8443 from Matt's > code which leads to an empty response. 
> > 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An > IOException occurred > javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not > a handshake record > at > io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) > at > io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729) > at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567) > at > org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127) > at io.undertow.server.protocol.ht > tp.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280) > at io.undertow.server.protocol.ht > tp.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249) > at io.undertow.server.protocol.ht > tp.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60) > at > org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) > at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291) > at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286) > at > org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) > at > org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092) > at > org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) > at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128) > at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) > 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An > IOException occurred > javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not > a handshake record > at > io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) > at > 
io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) > at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748) > at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) > at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) > at > io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097) > at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) > 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An > IOException occurred > javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not > a handshake record > at > io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) > at > io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) > at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748) > at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) > at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) > at > io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097) > at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) > > > On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt wrote: > > I've updated to 1.4.7.Final, I switched to passing an Array of keyManagers > and an Array of trustManagers, I've tried commenting out ENABLE_HTTP2, I've > installed the JCE Unlimited Strength (and verified it's being used) and I'm > consistently getting ERR_CONNECTION_CLOSED when I try to connect to > https://localhost:8443 > > If I connect to http://localhost:8080 then I get the expected "Hello, > World!". 
If someone could just test that snippet and tell me if they can > repeat the problem it would be greatly appreciated. > > On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt wrote: > > Stuart, I don't think I have the JCE Unlimited Strength policy files > installed. I'll look into seeing if that's the problem. I am currently > using 1.4.6.Final. I commented out enabling of HTTP2 but I'm still getting > the same problem. It will probably be tomorrow before I can get the JCE > Unlimited Strength installed, but either way I should be seeing an error > but I am not. > > Can you check that code snippet I posted? It's a simplified version of > the example you sent me previously that just outputs "Hello, World!". If > you're able to run it and it works then perhaps there's something wrong in > my machine configuration, but I'd like some confirmation. > > On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas wrote: > > I just released 1.4.7.Final that should fix the ClassCastException that > you were seeing. > > Your example code should work. What version of Undertow are you using, and > do you have the JCE unlimited strength ciphers installed?

From matt at matthicks.com Mon Dec 12 15:27:54 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Mon, 12 Dec 2016 20:27:54 +0000
Subject: [undertow-dev] SSL Documentation

Looking at AbstractFramedStreamSinkChannel:578 the exception is caused because the channel is STATUS_CLOSED. On Mon, Dec 12, 2016 at 2:25 PM Hicks, Matt wrote: > Yes, the same code works in HTTP, but if you look at the trace it looks as > though it's never even getting to my code. I'm getting > ERR_CONNECTION_RESET in the browser when I load the page with GET params > but the page itself is loading.
Something really bizarre is happening here > and the referenced resources aren't coming through properly. The same > exact resources though come through fine if I manually load them or if I do > it from a URL without any query args. I'm still digging into this, but it > seems directly related to SSL. > > Stuart, can you make any sense of this? > > > > On Mon, Dec 12, 2016 at 1:24 PM Bill O'Neil wrote: > > Does the same code work in HTTP? can you post a snippet of where you read > the query parameters? > > On Mon, Dec 12, 2016 at 1:13 PM, Hicks, Matt wrote: > > Sorry guys, I need to resurrect this thread. > > SSL is working for the most part, but it seems when I try to load any URL > that has GET args it starts throwing: > > siteJVM[ERROR] Dec 12, 2016 12:10:41 PM org.xnio.ChannelListeners > invokeChannelListener > siteJVM[ERROR] ERROR: XNIO001007: A channel event listener threw an > exception > siteJVM[ERROR] java.lang.IllegalStateException > siteJVM[ERROR] at > io.undertow.server.protocol.framed.AbstractFramedStreamSinkChannel.getBuffer(AbstractFramedStreamSinkChannel.java:578) > siteJVM[ERROR] at > io.undertow.server.protocol.framed.AbstractFramedChannel.flushSenders(AbstractFramedChannel.java:630) > siteJVM[ERROR] at > io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:943) > siteJVM[ERROR] at > io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:940) > siteJVM[ERROR] at > org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) > siteJVM[ERROR] at > org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65) > siteJVM[ERROR] at > io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1224) > siteJVM[ERROR] at > io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275) > siteJVM[ERROR] at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) > 
siteJVM[ERROR] at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) > > All over the place. It also throws XNIO000011 sometimes as well. If I > load the exact same URL with no GET args it seems to load just fine. Any > idea why this might be happening? > > On Mon, Dec 12, 2016 at 11:01 AM Hicks, Matt wrote: > > Stuart, I apologize for not figuring that out myself, but that was the > problem. It's working correctly now. > > Ideally Undertow should be able to detect this internally and throw an > error instead of just silently failing. I understand that this relies on > the SSLContext which is not part of Undertow's code, but it seems like if > there is any way to detect this scenario it would be a major convenience to > avoid such pitfalls for other developers in the future. > > Thanks everyone for your help with this. I greatly appreciate it. > > On Sun, Dec 11, 2016 at 6:48 PM Stuart Douglas > wrote: > > I have modified the example so it will now blow up if the keystore cannot > be loaded: > > https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b > > Stuart > > On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas > wrote: > > I also failed to run the example, until I realized that the code does not > validate that the keystore is loaded correctly (passing 'null' into > KeyStore.load apparently works without error). > > Are you sure you are actually loading the keystore correctly (maybe add a > null check into the loading code)? > > Stuart > > On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote: > > Here is the trace occurs with Http2 true and false. Issue seems to be > javax.net.ssl.SSLException: Inbound closed before receiving peer's > close_notify: possible truncation attack? 
> > > On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt wrote: > > Thanks Bill....I don't feel as crazy now. ;) > > On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote: > > Oops I forgot https://localhost:8443. Now it is giving me localhost > unexpectedly closed the connection. With no errors. I also don't have a > cert set up but I would think that should throw an error? > > The on startup JDK9 issue is still there. > > On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil wrote: > > Matt did you try turning on logging? Here are the two errors I get.
> Stuart maybe you can help from this I don't know much about SSL.
>
> This error is on server start. I'm running JDK 8.
>
> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
>     at java.lang.Class.getMethod(Class.java:1786)
>     at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
>     at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>     at java.lang.Class.newInstance(Class.java:442)
>     at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>     at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>     at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>     at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
>     at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
>     at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:67)
>     at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:90)
>     at io.undertow.Undertow.start(Undertow.java:177)
>     at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>
>
> The following errors happen on request to the localhost:8443 from Matt's code which leads to an empty response.
>
> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>     at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>     at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>     at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
>     at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
>     at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
>     at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
>     at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
>     at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>     at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
>     at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>     at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>     at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
>     at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
> 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>     at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>     at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>     at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>     at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>     at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
>     at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>     at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>     at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>

From jason.greene at redhat.com Mon Dec 12 15:34:52 2016
From: jason.greene at redhat.com (Jason Greene)
Date: Mon, 12 Dec 2016 14:34:52 -0600
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References:
Message-ID: <9F75A57A-3D27-4594-845C-406582B833EE@redhat.com>

Random thought. Earlier you ran into a problem with bad content lengths, could you be hitting that again? If you disable HTTP/2 does it work for you?

> On Dec 12, 2016, at 2:27 PM, Hicks, Matt wrote:
>
> Looking at AbstractFramedStreamSinkChannel:578 the exception is caused because the channel is STATUS_CLOSED.
>
> On Mon, Dec 12, 2016 at 2:25 PM Hicks, Matt wrote:
> Yes, the same code works in HTTP, but if you look at the trace it looks as though it's never even getting to my code.
> I'm getting ERR_CONNECTION_RESET in the browser when I load the page with GET params but the page itself is loading. Something really bizarre is happening here and the referenced resources aren't coming through properly. The same exact resources though come through fine if I manually load them or if I do it from a URL without any query args. I'm still digging into this, but it seems directly related to SSL.
>
> Stuart, can you make any sense of this?
>
>
> On Mon, Dec 12, 2016 at 1:24 PM Bill O'Neil wrote:
> Does the same code work in HTTP? can you post a snippet of where you read the query parameters?
>
> On Mon, Dec 12, 2016 at 1:13 PM, Hicks, Matt wrote:
> Sorry guys, I need to resurrect this thread.
>
> SSL is working for the most part, but it seems when I try to load any URL that has GET args it starts throwing:
>
> siteJVM[ERROR] Dec 12, 2016 12:10:41 PM org.xnio.ChannelListeners invokeChannelListener
> siteJVM[ERROR] ERROR: XNIO001007: A channel event listener threw an exception
> siteJVM[ERROR] java.lang.IllegalStateException
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedStreamSinkChannel.getBuffer(AbstractFramedStreamSinkChannel.java:578)
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel.flushSenders(AbstractFramedChannel.java:630)
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:943)
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:940)
> siteJVM[ERROR] at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> siteJVM[ERROR] at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1224)
> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275)
> siteJVM[ERROR] at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
> siteJVM[ERROR] at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>
> All over the place. It also throws XNIO000011 sometimes as well. If I load the exact same URL with no GET args it seems to load just fine. Any idea why this might be happening?
>
> On Mon, Dec 12, 2016 at 11:01 AM Hicks, Matt wrote:
> Stuart, I apologize for not figuring that out myself, but that was the problem. It's working correctly now.
>
> Ideally Undertow should be able to detect this internally and throw an error instead of just silently failing. I understand that this relies on the SSLContext which is not part of Undertow's code, but it seems like if there is any way to detect this scenario it would be a major convenience to avoid such pitfalls for other developers in the future.
>
> Thanks everyone for your help with this. I greatly appreciate it.
>
> On Sun, Dec 11, 2016 at 6:48 PM Stuart Douglas wrote:
> I have modified the example so it will now blow up if the keystore cannot be loaded:
> https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b
>
> Stuart
>
> On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas wrote:
> I also failed to run the example, until I realized that the code does not validate that the keystore is loaded correctly (passing 'null' into KeyStore.load apparently works without error).
>
> Are you sure you are actually loading the keystore correctly (maybe add a null check into the loading code)?
>
> Stuart
>
> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote:
> Here is the trace occurs with Http2 true and false. Issue seems to be javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
>
> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt wrote:
> Thanks Bill....I don't feel as crazy now. ;)
>
> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote:
> Oops I forgot https://localhost:8443. Now it is giving me localhost unexpectedly closed the connection. With no errors. I also don't have a cert set up but I would think that should throw an error?
>
> The on startup JDK9 issue is still there.
>
> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil wrote:
> Matt did you try turning on logging? Here are the two errors I get. Stuart maybe you can help from this I don't know much about SSL.
>
> This error is on server start. I'm running JDK 8.
>
> The following errors happen on request to the localhost:8443 from Matt's code which leads to an empty response.
> > 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred > javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record > at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) > at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729) > at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567) > at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127) > at io.undertow.server.protocol.ht tp.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280) > at io.undertow.server.protocol.ht tp.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249) > at io.undertow.server.protocol.ht tp.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60) > at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) > at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291) > at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286) > at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) > at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092) > at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) > at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128) > at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) > 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An IOException occurred > javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record > at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) > at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) > at 
javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748) > at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) > at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) > at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097) > at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) > 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An IOException occurred > javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record > at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) > at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) -- Jason T. Greene WildFly Lead / JBoss EAP Platform Architect JBoss, a division of Red Hat From sdouglas at redhat.com Mon Dec 12 16:12:03 2016 From: sdouglas at redhat.com (Stuart Douglas) Date: Tue, 13 Dec 2016 08:12:03 +1100 Subject: [undertow-dev] SSL Documentation In-Reply-To: References: Message-ID: This looks really weird, and would usually only happen if a HTTP/2 channel was forcibly closed while in the middle of writing a response (that said we could potentially handle this better, depending on what is causing the channel to be closed). What is your handler doing?
If it is forcibly closing the channel it could account for why it works with HTTP/1 and not HTTP/2, as the flush()/close() behavior is slightly different between them (the channel contract is the same, but HTTP/1 is more likely to work if you don't stick to the contract). Stuart On Tue, Dec 13, 2016 at 7:25 AM, Hicks, Matt wrote: > Yes, the same code works in HTTP, but if you look at the trace it looks as > though it's never even getting to my code. I'm getting ERR_CONNECTION_RESET > in the browser when I load the page with GET params but the page itself is > loading. Something really bizarre is happening here and the referenced > resources aren't coming through properly. The same exact resources though > come through fine if I manually load them or if I do it from a URL without > any query args. I'm still digging into this, but it seems directly related > to SSL. > > Stuart, can you make any sense of this? > > > > On Mon, Dec 12, 2016 at 1:24 PM Bill O'Neil wrote: >> >> Does the same code work in HTTP? can you post a snippet of where you read >> the query parameters? >> >> On Mon, Dec 12, 2016 at 1:13 PM, Hicks, Matt wrote: >>> >>> Sorry guys, I need to resurrect this thread. 
>>> >>> SSL is working for the most part, but it seems when I try to load any URL >>> that has GET args it starts throwing: >>> >>> siteJVM[ERROR] Dec 12, 2016 12:10:41 PM org.xnio.ChannelListeners >>> invokeChannelListener >>> siteJVM[ERROR] ERROR: XNIO001007: A channel event listener threw an >>> exception >>> siteJVM[ERROR] java.lang.IllegalStateException >>> siteJVM[ERROR] at >>> io.undertow.server.protocol.framed.AbstractFramedStreamSinkChannel.getBuffer(AbstractFramedStreamSinkChannel.java:578) >>> siteJVM[ERROR] at >>> io.undertow.server.protocol.framed.AbstractFramedChannel.flushSenders(AbstractFramedChannel.java:630) >>> siteJVM[ERROR] at >>> io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:943) >>> siteJVM[ERROR] at >>> io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:940) >>> siteJVM[ERROR] at >>> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) >>> siteJVM[ERROR] at >>> org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65) >>> siteJVM[ERROR] at >>> io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1224) >>> siteJVM[ERROR] at >>> io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275) >>> siteJVM[ERROR] at >>> org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) >>> siteJVM[ERROR] at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) >>> >>> All over the place. It also throws XNIO000011 sometimes as well. If I >>> load the exact same URL with no GET args it seems to load just fine. Any >>> idea why this might be happening? >>> >>> On Mon, Dec 12, 2016 at 11:01 AM Hicks, Matt wrote: >>>> >>>> Stuart, I apologize for not figuring that out myself, but that was the >>>> problem. It's working correctly now. 
>>>> >>>> Ideally Undertow should be able to detect this internally and throw an >>>> error instead of just silently failing. I understand that this relies on >>>> the SSLContext which is not part of Undertow's code, but it seems like if >>>> there is any way to detect this scenario it would be a major convenience to >>>> avoid such pitfalls for other developers in the future. >>>> >>>> Thanks everyone for your help with this. I greatly appreciate it. >>>> >>>> On Sun, Dec 11, 2016 at 6:48 PM Stuart Douglas >>>> wrote: >>>>> >>>>> I have modified the example so it will now blow up if the keystore >>>>> cannot be loaded: >>>>> >>>>> https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b >>>>> >>>>> Stuart >>>>> >>>>> On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas >>>>> wrote: >>>>>> >>>>>> I also failed to run the example, until I realized that the code does >>>>>> not validate that the keystore is loaded correctly (passing 'null' into >>>>>> KeyStore.load apparently works without error). >>>>>> >>>>>> Are you sure you are actually loading the keystore correctly (maybe >>>>>> add a null check into the loading code)? >>>>>> >>>>>> Stuart >>>>>> >>>>>> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil >>>>>> wrote: >>>>>>> >>>>>>> Here is the trace occurs with Http2 true and false. Issue seems to be >>>>>>> javax.net.ssl.SSLException: Inbound closed before receiving peer's >>>>>>> close_notify: possible truncation attack? 
>>>>>>> >>>>>>> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt >>>>>>> wrote: >>>>>>>> >>>>>>>> Thanks Bill....I don't feel as crazy now. ;) >>>>>>>> >>>>>>>> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil >>>>>>>> wrote: >>>>>>>>> >>>>>>>>> Oops I forgot https://localhost:8443. Now it is giving me localhost >>>>>>>>> unexpectedly closed the connection. With no errors. I also don't have a cert >>>>>>>>> set up but I would think that should throw an error? >>>>>>>>> >>>>>>>>> The on startup JDK9 issue is still there. >>>>>>>>> >>>>>>>>> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil >>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>> Matt did you try turning on logging? Here are the two errors I >>>>>>>>>> get. Stuart maybe you can help from this I don't know much about SSL. >>>>>>>>>> >>>>>>>>>> This error is on server start. I'm running JDK 8.
>>>>>>>>>> >>>>>>>>>> java.lang.NoSuchMethodException: >>>>>>>>>> javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;) >>>>>>>>>> at java.lang.Class.getMethod(Class.java:1786) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43) >>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43) >>>>>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>>>>>>>>> Method) >>>>>>>>>> at >>>>>>>>>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>>>>>>>>> at >>>>>>>>>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>>>>>>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:422) >>>>>>>>>> at java.lang.Class.newInstance(Class.java:442) >>>>>>>>>> at >>>>>>>>>> java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380) >>>>>>>>>> at >>>>>>>>>> java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) >>>>>>>>>> at java.util.ServiceLoader$1.next(ServiceLoader.java:480) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35) >>>>>>>>>> at >>>>>>>>>> io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:67) >>>>>>>>>> at >>>>>>>>>> io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:90) >>>>>>>>>> at io.undertow.Undertow.start(Undertow.java:177) >>>>>>>>>> at com.dartalley.function.Http2Server.main(Http2Server.java:70) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> The following errors happen on request to the localhost:8443 from >>>>>>>>>> Matt's code which leads to an empty response. 
>>>>>>>>>> >>>>>>>>>> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - >>>>>>>>>> UT005013: An IOException occurred >>>>>>>>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS >>>>>>>>>> data is not a handshake record >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729) >>>>>>>>>> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567) >>>>>>>>>> at >>>>>>>>>> org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127) >>>>>>>>>> at >>>>>>>>>> io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280) >>>>>>>>>> at >>>>>>>>>> io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249) >>>>>>>>>> at >>>>>>>>>> io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60) >>>>>>>>>> at >>>>>>>>>> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) >>>>>>>>>> at >>>>>>>>>> org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291) >>>>>>>>>> at >>>>>>>>>> org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286) >>>>>>>>>> at >>>>>>>>>> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) >>>>>>>>>> at >>>>>>>>>> org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092) >>>>>>>>>> at >>>>>>>>>> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) >>>>>>>>>> at >>>>>>>>>> org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128) >>>>>>>>>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) >>>>>>>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) >>>>>>>>>> 10:42:29.091 [XNIO-1 I/O-4] 
DEBUG io.undertow.request - UT005013: >>>>>>>>>> An IOException occurred >>>>>>>>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS >>>>>>>>>> data is not a handshake record >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) >>>>>>>>>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097) >>>>>>>>>> at >>>>>>>>>> org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) >>>>>>>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) >>>>>>>>>> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: >>>>>>>>>> An IOException occurred >>>>>>>>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS >>>>>>>>>> data is not a handshake record >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) >>>>>>>>>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) >>>>>>>>>> at >>>>>>>>>> io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097) >>>>>>>>>> at >>>>>>>>>> 
org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) >>>>>>>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt >>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> I've updated to 1.4.7.Final, I switched to passing an Array of >>>>>>>>>>> keyManagers and an Array of trustManagers, I've tried commenting out >>>>>>>>>>> ENABLE_HTTP2, I've installed the JCE Unlimited Strength (and verified it's >>>>>>>>>>> being used) and I'm consistently getting ERR_CONNECTION_CLOSED when I try to >>>>>>>>>>> connect to https://localhost:8443 >>>>>>>>>>> >>>>>>>>>>> If I connect to http://localhost:8080 then I get the expected >>>>>>>>>>> "Hello, World!". If someone could just test that snippet and tell me if >>>>>>>>>>> they can repeat the problem it would be greatly appreciated. >>>>>>>>>>> >>>>>>>>>>> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt >>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Stuart, I don't think I have the JCE Unlimited Strength policy >>>>>>>>>>>> files installed. I'll look into seeing if that's the problem. I am >>>>>>>>>>>> currently using 1.4.6.Final. I commented out enabling of HTTP2 but I'm >>>>>>>>>>>> still getting the same problem. It will probably be tomorrow before I can >>>>>>>>>>>> get the JCE Unlimited Strength installed, but either way I should be seeing >>>>>>>>>>>> an error but I am not. >>>>>>>>>>>> >>>>>>>>>>>> Can you check that code snippet I posted? It's a simplified >>>>>>>>>>>> version of the example you sent me previously that just outputs "Hello, >>>>>>>>>>>> World!". If you're able to run it and it works then perhaps there's >>>>>>>>>>>> something wrong in my machine configuration, but I'd like some confirmation. >>>>>>>>>>>> >>>>>>>>>>>> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas >>>>>>>>>>>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> I just released 1.4.7.Final that should fix the >>>>>>>>>>>>> ClassCastException that you were seeing. 
>>>>>>>>>>>>>
>>>>>>>>>>>>> Your example code should work. What version of Undertow are you
>>>>>>>>>>>>> using, and do you have the JCE unlimited strength ciphers installed?
>>>>>>>>>>>>>
>

From matt at matthicks.com Mon Dec 12 16:13:35 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Mon, 12 Dec 2016 21:13:35 +0000
Subject: [undertow-dev] SSL Documentation
In-Reply-To: <9F75A57A-3D27-4594-845C-406582B833EE@redhat.com>
References: <9F75A57A-3D27-4594-845C-406582B833EE@redhat.com>
Message-ID:

Jason, you rock! Disabling HTTP/2 made it magically start working! I have
no idea why, but it seems to be consistently working now.

Stuart, it's resources in the ResourceManager that are failing for me, so
it's Undertow code that is supposed to be serving them up and handling the
channels.

On Mon, Dec 12, 2016 at 2:34 PM Jason Greene wrote:

> Random thought. Earlier you ran into a problem with bad content lengths,
> could you be hitting that again?
>
> If you disable HTTP/2 does it work for you?
>
> On Dec 12, 2016, at 2:27 PM, Hicks, Matt wrote:
>
> Looking at AbstractFramedStreamSinkChannel:578 the exception is caused
> because the channel is STATUS_CLOSED.
>
> On Mon, Dec 12, 2016 at 2:25 PM Hicks, Matt wrote:
>
> Yes, the same code works in HTTP, but if you look at the trace it looks as
> though it's never even getting to my code. I'm getting
> ERR_CONNECTION_RESET in the browser when I load the page with GET params
> but the page itself is loading. Something really bizarre is happening here
> and the referenced resources aren't coming through properly. The same
> exact resources though come through fine if I manually load them or if I do
> it from a URL without any query args. I'm still digging into this, but it
> seems directly related to SSL.
>
> Stuart, can you make any sense of this?
>
>
>
> On Mon, Dec 12, 2016 at 1:24 PM Bill O'Neil wrote:
>
> Does the same code work in HTTP? can you post a snippet of where you read
> the query parameters?
>
> On Mon, Dec 12, 2016 at 1:13 PM, Hicks, Matt wrote:
>
> Sorry guys, I need to resurrect this thread.
>
> SSL is working for the most part, but it seems when I try to load any URL
> that has GET args it starts throwing:
>
> siteJVM[ERROR] Dec 12, 2016 12:10:41 PM org.xnio.ChannelListeners invokeChannelListener
> siteJVM[ERROR] ERROR: XNIO001007: A channel event listener threw an exception
> siteJVM[ERROR] java.lang.IllegalStateException
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedStreamSinkChannel.getBuffer(AbstractFramedStreamSinkChannel.java:578)
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel.flushSenders(AbstractFramedChannel.java:630)
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:943)
> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:940)
> siteJVM[ERROR] at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> siteJVM[ERROR] at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1224)
> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275)
> siteJVM[ERROR] at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
> siteJVM[ERROR] at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>
> All over the place. It also throws XNIO000011 sometimes as well. If I
> load the exact same URL with no GET args it seems to load just fine. Any
> idea why this might be happening?
>
> On Mon, Dec 12, 2016 at 11:01 AM Hicks, Matt wrote:
>
> Stuart, I apologize for not figuring that out myself, but that was the
> problem. It's working correctly now.
>
> Ideally Undertow should be able to detect this internally and throw an
> error instead of just silently failing. I understand that this relies on
> the SSLContext which is not part of Undertow's code, but it seems like if
> there is any way to detect this scenario it would be a major convenience to
> avoid such pitfalls for other developers in the future.
>
> Thanks everyone for your help with this. I greatly appreciate it.
>
> On Sun, Dec 11, 2016 at 6:48 PM Stuart Douglas wrote:
>
> I have modified the example so it will now blow up if the keystore cannot
> be loaded:
>
> https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b
>
> Stuart
>
> On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas wrote:
>
> I also failed to run the example, until I realized that the code does not
> validate that the keystore is loaded correctly (passing 'null' into
> KeyStore.load apparently works without error).
>
> Are you sure you are actually loading the keystore correctly (maybe add a
> null check into the loading code)?
>
> Stuart
>
> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote:
>
> Here is the trace occurs with Http2 true and false. Issue seems to be
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
> > > 2016-12-10 11:03:03.669 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch > .ServerSocketChannelImpl[/127.0.0.1:8443] > 2016-12-10 11:03:03.670 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.670 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task > org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64 > 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.671 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener Delegating channel listener -> Accepting listener for > io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP > server (NIO) <13f5555f> > 2016-12-10 11:03:03.671 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch > .ServerSocketChannelImpl[/127.0.0.1:8443] > 2016-12-10 11:03:03.671 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener Accepting listener for io.undertow.server.protocol.ht > tp.HttpOpenListener at 56f7c1e5 on channel > io.undertow.protocols.ssl.UndertowAcceptingSslChannel at 328f1eb6 > 2016-12-10 11:03:03.671 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.674 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on > channel io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92 > 2016-12-10 11:03:03.675 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 
49c6180b > 2016-12-10 11:03:03.675 [XNIO-1 I/O-4] TRACE io.undertow.request - Opened > connection with /127.0.0.1:56854 > 2016-12-10 11:03:03.676 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task > org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64 > 2016-12-10 11:03:03.681 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout) > 2016-12-10 11:03:03.681 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking > listener Delegating channel listener -> Accepting listener for > io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP > server (NIO) <13f5555f> > 2016-12-10 11:03:03.683 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking > listener Accepting listener for io.undertow.server.protocol.ht > tp.HttpOpenListener at 56f7c1e5 on channel > io.undertow.protocols.ssl.UndertowAcceptingSslChannel at 328f1eb6 > 2016-12-10 11:03:03.685 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > 2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking > listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on > channel io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450 > 2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE io.undertow.request - Opened > connection with /127.0.0.1:56856 > 2016-12-10 11:03:03.690 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Selected key sun.nio.ch.SelectionKeyImpl at 673b2384 for > java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/ > 127.0.0.1:56854] > 2016-12-10 11:03:03.691 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b (with timeout) > 2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 on > channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad > 2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE 
org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout) > 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 49c6180b > 2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task > io.undertow.protocols.ssl.SslConduit$5$1 at 32b59207 > 2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task > io.undertow.protocols.ssl.SslConduit$5$1 at 7c204b59 > 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE io.undertow.request.io - > Exception closing read side of SSL channel > javax.net.ssl.SSLException: Inbound closed before receiving peer's > close_notify: possible truncation attack? > at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) > at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) > at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) > at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) > at > io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612) > at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) > at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) > at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) > at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) > at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) > at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) > 2016-12-10 11:03:03.697 [XNIO-1 I/O-4] TRACE io.undertow.request.io - > Exception closing read side of SSL channel > javax.net.ssl.SSLException: Inbound closed before receiving peer's > close_notify: possible truncation attack? 
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) > at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) > at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) > at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) > at > io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612) > at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) > at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) > at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) > at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) > at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) > at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) > 2016-12-10 11:03:03.697 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking > listener io.undertow.server.AbstractServerConnection$CloseSetter at 55df2063 > on channel io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450 > 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener io.undertow.server.AbstractServerConnection$CloseSetter at 42277317 > on channel io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92 > 2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - Closing > resource org.xnio.nio.NioSocketStreamConnection at 50bf3bfc > 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing > resource org.xnio.nio.NioSocketStreamConnection at 4196fbe > 2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.nio - Cancelling key > sun.nio.ch.SelectionKeyImpl at 4805f11b of > java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/ > 127.0.0.1:56856] (same thread) > 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.nio - Cancelling key > sun.nio.ch.SelectionKeyImpl at 673b2384 of > 
java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/ > 127.0.0.1:56854] (same thread) > 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - Closing > resource io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450 > 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.699 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing > resource io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92 > 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio - Running task > org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 > 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task > io.undertow.protocols.ssl.SslConduit$1 at 77593ca5 > 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task > io.undertow.protocols.ssl.SslConduit$1 at 3548b3ac > 2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio - Running task > org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 > 2016-12-10 11:03:03.700 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking > listener io.undertow.server.protocol.http.HttpReadListener at 6962bde3 on > channel org.xnio.conduits.ConduitStreamSourceChannel at 45125494 > 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 on > channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad > 2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - Closing > resource io.undertow.server.protocol.http.HttpServerConnection at 6cdbf711 > 2016-12-10 11:03:03.701 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing > resource io.undertow.server.protocol.http.HttpServerConnection at 4bcc5cdf > 2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task > 
io.undertow.protocols.ssl.SslConduit$2 at 52d9523b > 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task > io.undertow.protocols.ssl.SslConduit$2 at 320a217a > 2016-12-10 11:03:03.702 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b > 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > 2016-12-10 11:03:03.714 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.715 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch > .ServerSocketChannelImpl[/127.0.0.1:8443] > 2016-12-10 11:03:03.716 [XNIO-1 Accept] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 > 2016-12-10 11:03:03.717 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > 2016-12-10 11:03:03.718 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task > org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64 > 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener Delegating channel listener -> Accepting listener for > io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP > server (NIO) <13f5555f> > 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener Accepting listener for io.undertow.server.protocol.ht > tp.HttpOpenListener at 56f7c1e5 on channel > io.undertow.protocols.ssl.UndertowAcceptingSslChannel at 328f1eb6 > 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on > channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 > 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE io.undertow.request - Opened > connection with /127.0.0.1:56858 > 2016-12-10 
11:03:03.724 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout) > 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - > Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task > io.undertow.protocols.ssl.SslConduit$5$1 at 47e5be01 > 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE io.undertow.request.io - > Exception closing read side of SSL channel > javax.net.ssl.SSLException: Inbound closed before receiving peer's > close_notify: possible truncation attack? > at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) > at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) > at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) > at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) > at > io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612) > at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) > at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) > at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) > at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) > at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) > at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) > at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) > at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) > 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking > listener io.undertow.server.AbstractServerConnection$CloseSetter at 3457fbeb > on channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 > 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing > resource org.xnio.nio.NioSocketStreamConnection at 1fd60afd > 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.nio - Cancelling key > 
sun.nio.ch.SelectionKeyImpl at 7da1dc1a of java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/127.0.0.1:56858] (same thread)
> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing resource io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1
> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task io.undertow.protocols.ssl.SslConduit$1 at 11f5487
> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio - Running task org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083
> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking listener io.undertow.server.protocol.http.HttpReadListener at 6b60e713 on channel org.xnio.conduits.ConduitStreamSourceChannel at 60e3d137
> 2016-12-10 11:03:03.731 [XNIO-1 Accept] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.731 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing resource io.undertow.server.protocol.http.HttpServerConnection at 4f4dae34
> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task io.undertow.protocols.ssl.SslConduit$2 at 348d6036
> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
>
>
> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt wrote:
>
> Thanks Bill....I don't feel as crazy now. ;)
>
> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil wrote:
>
> Oops I forgot https://localhost:8443. Now it is giving me localhost
> unexpectedly closed the connection. With no errors. I also don't have a
> cert set up but I would think that should throw an error?
>
> The on startup JDK9 issue is still there.
>
> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil wrote:
>
> Matt did you try turning on logging? Here are the two errors I get. Stuart
> maybe you can help from this I don't know much about SSL.
>
> This error is on server start. I'm running JDK 8.
>
> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
> at java.lang.Class.getMethod(Class.java:1786)
> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
> at java.security.AccessController.doPrivileged(Native Method)
> at io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
> at java.lang.Class.newInstance(Class.java:442)
> at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
> at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
> at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
> at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:67)
> at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:90)
> at io.undertow.Undertow.start(Undertow.java:177)
> at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>
>
> The following errors happen on request to the localhost:8443 from Matt's
> code which leads to an empty response.
>
> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
> at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
> at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>

From sdouglas at redhat.com Mon Dec 12 16:42:33 2016
From: sdouglas at redhat.com (Stuart Douglas)
Date: Tue, 13 Dec 2016 08:42:33 +1100
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References: <9F75A57A-3D27-4594-845C-406582B833EE@redhat.com>
Message-ID:

Did this happen with every resource? I can't reproduce it on the
HTTP2Server example which is basically the same thing.

Stuart

On Tue, Dec 13, 2016 at 8:13 AM, Hicks, Matt wrote:
> Jason, you rock! Disabling HTTP/2 made it magically start working! I have
> no idea why, but it seems to be consistently working now.
>
> Stuart, it's resources in the ResourceManager that are failing for me, so
> it's Undertow code that is supposed to be serving them up and handling the
> channels.
>
> On Mon, Dec 12, 2016 at 2:34 PM Jason Greene wrote:
>>
>> Random thought. Earlier you ran into a problem with bad content lengths,
>> could you be hitting that again?
>>
>> If you disable HTTP/2 does it work for you?
>>
>> On Dec 12, 2016, at 2:27 PM, Hicks, Matt wrote:
>>
>> Looking at AbstractFramedStreamSinkChannel:578 the exception is caused
>> because the channel is STATUS_CLOSED.
>>
>> On Mon, Dec 12, 2016 at 2:25 PM Hicks, Matt wrote:
>>>
>>> Yes, the same code works in HTTP, but if you look at the trace it looks
>>> as though it's never even getting to my code. I'm getting
>>> ERR_CONNECTION_RESET in the browser when I load the page with GET params but
>>> the page itself is loading. Something really bizarre is happening here and
>>> the referenced resources aren't coming through properly. The same exact
>>> resources though come through fine if I manually load them or if I do it
>>> from a URL without any query args. I'm still digging into this, but it
>>> seems directly related to SSL.
>>>
>>> Stuart, can you make any sense of this?
>>>
>>>
>>>
>>> On Mon, Dec 12, 2016 at 1:24 PM Bill O'Neil wrote:
>>>>
>>>> Does the same code work in HTTP? can you post a snippet of where you
>>>> read the query parameters?
>>>>
>>>> On Mon, Dec 12, 2016 at 1:13 PM, Hicks, Matt wrote:
>>>>>
>>>>> Sorry guys, I need to resurrect this thread.
>>>>>
>>>>> SSL is working for the most part, but it seems when I try to load any
>>>>> URL that has GET args it starts throwing:
>>>>>
>>>>> siteJVM[ERROR] Dec 12, 2016 12:10:41 PM org.xnio.ChannelListeners invokeChannelListener
>>>>> siteJVM[ERROR] ERROR: XNIO001007: A channel event listener threw an exception
>>>>> siteJVM[ERROR] java.lang.IllegalStateException
>>>>> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedStreamSinkChannel.getBuffer(AbstractFramedStreamSinkChannel.java:578)
>>>>> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel.flushSenders(AbstractFramedChannel.java:630)
>>>>> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:943)
>>>>> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:940)
>>>>> siteJVM[ERROR] at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>>>> siteJVM[ERROR] at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
>>>>> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1224)
>>>>> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275)
>>>>> siteJVM[ERROR] at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>>>>> siteJVM[ERROR] at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>>>>>
>>>>> All over the place. It also throws XNIO000011 sometimes as well. If I
>>>>> load the exact same URL with no GET args it seems to load just fine. Any
>>>>> idea why this might be happening?
>>>>>
>>>>> On Mon, Dec 12, 2016 at 11:01 AM Hicks, Matt wrote:
>>>>>>
>>>>>> Stuart, I apologize for not figuring that out myself, but that was the
>>>>>> problem. It's working correctly now.
>>>>>>
>>>>>> Ideally Undertow should be able to detect this internally and throw an
>>>>>> error instead of just silently failing. I understand that this relies on
>>>>>> the SSLContext which is not part of Undertow's code, but it seems like if
>>>>>> there is any way to detect this scenario it would be a major convenience to
>>>>>> avoid such pitfalls for other developers in the future.
>>>>>>
>>>>>> Thanks everyone for your help with this. I greatly appreciate it.
>>>>>>
>>>>>> On Sun, Dec 11, 2016 at 6:48 PM Stuart Douglas wrote:
>>>>>>>
>>>>>>> I have modified the example so it will now blow up if the keystore
>>>>>>> cannot be loaded:
>>>>>>>
>>>>>>> https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b
>>>>>>>
>>>>>>> Stuart
>>>>>>>
>>>>>>> On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas wrote:
>>>>>>>>
>>>>>>>> I also failed to run the example, until I realized that the code
>>>>>>>> does not validate that the keystore is loaded correctly (passing 'null' into
>>>>>>>> KeyStore.load apparently works without error).
>>>>>>>>
>>>>>>>> Are you sure you are actually loading the keystore correctly (maybe
>>>>>>>> add a null check into the loading code)?
>>>>>>>>
>>>>>>>> Stuart
>>>>>>>>
>>>>>>>> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote:
>>>>>>>>>
>>>>>>>>> Here is the trace occurs with Http2 true and false. Issue seems to
>>>>>>>>> be javax.net.ssl.SSLException: Inbound closed before receiving peer's
>>>>>>>>> close_notify: possible truncation attack?
>>>>>>>>> >>>>>>>>> >>>>>>>>> 2016-12-10 11:03:03.669 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 >>>>>>>>> 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for >>>>>>>>> sun.nio.ch.ServerSocketChannelImpl[/127.0.0.1:8443] >>>>>>>>> 2016-12-10 11:03:03.670 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >>>>>>>>> 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 >>>>>>>>> 2016-12-10 11:03:03.670 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running >>>>>>>>> task org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64 >>>>>>>>> 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 >>>>>>>>> 2016-12-10 11:03:03.671 [XNIO-1 I/O-4] TRACE org.xnio.listener - >>>>>>>>> Invoking listener Delegating channel listener -> Accepting listener for >>>>>>>>> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP >>>>>>>>> server (NIO) <13f5555f> >>>>>>>>> 2016-12-10 11:03:03.671 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for >>>>>>>>> sun.nio.ch.ServerSocketChannelImpl[/127.0.0.1:8443] >>>>>>>>> 2016-12-10 11:03:03.671 [XNIO-1 I/O-4] TRACE org.xnio.listener - >>>>>>>>> Invoking listener Accepting listener for >>>>>>>>> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel >>>>>>>>> io.undertow.protocols.ssl.UndertowAcceptingSslChannel at 328f1eb6 >>>>>>>>> 2016-12-10 11:03:03.671 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 >>>>>>>>> 2016-12-10 11:03:03.674 [XNIO-1 I/O-4] TRACE org.xnio.listener - >>>>>>>>> Invoking listener 
io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 >>>>>>>>> on channel io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92 >>>>>>>>> 2016-12-10 11:03:03.675 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 49c6180b >>>>>>>>> 2016-12-10 11:03:03.675 [XNIO-1 I/O-4] TRACE io.undertow.request - >>>>>>>>> Opened connection with /127.0.0.1:56854 >>>>>>>>> 2016-12-10 11:03:03.676 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running >>>>>>>>> task org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64 >>>>>>>>> 2016-12-10 11:03:03.681 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout) >>>>>>>>> 2016-12-10 11:03:03.681 [XNIO-1 I/O-2] TRACE org.xnio.listener - >>>>>>>>> Invoking listener Delegating channel listener -> Accepting listener for >>>>>>>>> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP >>>>>>>>> server (NIO) <13f5555f> >>>>>>>>> 2016-12-10 11:03:03.683 [XNIO-1 I/O-2] TRACE org.xnio.listener - >>>>>>>>> Invoking listener Accepting listener for >>>>>>>>> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel >>>>>>>>> io.undertow.protocols.ssl.UndertowAcceptingSslChannel at 328f1eb6 >>>>>>>>> 2016-12-10 11:03:03.685 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >>>>>>>>> 2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE org.xnio.listener - >>>>>>>>> Invoking listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 >>>>>>>>> on channel io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450 >>>>>>>>> 2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE io.undertow.request - >>>>>>>>> Opened connection with /127.0.0.1:56856 >>>>>>>>> 2016-12-10 11:03:03.690 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector >>>>>>>>> - Selected key sun.nio.ch.SelectionKeyImpl at 673b2384 for >>>>>>>>> java.nio.channels.SocketChannel[connected 
local=/127.0.0.1:8443 >>>>>>>>> remote=/127.0.0.1:56854] >>>>>>>>> 2016-12-10 11:03:03.691 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b (with timeout) >>>>>>>>> 2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE org.xnio.listener - >>>>>>>>> Invoking listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 >>>>>>>>> on channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad >>>>>>>>> 2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout) >>>>>>>>> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 49c6180b >>>>>>>>> 2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >>>>>>>>> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$5$1 at 32b59207 >>>>>>>>> 2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$5$1 at 7c204b59 >>>>>>>>> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE io.undertow.request.io >>>>>>>>> - Exception closing read side of SSL channel >>>>>>>>> javax.net.ssl.SSLException: Inbound closed before receiving peer's >>>>>>>>> close_notify: possible truncation attack? 
>>>>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) >>>>>>>>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) >>>>>>>>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) >>>>>>>>> at >>>>>>>>> sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612) >>>>>>>>> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) >>>>>>>>> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) >>>>>>>>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) >>>>>>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) >>>>>>>>> 2016-12-10 11:03:03.697 [XNIO-1 I/O-4] TRACE io.undertow.request.io >>>>>>>>> - Exception closing read side of SSL channel >>>>>>>>> javax.net.ssl.SSLException: Inbound closed before receiving peer's >>>>>>>>> close_notify: possible truncation attack? 
>>>>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) >>>>>>>>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) >>>>>>>>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) >>>>>>>>> at >>>>>>>>> sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612) >>>>>>>>> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) >>>>>>>>> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) >>>>>>>>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) >>>>>>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) >>>>>>>>> 2016-12-10 11:03:03.697 [XNIO-1 I/O-2] TRACE org.xnio.listener - >>>>>>>>> Invoking listener >>>>>>>>> io.undertow.server.AbstractServerConnection$CloseSetter at 55df2063 on channel >>>>>>>>> io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450 >>>>>>>>> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.listener - >>>>>>>>> Invoking listener >>>>>>>>> io.undertow.server.AbstractServerConnection$CloseSetter at 42277317 on channel >>>>>>>>> io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92 >>>>>>>>> 2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - >>>>>>>>> Closing resource org.xnio.nio.NioSocketStreamConnection at 50bf3bfc >>>>>>>>> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >>>>>>>>> Closing resource org.xnio.nio.NioSocketStreamConnection at 4196fbe >>>>>>>>> 2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.nio - >>>>>>>>> Cancelling key 
sun.nio.ch.SelectionKeyImpl at 4805f11b of >>>>>>>>> java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 >>>>>>>>> remote=/127.0.0.1:56856] (same thread) >>>>>>>>> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.nio - >>>>>>>>> Cancelling key sun.nio.ch.SelectionKeyImpl at 673b2384 of >>>>>>>>> java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 >>>>>>>>> remote=/127.0.0.1:56854] (same thread) >>>>>>>>> 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - >>>>>>>>> Closing resource io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450 >>>>>>>>> 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 >>>>>>>>> 2016-12-10 11:03:03.699 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >>>>>>>>> Closing resource io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92 >>>>>>>>> 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio - >>>>>>>>> Running task org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 >>>>>>>>> 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$1 at 77593ca5 >>>>>>>>> 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$1 at 3548b3ac >>>>>>>>> 2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio - >>>>>>>>> Running task org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 >>>>>>>>> 2016-12-10 11:03:03.700 [XNIO-1 I/O-2] TRACE org.xnio.listener - >>>>>>>>> Invoking listener io.undertow.server.protocol.http.HttpReadListener at 6962bde3 >>>>>>>>> on channel org.xnio.conduits.ConduitStreamSourceChannel at 45125494 >>>>>>>>> 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.listener - >>>>>>>>> Invoking listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 >>>>>>>>> on channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad >>>>>>>>> 2016-12-10 11:03:03.700 [XNIO-1 
Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 >>>>>>>>> 2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - >>>>>>>>> Closing resource >>>>>>>>> io.undertow.server.protocol.http.HttpServerConnection at 6cdbf711 >>>>>>>>> 2016-12-10 11:03:03.701 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >>>>>>>>> Closing resource >>>>>>>>> io.undertow.server.protocol.http.HttpServerConnection at 4bcc5cdf >>>>>>>>> 2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$2 at 52d9523b >>>>>>>>> 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$2 at 320a217a >>>>>>>>> 2016-12-10 11:03:03.702 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b >>>>>>>>> 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >>>>>>>>> 2016-12-10 11:03:03.714 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 >>>>>>>>> 2016-12-10 11:03:03.715 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for >>>>>>>>> sun.nio.ch.ServerSocketChannelImpl[/127.0.0.1:8443] >>>>>>>>> 2016-12-10 11:03:03.716 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 >>>>>>>>> 2016-12-10 11:03:03.717 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >>>>>>>>> 2016-12-10 11:03:03.718 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running >>>>>>>>> task org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64 >>>>>>>>> 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - >>>>>>>>> Invoking listener Delegating channel listener -> Accepting listener 
for >>>>>>>>> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP >>>>>>>>> server (NIO) <13f5555f> >>>>>>>>> 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - >>>>>>>>> Invoking listener Accepting listener for >>>>>>>>> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel >>>>>>>>> io.undertow.protocols.ssl.UndertowAcceptingSslChannel at 328f1eb6 >>>>>>>>> 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE org.xnio.listener - >>>>>>>>> Invoking listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 >>>>>>>>> on channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 >>>>>>>>> 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE io.undertow.request - >>>>>>>>> Opened connection with /127.0.0.1:56858 >>>>>>>>> 2016-12-10 11:03:03.724 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout) >>>>>>>>> 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >>>>>>>>> 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$5$1 at 47e5be01 >>>>>>>>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE io.undertow.request.io >>>>>>>>> - Exception closing read side of SSL channel >>>>>>>>> javax.net.ssl.SSLException: Inbound closed before receiving peer's >>>>>>>>> close_notify: possible truncation attack? 
>>>>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) >>>>>>>>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) >>>>>>>>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) >>>>>>>>> at >>>>>>>>> sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612) >>>>>>>>> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) >>>>>>>>> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) >>>>>>>>> at >>>>>>>>> io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) >>>>>>>>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) >>>>>>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) >>>>>>>>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.listener - >>>>>>>>> Invoking listener >>>>>>>>> io.undertow.server.AbstractServerConnection$CloseSetter at 3457fbeb on channel >>>>>>>>> io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 >>>>>>>>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >>>>>>>>> Closing resource org.xnio.nio.NioSocketStreamConnection at 1fd60afd >>>>>>>>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.nio - >>>>>>>>> Cancelling key sun.nio.ch.SelectionKeyImpl at 7da1dc1a of >>>>>>>>> java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 >>>>>>>>> remote=/127.0.0.1:56858] (same thread) >>>>>>>>> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >>>>>>>>> Closing resource io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 >>>>>>>>> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - 
Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 >>>>>>>>> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$1 at 11f5487 >>>>>>>>> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio - >>>>>>>>> Running task org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 >>>>>>>>> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.listener - >>>>>>>>> Invoking listener io.undertow.server.protocol.http.HttpReadListener at 6b60e713 >>>>>>>>> on channel org.xnio.conduits.ConduitStreamSourceChannel at 60e3d137 >>>>>>>>> 2016-12-10 11:03:03.731 [XNIO-1 Accept] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 >>>>>>>>> 2016-12-10 11:03:03.731 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - >>>>>>>>> Closing resource >>>>>>>>> io.undertow.server.protocol.http.HttpServerConnection at 4f4dae34 >>>>>>>>> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$2 at 348d6036 >>>>>>>>> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 >>>>>>>>> >>>>>>>>> >>>>>>>>> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt >>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>> Thanks Bill....I don't feel as crazy now. ;) >>>>>>>>>> >>>>>>>>>> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil >>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> Oops I forgot https://localhost:8443. Now it is giving me >>>>>>>>>>> localhost unexpectedly closed the connection. With no errors. I also don't >>>>>>>>>>> have a cert set up but I would think that should throw an error? >>>>>>>>>>> >>>>>>>>>>> The on startup JDK9 issue is still there. >>>>>>>>>>> >>>>>>>>>>> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil >>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Matt did you try turning on logging? Here are the two errors I >>>>>>>>>>>> get. 
Stuart maybe you can help from this I don't know much about SSL.
>>>>>>>>>>>>
>>>>>>>>>>>> This error is on server start. I'm running JDK 8.
>>>>>>>>>>>>
>>>>>>>>>>>> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
>>>>>>>>>>>> at java.lang.Class.getMethod(Class.java:1786)
>>>>>>>>>>>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
>>>>>>>>>>>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
>>>>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>>>>>> at io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43)
>>>>>>>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>>>>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>>>>>>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>>>>>>>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>>>>>>>>>>> at java.lang.Class.newInstance(Class.java:442)
>>>>>>>>>>>> at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>>>>>>>>>>>> at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>>>>>>>>>>>> at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>>>>>>>>>>>> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
>>>>>>>>>>>> at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
>>>>>>>>>>>> at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:67)
>>>>>>>>>>>> at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:90)
>>>>>>>>>>>> at io.undertow.Undertow.start(Undertow.java:177)
>>>>>>>>>>>> at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>>>>>>>>>>>>
>>>>>>>>>>>> The following errors happen on request to the localhost:8443 from Matt's code which leads to an empty response.
>>>>>>>>>>>>
>>>>>>>>>>>> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred
>>>>>>>>>>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>>>>>>>>>>>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>>>>>>>>>>>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>>>>>>>>>>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
>>>>>>>>>>>> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
>>>>>>>>>>>> at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
>>>>>>>>>>>> at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
>>>>>>>>>>>> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
>>>>>>>>>>>> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
>>>>>>>>>>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>>>>>>>>>>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
>>>>>>>>>>>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
>>>>>>>>>>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>>>>>>>>>>> at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
>>>>>>>>>>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)

From matt at matthicks.com Mon Dec 12 20:31:45 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Tue, 13 Dec 2016 01:31:45 +0000
Subject: [undertow-dev] SSL Documentation
In-Reply-To:
References: <9F75A57A-3D27-4594-845C-406582B833EE@redhat.com>
Message-ID:

I'm not sure if every resource was killed, but it was definitely most of them. It only happened with HTTP/2 enabled, SSL enabled, and with GET args in the URL. If I change any of those three factors everything works fine. I know...crazy situation.

On Mon, Dec 12, 2016 at 3:42 PM Stuart Douglas wrote:
> Did this happen with every resource? I can't reproduce it on the HTTP2Server example which is basically the same thing.
>
> Stuart
>
> On Tue, Dec 13, 2016 at 8:13 AM, Hicks, Matt wrote:
> > Jason, you rock! Disabling HTTP/2 made it magically start working! I have no idea why, but it seems to be consistently working now.
> >
> > Stuart, it's resources in the ResourceManager that are failing for me, so it's Undertow code that is supposed to be serving them up and handling the channels.
> >
> > On Mon, Dec 12, 2016 at 2:34 PM Jason Greene wrote:
> >>
> >> Random thought. Earlier you ran into a problem with bad content lengths, could you be hitting that again?
> >>
> >> If you disable HTTP/2 does it work for you?
> >>
> >> On Dec 12, 2016, at 2:27 PM, Hicks, Matt wrote:
> >>
> >> Looking at AbstractFramedStreamSinkChannel:578 the exception is caused because the channel is STATUS_CLOSED.
> >>
> >> On Mon, Dec 12, 2016 at 2:25 PM Hicks, Matt wrote:
> >>>
> >>> Yes, the same code works in HTTP, but if you look at the trace it looks as though it's never even getting to my code. I'm getting ERR_CONNECTION_RESET in the browser when I load the page with GET params but the page itself is loading. Something really bizarre is happening here and the referenced resources aren't coming through properly. The same exact resources though come through fine if I manually load them or if I do it from a URL without any query args. I'm still digging into this, but it seems directly related to SSL.
> >>>
> >>> Stuart, can you make any sense of this?
> >>>
> >>> On Mon, Dec 12, 2016 at 1:24 PM Bill O'Neil wrote:
> >>>>
> >>>> Does the same code work in HTTP? can you post a snippet of where you read the query parameters?
> >>>>
> >>>> On Mon, Dec 12, 2016 at 1:13 PM, Hicks, Matt wrote:
> >>>>>
> >>>>> Sorry guys, I need to resurrect this thread.
> >>>>>
> >>>>> SSL is working for the most part, but it seems when I try to load any URL that has GET args it starts throwing:
> >>>>>
> >>>>> siteJVM[ERROR] Dec 12, 2016 12:10:41 PM org.xnio.ChannelListeners invokeChannelListener
> >>>>> siteJVM[ERROR] ERROR: XNIO001007: A channel event listener threw an exception
> >>>>> siteJVM[ERROR] java.lang.IllegalStateException
> >>>>> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedStreamSinkChannel.getBuffer(AbstractFramedStreamSinkChannel.java:578)
> >>>>> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel.flushSenders(AbstractFramedChannel.java:630)
> >>>>> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:943)
> >>>>> siteJVM[ERROR] at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameWriteListener.handleEvent(AbstractFramedChannel.java:940)
> >>>>> siteJVM[ERROR] at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> >>>>> siteJVM[ERROR] at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
> >>>>> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1224)
> >>>>> siteJVM[ERROR] at io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275)
> >>>>> siteJVM[ERROR] at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
> >>>>> siteJVM[ERROR] at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
> >>>>>
> >>>>> All over the place. It also throws XNIO000011 sometimes as well. If I load the exact same URL with no GET args it seems to load just fine. Any idea why this might be happening?
> >>>>>
> >>>>> On Mon, Dec 12, 2016 at 11:01 AM Hicks, Matt wrote:
> >>>>>>
> >>>>>> Stuart, I apologize for not figuring that out myself, but that was the problem. It's working correctly now.
> >>>>>>
> >>>>>> Ideally Undertow should be able to detect this internally and throw an error instead of just silently failing. I understand that this relies on the SSLContext which is not part of Undertow's code, but it seems like if there is any way to detect this scenario it would be a major convenience to avoid such pitfalls for other developers in the future.
> >>>>>>
> >>>>>> Thanks everyone for your help with this. I greatly appreciate it.
> >>>>>>
> >>>>>> On Sun, Dec 11, 2016 at 6:48 PM Stuart Douglas wrote:
> >>>>>>>
> >>>>>>> I have modified the example so it will now blow up if the keystore cannot be loaded:
> >>>>>>>
> >>>>>>> https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b
> >>>>>>>
> >>>>>>> Stuart
> >>>>>>>
> >>>>>>> On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas wrote:
> >>>>>>>>
> >>>>>>>> I also failed to run the example, until I realized that the code does not validate that the keystore is loaded correctly (passing 'null' into KeyStore.load apparently works without error).
> >>>>>>>>
> >>>>>>>> Are you sure you are actually loading the keystore correctly (maybe add a null check into the loading code)?
> >>>>>>>>
> >>>>>>>> Stuart
> >>>>>>>>
> >>>>>>>> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil wrote:
> >>>>>>>>>
> >>>>>>>>> Here is the trace occurs with Http2 true and false. Issue seems to be javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.nio - > >>>>>>>>> Cancelling key sun.nio.ch.SelectionKeyImpl at 4805f11b of > >>>>>>>>> java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 > >>>>>>>>> remote=/127.0.0.1:56856] (same thread) > >>>>>>>>> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.nio - > >>>>>>>>> Cancelling key sun.nio.ch.SelectionKeyImpl at 673b2384 of > >>>>>>>>> java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 > >>>>>>>>> remote=/127.0.0.1:56854] (same thread) > >>>>>>>>> 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.safe-close > - > >>>>>>>>> Closing resource > io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450 > >>>>>>>>> 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE > org.xnio.nio.selector > >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 > >>>>>>>>> 2016-12-10 11:03:03.699 [XNIO-1 I/O-4] TRACE org.xnio.safe-close > - > >>>>>>>>> Closing resource > io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92 > >>>>>>>>> 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio - > >>>>>>>>> Running task org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 > >>>>>>>>> 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.nio - > Running > >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$1 at 77593ca5 > >>>>>>>>> 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.nio - > Running > >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$1 at 3548b3ac > >>>>>>>>> 2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio - > >>>>>>>>> Running task org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 > >>>>>>>>> 2016-12-10 11:03:03.700 [XNIO-1 I/O-2] TRACE org.xnio.listener - > >>>>>>>>> Invoking listener > io.undertow.server.protocol.http.HttpReadListener at 6962bde3 > >>>>>>>>> on channel org.xnio.conduits.ConduitStreamSourceChannel at 45125494 > >>>>>>>>> 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.listener - > >>>>>>>>> Invoking listener > 
io.undertow.server.protocol.http.HttpReadListener at 255c6481 > >>>>>>>>> on channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad > >>>>>>>>> 2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE > org.xnio.nio.selector > >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 > >>>>>>>>> 2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.safe-close > - > >>>>>>>>> Closing resource > >>>>>>>>> io.undertow.server.protocol.http.HttpServerConnection at 6cdbf711 > >>>>>>>>> 2016-12-10 11:03:03.701 [XNIO-1 I/O-4] TRACE org.xnio.safe-close > - > >>>>>>>>> Closing resource > >>>>>>>>> io.undertow.server.protocol.http.HttpServerConnection at 4bcc5cdf > >>>>>>>>> 2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.nio - > Running > >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$2 at 52d9523b > >>>>>>>>> 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio - > Running > >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$2 at 320a217a > >>>>>>>>> 2016-12-10 11:03:03.702 [XNIO-1 I/O-2] TRACE > org.xnio.nio.selector > >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b > >>>>>>>>> 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE > org.xnio.nio.selector > >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > >>>>>>>>> 2016-12-10 11:03:03.714 [XNIO-1 Accept] TRACE > org.xnio.nio.selector > >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 > >>>>>>>>> 2016-12-10 11:03:03.715 [XNIO-1 Accept] TRACE > org.xnio.nio.selector > >>>>>>>>> - Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for > >>>>>>>>> sun.nio.ch.ServerSocketChannelImpl[/127.0.0.1:8443] > >>>>>>>>> 2016-12-10 11:03:03.716 [XNIO-1 Accept] TRACE > org.xnio.nio.selector > >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 > >>>>>>>>> 2016-12-10 11:03:03.717 [XNIO-1 I/O-4] TRACE > org.xnio.nio.selector > >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > >>>>>>>>> 2016-12-10 11:03:03.718 
[XNIO-1 I/O-4] TRACE org.xnio.nio - > Running > >>>>>>>>> task org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64 > >>>>>>>>> 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - > >>>>>>>>> Invoking listener Delegating channel listener -> Accepting > listener for > >>>>>>>>> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on > channel TCP > >>>>>>>>> server (NIO) <13f5555f> > >>>>>>>>> 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - > >>>>>>>>> Invoking listener Accepting listener for > >>>>>>>>> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on > channel > >>>>>>>>> io.undertow.protocols.ssl.UndertowAcceptingSslChannel at 328f1eb6 > >>>>>>>>> 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE org.xnio.listener - > >>>>>>>>> Invoking listener > io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 > >>>>>>>>> on channel > io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 > >>>>>>>>> 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE io.undertow.request > - > >>>>>>>>> Opened connection with /127.0.0.1:56858 > >>>>>>>>> 2016-12-10 11:03:03.724 [XNIO-1 I/O-4] TRACE > org.xnio.nio.selector > >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > (with timeout) > >>>>>>>>> 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE > org.xnio.nio.selector > >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > >>>>>>>>> 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio - > Running > >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$5$1 at 47e5be01 > >>>>>>>>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE > io.undertow.request.io > >>>>>>>>> - Exception closing read side of SSL channel > >>>>>>>>> javax.net.ssl.SSLException: Inbound closed before receiving > peer's > >>>>>>>>> close_notify: possible truncation attack? 
> >>>>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) > >>>>>>>>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) > >>>>>>>>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) > >>>>>>>>> at > >>>>>>>>> > sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) > >>>>>>>>> at > >>>>>>>>> > io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612) > >>>>>>>>> at > io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983) > >>>>>>>>> at > io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078) > >>>>>>>>> at > >>>>>>>>> > io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799) > >>>>>>>>> at > >>>>>>>>> > io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645) > >>>>>>>>> at > >>>>>>>>> > io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63) > >>>>>>>>> at > >>>>>>>>> > io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045) > >>>>>>>>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) > >>>>>>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) > >>>>>>>>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.listener - > >>>>>>>>> Invoking listener > >>>>>>>>> io.undertow.server.AbstractServerConnection$CloseSetter at 3457fbeb > on channel > >>>>>>>>> io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 > >>>>>>>>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.safe-close > - > >>>>>>>>> Closing resource org.xnio.nio.NioSocketStreamConnection at 1fd60afd > >>>>>>>>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.nio - > >>>>>>>>> Cancelling key sun.nio.ch.SelectionKeyImpl at 7da1dc1a of > >>>>>>>>> java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 > >>>>>>>>> remote=/127.0.0.1:56858] (same thread) > >>>>>>>>> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.safe-close > - > >>>>>>>>> Closing resource > io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1 > 
>>>>>>>>> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE > org.xnio.nio.selector > >>>>>>>>> - Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479 > >>>>>>>>> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.nio - > Running > >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$1 at 11f5487 > >>>>>>>>> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio - > >>>>>>>>> Running task org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083 > >>>>>>>>> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.listener - > >>>>>>>>> Invoking listener > io.undertow.server.protocol.http.HttpReadListener at 6b60e713 > >>>>>>>>> on channel org.xnio.conduits.ConduitStreamSourceChannel at 60e3d137 > >>>>>>>>> 2016-12-10 11:03:03.731 [XNIO-1 Accept] TRACE > org.xnio.nio.selector > >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479 > >>>>>>>>> 2016-12-10 11:03:03.731 [XNIO-1 I/O-4] TRACE org.xnio.safe-close > - > >>>>>>>>> Closing resource > >>>>>>>>> io.undertow.server.protocol.http.HttpServerConnection at 4f4dae34 > >>>>>>>>> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio - > Running > >>>>>>>>> task io.undertow.protocols.ssl.SslConduit$2 at 348d6036 > >>>>>>>>> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE > org.xnio.nio.selector > >>>>>>>>> - Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt < > matt at matthicks.com> > >>>>>>>>> wrote: > >>>>>>>>>> > >>>>>>>>>> Thanks Bill....I don't feel as crazy now. ;) > >>>>>>>>>> > >>>>>>>>>> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil > > >>>>>>>>>> wrote: > >>>>>>>>>>> > >>>>>>>>>>> Oops I forgot https://localhost:8443. Now it is giving me > >>>>>>>>>>> localhost unexpectedly closed the connection. With no errors. > I also don't > >>>>>>>>>>> have a cert set up but I would think that should throw an > error? > >>>>>>>>>>> > >>>>>>>>>>> The on startup JDK9 issue is still there. 
> >>>>>>>>>>> > >>>>>>>>>>> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil > >>>>>>>>>>> wrote: > >>>>>>>>>>>> > >>>>>>>>>>>> Matt did you try turning on logging? Here are the two errors I > >>>>>>>>>>>> get. Stuart maybe you can help from this I don't know much > about SSL. > >>>>>>>>>>>> > >>>>>>>>>>>> This error is on server start. I'm running JDK 8. > >>>>>>>>>>>> > >>>>>>>>>>>> java.lang.NoSuchMethodException: > >>>>>>>>>>>> > javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;) > >>>>>>>>>>>> at java.lang.Class.getMethod(Class.java:1786) > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47) > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43) > >>>>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method) > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43) > >>>>>>>>>>>> at > sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > >>>>>>>>>>>> Method) > >>>>>>>>>>>> at > >>>>>>>>>>>> > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > >>>>>>>>>>>> at > >>>>>>>>>>>> > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > >>>>>>>>>>>> at > >>>>>>>>>>>> > java.lang.reflect.Constructor.newInstance(Constructor.java:422) > >>>>>>>>>>>> at java.lang.Class.newInstance(Class.java:442) > >>>>>>>>>>>> at > >>>>>>>>>>>> > java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380) > >>>>>>>>>>>> at > >>>>>>>>>>>> > java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) > >>>>>>>>>>>> at java.util.ServiceLoader$1.next(ServiceLoader.java:480) > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40) > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35) > >>>>>>>>>>>> at > 
>>>>>>>>>>>> > io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:67) > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:90) > >>>>>>>>>>>> at io.undertow.Undertow.start(Undertow.java:177) > >>>>>>>>>>>> at > com.dartalley.function.Http2Server.main(Http2Server.java:70) > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> The following errors happen on request to the localhost:8443 > >>>>>>>>>>>> from Matt's code which leads to an empty response. > >>>>>>>>>>>> > >>>>>>>>>>>> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - > >>>>>>>>>>>> UT005013: An IOException occurred > >>>>>>>>>>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS > >>>>>>>>>>>> data is not a handshake record > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84) > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205) > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729) > >>>>>>>>>>>> at > >>>>>>>>>>>> io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567) > >>>>>>>>>>>> at > >>>>>>>>>>>> > org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127) > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280) > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249) > >>>>>>>>>>>> at > >>>>>>>>>>>> > io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60) > >>>>>>>>>>>> at > >>>>>>>>>>>> > org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) > >>>>>>>>>>>> at > >>>>>>>>>>>> > org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291) > >>>>>>>>>>>> at > 
>>>>>>>>>>>> > org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
> >>>>>>>>>>>> at
> >>>>>>>>>>>> > org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> >>>>>>>>>>>> at
> >>>>>>>>>>>> > org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
> >>>>>>>>>>>> at
> >>>>>>>>>>>> > org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> >
> >
> > _______________________________________________
> > undertow-dev mailing list
> > undertow-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/undertow-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161213/bf4c824d/attachment-0001.html

From matt at matthicks.com Wed Dec 14 18:26:27 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Wed, 14 Dec 2016 23:26:27 +0000
Subject: [undertow-dev] Proxying SSL
Message-ID:

In
https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
a LoadBalancingProxyClient and a reverse proxy server are being used to proxy HTTPS, but is all of that necessary?

I'm attempting to proxy from my current code:

SimpleProxyClientProvider proxyClient = new SimpleProxyClientProvider(uri);
ProxyHandler proxyHandler = Handlers.proxyHandler(proxyClient);

To add support to proxy SSL. The proxying is local and both the originating server and the server being proxied to are using the exact same SSL certificate. Is there something I can add to this to make it work right, or do I have to create a LoadBalancingProxyClient?
-------------- next part --------------
An HTML attachment was scrubbed...
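An added example, not code from the thread or from the Undertow project, of the LoadBalancingProxyClient setup asked about above: an HTTPS listener that proxies to one HTTPS backend, with the outbound side trusting only the certificates in a trust store. The store file names, the STORE_PASSWORD variable, the backend address and the pool sizes are assumptions.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.protocols.ssl.UndertowXnioSsl;
import io.undertow.server.handlers.proxy.LoadBalancingProxyClient;
import io.undertow.server.handlers.proxy.ProxyHandler;
import org.xnio.OptionMap;
import org.xnio.Xnio;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Objects;

public class HttpsProxyExample {

    // Assumed values, not from the thread.
    static final Path KEY_STORE = Paths.get("server.p12");          // server key + certificate
    static final Path TRUST_STORE = Paths.get("backend-trust.p12"); // backend certificate only
    static final URI BACKEND = URI.create("https://localhost:9443");

    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Context for the listener: presents the server certificate to clients. */
    static SSLContext serverContext(KeyStore keys, char[] password) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Context for the proxy's outbound side: trusts only what the trust store holds. */
    static SSLContext backendContext(KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Replaces the SimpleProxyClientProvider from the question with a pooled client. */
    static ProxyHandler proxyTo(URI backend, SSLContext backendCtx) {
        LoadBalancingProxyClient client = new LoadBalancingProxyClient();
        // Passing an XnioSsl makes the proxy speak TLS to the backend.
        client.addHost(backend,
                new UndertowXnioSsl(Xnio.getInstance(), OptionMap.EMPTY, backendCtx));
        // The replies in this thread give 10 as the default per IO thread,
        // with one IO thread per processor.
        client.setConnectionsPerThread(20);
        // Requests held back while every backend connection is busy.
        client.setMaxQueueSize(50);
        return Handlers.proxyHandler(client);
    }

    public static void main(String[] args) throws Exception {
        char[] password = Objects.requireNonNull(
                System.getenv("STORE_PASSWORD"), "STORE_PASSWORD is not set").toCharArray();
        SSLContext server = serverContext(load(KEY_STORE, password), password);
        SSLContext backend = backendContext(load(TRUST_STORE, password));

        Undertow.builder()
                .addHttpsListener(8443, "localhost", server)
                .setHandler(proxyTo(BACKEND, backend))
                .build()
                .start();
    }
}
```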
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161214/1baa707b/attachment.html

From sdouglas at redhat.com Wed Dec 14 18:34:07 2016
From: sdouglas at redhat.com (Stuart Douglas)
Date: Thu, 15 Dec 2016 10:34:07 +1100
Subject: [undertow-dev] Proxying SSL
In-Reply-To:
References:
Message-ID:

In general you are much better off using LoadBalancingProxyClient (even if there is only one server). SimpleProxyClient uses a 1-1 connection mapping, while LoadBalancingProxyClient uses connection pools and in general is much more sophisticated.

I am not sure what to do about SimpleProxyClient, I think it should probably just be deprecated and removed in a future release.

Stuart

On Thu, Dec 15, 2016 at 10:26 AM, Hicks, Matt wrote:
> In
> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
> a LoadBalancingProxyClient and a reverse proxy server are being used to
> proxy HTTPS, but is all of that necessary?
>
> I'm attempting to proxy from my current code:
>
> SimpleProxyClientProvider proxyClient = new SimpleProxyClientProvider(uri);
> ProxyHandler proxyHandler = Handlers.proxyHandler(proxyClient);
>
> To add support to proxy SSL. The proxying is local and both the originating
> server and the server being proxied to are using the exact same SSL
> certificate. Is there something I can add to this to make it work right, or
> do I have to create a LoadBalancingProxyClient?
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev

From matt at matthicks.com Wed Dec 14 18:37:48 2016
From: matt at matthicks.com (Hicks, Matt)
Date: Wed, 14 Dec 2016 23:37:48 +0000
Subject: [undertow-dev] Proxying SSL
In-Reply-To:
References:
Message-ID:

Thanks for the info Stuart. I'll switch. LoadBalancingProxyClient should just be a drop-in replacement for SimpleProxyClientProvider, right?
On Wed, Dec 14, 2016 at 5:34 PM Stuart Douglas wrote:

> In general you are much better off using LoadBalancingProxyClient
> (even if there is only one server). SimpleProxyClient uses a 1-1
> connection mapping, while LoadBalancingProxyClient uses connection
> pools and in general is much more sophisticated.
>
> I am not sure what to do about SimpleProxyClient, I think it should
> probably just be deprecated and removed in a future release.
>
> Stuart
>
> On Thu, Dec 15, 2016 at 10:26 AM, Hicks, Matt wrote:
> > In
> > https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
> > a LoadBalancingProxyClient and a reverse proxy server are being used to
> > proxy HTTPS, but is all of that necessary?
> >
> > I'm attempting to proxy from my current code:
> >
> > SimpleProxyClientProvider proxyClient = new SimpleProxyClientProvider(uri);
> > ProxyHandler proxyHandler = Handlers.proxyHandler(proxyClient);
> >
> > To add support to proxy SSL. The proxying is local and both the originating
> > server and the server being proxied to are using the exact same SSL
> > certificate. Is there something I can add to this to make it work right, or
> > do I have to create a LoadBalancingProxyClient?
> >
> > _______________________________________________
> > undertow-dev mailing list
> > undertow-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/undertow-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161214/cfa1b0a2/attachment.html

From sdouglas at redhat.com Wed Dec 14 18:54:53 2016
From: sdouglas at redhat.com (Stuart Douglas)
Date: Thu, 15 Dec 2016 10:54:53 +1100
Subject: [undertow-dev] Proxying SSL
In-Reply-To:
References:
Message-ID:

Yes, although you may want to increase connectionsPerThread from its default of 10 depending on how much load you have.
In general Undertow will create 1 IO Thread per processor, so you will end up with 10 * CPU's connections per backend. This may be fine, or you may want to increase it if you have a lot of load. You can also adjust maxQueueSize to control how many requests will be queued up if all the backend connections are busy.

Stuart

On Thu, Dec 15, 2016 at 10:37 AM, Hicks, Matt wrote:
> Thanks for the info Stuart. I'll switch. LoadBalancingProxyClient should
> just be a drop-in replacement for SimpleProxyClientProvider, right?
>
> On Wed, Dec 14, 2016 at 5:34 PM Stuart Douglas wrote:
>>
>> In general you are much better off using LoadBalancingProxyClient
>> (even if there is only one server). SimpleProxyClient uses a 1-1
>> connection mapping, while LoadBalancingProxyClient uses connection
>> pools and in general is much more sophisticated.
>>
>> I am not sure what to do about SimpleProxyClient, I think it should
>> probably just be deprecated and removed in a future release.
>>
>> Stuart
>>
>> On Thu, Dec 15, 2016 at 10:26 AM, Hicks, Matt wrote:
>> > In
>> >
>> > https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>> > a LoadBalancingProxyClient and a reverse proxy server are being used to
>> > proxy HTTPS, but is all of that necessary?
>> >
>> > I'm attempting to proxy from my current code:
>> >
>> > SimpleProxyClientProvider proxyClient = new
>> > SimpleProxyClientProvider(uri);
>> > ProxyHandler proxyHandler = Handlers.proxyHandler(proxyClient);
>> >
>> > To add support to proxy SSL. The proxying is local and both the
>> > originating
>> > server and the server being proxied to are using the exact same SSL
>> > certificate. Is there something I can add to this to make it work
>> > right, or
>> > do I have to create a LoadBalancingProxyClient?
>> >
>> > _______________________________________________
>> > undertow-dev mailing list
>> > undertow-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/undertow-dev

From dieter at bogdoll.net Sat Dec 17 03:29:05 2016
From: dieter at bogdoll.net (Dieter Bogdoll)
Date: Sat, 17 Dec 2016 08:29:05 +0000
Subject: [undertow-dev] Question regarding serving a REST API and a WEB UI over the same Undertow instance
Message-ID:

Hi Steve,

first thanks again for your help.
I have another question / problem: I have now a running and working REST API using client certificates auth. Now I would also like to provide an UI which makes using the REST API easier for interactive usage. (so the web UI would internally call the REST API)

a) I got my java web UI as war file. How can I register that war file programmatically with undertow (which also runs my REST API)?

b) Would client certificates also work with web UIs? Would the browser then just ask for the cert or how do I provide in this case the user cert? E.g. when I point right now my browser on an URL of the REST API I just got "Forbidden".

c) If b) is not possible or not easy to do, can I use a different security realm and auth method for the web ui, maybe BASIC AUTH instead CLIENT CERT (but just for the web ui?)

Best regards,
Dieter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161217/e8f4ba16/attachment.html

From stevehu at gmail.com Sat Dec 17 06:57:33 2016
From: stevehu at gmail.com (Steve Hu)
Date: Sat, 17 Dec 2016 06:57:33 -0500
Subject: [undertow-dev] Question regarding serving a REST API and a WEB UI over the same Undertow instance
In-Reply-To:
References:
Message-ID:

Hi Dieter,

I use undertow http core only so there is only single page applications served by my server. Here is an example on how to serve REST API as well as Single Page Application like Angular or React.
https://github.com/networknt/light-java-example/tree/master/webserver

The certificate will work for both web UI and your REST API but I cannot confirm if it works for war file because it is on top of servlet container which I never used. For performance reasons, I would recommend getting rid of the servlet container as it is dozens of times slower than core http. Take a look at this page and you can see the performance difference between Light-Java and Spring-Boot with Undertow embedded. Of course, Spring added a lot of overhead so it is not exactly Undertow core http vs Undertow servlet container.

https://github.com/networknt/light-java-example/tree/master/performance

Even if you have TLS enabled, you might still need additional authentication/authorization to protect your resources and basic auth is one of them. Here is an example to use basic auth.

https://github.com/networknt/light-oauth2/tree/master/src/main/java/com/networknt/oauth/handler

Also, for your REST API, OAuth2 should be leveraged to protect your endpoint. Here is an article that I wrote for that topic.

https://networknt.github.io/light-java/architecture/security/

Thanks,
Steve

On Sat, Dec 17, 2016 at 3:29 AM, Dieter Bogdoll wrote:

> Hi Steve,
>
> first thanks again for your help.
> I have another question / problem: I have now a running and working REST
> API using client certificates auth. Now I would also like to provide an UI
> which makes using the REST API easier for interactive usage. (so the web UI
> would internally call the REST API)
>
> a) I got my java web UI as war file. How can I register that war file
> programmatically with undertow (which also runs my REST API)?
>
> b) Would client certificates also work with web UIs? Would the browser
> then just ask for the cert or how do I provide in this case the user cert?
> E.g. when I point right now my browser on an URL of the REST API I just got
> "Forbidden".
>
> c) If b) is not possible or not easy to do, can I use a different
> security realm and auth method for the web ui, maybe BASIC AUTH instead
> CLIENT CERT (but just for the web ui?)
>
> Best regards,
> Dieter
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161217/8163bc94/attachment-0001.html

From randomnaja at gmail.com Thu Dec 22 06:16:24 2016
From: randomnaja at gmail.com (tone randomnaja)
Date: Thu, 22 Dec 2016 18:16:24 +0700
Subject: [undertow-dev] IO and Worker Thread based on custom preferences
Message-ID:

Hi there !

Undertow has `IO Thread` and `Worker Thread` configuration (
References:
Message-ID:

This might be what you are looking for.

https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/HttpServerExchange.java#L821

You can change the dispatch executor to your own custom executor before you call dispatch. This will allow you to have different worker pools and configure them per HttpHandler.

On Thu, Dec 22, 2016 at 6:16 AM, tone randomnaja wrote:

> Hi there !
>
> Undertow has `IO Thread` and `Worker Thread` configuration ( xmlns="urn:jboss:domain:io:1.1"> be bounded per Listener (
> In my case I have 1 Listener (AJP) and 1 Application (EAR),
> I'd like to be able to prioritize and manage Worker Thread based on some
> preferences, such as URL path.
>
> Above for a reason of controlling the load of specific URL (under the same
> Web Context).
>
> Any suggestions or ideas ?
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
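The approach described in the reply above (set the dispatch executor before calling dispatch), as an added example that is not part of the original thread or of Undertow itself: one path gets its own small bounded pool, so slow requests there cannot use up the shared worker threads. The class names, the /reports path, the port and the pool sizes are assumptions.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;

import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.Executor;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

public class PerPathPoolExample {

    /** Hypothetical wrapper: runs the wrapped handler on a dedicated executor. */
    static final class DedicatedPoolHandler implements HttpHandler {
        private final Executor pool;
        private final HttpHandler next;

        DedicatedPoolHandler(Executor pool, HttpHandler next) {
            this.pool = pool;
            this.next = next;
        }

        @Override
        public void handleRequest(HttpServerExchange exchange) throws Exception {
            if (exchange.isInIoThread()) {
                // First pass, still on the IO thread: choose the pool, then hand off.
                exchange.setDispatchExecutor(pool);
                exchange.dispatch(this);
                return;
            }
            // Second pass, now on a thread of the dedicated pool.
            next.handleRequest(exchange);
        }
    }

    /**
     * Fixed number of threads and a bounded queue, so work for one path cannot
     * pile up without limit. When the queue is full the pool rejects the task;
     * check how the Undertow version in use answers that before relying on it.
     */
    static Executor boundedPool(int threads, int queued) {
        return new ThreadPoolExecutor(threads, threads, 0L, TimeUnit.MILLISECONDS,
                new ArrayBlockingQueue<>(queued));
    }

    public static void main(String[] args) {
        // Constructed handlers: one slow and blocking, one cheap.
        HttpHandler slowReport = exchange -> {
            Thread.sleep(2000); // stands in for blocking work
            exchange.getResponseSender().send("report\n");
        };
        HttpHandler everythingElse = exchange -> exchange.getResponseSender().send("ok\n");

        Undertow.builder()
                .addHttpListener(8080, "localhost")
                .setHandler(Handlers.path()
                        // At most 4 /reports requests run at once, 16 more may wait.
                        .addPrefixPath("/reports",
                                new DedicatedPoolHandler(boundedPool(4, 16), slowReport))
                        .addPrefixPath("/", everythingElse))
                .build()
                .start();
    }
}
```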
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161222/8e9062db/attachment.html

From randomnaja at gmail.com Thu Dec 22 07:55:02 2016
From: randomnaja at gmail.com (tone randomnaja)
Date: Thu, 22 Dec 2016 19:55:02 +0700
Subject: [undertow-dev] IO and Worker Thread based on custom preferences
In-Reply-To:
References:
Message-ID:

Thanks,

And let's say if I had custom executor, how could I set the DispatchExecutor ? (from Wildfly point-of-view)
Could it be another module being placed inside system lib of Wildfly ?

ps. I'm pretty sure, I'd not have done this within Application (EAR/WAR) itself ?

On Thu, Dec 22, 2016 at 6:43 PM, Bill O'Neil wrote:

> This might be what you are looking for.
>
> https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/HttpServerExchange.java#L821
>
> You can change the dispatch executor to your own custom executor before
> you call dispatch. This will allow you to have different worker pools and
> configure them per HttpHandler.
>
> On Thu, Dec 22, 2016 at 6:16 AM, tone randomnaja wrote:
>
>> Hi there !
>>
>> Undertow has `IO Thread` and `Worker Thread` configuration (> xmlns="urn:jboss:domain:io:1.1">> be bounded per Listener (>
>> In my case I have 1 Listener (AJP) and 1 Application (EAR),
>> I'd like to be able to prioritize and manage Worker Thread based on some
>> preferences, such as URL path.
>>
>> Above for a reason of controlling the load of specific URL (under the
>> same Web Context).
>>
>> Any suggestions or ideas ?
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161222/ea2150c2/attachment.html From bill at dartalley.com Thu Dec 22 08:07:21 2016 From: bill at dartalley.com (Bill O'Neil) Date: Thu, 22 Dec 2016 08:07:21 -0500 Subject: [undertow-dev] IO and Worker Thread based on custom preferences In-Reply-To: References: Message-ID: I only use undertow directly I haven't looked at Wildfly before so I won't be able to answer your question sorry. On Thu, Dec 22, 2016 at 7:55 AM, tone randomnaja wrote: > Thanks, > > And let's say if I had custom executor, how could I set the > DispatchExecutor ? (from Wildfly point-of-view) > Could it be another module being placed inside system lib of Wildfly ? > > ps. I'm pretty sure, I'd not have done this within Application (EAR/WAR) > itself ? > > On Thu, Dec 22, 2016 at 6:43 PM, Bill O'Neil wrote: > >> This might be what you are looking for. >> >> https://github.com/undertow-io/undertow/blob/master/core/src >> /main/java/io/undertow/server/HttpServerExchange.java#L821 >> >> You can change the dispatch executor to your own custom executor before >> you call dispatch. This will allow you to have different worker pools and >> configure them per HttpHandler. >> >> On Thu, Dec 22, 2016 at 6:16 AM, tone randomnaja >> wrote: >> >>> Hi there ! >>> >>> Undertow has `IO Thread` and `Worker Thread` configuration (>> xmlns="urn:jboss:domain:io:1.1">>> could be bounded per Listener (>> >>> In my case I have 1 Listenner (AJP) and 1 Application (EAR), >>> I'd like to be able to priority and manage Worker Thread base on some >>> preferences, such as URL path. >>> >>> Above for a reason of controlling the load of specific URL (under the >>> same Web Context). >>> >>> Any suggestions or ideas ? 
>>> >>> _______________________________________________ >>> undertow-dev mailing list >>> undertow-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161222/9ab2b087/attachment-0001.html From sdouglas at redhat.com Thu Dec 22 16:36:16 2016 From: sdouglas at redhat.com (Stuart Douglas) Date: Fri, 23 Dec 2016 08:36:16 +1100 Subject: [undertow-dev] IO and Worker Thread based on custom preferences In-Reply-To: References: Message-ID: You would need to write a custom handler to set the thread pool if you want to do this in Wildfly, however if you just want to limit the number of active requests in a given path you may want to just use the request limiting handler instead. In WEB-INF/undertow-handlers.conf try adding something like the following: path-prefix(/mypath) -> request-limit(10) This will limit the number of requests that can be active in /mypath/* to 10. If you actually need to use a thread pool and the request limit is not sufficient let me know and I can point you in the right direction. Stuart On Fri, Dec 23, 2016 at 12:07 AM, Bill O'Neil wrote: > I only use undertow directly I haven't looked at Wildfly before so I won't > be able to answer your question sorry. > > On Thu, Dec 22, 2016 at 7:55 AM, tone randomnaja > wrote: > >> Thanks, >> >> And let's say if I had custom executor, how could I set the >> DispatchExecutor ? (from Wildfly point-of-view) >> Could it be another module being placed inside system lib of Wildfly ? >> >> ps. I'm pretty sure, I'd not have done this within Application (EAR/WAR) >> itself ? >> >> On Thu, Dec 22, 2016 at 6:43 PM, Bill O'Neil wrote: >> >>> This might be what you are looking for. 
>>> >>> https://github.com/undertow-io/undertow/blob/master/core/src >>> /main/java/io/undertow/server/HttpServerExchange.java#L821 >>> >>> You can change the dispatch executor to your own custom executor before >>> you call dispatch. This will allow you to have different worker pools and >>> configure them per HttpHandler. >>> >>> On Thu, Dec 22, 2016 at 6:16 AM, tone randomnaja >>> wrote: >>> >>>> Hi there ! >>>> >>>> Undertow has `IO Thread` and `Worker Thread` configuration (>>> xmlns="urn:jboss:domain:io:1.1">>>> could be bounded per Listener (>>> >>>> In my case I have 1 Listenner (AJP) and 1 Application (EAR), >>>> I'd like to be able to priority and manage Worker Thread base on some >>>> preferences, such as URL path. >>>> >>>> Above for a reason of controlling the load of specific URL (under the >>>> same Web Context). >>>> >>>> Any suggestions or ideas ? >>>> >>>> _______________________________________________ >>>> undertow-dev mailing list >>>> undertow-dev at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>>> >>> >>> >> > > _______________________________________________ > undertow-dev mailing list > undertow-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161223/41bf32e7/attachment.html From matt at matthicks.com Tue Dec 27 09:52:17 2016 From: matt at matthicks.com (Hicks, Matt) Date: Tue, 27 Dec 2016 14:52:17 +0000 Subject: [undertow-dev] Resource Handling Revisited Message-ID: Previously I've asked about streaming a single file back to the client and got some good insight as to how to accomplish this with `transferFrom`, but this misses out on all the extra features like resuming transfers, cached content, etc. 
It would be very nice Undertow offered a static utility method to serve up File, Path, and URL providing all of this functionality that is currently contained in ResourceHandler ( https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java#L155 ). I don't think it would be difficult to extract all of that out of the private method and simply have ResourceHandler call the static method. Stuart, what do you think? I'd even be willing to do the leg-work if you'd be willing to accept a PR for it. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161227/f9aa7393/attachment.html From randomnaja at gmail.com Wed Dec 28 03:46:53 2016 From: randomnaja at gmail.com (tone randomnaja) Date: Wed, 28 Dec 2016 15:46:53 +0700 Subject: [undertow-dev] IO and Worker Thread based on custom preferences In-Reply-To: References: Message-ID: Hi Stuart, Request limit might be insufficient, could you share how to implement the custom handler and possibly how to deploy this custom handler to Wildfly ? Regards, On Dec 23, 2016 04:36, "Stuart Douglas" wrote: > You would need to write a custom handler to set the thread pool if you > want to do this in Wildfly, however if you just want to limit the number of > active requests in a given path you may want to just use the request > limiting handler instead. > > In WEB-INF/undertow-handlers.conf try adding something like the following: > > path-prefix(/mypath) -> request-limit(10) > > This will limit the number of requests that can be active in /mypath/* to > 10. > > If you actually need to use a thread pool and the request limit is not > sufficient let me know and I can point you in the right direction. > > Stuart > > > On Fri, Dec 23, 2016 at 12:07 AM, Bill O'Neil wrote: > >> I only use undertow directly I haven't looked at Wildfly before so I >> won't be able to answer your question sorry. 
>> >> On Thu, Dec 22, 2016 at 7:55 AM, tone randomnaja >> wrote: >> >>> Thanks, >>> >>> And let's say if I had custom executor, how could I set the >>> DispatchExecutor ? (from Wildfly point-of-view) >>> Could it be another module being placed inside system lib of Wildfly ? >>> >>> ps. I'm pretty sure, I'd not have done this within Application (EAR/WAR) >>> itself ? >>> >>> On Thu, Dec 22, 2016 at 6:43 PM, Bill O'Neil wrote: >>> >>>> This might be what you are looking for. >>>> >>>> https://github.com/undertow-io/undertow/blob/master/core/src >>>> /main/java/io/undertow/server/HttpServerExchange.java#L821 >>>> >>>> You can change the dispatch executor to your own custom executor before >>>> you call dispatch. This will allow you to have different worker pools and >>>> configure them per HttpHandler. >>>> >>>> On Thu, Dec 22, 2016 at 6:16 AM, tone randomnaja >>>> wrote: >>>> >>>>> Hi there ! >>>>> >>>>> Undertow has `IO Thread` and `Worker Thread` configuration (>>>> xmlns="urn:jboss:domain:io:1.1">>>>> could be bounded per Listener (>>>> >>>>> In my case I have 1 Listenner (AJP) and 1 Application (EAR), >>>>> I'd like to be able to priority and manage Worker Thread base on some >>>>> preferences, such as URL path. >>>>> >>>>> Above for a reason of controlling the load of specific URL (under the >>>>> same Web Context). >>>>> >>>>> Any suggestions or ideas ? >>>>> >>>>> _______________________________________________ >>>>> undertow-dev mailing list >>>>> undertow-dev at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>>>> >>>> >>>> >>> >> >> _______________________________________________ >> undertow-dev mailing list >> undertow-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/undertow-dev >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161228/e638197a/attachment-0001.html From zhai-xiaobin at hotmail.com Thu Dec 29 01:56:50 2016 From: zhai-xiaobin at hotmail.com (=?gb2312?B?tdQg0KGx8w==?=) Date: Thu, 29 Dec 2016 06:56:50 +0000 Subject: [undertow-dev] get response content in HttpHandler Message-ID: How to get the response body in undertow HttpHandler ? I need to modify response content in the httpHandler. thanks all. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161229/59b2ed00/attachment.html From bill at dartalley.com Thu Dec 29 08:04:49 2016 From: bill at dartalley.com (Bill O'Neil) Date: Thu, 29 Dec 2016 08:04:49 -0500 Subject: [undertow-dev] get response content in HttpHandler In-Reply-To: References: Message-ID: Here is Stuarts response from a similar question. You need to implement org.xnio.conduits.StreamSinkConduit and add io. > undertow.server.HttpServerExchange#addResponseWrapper > > There is no simple in memory representation of the response, because it > may be to large for the server to buffer (or more likely the server does > not want to buffer it for performance reasons). Implementing this will > allow you to modify the response as it is being written. > > > Stuart > On Thu, Dec 29, 2016 at 1:56 AM, ? ?? wrote: > How to get the response body in undertow HttpHandler ? > > I need to modify response content in the httpHandler. > > > thanks all. > > > > _______________________________________________ > undertow-dev mailing list > undertow-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20161229/6b7eda81/attachment.html
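
The approach quoted in the last message (a `StreamSinkConduit` registered through `HttpServerExchange#addResponseWrapper`), written out as an added example that is not code from the thread or from Undertow itself. `DigitMaskingHandler` and `MaskingConduit` are hypothetical names; the rewrite is length-preserving so a Content-Length header that is already set stays correct, and it assumes the body reaches the conduit uncompressed.

```java
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import org.xnio.IoUtils;
import org.xnio.channels.StreamSourceChannel;
import org.xnio.conduits.*;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;

/** Hypothetical handler: replaces ASCII digits in the response body with '*' as it is written. */
public final class DigitMaskingHandler implements HttpHandler {
    private final HttpHandler next;
    public DigitMaskingHandler(HttpHandler next) { this.next = next; }

    @Override public void handleRequest(HttpServerExchange exchange) throws Exception {
        // Must be registered before the next handler obtains the response channel.
        exchange.addResponseWrapper((factory, ex) -> new MaskingConduit(factory.create()));
        next.handleRequest(exchange);
    }

    static final class MaskingConduit extends AbstractStreamSinkConduit<StreamSinkConduit> {
        MaskingConduit(StreamSinkConduit next) { super(next); }

        @Override public int write(ByteBuffer src) throws IOException {
            ByteBuffer out = ByteBuffer.allocate(src.remaining());
            for (int i = src.position(); i < src.limit(); i++) {
                byte b = src.get(i);
                out.put(b >= '0' && b <= '9' ? (byte) '*' : b);
            }
            out.flip();
            int n = next.write(out);           // downstream may accept only part of it
            src.position(src.position() + n);  // consume exactly what was accepted
            return n;
        }
        @Override public long write(ByteBuffer[] srcs, int offs, int len) throws IOException {
            long total = 0;
            for (int i = offs; i < offs + len; i++) {
                total += write(srcs[i]);
                if (srcs[i].hasRemaining()) break; // downstream is full, stop here
            }
            return total;
        }
        // Route the remaining entry points through write() so nothing bypasses the mask.
        @Override public int writeFinal(ByteBuffer src) throws IOException { return Conduits.writeFinalBasic(this, src); }
        @Override public long writeFinal(ByteBuffer[] s, int o, int l) throws IOException { return Conduits.writeFinalBasic(this, s, o, l); }
        @Override public long transferFrom(FileChannel src, long pos, long count) throws IOException {
            return src.transferTo(pos, count, new ConduitWritableByteChannel(this));
        }
        @Override public long transferFrom(StreamSourceChannel src, long count, ByteBuffer buf) throws IOException {
            return IoUtils.transfer(src, count, buf, new ConduitWritableByteChannel(this));
        }
    }
}
```

A rewrite that changes the body length would also have to remove or recompute Content-Length before the response headers are sent.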
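
For the per-path worker pool thread above, the two suggestions made there (a custom dispatch executor set before `dispatch`, and the request limiting handler) combined in standalone Undertow, as an added example that is not code from the thread; it does not cover the WildFly deployment question. `PerPathPools`, `onPool`, the `/reports` path, the port and the pool sizes are assumptions chosen for illustration.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.RequestLimitingHandler;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Hypothetical standalone server: /reports gets its own small pool and a concurrency cap. */
public final class PerPathPools {
    /** Hands the exchange to the given pool instead of the shared worker pool, then runs next there. */
    static HttpHandler onPool(ExecutorService pool, HttpHandler next) {
        return exchange -> {
            exchange.setDispatchExecutor(pool); // applies to the dispatch call that follows
            exchange.dispatch(next);
        };
    }

    public static void main(String[] args) {
        ExecutorService reportPool = Executors.newFixedThreadPool(4);

        HttpHandler reports = exchange -> {
            Thread.sleep(2000); // stands in for slow, blocking work
            exchange.getResponseSender().send("report done on " + Thread.currentThread().getName());
        };
        HttpHandler fast = exchange -> exchange.getResponseSender().send("ok");

        HttpHandler root = Handlers.path(fast)
            // At most 4 active requests under /reports, 16 more may queue, the rest are rejected.
            .addPrefixPath("/reports", new RequestLimitingHandler(4, 16, onPool(reportPool, reports)));

        Undertow.builder()
            .addHttpListener(8080, "127.0.0.1")
            .setHandler(root)
            .build()
            .start();
    }
}
```

With this layout a burst of slow `/reports` requests can occupy at most the four `reportPool` threads, so every other path keeps being served.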