[undertow-dev] SSL Documentation

Hicks, Matt matt at matthicks.com
Fri Dec 9 17:00:51 EST 2016


Michael, where are you getting SSLContextFactory from?  I assumed it was
something built-in or available in Undertow.

On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt <matt at matthicks.com> wrote:

> Thanks guys.  Michael, I'll try your code here in a bit to see if it makes
> any difference.
>
> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove <mike at stardog.com> wrote:
>
> Prematurely hit send!
>
> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove <mike at stardog.com> wrote:
>
>
>
> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt <matt at matthicks.com> wrote:
>
> Hi Michael, thanks for the response.  What version of Undertow are you
> using?
>
>
> I'm using 1.3.20, so I'm a bit behind.
>
>
> Are you overriding the SSL certificate storage or using the example's?
>
>
> I'm just creating the SSLContext that's passed to the builder via
> addHttpsListener directly from the standard JVM properties, eg
> javax.net.ssl.keyStore
>
>
> This is the basic code for that:
>
> public static SSLContext createSSLContext(final Options theOptions) throws SSLException {
>     return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
>                                               theOptions.get(ServerOptions.KEY_STORE),
>                                               theOptions.get(ServerOptions.KEY_STORE_PASSWD),
>                                               theOptions.get(ServerOptions.TRUST_STORE_TYPE),
>                                               theOptions.get(ServerOptions.TRUST_STORE),
>                                               theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
> }
>
> I tweak the XNIO properties for SSL in the event the user needs client
> auth:
>
> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
>
> At that point, it works nicely.
>
>
>
>
>
> Would you mind terribly trying the exact code snippet and see if it works
> for you?  This is very confusing if it's a problem on my end...especially
> since HTTP works fine.
>
>
> I can try to run it over the weekend, I'm a bit swamped with day to day
> stuff atm.
>
> Cheers,
>
> Mike
>
>
>
> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove <mike at stardog.com> wrote:
>
> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt <matt at matthicks.com> wrote:
>
> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>
>
> It's working fine for me, and I'm using a setup almost exactly like what's
> shown in the examples.
>
>
> I copied and pasted the example into my project and am getting the same
> results.  I modified it to not do any proxying, but the server isn't
> responding properly and my anonymous HttpHandler is never invoked:
>
> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>
> This is incredibly frustrating.  Stuart, tell me if I shouldn't be using
> Undertow for SSL support and I'll start migrating to wrap with nginx.
>
> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas <sdouglas at redhat.com> wrote:
>
> Here is an example:
>
>
> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>
> Looks like you have run into a bug, with regard to the
> ClassCastException, you need to use the version that takes an
> SslContext for now, although this should be fixed later today.
>
> Stuart
>
> On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt <matt at matthicks.com> wrote:
> > Well, I switched to using the signature that takes the KeyManagers array and
> > TrustManagers array and now I'm at least getting an error:
> >
> > java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection cannot be
> > cast to io.undertow.protocols.ssl.UndertowSslConnection at
> > io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)
> >
> > This seems like a really flimsy implementation.  Am I better off just
> > wrapping Undertow with Apache or Nginx?
> >
> > On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil <bill at dartalley.com> wrote:
> >>
> >> Hmm I'm not sure. I SSL terminate before I hit undertow.
> >>
> >> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt <matt at matthicks.com> wrote:
> >>>
> >>> Also, to clarify, the HttpHandler's handleRequest is never being called.
> >>>
> >>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt <matt at matthicks.com> wrote:
> >>>>
> >>>> It was worth a try, but no change.  Thanks for the suggestion though.
> >>>>
> >>>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil <bill at dartalley.com> wrote:
> >>>>>
> >>>>> Try the constructor with 4 args where you also pass a handler.
> >>>>>
> >>>>>         public Builder addHttpsListener(int port, String host,
> >>>>> SSLContext sslContext, HttpHandler rootHandler) {
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt <matt at matthicks.com> wrote:
> >>>>>>
> >>>>>> I've made some progress.  After adding the following to the builder:
> >>>>>>
> >>>>>> import java.io.FileInputStream
> >>>>>> import java.security.{KeyStore, SecureRandom}
> >>>>>> import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}
> >>>>>>
> >>>>>> // load the JKS keystore holding the server key and certificate
> >>>>>> val password = config.https.password.get.toCharArray
> >>>>>> val keyStore = KeyStore.getInstance("JKS")
> >>>>>> val keyStoreFile = config.https.keyStoreLocation.get
> >>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the location: ${keyStoreFile.getAbsolutePath}")
> >>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
> >>>>>> try keyStore.load(keyStoreInput, password) finally keyStoreInput.close()
> >>>>>>
> >>>>>> // key managers present the server certificate; trust managers verify peers
> >>>>>> val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
> >>>>>> keyManagerFactory.init(keyStore, password)
> >>>>>> val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
> >>>>>> trustManagerFactory.init(keyStore)
> >>>>>> val sslContext = SSLContext.getInstance("TLS")
> >>>>>> sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
> >>>>>>
> >>>>>> // register the HTTPS listener on the Undertow builder
> >>>>>> builder.addHttpsListener(config.https.port.get, config.https.host.get, sslContext)
> >>>>>>
> >>>>>> Everything starts as expected, no errors, but when I hit
> >>>>>> localhost:8443 with the browser it says "localhost didn't send any data".
> >>>>>>
> >>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
> >>>>>> well?
> >>>>>>
> >>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt <matt at matthicks.com> wrote:
> >>>>>>>
> >>>>>>> Is there any documentation for configuring SSL on my server?  I was
> >>>>>>> looking through the online docs and found nothing (apart from "Assembling a
> >>>>>>> Server Manually").
> >>>>>>>
> >>>>>>> Any assistance would be appreciated.
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> undertow-dev mailing list
> >>>>>> undertow-dev at lists.jboss.org
> >>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
> >>>>>
> >>>>>
> >>
> >
>
>
>
>
>
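For readers landing on this thread looking for the missing SSL documentation, here is a complete Java example of what the messages above piece together: building an SSLContext from a key store and a separate trust store, registering the HTTPS listener with the four-argument addHttpsListener overload Bill pointed to (so the root handler is wired to the listener explicitly), and optionally requiring a client certificate with the XNIO option Mike uses. This is added example code, not code from the thread or from the Undertow project. It assumes Undertow 1.x, JKS stores at placeholder paths read from the standard javax.net.ssl.* properties, the hypothetical property name example.requireClientCert, and that the client-auth option is passed through setSocketOption (Mike sets it as a worker option; socket options are the assumed place the SSL listener reads it from).

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.util.Headers;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;

/** Added example (not from the thread or the Undertow project): HTTPS listener with explicit handler. */
public final class HttpsListenerExample {

    /** Loads a key store of the given type (JKS or PKCS12) from disk, closing the stream afterwards. */
    static KeyStore loadStore(String type, Path path, char[] password)
            throws IOException, GeneralSecurityException {
        if (!Files.isRegularFile(path)) {
            throw new IOException("keystore not found: " + path.toAbsolutePath());
        }
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * Builds the SSLContext from two separate stores. The key store holds the server's own
     * private key and certificate; the trust store holds the CA certificates that client
     * certificates are checked against when client auth is enabled. Reusing the key store as
     * the trust store (as the Scala snippet in the thread does) makes every certificate in it
     * an accepted issuer for client certificates, which is rarely what is intended.
     */
    static SSLContext createSslContext(String storeType,
                                       Path keyStore, char[] keyStorePassword,
                                       Path trustStore, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(storeType, keyStore, keyStorePassword), keyStorePassword);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(storeType, trustStore, trustStorePassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Same standard JVM properties Mike reads; the fallback values are placeholders.
        Path keyStore = Paths.get(System.getProperty("javax.net.ssl.keyStore", "server.jks"));
        char[] keyPass = System.getProperty("javax.net.ssl.keyStorePassword", "changeit").toCharArray();
        Path trustStore = Paths.get(System.getProperty("javax.net.ssl.trustStore", "truststore.jks"));
        char[] trustPass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();

        SSLContext ssl = createSslContext("JKS", keyStore, keyPass, trustStore, trustPass);

        // Root handler passed together with the listener (the four-argument overload).
        HttpHandler root = exchange -> {
            exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
            exchange.getResponseSender().send("hello over TLS");
        };

        Undertow.Builder builder = Undertow.builder()
                .addHttpsListener(8443, "localhost", ssl, root);

        // Mutual TLS: with REQUIRED, a client that presents no certificate, or one that does not
        // chain to the trust store, fails the handshake before any handler runs.
        if (Boolean.getBoolean("example.requireClientCert")) { // hypothetical property name
            builder.setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
        }

        builder.build().start();
    }
}
```

Run it with -Djavax.net.ssl.keyStore=... and -Djavax.net.ssl.trustStore=... pointing at real stores and browse to https://localhost:8443/. When client auth is switched on, a handshake failure in the browser rather than a 4xx response is the expected symptom of a missing or untrusted client certificate, since the check happens below the handler.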