[undertow-dev] SSL Documentation

Stuart Douglas sdouglas at redhat.com
Fri Dec 9 17:30:05 EST 2016


I just released 1.4.7.Final that should fix the ClassCastException that you
were seeing.

Your example code should work. What version of Undertow are you using, and
do you have the JCE unlimited strength ciphers installed?

Some versions of Undertow would attempt to enable HTTP/2 even if the
required ciphers were not installed, which would result in a connection
error as HTTP/2 would be negotiated with an incorrect cipher, and the
browser will kill the connection as a result. This could be fixed by either
installing the JCE unlimited strength policy files, or by disabling HTTP/2.

Stuart
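Stuart's reply above names two things to check when an Undertow HTTPS listener accepts the TCP connection but the browser reports that no data was sent: whether the JCE unlimited-strength policy is installed, and whether HTTP/2 is being advertised on a JVM whose cipher suites cannot support it. The following Java program is an added example, not code from this thread or from the Undertow project. It builds the SSLContext from the standard javax.net.ssl.* system properties (the approach Mike describes later in the thread), performs both checks, and only enables HTTP/2 (via the real option UndertowOptions.ENABLE_HTTP2) when they pass. The class name TlsListenerCheck, the port 8443 and the handler body are assumptions made for the example.

```java
import io.undertow.Undertow;
import io.undertow.UndertowOptions;
import io.undertow.util.Headers;

import javax.crypto.Cipher;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;

public class TlsListenerCheck {

    // RFC 7540 section 9.2.2: an HTTP/2 peer must support this suite.
    static final String H2_REQUIRED_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    /** Builds an SSLContext from the standard JVM key-store / trust-store properties. */
    static SSLContext createSSLContext() throws Exception {
        String ksPath = System.getProperty("javax.net.ssl.keyStore");
        if (ksPath == null) {
            throw new IllegalStateException("javax.net.ssl.keyStore is not set");
        }
        char[] ksPass = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        KeyStore ks = KeyStore.getInstance(
                System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType()));
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPass);

        // Trust store is optional; a null KeyStore makes the factory use the JVM defaults (cacerts).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        String tsPath = System.getProperty("javax.net.ssl.trustStore");
        if (tsPath != null) {
            KeyStore ts = KeyStore.getInstance(
                    System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()));
            try (InputStream in = new FileInputStream(tsPath)) {
                ts.load(in, System.getProperty("javax.net.ssl.trustStorePassword", "").toCharArray());
            }
            tmf.init(ts);
        } else {
            tmf.init((KeyStore) null);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /** True when the unlimited-strength JCE policy is active (AES is not capped at 128 bits). */
    static boolean unlimitedStrengthPolicy() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    /** True when the context's engine can offer the suite HTTP/2 mandates. */
    static boolean supportsH2Suite(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        return Arrays.asList(engine.getSupportedCipherSuites()).contains(H2_REQUIRED_SUITE);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = createSSLContext();
        boolean policyOk = unlimitedStrengthPolicy();
        boolean suiteOk = supportsH2Suite(ctx);
        boolean h2Ok = policyOk && suiteOk;
        System.out.println("unlimited JCE policy: " + policyOk
                + ", " + H2_REQUIRED_SUITE + " supported: " + suiteOk
                + " -> HTTP/2 " + (h2Ok ? "enabled" : "disabled"));

        Undertow server = Undertow.builder()
                // Advertise HTTP/2 only when this JVM can honour its cipher requirements;
                // otherwise browsers negotiate h2, reject the cipher and drop the connection.
                .setServerOption(UndertowOptions.ENABLE_HTTP2, h2Ok)
                .addHttpsListener(8443, "localhost", ctx)   // port and host are example values
                .setHandler(exchange -> {
                    exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
                    exchange.getResponseSender().send("hello over TLS via " + exchange.getProtocol());
                })
                .build();
        server.start();
    }
}
```

Run it with `-Djavax.net.ssl.keyStore=/path/to/keystore.jks -Djavax.net.ssl.keyStorePassword=...`; the printed line tells you which of the two conditions failed before any browser is involved, and the handler's response reports the negotiated protocol so an HTTP/1.1 fallback is visible rather than silent.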

On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt <matt at matthicks.com> wrote:

> Michael, where are you getting SSLContextFactory from?  I assumed it was
> something built-in or available in Undertow.
>
> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt <matt at matthicks.com> wrote:
>
>> Thanks guys.  Michael, I'll try your code here in a bit to see if it
>> makes any difference.
>>
>> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove <mike at stardog.com> wrote:
>>
>> Prematurely hit send!
>>
>> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove <mike at stardog.com> wrote:
>>
>>
>>
>> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt <matt at matthicks.com> wrote:
>>
>> Hi Michael, thanks for the response.  What version of Undertow are you
>> using?
>>
>>
>> I'm using 1.3.20, so I'm a bit behind.
>>
>>
>> Are you overriding the SSL certificate storage or using the example's?
>>
>>
>> I'm just creating the SSLContext that's passed to the builder via
>> addHttpsListener directly from the standard JVM properties, eg
>> javax.net.ssl.keyStore
>>
>>
>> This is the basic code for that:
>>
>> public static SSLContext createSSLContext(final Options theOptions) throws SSLException {
>>     return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
>>                                               theOptions.get(ServerOptions.KEY_STORE),
>>                                               theOptions.get(ServerOptions.KEY_STORE_PASSWD),
>>                                               theOptions.get(ServerOptions.TRUST_STORE_TYPE),
>>                                               theOptions.get(ServerOptions.TRUST_STORE),
>>                                               theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
>> }
>>
>> I tweak the XNIO properties for SSL in the event the user needs client
>> auth:
>>
>> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
>>
>> At that point, it works nicely.
>>
>>
>>
>>
>>
>> Would you mind terribly trying the exact code snippet and see if it works
>> for you?  This is very confusing if it's a problem on my end...especially
>> since HTTP works fine.
>>
>>
>> I can try to run it over the weekend, I'm a bit swamped with day to day
>> stuff atm.
>>
>> Cheers,
>>
>> Mike
>>
>>
>>
>> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove <mike at stardog.com> wrote:
>>
>> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt <matt at matthicks.com> wrote:
>>
>> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>>
>>
>> It's working fine for me, and I'm using a setup almost exactly like
>> what's shown in the examples.
>>
>>
>> I copied and pasted the example into my project and am getting the same
>> results.  I modified it to not do any proxying, but the server isn't
>> responding properly and my anonymous HttpHandler is never invoked:
>>
>> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>>
>> This is incredibly frustrating.  Stuart, tell me if I shouldn't be using
>> Undertow for SSL support and I'll start migrating to wrap with nginx.
>>
>> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas <sdouglas at redhat.com>
>> wrote:
>>
>> Here is an example:
>>
>> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>>
>> Looks like you have run into a bug, with regard to the
>> ClassCastException, you need to use the version that takes an
>> SslContext for now, although this should be fixed later today.
>>
>> Stuart
>>
>> On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt <matt at matthicks.com> wrote:
>> > Well, I switched to using the signature that takes the KeyManagers array and
>> > TrustManagers array and now I'm at least getting an error:
>> >
>> > java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection cannot be cast to io.undertow.protocols.ssl.UndertowSslConnection
>> >         at io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)
>> >
>> > This seems like a really flimsy implementation.  Am I better offer just
>> > wrapping Undertow with Apache or Nginx?
>> >
>> > On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil <bill at dartalley.com> wrote:
>> >>
>> >> Hmm I'm not sure. I SSL terminate before I hit undertow.
>> >>
>> >> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt <matt at matthicks.com>
>> wrote:
>> >>>
>> >>> Also, to clarify, the HttpHandler's handleRequest is never being
>> called.
>> >>>
>> >>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt <matt at matthicks.com>
>> wrote:
>> >>>>
>> >>>> It was worth a try, but no change.  Thanks for the suggestion though.
>> >>>>
>> >>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil <bill at dartalley.com>
>> wrote:
>> >>>>>
>> >>>>> Try the constructor with 4 args where you also pass a handler.
>> >>>>>
>> >>>>>         public Builder addHttpsListener(int port, String host, SSLContext sslContext, HttpHandler rootHandler) {
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt <matt at matthicks.com>
>> wrote:
>> >>>>>>
>> >>>>>> I've made some progress.  After adding the following to the
>> builder:
>> >>>>>>
>> >>>>>> val password = config.https.password.get.toCharArray
>> >>>>>> val keyStore = KeyStore.getInstance("JKS")
>> >>>>>> val keyStoreFile = config.https.keyStoreLocation.get
>> >>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the location: ${keyStoreFile.getAbsolutePath}")
>> >>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
>> >>>>>> keyStore.load(keyStoreInput, password)
>> >>>>>> val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
>> >>>>>> keyManagerFactory.init(keyStore, password)
>> >>>>>> val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
>> >>>>>> trustManagerFactory.init(keyStore)
>> >>>>>> val sslContext = SSLContext.getInstance("TLS")
>> >>>>>> sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
>> >>>>>> builder.addHttpsListener(config.https.port.get, config.https.host.get, sslContext)
>> >>>>>>
>> >>>>>> Everything starts as expected, no errors, but when I hit
>> >>>>>> localhost:8443 with the browser it says "localhost didn't send any data".
>> >>>>>>
>> >>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
>> >>>>>> well?
>> >>>>>>
>> >>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt <matt at matthicks.com>
>> >>>>>> wrote:
>> >>>>>>>
>> >>>>>>> Is there any documentation for configuring SSL on my server?  I was
>> >>>>>>> looking through the online docs and found nothing (apart from
>> >>>>>>> "Assembling a Server Manually").
>> >>>>>>>
>> >>>>>>> Any assistance would be appreciated.
>> >>>>>>>
>> >>>>>>> Thanks
>> >>>>>>
>> >>>>>>
>> >>>>>> _______________________________________________
>> >>>>>> undertow-dev mailing list
>> >>>>>> undertow-dev at lists.jboss.org
>> >>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>> >>>>>
>> >>>>>
>> >>
>> >
>>
>>
>>
>>
>>