[undertow-dev] SSL Documentation

Bill O'Neil bill at dartalley.com
Sat Dec 10 10:51:29 EST 2016


Oops, I forgot https://localhost:8443. Now it is giving me "localhost
unexpectedly closed the connection", with no errors. I also don't have a
cert set up, but I would think that should throw an error?

The on-startup JDK9 issue is still there.

On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil <bill at dartalley.com> wrote:

> Matt, did you try turning on logging? Here are the two errors I get. Stuart,
> maybe you can help from this; I don't know much about SSL.
>
> This error is on server start. I'm running JDK 8.
>
> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
> at java.lang.Class.getMethod(Class.java:1786)
> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
> at java.security.AccessController.doPrivileged(Native Method)
> at io.undertow.protocols.alpn.JDK9AlpnProvider.<clinit>(JDK9AlpnProvider.java:43)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
> at java.lang.Class.newInstance(Class.java:442)
> at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
> at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
> at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
> at io.undertow.protocols.alpn.ALPNManager.<init>(ALPNManager.java:40)
> at io.undertow.protocols.alpn.ALPNManager.<clinit>(ALPNManager.java:35)
> at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:67)
> at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:90)
> at io.undertow.Undertow.start(Undertow.java:177)
> at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>
>
> The following errors happen on request to the localhost:8443 from Matt's
> code which leads to an empty response.
>
> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
> at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
> at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
> 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An IOException occurred
> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>
>
> On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt <matt at matthicks.com> wrote:
>
>> I've updated to 1.4.7.Final, I switched to passing an Array of
>> keyManagers and an Array of trustManagers, I've tried commenting out
>> ENABLE_HTTP2, I've installed the JCE Unlimited Strength (and verified it's
>> being used) and I'm consistently getting ERR_CONNECTION_CLOSED when I try
>> to connect to https://localhost:8443
>>
>> If I connect to http://localhost:8080 then I get the expected "Hello,
>> World!".  If someone could just test that snippet and tell me if they can
>> repeat the problem it would be greatly appreciated.
>>
>> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt <matt at matthicks.com> wrote:
>>
>>> Stuart, I don't think I have the JCE Unlimited Strength policy files
>>> installed.  I'll look into seeing if that's the problem.  I am currently
>>> using 1.4.6.Final.  I commented out enabling of HTTP2 but I'm still getting
>>> the same problem.  It will probably be tomorrow before I can get the JCE
>>> Unlimited Strength installed, but either way I should be seeing an error
>>> but I am not.
>>>
>>> Can you check that code snippet I posted?  It's a simplified version of
>>> the example you sent me previously that just outputs "Hello, World!".  If
>>> you're able to run it and it works then perhaps there's something wrong in
>>> my machine configuration, but I'd like some confirmation.
>>>
>>> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas <sdouglas at redhat.com> wrote:
>>>
>>> I just released 1.4.7.Final that should fix the ClassCastException that
>>> you were seeing.
>>>
>>> Your example code should work. What version of Undertow are you using,
>>> and do you have the JCE unlimited strength ciphers installed?
>>>
>>> Some versions of Undertow would attempt to enable HTTP/2 even if the
>>> required ciphers were not installed, which would result in a connection
>>> error as HTTP/2 would be negotiated with an incorrect cipher, and the
>>> browser will kill the connection as a result. This could be fixed by either
>>> installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>>>
>>> Stuart
>>>
>>> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt <matt at matthicks.com> wrote:
>>>
>>> Michael, where are you getting SSLContextFactory from?  I assumed it was
>>> something built-in or available in Undertow.
>>>
>>> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt <matt at matthicks.com> wrote:
>>>
>>> Thanks guys.  Michael, I'll try your code here in a bit to see if it
>>> makes any difference.
>>>
>>> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove <mike at stardog.com> wrote:
>>>
>>> Prematurely hit send!
>>>
>>> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove <mike at stardog.com> wrote:
>>>
>>>
>>>
>>> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt <matt at matthicks.com> wrote:
>>>
>>> Hi Michael, thanks for the response.  What version of Undertow are you
>>> using?
>>>
>>>
>>> I'm using 1.3.20, so I'm a bit behind.
>>>
>>>
>>> Are you overriding the SSL certificate storage or using the example's?
>>>
>>>
>>> I'm just creating the SSLContext that's passed to the builder via
>>> addHttpsListener directly from the standard JVM properties, eg
>>> javax.net.ssl.keyStore
>>>
>>>
>>> This is the basic code for that:
>>>
>>> public static SSLContext createSSLContext(final Options theOptions) throws SSLException {
>>>     return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
>>>                                               theOptions.get(ServerOptions.KEY_STORE),
>>>                                               theOptions.get(ServerOptions.KEY_STORE_PASSWD),
>>>                                               theOptions.get(ServerOptions.TRUST_STORE_TYPE),
>>>                                               theOptions.get(ServerOptions.TRUST_STORE),
>>>                                               theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
>>> }
>>>
>>> I tweak the XNIO properties for SSL in the event the user needs client
>>> auth:
>>>
>>> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
>>>
>>> At that point, it works nicely.
>>>
>>>
>>>
>>>
>>>
>>> Would you mind terribly trying the exact code snippet and see if it
>>> works for you?  This is very confusing if it's a problem on my
>>> end...especially since HTTP works fine.
>>>
>>>
>>> I can try to run it over the weekend, I'm a bit swamped with day to day
>>> stuff atm.
>>>
>>> Cheers,
>>>
>>> Mike
>>>
>>>
>>>
>>> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove <mike at stardog.com> wrote:
>>>
>>> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt <matt at matthicks.com> wrote:
>>>
>>> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>>>
>>>
>>> It's working fine for me, and I'm using a setup almost exactly like
>>> what's shown in the examples.
>>>
>>>
>>> I copied and pasted the example into my project and am getting the same
>>> results.  I modified it to not do any proxying, but the server isn't
>>> responding properly and my anonymous HttpHandler is never invoked:
>>>
>>> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>>>
>>> This is incredibly frustrating.  Stuart, tell me if I shouldn't be using
>>> Undertow for SSL support and I'll start migrating to wrap with nginx.
>>>
>>> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas <sdouglas at redhat.com> wrote:
>>>
>>> Here is an example:
>>>
>>> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>>>
>>> Looks like you have run into a bug, with regard to the
>>> ClassCastException, you need to use the version that takes an
>>> SslContext for now, although this should be fixed later today.
>>>
>>> Stuart
>>>
>>> On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt <matt at matthicks.com> wrote:
>>> > Well, I switched to using the signature that takes the KeyManagers array and
>>> > TrustManagers array and now I'm at least getting an error:
>>> >
>>> > java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection cannot be
>>> > cast to io.undertow.protocols.ssl.UndertowSslConnection at
>>> > io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)
>>> >
>>> > This seems like a really flimsy implementation.  Am I better offer just
>>> > wrapping Undertow with Apache or Nginx?
>>> >
>>> > On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil <bill at dartalley.com> wrote:
>>> >>
>>> >> Hmm I'm not sure. I SSL terminate before I hit undertow.
>>> >>
>>> >> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt <matt at matthicks.com> wrote:
>>> >>>
>>> >>> Also, to clarify, the HttpHandler's handleRequest is never being called.
>>> >>>
>>> >>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt <matt at matthicks.com> wrote:
>>> >>>>
>>> >>>> It was worth a try, but no change.  Thanks for the suggestion though.
>>> >>>>
>>> >>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil <bill at dartalley.com> wrote:
>>> >>>>>
>>> >>>>> Try the constructor with 4 args where you also pass a handler.
>>> >>>>>
>>> >>>>> public Builder addHttpsListener(int port, String host, SSLContext sslContext, HttpHandler rootHandler) {
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt <matt at matthicks.com> wrote:
>>> >>>>>>
>>> >>>>>> I've made some progress.  After adding the following to the builder:
>>> >>>>>>
>>> >>>>>> val password = config.https.password.get.toCharArray
>>> >>>>>> val keyStore = KeyStore.getInstance("JKS")
>>> >>>>>> val keyStoreFile = config.https.keyStoreLocation.get
>>> >>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the location: ${keyStoreFile.getAbsolutePath}")
>>> >>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
>>> >>>>>> keyStore.load(keyStoreInput, password)
>>> >>>>>> val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
>>> >>>>>> keyManagerFactory.init(keyStore, password)
>>> >>>>>> val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
>>> >>>>>> trustManagerFactory.init(keyStore)
>>> >>>>>> val sslContext = SSLContext.getInstance("TLS")
>>> >>>>>> sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
>>> >>>>>> builder.addHttpsListener(config.https.port.get, config.https.host.get, sslContext)
>>> >>>>>>
>>> >>>>>> Everything starts as expected, no errors, but when I hit localhost:8443
>>> >>>>>> with the browser it says "localhost didn't send any data".
>>> >>>>>>
>>> >>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as well?
>>> >>>>>>
>>> >>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt <matt at matthicks.com> wrote:
>>> >>>>>>>
>>> >>>>>>> Is there any documentation for configuring SSL on my server?  I was
>>> >>>>>>> looking through the online docs and found nothing (apart from
>>> >>>>>>> "Assembling a Server Manually").
>>> >>>>>>>
>>> >>>>>>> Any assistance would be appreciated.
>>> >>>>>>>
>>> >>>>>>> Thanks
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> _______________________________________________
>>> >>>>>> undertow-dev mailing list
>>> >>>>>> undertow-dev at lists.jboss.org
>>> >>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>> >>>>>
>>> >>>>>
>>> >>
>>> >
>>>
>>>
>>>
>>
>
>
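The thread above comes down to three things: building an SSLContext from a keystore, making sure the HTTPS listener actually has a handler (the four-argument `addHttpsListener` overload that Bill points at), and only turning on HTTP/2 when the JVM's crypto policy allows it, since Stuart notes that HTTP/2 negotiated without the unlimited-strength ciphers makes the browser drop the connection. The following is an added example written for this page, not code from the thread or from the Undertow project. It uses only Undertow and JDK APIs that exist (`Undertow.builder()`, `addHttpsListener(port, host, SSLContext, HttpHandler)`, `UndertowOptions.ENABLE_HTTP2`, `javax.crypto.Cipher.getMaxAllowedKeyLength`); the keystore path and password are constructed placeholders you must replace.

```java
// Added example (not from the undertow-dev thread or the Undertow project).
// Starts an HTTPS-only Undertow server from a JKS keystore, binds the handler
// directly to the listener, and enables HTTP/2 only when 256-bit AES is allowed
// by the JVM policy (JCE unlimited strength on JDK 8, the default on later JDKs).
import io.undertow.Undertow;
import io.undertow.UndertowOptions;
import io.undertow.server.HttpHandler;
import io.undertow.util.Headers;

import javax.crypto.Cipher;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;

public class HttpsServerExample {

    // Constructed placeholders: point these at your own keystore.
    static final String KEYSTORE_PATH = "/path/to/server.jks";
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();

    // Same construction as the Scala snippet in the thread: one JKS keystore feeds
    // both the key managers (server certificate) and the trust managers.
    static SSLContext createSslContext(String path, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, password); // throws if the file is missing or the password is wrong
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    // Reports whether the JVM policy permits 256-bit AES. A limited policy returns 128
    // on JDK 8 without the JCE unlimited-strength files, which is the condition the
    // thread identifies as breaking HTTP/2 negotiation.
    static boolean strongCiphersAvailable() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    public static void main(String[] args) throws Exception {
        HttpHandler hello = exchange -> {
            exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
            exchange.getResponseSender().send("Hello, World!");
        };

        boolean http2 = strongCiphersAvailable();
        if (!http2) {
            System.err.println("JVM policy limits AES key length; starting without HTTP/2");
        }

        Undertow server = Undertow.builder()
                // Four-argument overload: the handler is bound to this listener, so a
                // missing setHandler() cannot leave HTTPS requests unanswered.
                .addHttpsListener(8443, "localhost",
                        createSslContext(KEYSTORE_PATH, KEYSTORE_PASSWORD), hello)
                .setServerOption(UndertowOptions.ENABLE_HTTP2, http2)
                .build();
        server.start();

        // Connect with https://localhost:8443, not http://. Plain HTTP sent to the TLS
        // port is what produces "UT000140: Initial SSL/TLS data is not a handshake
        // record" on the server side, exactly as in Bill's log above.
    }
}
```

Two things worth checking when this still yields an empty response: the keystore must actually contain a private key entry (a trust-only store will build an SSLContext without error but cannot complete the handshake), and the JVM running the server must be the one with the policy files installed, which is easy to get wrong when an IDE bundles its own JDK.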