[undertow-dev] SSL Documentation

Stuart Douglas sdouglas at redhat.com
Sat Dec 10 18:44:56 EST 2016


I also failed to run the example, until I realized that the code does not
validate that the keystore is loaded correctly (passing 'null' into
KeyStore.load apparently works without error).

Are you sure you are actually loading the keystore correctly (maybe add a
null check into the loading code)?

Stuart
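
The null check suggested above, as an added example that is not code from this thread or from Undertow: `KeyStore.load(null, password)` initializes an empty keystore without throwing, so a resource path that resolves to nothing produces an SSLContext with no server key. The class name `CheckedKeyStoreLoader`, the resource path and the password are hypothetical values chosen for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;

public class CheckedKeyStoreLoader {

    /** Loads a keystore from the classpath; fails fast if it is missing or has no private key. */
    static KeyStore loadKeyStore(String resource, char[] password, String type)
            throws IOException, GeneralSecurityException {
        try (InputStream in = CheckedKeyStoreLoader.class.getResourceAsStream(resource)) {
            // getResourceAsStream returns null (it does not throw) when the resource is absent.
            if (in == null) {
                throw new IOException("Keystore resource not found on classpath: " + resource);
            }
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            requireKeyEntry(ks, resource);
            return ks;
        }
    }

    /** A TLS server needs at least one private-key entry; a store of only certificates is not enough. */
    static void requireKeyEntry(KeyStore ks, String source) throws KeyStoreException {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return;
            }
        }
        throw new KeyStoreException("No private key entry in keystore: " + source);
    }

    static KeyManager[] keyManagers(KeyStore ks, char[] password) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        return kmf.getKeyManagers();
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // constructed sample password

        // The silent failure: a null stream yields an initialized but empty keystore.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, password);
        System.out.println("entries after load(null, ...): " + empty.size());

        // Building key managers from the empty store also raises no error,
        // so the problem only shows up later as a failed handshake.
        KeyManager[] managers = keyManagers(empty, password);
        System.out.println("key managers built from empty store: " + managers.length);

        // With the checks in place, both problems are reported at startup.
        try {
            loadKeyStore("/missing.keystore", password, KeyStore.getDefaultType()); // hypothetical path
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            requireKeyEntry(empty, "empty in-memory store");
        } catch (KeyStoreException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```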

On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil <bill at dartalley.com> wrote:

> Here is the trace that occurs with Http2 true and false. Issue seems to be
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
>
>
> 2016-12-10 11:03:03.669 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch.
> ServerSocketChannelImpl[/127.0.0.1:8443]
> 2016-12-10 11:03:03.670 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
> 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.670 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
> org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64
> 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.671 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener Delegating channel listener -> Accepting listener for
> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP
> server (NIO) <13f5555f>
> 2016-12-10 11:03:03.671 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch.
> ServerSocketChannelImpl[/127.0.0.1:8443]
> 2016-12-10 11:03:03.671 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener Accepting listener for io.undertow.server.protocol.
> http.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.
> UndertowAcceptingSslChannel at 328f1eb6
> 2016-12-10 11:03:03.671 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.674 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on
> channel io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92
> 2016-12-10 11:03:03.675 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 49c6180b
> 2016-12-10 11:03:03.675 [XNIO-1 I/O-4] TRACE io.undertow.request - Opened
> connection with /127.0.0.1:56854
> 2016-12-10 11:03:03.676 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task
> org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64
> 2016-12-10 11:03:03.681 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout)
> 2016-12-10 11:03:03.681 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking
> listener Delegating channel listener -> Accepting listener for
> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP
> server (NIO) <13f5555f>
> 2016-12-10 11:03:03.683 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking
> listener Accepting listener for io.undertow.server.protocol.
> http.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.
> UndertowAcceptingSslChannel at 328f1eb6
> 2016-12-10 11:03:03.685 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
> 2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking
> listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on
> channel io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450
> 2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE io.undertow.request - Opened
> connection with /127.0.0.1:56856
> 2016-12-10 11:03:03.690 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Selected key sun.nio.ch.SelectionKeyImpl at 673b2384 for java.nio.channels.SocketChannel[connected
> local=/127.0.0.1:8443 remote=/127.0.0.1:56854]
> 2016-12-10 11:03:03.691 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b (with timeout)
> 2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 on
> channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad
> 2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout)
> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 49c6180b
> 2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task
> io.undertow.protocols.ssl.SslConduit$5$1 at 32b59207
> 2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
> io.undertow.protocols.ssl.SslConduit$5$1 at 7c204b59
> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE io.undertow.request.io -
> Exception closing read side of SSL channel
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
> at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
> at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612)
> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983)
> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045)
> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
> 2016-12-10 11:03:03.697 [XNIO-1 I/O-4] TRACE io.undertow.request.io -
> Exception closing read side of SSL channel
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
> at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
> at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612)
> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983)
> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045)
> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
> 2016-12-10 11:03:03.697 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking
> listener io.undertow.server.AbstractServerConnection$CloseSetter at 55df2063
> on channel io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450
> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener io.undertow.server.AbstractServerConnection$CloseSetter at 42277317
> on channel io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92
> 2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - Closing
> resource org.xnio.nio.NioSocketStreamConnection at 50bf3bfc
> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing
> resource org.xnio.nio.NioSocketStreamConnection at 4196fbe
> 2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.nio - Cancelling key
> sun.nio.ch.SelectionKeyImpl at 4805f11b of java.nio.channels.SocketChannel[connected
> local=/127.0.0.1:8443 remote=/127.0.0.1:56856] (same thread)
> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.nio - Cancelling key
> sun.nio.ch.SelectionKeyImpl at 673b2384 of java.nio.channels.SocketChannel[connected
> local=/127.0.0.1:8443 remote=/127.0.0.1:56854] (same thread)
> 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - Closing
> resource io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450
> 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.699 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing
> resource io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92
> 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio - Running task
> org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083
> 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task
> io.undertow.protocols.ssl.SslConduit$1 at 77593ca5
> 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
> io.undertow.protocols.ssl.SslConduit$1 at 3548b3ac
> 2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio - Running task
> org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083
> 2016-12-10 11:03:03.700 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking
> listener io.undertow.server.protocol.http.HttpReadListener at 6962bde3 on
> channel org.xnio.conduits.ConduitStreamSourceChannel at 45125494
> 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 on
> channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad
> 2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.safe-close - Closing
> resource io.undertow.server.protocol.http.HttpServerConnection at 6cdbf711
> 2016-12-10 11:03:03.701 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing
> resource io.undertow.server.protocol.http.HttpServerConnection at 4bcc5cdf
> 2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task
> io.undertow.protocols.ssl.SslConduit$2 at 52d9523b
> 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
> io.undertow.protocols.ssl.SslConduit$2 at 320a217a
> 2016-12-10 11:03:03.702 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b
> 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
> 2016-12-10 11:03:03.714 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.715 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch.
> ServerSocketChannelImpl[/127.0.0.1:8443]
> 2016-12-10 11:03:03.716 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.717 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
> 2016-12-10 11:03:03.718 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
> org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64
> 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener Delegating channel listener -> Accepting listener for
> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel TCP
> server (NIO) <13f5555f>
> 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener Accepting listener for io.undertow.server.protocol.
> http.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.
> UndertowAcceptingSslChannel at 328f1eb6
> 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on
> channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1
> 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE io.undertow.request - Opened
> connection with /127.0.0.1:56858
> 2016-12-10 11:03:03.724 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout)
> 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
> 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
> io.undertow.protocols.ssl.SslConduit$5$1 at 47e5be01
> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE io.undertow.request.io -
> Exception closing read side of SSL channel
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
> at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
> at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612)
> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983)
> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045)
> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener io.undertow.server.AbstractServerConnection$CloseSetter at 3457fbeb
> on channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1
> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing
> resource org.xnio.nio.NioSocketStreamConnection at 1fd60afd
> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.nio - Cancelling key
> sun.nio.ch.SelectionKeyImpl at 7da1dc1a of java.nio.channels.SocketChannel[connected
> local=/127.0.0.1:8443 remote=/127.0.0.1:56858] (same thread)
> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing
> resource io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1
> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
> io.undertow.protocols.ssl.SslConduit$1 at 11f5487
> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio - Running task
> org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083
> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
> listener io.undertow.server.protocol.http.HttpReadListener at 6b60e713 on
> channel org.xnio.conduits.ConduitStreamSourceChannel at 60e3d137
> 2016-12-10 11:03:03.731 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
> 2016-12-10 11:03:03.731 [XNIO-1 I/O-4] TRACE org.xnio.safe-close - Closing
> resource io.undertow.server.protocol.http.HttpServerConnection at 4f4dae34
> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
> io.undertow.protocols.ssl.SslConduit$2 at 348d6036
> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
>
>
> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt <matt at matthicks.com> wrote:
>
>> Thanks Bill....I don't feel as crazy now. ;)
>>
>> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil <bill at dartalley.com> wrote:
>>
>>> Oops I forgot https://localhost:8443. Now it is giving me localhost
>>> unexpectedly closed the connection. With no errors. I also don't have a
>>> cert set up but I would think that should throw an error?
>>>
>>> The on startup JDK9 issue is still there.
>>>
>>> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil <bill at dartalley.com>
>>> wrote:
>>>
>>> Matt did you try turning on logging? Here are the two errors I get.
>>> Stuart maybe you can help from this I don't know much about SSL.
>>>
>>> This error is on server start. I'm running JDK 8.
>>>
>>> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
>>> at java.lang.Class.getMethod(Class.java:1786)
>>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
>>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at io.undertow.protocols.alpn.JDK9AlpnProvider.<clinit>(JDK9AlpnProvider.java:43)
>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>> at java.lang.Class.newInstance(Class.java:442)
>>> at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>>> at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>>> at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>>> at io.undertow.protocols.alpn.ALPNManager.<init>(ALPNManager.java:40)
>>> at io.undertow.protocols.alpn.ALPNManager.<clinit>(ALPNManager.java:35)
>>> at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:67)
>>> at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:90)
>>> at io.undertow.Undertow.start(Undertow.java:177)
>>> at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>>>
>>>
>>> The following errors happen on request to the localhost:8443 from Matt's
>>> code which leads to an empty response.
>>>
>>> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred
>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
>>> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
>>> at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
>>> at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
>>> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
>>> at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
>>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>> at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>> at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
>>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>>> 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An IOException occurred
>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
>>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An IOException occurred
>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
>>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
>>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
>>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
>>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>>
>>>
>>> On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt <matt at matthicks.com>
>>> wrote:
>>>
>>> I've updated to 1.4.7.Final, I switched to passing an Array of
>>> keyManagers and an Array of trustManagers, I've tried commenting out
>>> ENABLE_HTTP2, I've installed the JCE Unlimited Strength (and verified it's
>>> being used) and I'm consistently getting ERR_CONNECTION_CLOSED when I try
>>> to connect to https://localhost:8443
>>>
>>> If I connect to http://localhost:8080 then I get the expected "Hello,
>>> World!".  If someone could just test that snippet and tell me if they can
>>> repeat the problem it would be greatly appreciated.
>>>
>>> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt <matt at matthicks.com> wrote:
>>>
>>> Stuart, I don't think I have the JCE Unlimited Strength policy files
>>> installed.  I'll look into seeing if that's the problem.  I am currently
>>> using 1.4.6.Final.  I commented out enabling of HTTP2 but I'm still getting
>>> the same problem.  It will probably be tomorrow before I can get the JCE
>>> Unlimited Strength installed, but either way I should be seeing an error
>>> but I am not.
>>>
>>> Can you check that code snippet I posted?  It's a simplified version of
>>> the example you sent me previously that just outputs "Hello, World!".  If
>>> you're able to run it and it works then perhaps there's something wrong in
>>> my machine configuration, but I'd like some confirmation.
>>>
>>> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas <sdouglas at redhat.com>
>>> wrote:
>>>
>>> I just released 1.4.7.Final that should fix the ClassCastException that
>>> you were seeing.
>>>
>>> Your example code should work. What version of Undertow are you using,
>>> and do you have the JCE unlimited strength ciphers installed?
>>>
>>> Some versions of Undertow would attempt to enable HTTP/2 even if the
>>> required ciphers were not installed, which would result in a connection
>>> error as HTTP/2 would be negotiated with an incorrect cipher, and the
>>> browser will kill the connection as a result. This could be fixed by either
>>> installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>>>
>>> Stuart
>>>
>>> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt <matt at matthicks.com> wrote:
>>>
>>> Michael, where are you getting SSLContextFactory from?  I assumed it was
>>> something built-in or available in Undertow.
>>>
>>> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt <matt at matthicks.com> wrote:
>>>
>>> Thanks guys.  Michael, I'll try your code here in a bit to see if it
>>> makes any difference.
>>>
>>> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove <mike at stardog.com> wrote:
>>>
>>> Prematurely hit send!
>>>
>>> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove <mike at stardog.com> wrote:
>>>
>>>
>>>
>>> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt <matt at matthicks.com> wrote:
>>>
>>> Hi Michael, thanks for the response.  What version of Undertow are you
>>> using?
>>>
>>>
>>> I'm using 1.3.20, so I'm a bit behind.
>>>
>>>
>>> Are you overriding the SSL certificate storage or using the example's?
>>>
>>>
>>> I'm just creating the SSLContext that's passed to the builder via
>>> addHttpsListener directly from the standard JVM properties, eg
>>> javax.net.ssl.keyStore
>>>
>>>
>>> This is the basic code for that:
>>>
>>> // Build the SSLContext from the configured key store and trust store options.
>>> public static SSLContext createSSLContext(final Options theOptions)
>>>         throws SSLException {
>>>     return SSLContextFactory.createSSLContext(
>>>             theOptions.get(ServerOptions.KEY_STORE_TYPE),
>>>             theOptions.get(ServerOptions.KEY_STORE),
>>>             theOptions.get(ServerOptions.KEY_STORE_PASSWD),
>>>             theOptions.get(ServerOptions.TRUST_STORE_TYPE),
>>>             theOptions.get(ServerOptions.TRUST_STORE),
>>>             theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
>>> }
>>>
>>> I tweak the XNIO properties for SSL in the event the user needs client
>>> auth:
>>>
>>> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE,
>>> SslClientAuthMode.REQUIRED);
>>>
>>> At that point, it works nicely.
>>>
>>>
>>>
>>>
>>>
>>> Would you mind terribly trying the exact code snippet and see if it
>>> works for you?  This is very confusing if it's a problem on my
>>> end...especially since HTTP works fine.
>>>
>>>
>>> I can try to run it over the weekend, I'm a bit swamped with day to day
>>> stuff atm.
>>>
>>> Cheers,
>>>
>>> Mike
>>>
>>>
>>>
>>> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove <mike at stardog.com> wrote:
>>>
>>> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt <matt at matthicks.com> wrote:
>>>
>>> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>>>
>>>
>>> It's working fine for me, and I'm using a setup almost exactly like
>>> what's shown in the examples.
>>>
>>>
>>> I copied and pasted the example into my project and am getting the same
>>> results.  I modified it to not do any proxying, but the server isn't
>>> responding properly and my anonymous HttpHandler is never invoked:
>>>
>>> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>>>
>>> This is incredibly frustrating.  Stuart, tell me if I shouldn't be using
>>> Undertow for SSL support and I'll start migrating to wrap with nginx.
>>>
>>> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas <sdouglas at redhat.com>
>>> wrote:
>>>
>>> Here is an example:
>>>
>>> https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
>>>
>>> Looks like you have run into a bug, with regard to the
>>> ClassCastException, you need to use the version that take
>>>
>>>
>