[undertow-dev] SSL Documentation

Stuart Douglas sdouglas at redhat.com
Sun Dec 11 19:48:50 EST 2016


I have modified the example so it will now blow up if the keystore cannot
be loaded:
https://github.com/undertow-io/undertow/commit/d142748f138bb7416b8f5ff003f03c4af746678b

Stuart

On Sun, Dec 11, 2016 at 10:44 AM, Stuart Douglas <sdouglas at redhat.com>
wrote:

> I also failed to run the example, until I realized that the code does not
> validate that the keystore is loaded correctly (passing 'null' into
> KeyStore.load apparently works without error).
>
> Are you sure you are actually loading the keystore correctly (maybe add a
> null check into the loading code)?
>
> Stuart
>
> On Sun, Dec 11, 2016 at 3:05 AM, Bill O'Neil <bill at dartalley.com> wrote:
>
>> Here is the trace; it occurs with Http2 true and false. Issue seems to be
>> javax.net.ssl.SSLException: Inbound closed before receiving peer's
>> close_notify: possible truncation attack?
>>
>>
>> 2016-12-10 11:03:03.669 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
>> 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch
>> .ServerSocketChannelImpl[/127.0.0.1:8443]
>> 2016-12-10 11:03:03.670 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
>> 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
>> 2016-12-10 11:03:03.670 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
>> org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64
>> 2016-12-10 11:03:03.670 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
>> 2016-12-10 11:03:03.671 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
>> listener Delegating channel listener -> Accepting listener for
>> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel
>> TCP server (NIO) <13f5555f>
>> 2016-12-10 11:03:03.671 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch
>> .ServerSocketChannelImpl[/127.0.0.1:8443]
>> 2016-12-10 11:03:03.671 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
>> listener Accepting listener for io.undertow.server.protocol.ht
>> tp.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.Unde
>> rtowAcceptingSslChannel at 328f1eb6
>> 2016-12-10 11:03:03.671 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
>> 2016-12-10 11:03:03.674 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
>> listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on
>> channel io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92
>> 2016-12-10 11:03:03.675 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 49c6180b
>> 2016-12-10 11:03:03.675 [XNIO-1 I/O-4] TRACE io.undertow.request - Opened
>> connection with /127.0.0.1:56854
>> 2016-12-10 11:03:03.676 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task
>> org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64
>> 2016-12-10 11:03:03.681 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout)
>> 2016-12-10 11:03:03.681 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking
>> listener Delegating channel listener -> Accepting listener for
>> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel
>> TCP server (NIO) <13f5555f>
>> 2016-12-10 11:03:03.683 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking
>> listener Accepting listener for io.undertow.server.protocol.ht
>> tp.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.Unde
>> rtowAcceptingSslChannel at 328f1eb6
>> 2016-12-10 11:03:03.685 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
>> 2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking
>> listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on
>> channel io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450
>> 2016-12-10 11:03:03.688 [XNIO-1 I/O-2] TRACE io.undertow.request - Opened
>> connection with /127.0.0.1:56856
>> 2016-12-10 11:03:03.690 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
>> Selected key sun.nio.ch.SelectionKeyImpl at 673b2384 for
>> java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/
>> 127.0.0.1:56854]
>> 2016-12-10 11:03:03.691 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b (with timeout)
>> 2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
>> listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 on
>> channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad
>> 2016-12-10 11:03:03.692 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout)
>> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 49c6180b
>> 2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
>> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task
>> io.undertow.protocols.ssl.SslConduit$5$1 at 32b59207
>> 2016-12-10 11:03:03.696 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
>> io.undertow.protocols.ssl.SslConduit$5$1 at 7c204b59
>> 2016-12-10 11:03:03.696 [XNIO-1 I/O-2] TRACE io.undertow.request.io -
>> Exception closing read side of SSL channel
>> javax.net.ssl.SSLException: Inbound closed before receiving peer's
>> close_notify: possible truncation attack?
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
>> at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
>> at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslCon
>> duit.java:612)
>> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983)
>> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078)
>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799)
>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045)
>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>> 2016-12-10 11:03:03.697 [XNIO-1 I/O-4] TRACE io.undertow.request.io -
>> Exception closing read side of SSL channel
>> javax.net.ssl.SSLException: Inbound closed before receiving peer's
>> close_notify: possible truncation attack?
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
>> at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
>> at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslCon
>> duit.java:612)
>> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983)
>> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078)
>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799)
>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045)
>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>> 2016-12-10 11:03:03.697 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking
>> listener io.undertow.server.AbstractServerConnection$CloseSetter at 55df2063
>> on channel io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450
>> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
>> listener io.undertow.server.AbstractServerConnection$CloseSetter at 42277317
>> on channel io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92
>> 2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.safe-close -
>> Closing resource org.xnio.nio.NioSocketStreamConnection at 50bf3bfc
>> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.safe-close -
>> Closing resource org.xnio.nio.NioSocketStreamConnection at 4196fbe
>> 2016-12-10 11:03:03.698 [XNIO-1 I/O-2] TRACE org.xnio.nio - Cancelling
>> key sun.nio.ch.SelectionKeyImpl at 4805f11b of
>> java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/
>> 127.0.0.1:56856] (same thread)
>> 2016-12-10 11:03:03.698 [XNIO-1 I/O-4] TRACE org.xnio.nio - Cancelling
>> key sun.nio.ch.SelectionKeyImpl at 673b2384 of
>> java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/
>> 127.0.0.1:56854] (same thread)
>> 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.safe-close -
>> Closing resource io.undertow.protocols.ssl.UndertowSslConnection at 3ac7f450
>> 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
>> 2016-12-10 11:03:03.699 [XNIO-1 I/O-4] TRACE org.xnio.safe-close -
>> Closing resource io.undertow.protocols.ssl.UndertowSslConnection at 53f69e92
>> 2016-12-10 11:03:03.699 [XNIO-1 Accept] TRACE org.xnio.nio - Running task
>> org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083
>> 2016-12-10 11:03:03.699 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task
>> io.undertow.protocols.ssl.SslConduit$1 at 77593ca5
>> 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
>> io.undertow.protocols.ssl.SslConduit$1 at 3548b3ac
>> 2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio - Running task
>> org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083
>> 2016-12-10 11:03:03.700 [XNIO-1 I/O-2] TRACE org.xnio.listener - Invoking
>> listener io.undertow.server.protocol.http.HttpReadListener at 6962bde3 on
>> channel org.xnio.conduits.ConduitStreamSourceChannel at 45125494
>> 2016-12-10 11:03:03.700 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
>> listener io.undertow.server.protocol.http.HttpReadListener at 255c6481 on
>> channel org.xnio.conduits.ConduitStreamSourceChannel at 1b4554ad
>> 2016-12-10 11:03:03.700 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
>> 2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.safe-close -
>> Closing resource io.undertow.server.protocol.ht
>> tp.HttpServerConnection at 6cdbf711
>> 2016-12-10 11:03:03.701 [XNIO-1 I/O-4] TRACE org.xnio.safe-close -
>> Closing resource io.undertow.server.protocol.ht
>> tp.HttpServerConnection at 4bcc5cdf
>> 2016-12-10 11:03:03.701 [XNIO-1 I/O-2] TRACE org.xnio.nio - Running task
>> io.undertow.protocols.ssl.SslConduit$2 at 52d9523b
>> 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
>> io.undertow.protocols.ssl.SslConduit$2 at 320a217a
>> 2016-12-10 11:03:03.702 [XNIO-1 I/O-2] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 49c6180b
>> 2016-12-10 11:03:03.702 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
>> 2016-12-10 11:03:03.714 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
>> 2016-12-10 11:03:03.715 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Selected key sun.nio.ch.SelectionKeyImpl at 611889f4 for sun.nio.ch
>> .ServerSocketChannelImpl[/127.0.0.1:8443]
>> 2016-12-10 11:03:03.716 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
>> 2016-12-10 11:03:03.717 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
>> 2016-12-10 11:03:03.718 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
>> org.xnio.nio.QueuedNioTcpServer$1 at 52c85f64
>> 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
>> listener Delegating channel listener -> Accepting listener for
>> io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on channel
>> TCP server (NIO) <13f5555f>
>> 2016-12-10 11:03:03.719 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
>> listener Accepting listener for io.undertow.server.protocol.ht
>> tp.HttpOpenListener at 56f7c1e5 on channel io.undertow.protocols.ssl.Unde
>> rtowAcceptingSslChannel at 328f1eb6
>> 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
>> listener io.undertow.server.protocol.http.HttpOpenListener at 56f7c1e5 on
>> channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1
>> 2016-12-10 11:03:03.721 [XNIO-1 I/O-4] TRACE io.undertow.request - Opened
>> connection with /127.0.0.1:56858
>> 2016-12-10 11:03:03.724 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95 (with timeout)
>> 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
>> 2016-12-10 11:03:03.728 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
>> io.undertow.protocols.ssl.SslConduit$5$1 at 47e5be01
>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE io.undertow.request.io -
>> Exception closing read side of SSL channel
>> javax.net.ssl.SSLException: Inbound closed before receiving peer's
>> close_notify: possible truncation attack?
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
>> at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
>> at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslCon
>> duit.java:612)
>> at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:983)
>> at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1078)
>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:799)
>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1045)
>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
>> listener io.undertow.server.AbstractServerConnection$CloseSetter at 3457fbeb
>> on channel io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1
>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.safe-close -
>> Closing resource org.xnio.nio.NioSocketStreamConnection at 1fd60afd
>> 2016-12-10 11:03:03.729 [XNIO-1 I/O-4] TRACE org.xnio.nio - Cancelling
>> key sun.nio.ch.SelectionKeyImpl at 7da1dc1a of
>> java.nio.channels.SocketChannel[connected local=/127.0.0.1:8443 remote=/
>> 127.0.0.1:56858] (same thread)
>> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.safe-close -
>> Closing resource io.undertow.protocols.ssl.UndertowSslConnection at d84c5d1
>> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Selected on sun.nio.ch.KQueueSelectorImpl at 342f8479
>> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
>> io.undertow.protocols.ssl.SslConduit$1 at 11f5487
>> 2016-12-10 11:03:03.730 [XNIO-1 Accept] TRACE org.xnio.nio - Running task
>> org.xnio.nio.QueuedNioTcpServer$2 at 1ce2a083
>> 2016-12-10 11:03:03.730 [XNIO-1 I/O-4] TRACE org.xnio.listener - Invoking
>> listener io.undertow.server.protocol.http.HttpReadListener at 6b60e713 on
>> channel org.xnio.conduits.ConduitStreamSourceChannel at 60e3d137
>> 2016-12-10 11:03:03.731 [XNIO-1 Accept] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 342f8479
>> 2016-12-10 11:03:03.731 [XNIO-1 I/O-4] TRACE org.xnio.safe-close -
>> Closing resource io.undertow.server.protocol.ht
>> tp.HttpServerConnection at 4f4dae34
>> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio - Running task
>> io.undertow.protocols.ssl.SslConduit$2 at 348d6036
>> 2016-12-10 11:03:03.732 [XNIO-1 I/O-4] TRACE org.xnio.nio.selector -
>> Beginning select on sun.nio.ch.KQueueSelectorImpl at 5c0faa95
>>
>>
>> On Sat, Dec 10, 2016 at 10:58 AM, Hicks, Matt <matt at matthicks.com> wrote:
>>
>>> Thanks Bill....I don't feel as crazy now. ;)
>>>
>>> On Sat, Dec 10, 2016 at 9:51 AM Bill O'Neil <bill at dartalley.com> wrote:
>>>
>>>> Oops I forgot https://localhost:8443. Now it is giving me localhost
>>>> unexpectedly closed the connection. With no errors. I also don't have a
>>>> cert set up but I would think that should throw an error?
>>>>
>>>> The on startup JDK9 issue is still there.
>>>>
>>>> On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil <bill at dartalley.com>
>>>> wrote:
>>>>
>>>> Matt did you try turning on logging? Here are the two errors I get.
>>>> Stuart maybe you can help from this I don't know much about SSL.
>>>>
>>>> This error is on server start. I'm running JDK 8.
>>>>
>>>> java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.se
>>>> tApplicationProtocols([Ljava.lang.String;)
>>>> at java.lang.Class.getMethod(Class.java:1786)
>>>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnPr
>>>> ovider.java:47)
>>>> at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnPr
>>>> ovider.java:43)
>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>> at io.undertow.protocols.alpn.JDK9AlpnProvider.<clinit>(JDK9Alp
>>>> nProvider.java:43)
>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>>>> Method)
>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native
>>>> ConstructorAccessorImpl.java:62)
>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De
>>>> legatingConstructorAccessorImpl.java:45)
>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>>> at java.lang.Class.newInstance(Class.java:442)
>>>> at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoad
>>>> er.java:380)
>>>> at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>>>> at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>>>> at io.undertow.protocols.alpn.ALPNManager.<init>(ALPNManager.java:40)
>>>> at io.undertow.protocols.alpn.ALPNManager.<clinit>(ALPNManager.java:35)
>>>> at io.undertow.server.protocol.http.AlpnOpenListener.<init>(Alp
>>>> nOpenListener.java:67)
>>>> at io.undertow.server.protocol.http.AlpnOpenListener.<init>(Alp
>>>> nOpenListener.java:90)
>>>> at io.undertow.Undertow.start(Undertow.java:177)
>>>> at com.dartalley.function.Http2Server.main(Http2Server.java:70)
>>>>
>>>>
>>>> The following errors happen on request to the localhost:8443 from
>>>> Matt's code which leads to an empty response.
>>>>
>>>> 10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013:
>>>> An IOException occurred
>>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is
>>>> not a handshake record
>>>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.explor
>>>> eClientHello(ALPNHackClientHelloExplorer.java:84)
>>>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackS
>>>> SLEngine.java:205)
>>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
>>>> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
>>>> at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStr
>>>> eamSourceChannel.java:127)
>>>> at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnec
>>>> tionListener.handleEvent(AlpnOpenListener.java:280)
>>>> at io.undertow.server.protocol.http.AlpnOpenListener.handleEven
>>>> t(AlpnOpenListener.java:249)
>>>> at io.undertow.server.protocol.http.AlpnOpenListener.handleEven
>>>> t(AlpnOpenListener.java:60)
>>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListe
>>>> ners.java:92)
>>>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
>>>> at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
>>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListe
>>>> ners.java:92)
>>>> at org.xnio.ChannelListeners$DelegatingChannelListener.handleEv
>>>> ent(ChannelListeners.java:1092)
>>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListe
>>>> ners.java:92)
>>>> at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
>>>> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
>>>> 10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An
>>>> IOException occurred
>>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is
>>>> not a handshake record
>>>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.explor
>>>> eClientHello(ALPNHackClientHelloExplorer.java:84)
>>>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackS
>>>> SLEngine.java:205)
>>>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>>>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.
>>>> java:645)
>>>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>>>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.rea
>>>> dReady(SslConduit.java:1097)
>>>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>>> 10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An
>>>> IOException occurred
>>>> javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is
>>>> not a handshake record
>>>> at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.explor
>>>> eClientHello(ALPNHackClientHelloExplorer.java:84)
>>>> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackS
>>>> SLEngine.java:205)
>>>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
>>>> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.
>>>> java:645)
>>>> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
>>>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.rea
>>>> dReady(SslConduit.java:1097)
>>>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>>>
>>>>
>>>> On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt <matt at matthicks.com>
>>>> wrote:
>>>>
>>>> I've updated to 1.4.7.Final, I switched to passing an Array of
>>>> keyManagers and an Array of trustManagers, I've tried commenting out
>>>> ENABLE_HTTP2, I've installed the JCE Unlimited Strength (and verified it's
>>>> being used) and I'm consistently getting ERR_CONNECTION_CLOSED when I try
>>>> to connect to https://localhost:8443
>>>>
>>>> If I connect to http://localhost:8080 then I get the expected "Hello,
>>>> World!".  If someone could just test that snippet and tell me if they can
>>>> repeat the problem it would be greatly appreciated.
>>>>
>>>> On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt <matt at matthicks.com> wrote:
>>>>
>>>> Stuart, I don't think I have the JCE Unlimited Strength policy files
>>>> installed.  I'll look into seeing if that's the problem.  I am currently
>>>> using 1.4.6.Final.  I commented out enabling of HTTP2 but I'm still getting
>>>> the same problem.  It will probably be tomorrow before I can get the JCE
>>>> Unlimited Strength installed, but either way I should be seeing an error
>>>> but I am not.
>>>>
>>>> Can you check that code snippet I posted?  It's a simplified version of
>>>> the example you sent me previously that just outputs "Hello, World!".  If
>>>> you're able to run it and it works then perhaps there's something wrong in
>>>> my machine configuration, but I'd like some confirmation.
>>>>
>>>> On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas <sdouglas at redhat.com>
>>>> wrote:
>>>>
>>>> I just released 1.4.7.Final that should fix the ClassCastException that
>>>> you were seeing.
>>>>
>>>> Your example code should work. What version of Undertow are you using,
>>>> and do you have the JCE unlimited strength ciphers installed?
>>>>
>>>> Some versions of Undertow would attempt to enable HTTP/2 even if the
>>>> required ciphers were not installed, which would result in a connection
>>>> error as HTTP/2 would be negotiated with an incorrect cipher, and the
>>>> browser will kill the connection as a result. This could be fixed by either
>>>> installing the JCE unlimited strength policy files, or by disabling HTTP/2.
>>>>
>>>> Stuart
>>>>
>>>> On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt <matt at matthicks.com>
>>>> wrote:
>>>>
>>>> Michael, where are you getting SSLContextFactory from?  I assumed it
>>>> was something built-in or available in Undertow.
>>>>
>>>> On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt <matt at matthicks.com> wrote:
>>>>
>>>> Thanks guys.  Michael, I'll try your code here in a bit to see if it
>>>> makes any difference.
>>>>
>>>> On Fri, Dec 9, 2016 at 12:49 PM Michael Grove <mike at stardog.com> wrote:
>>>>
>>>> Prematurely hit send!
>>>>
>>>> On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove <mike at stardog.com> wrote:
>>>>
>>>>
>>>>
>>>> On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt <matt at matthicks.com> wrote:
>>>>
>>>> Hi Michael, thanks for the response.  What version of Undertow are you
>>>> using?
>>>>
>>>>
>>>> I'm using 1.3.20, so I'm a bit behind.
>>>>
>>>>
>>>> Are you overriding the SSL certificate storage or using the example's?
>>>>
>>>>
>>>> I'm just creating the SSLContext that's passed to the builder via
>>>> addHttpsListener directly from the standard JVM properties, eg
>>>> javax.net.ssl.keyStore
>>>>
>>>>
>>>> This is the basic code for that:
>>>>
>>>> public static SSLContext createSSLContext(final Options theOptions)
>>>>         throws SSLException {
>>>>     return SSLContextFactory.createSSLContext(
>>>>             theOptions.get(ServerOptions.KEY_STORE_TYPE),
>>>>             theOptions.get(ServerOptions.KEY_STORE),
>>>>             theOptions.get(ServerOptions.KEY_STORE_PASSWD),
>>>>             theOptions.get(ServerOptions.TRUST_STORE_TYPE),
>>>>             theOptions.get(ServerOptions.TRUST_STORE),
>>>>             theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
>>>> }
>>>>
>>>> I tweak the XNIO properties for SSL in the event the user needs client
>>>> auth:
>>>>
>>>> aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE,
>>>> SslClientAuthMode.REQUIRED);
>>>>
>>>> At that point, it works nicely.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Would you mind terribly trying the exact code snippet and see if it
>>>> works for you?  This is very confusing if it's a problem on my
>>>> end...especially since HTTP works fine.
>>>>
>>>>
>>>> I can try to run it over the weekend, I'm a bit swamped with day to day
>>>> stuff atm.
>>>>
>>>> Cheers,
>>>>
>>>> Mike
>>>>
>>>>
>>>>
>>>> On Fri, Dec 9, 2016 at 11:59 AM Michael Grove <mike at stardog.com> wrote:
>>>>
>>>> On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt <matt at matthicks.com>
>>>> wrote:
>>>>
>>>> Yeah, I'm pretty sure Undertow's support for SSL is broken!
>>>>
>>>>
>>>> It's working fine for me, and I'm using a setup almost exactly like
>>>> what's shown in the examples.
>>>>
>>>>
>>>> I copied and pasted the example into my project and am getting the same
>>>> results.  I modified it to not do any proxying, but the server isn't
>>>> responding properly and my anonymous HttpHandler is never invoked:
>>>>
>>>> https://gist.github.com/darkfrog26/e17c1efb0d5606caeb56e903bff970a7
>>>>
>>>> This is incredibly frustrating.  Stuart, tell me if I shouldn't be
>>>> using Undertow for SSL support and I'll start migrating to wrap with nginx.
>>>>
>>>> On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas <sdouglas at redhat.com>
>>>> wrote:
>>>>
>>>> Here is an example:
>>>>
>>>> https://github.com/undertow-io/undertow/blob/master/examples
>>>> /src/main/java/io/undertow/examples/http2/Http2Server.java
>>>>
>>>> Looks like you have run into a bug, with regard to the
>>>> ClassCastException, you need to use the version that take
>>>>
>>>>
>>
>
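
The failure mode identified at the top of this thread (KeyStore.load accepting null without error, so the server starts with no certificate and connections simply close) can be caught at startup. The following is an added example, not code from the thread or from the Undertow commit linked above; the class name StrictKeyStoreLoader, the resource path and the password are hypothetical, constructed values.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class StrictKeyStoreLoader {

    /** Loads a keystore from the classpath; fails if it is missing or holds no private key. */
    static KeyStore loadKeyStore(String resource, String type, char[] password)
            throws IOException, GeneralSecurityException {
        InputStream in = StrictKeyStoreLoader.class.getResourceAsStream(resource);
        if (in == null) {
            // Without this check, load(null, ...) below would silently create an EMPTY keystore.
            throw new IOException("Keystore resource not found: " + resource);
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream stream = in) {
            ks.load(stream, password);
        }
        if (!hasKeyEntry(ks)) {
            // A store holding only trusted certificates cannot serve TLS either.
            throw new GeneralSecurityException(
                    "Keystore " + resource + " contains no private key entry");
        }
        return ks;
    }

    /** True if at least one alias in the keystore is a private key entry. */
    static boolean hasKeyEntry(KeyStore ks) throws GeneralSecurityException {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return true;
            }
        }
        return false;
    }

    /** Builds a server-side SSLContext from the given keystore (default trust managers). */
    static SSLContext createServerContext(KeyStore ks, char[] keyPassword)
            throws GeneralSecurityException {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // constructed sample value

        // The failure mode: passing null succeeds and yields an empty keystore.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, password);
        System.out.println("entries after load(null): " + empty.size());

        // An SSLContext built from it also initialises without error,
        // but has no certificate to present during the handshake.
        createServerContext(empty, password);
        System.out.println("SSLContext built from empty keystore: no exception");

        // The strict loader refuses to start instead.
        try {
            loadKeyStore("/no-such-keystore.jks", "JKS", password);
        } catch (IOException e) {
            System.out.println("strict loader: " + e.getMessage());
        }
    }
}
```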