Oops, I forgot https://localhost:8443. Now it is giving me "localhost unexpectedly closed the connection", with no errors. I also don't have a cert set up, but I would think that should throw an error?

The JDK9 issue on startup is still there.

On Sat, Dec 10, 2016 at 10:45 AM, Bill O'Neil <bill@dartalley.com> wrote:
Matt, did you try turning on logging? Here are the two errors I get. Stuart, maybe you can help from this; I don't know much about SSL.

This error is on server start. I'm running JDK 8.

java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
at java.lang.Class.getMethod(Class.java:1786)
at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
at java.security.AccessController.doPrivileged(Native Method)
at io.undertow.protocols.alpn.JDK9AlpnProvider.<clinit>(JDK9AlpnProvider.java:43)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
at java.lang.Class.newInstance(Class.java:442)
at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
at io.undertow.protocols.alpn.ALPNManager.<init>(ALPNManager.java:40)
at io.undertow.protocols.alpn.ALPNManager.<clinit>(ALPNManager.java:35)
at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:67)
at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:90)
at io.undertow.Undertow.start(Undertow.java:177)
at com.dartalley.function.Http2Server.main(Http2Server.java:70)


The following errors happen on a request to localhost:8443 with Matt's code, which leads to an empty response.

10:42:29.083 [XNIO-1 I/O-2] DEBUG io.undertow.request.io - UT005013: An IOException occurred
javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:729)
at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:280)
at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:249)
at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
10:42:29.091 [XNIO-1 I/O-4] DEBUG io.undertow.request - UT005013: An IOException occurred
javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
10:42:29.100 [XNIO-1 I/O-2] DEBUG io.undertow.request - UT005013: An IOException occurred
javax.net.ssl.SSLHandshakeException: UT000140: Initial SSL/TLS data is not a handshake record
at io.undertow.protocols.ssl.ALPNHackClientHelloExplorer.exploreClientHello(ALPNHackClientHelloExplorer.java:84)
at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:205)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:748)
at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:645)
at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1097)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
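
UT000140 is Undertow's way of saying that the first bytes it read on the TLS port did not start a TLS record, which is exactly what a browser sends when the URL is http://localhost:8443 rather than https:// (as Matt notes at the top of this thread). The following is an added example, not Undertow's or Bill's code, that shows the check behind that message: a TLS ClientHello begins with a 0x16 handshake record header (RFC 5246), while a plaintext request begins with an ASCII method token. The two byte arrays in main are constructed for the example.

```java
import java.nio.charset.StandardCharsets;

public final class TlsFirstBytes {

    // TLS record content type "handshake" (RFC 5246 section 6.2.1)
    private static final int CONTENT_TYPE_HANDSHAKE = 0x16;
    // Handshake message type "client_hello" (RFC 5246 section 7.4)
    private static final int HANDSHAKE_CLIENT_HELLO = 0x01;

    public enum Kind { TLS_CLIENT_HELLO, TLS_OTHER_RECORD, PLAINTEXT_HTTP, UNKNOWN, TOO_SHORT }

    /** Classify the first bytes a client sent to a TLS listener. */
    public static Kind classify(byte[] initial) {
        if (initial == null || initial.length < 6) {
            return Kind.TOO_SHORT;
        }
        int contentType = initial[0] & 0xff;
        int majorVersion = initial[1] & 0xff;
        int minorVersion = initial[2] & 0xff;
        int recordLength = ((initial[3] & 0xff) << 8) | (initial[4] & 0xff);
        // Record-layer version is 3.x for SSL 3.0 through TLS 1.3 (legacy_record_version)
        boolean tlsVersion = majorVersion == 0x03 && minorVersion <= 0x04;
        if (contentType == CONTENT_TYPE_HANDSHAKE && tlsVersion && recordLength > 0) {
            int handshakeType = initial[5] & 0xff;
            return handshakeType == HANDSHAKE_CLIENT_HELLO ? Kind.TLS_CLIENT_HELLO : Kind.TLS_OTHER_RECORD;
        }
        // A plaintext HTTP request starts with an ASCII method token followed by a space.
        String head = new String(initial, 0, Math.min(initial.length, 8), StandardCharsets.US_ASCII);
        String[] methods = {"GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "PATCH ", "CONNECT "};
        for (String method : methods) {
            if (head.startsWith(method)) {
                return Kind.PLAINTEXT_HTTP;
            }
        }
        return Kind.UNKNOWN;
    }

    public static void main(String[] args) {
        // Constructed sample: 5-byte record header (handshake, version 3.1, length 0xf4)
        // followed by the ClientHello handshake header (type 0x01, 3-byte length) and
        // the client_version 3.3 of a TLS 1.2 ClientHello.
        byte[] clientHello = {0x16, 0x03, 0x01, 0x00, (byte) 0xf4, 0x01, 0x00, 0x00, (byte) 0xf0, 0x03, 0x03};
        // Constructed sample: what a browser sends for http://localhost:8443 (no TLS).
        byte[] plainHttp = "GET / HTTP/1.1\r\nHost: localhost:8443\r\n\r\n".getBytes(StandardCharsets.US_ASCII);

        System.out.println("ClientHello bytes -> " + classify(clientHello));
        System.out.println("plain HTTP bytes  -> " + classify(plainHttp));
    }
}
```

The second case is the one behind the three UT000140 traces above: Undertow's ALPNHackClientHelloExplorer expects a ClientHello and gets "GET / HTTP/1.1" instead, so it aborts the handshake and the browser reports an empty reply. Checking the URL scheme, or running openssl s_client against port 8443 to confirm a real handshake completes, separates this from a genuine certificate or cipher problem.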


On Sat, Dec 10, 2016 at 10:15 AM, Hicks, Matt <matt@matthicks.com> wrote:
I've updated to 1.4.7.Final, I switched to passing an Array of keyManagers and an Array of trustManagers, I've tried commenting out ENABLE_HTTP2, I've installed the JCE Unlimited Strength (and verified it's being used) and I'm consistently getting ERR_CONNECTION_CLOSED when I try to connect to https://localhost:8443

If I connect to http://localhost:8080 then I get the expected "Hello, World!".  If someone could just test that snippet and tell me if they can repeat the problem it would be greatly appreciated.

On Fri, Dec 9, 2016 at 5:30 PM Hicks, Matt <matt@matthicks.com> wrote:
Stuart, I don't think I have the JCE Unlimited Strength policy files installed.  I'll look into seeing if that's the problem.  I am currently using 1.4.6.Final.  I commented out enabling of HTTP2 but I'm still getting the same problem.  It will probably be tomorrow before I can get the JCE Unlimited Strength installed, but either way I should be seeing an error but I am not.

Can you check that code snippet I posted?  It's a simplified version of the example you sent me previously that just outputs "Hello, World!".  If you're able to run it and it works then perhaps there's something wrong in my machine configuration, but I'd like some confirmation.

On Fri, Dec 9, 2016 at 4:30 PM Stuart Douglas <sdouglas@redhat.com> wrote:
I just released 1.4.7.Final that should fix the ClassCastException that you were seeing.

Your example code should work. What version of Undertow are you using, and do you have the JCE unlimited strength ciphers installed?

Some versions of Undertow would attempt to enable HTTP/2 even if the required ciphers were not installed, which would result in a connection error as HTTP/2 would be negotiated with an incorrect cipher, and the browser will kill the connection as a result. This could be fixed by either installing the JCE unlimited strength policy files, or by disabling HTTP/2.

Stuart
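
Stuart's explanation above amounts to a precondition: advertise HTTP/2 only when the JVM can actually negotiate a cipher suite that HTTP/2 accepts. The following is an added example written for this page, not Undertow's or Stuart's code. It builds the SSLContext from the standard javax.net.ssl.keyStore system properties (the approach Michael describes further down), checks the crypto policy and the RFC 7540 mandatory suite, and sets ENABLE_HTTP2 only when both are present; otherwise the listener stays on HTTP/1.1 over TLS instead of letting the browser drop the connection. The port, host and "Hello, World!" handler mirror the thread; the helper names and the system-property wiring are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import io.undertow.Undertow;
import io.undertow.UndertowOptions;
import io.undertow.util.Headers;

public final class GuardedHttp2Server {

    // RFC 7540 section 9.2.2: an HTTP/2 endpoint must support this suite, and the
    // suites in its Appendix A (CBC, non-ephemeral key exchange, ...) must not be
    // negotiated for h2. If the JVM cannot offer this one, do not advertise h2.
    static final String H2_MANDATORY_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    /** True when the JCE unlimited strength policy is in effect (AES not capped at 128 bits). */
    static boolean unlimitedCryptoPolicy() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    /** True when the context can offer the HTTP/2 mandatory cipher suite at all. */
    static boolean supportsH2Suite(SSLContext ctx) {
        String[] suites = ctx.getSupportedSSLParameters().getCipherSuites();
        return Arrays.asList(suites).contains(H2_MANDATORY_SUITE);
    }

    /** ENABLE_HTTP2 is only safe when both the policy and the suite are available. */
    static boolean http2Safe(SSLContext ctx) throws Exception {
        return unlimitedCryptoPolicy() && supportsH2Suite(ctx);
    }

    /**
     * Build an SSLContext from the standard JSSE system properties
     * (-Djavax.net.ssl.keyStore=..., -Djavax.net.ssl.keyStorePassword=...,
     * optional -Djavax.net.ssl.keyStoreType=JKS). The keystore holds the server
     * key and certificate chain; it also serves as the trust store here, which is
     * only appropriate while client certificates are not required.
     */
    static SSLContext createSSLContextFromSystemProperties() throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        char[] password = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        if (path == null) {
            throw new IllegalStateException("javax.net.ssl.keyStore is not set");
        }
        KeyStore keyStore = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext sslContext = createSSLContextFromSystemProperties();
        boolean h2 = http2Safe(sslContext);
        System.out.println(h2 ? "HTTP/2 enabled"
                : "HTTP/2 disabled: limited crypto policy or " + H2_MANDATORY_SUITE + " unavailable");

        // Pass the handler to the HTTPS listener explicitly (the 4-argument overload
        // Bill points to in this thread) rather than relying on builder.setHandler(...).
        Undertow server = Undertow.builder()
                .setServerOption(UndertowOptions.ENABLE_HTTP2, h2)
                .addHttpsListener(8443, "localhost", sslContext, exchange -> {
                    exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
                    exchange.getResponseSender().send("Hello, World!");
                })
                .build();
        server.start();
    }
}
```

Run it with -Djavax.net.ssl.keyStore=/path/to/keystore.jks -Djavax.net.ssl.keyStorePassword=... and hit https://localhost:8443. On a JDK 8 without the unlimited policy files the log line reports HTTP/2 disabled and the listener still answers over HTTP/1.1, which is the fallback Stuart describes rather than a silently closed connection.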

On Sat, Dec 10, 2016 at 9:00 AM, Hicks, Matt <matt@matthicks.com> wrote:
Michael, where are you getting SSLContextFactory from?  I assumed it was something built-in or available in Undertow.

On Fri, Dec 9, 2016 at 1:08 PM Hicks, Matt <matt@matthicks.com> wrote:
Thanks guys.  Michael, I'll try your code here in a bit to see if it makes any difference.

On Fri, Dec 9, 2016 at 12:49 PM Michael Grove <mike@stardog.com> wrote:
Prematurely hit send!

On Fri, Dec 9, 2016 at 1:43 PM, Michael Grove <mike@stardog.com> wrote:


On Fri, Dec 9, 2016 at 1:11 PM, Hicks, Matt <matt@matthicks.com> wrote:
Hi Michael, thanks for the response.  What version of Undertow are you using? 

I'm using 1.3.20, so I'm a bit behind.
 
Are you overriding the SSL certificate storage or using the example's? 

I'm just creating the SSLContext that's passed to the builder via addHttpsListener directly from the standard JVM properties, eg javax.net.ssl.keyStore

This is the basic code for that:

public static SSLContext createSSLContext(final Options theOptions) throws SSLException {
    return SSLContextFactory.createSSLContext(theOptions.get(ServerOptions.KEY_STORE_TYPE),
                                              theOptions.get(ServerOptions.KEY_STORE),
                                              theOptions.get(ServerOptions.KEY_STORE_PASSWD),
                                              theOptions.get(ServerOptions.TRUST_STORE_TYPE),
                                              theOptions.get(ServerOptions.TRUST_STORE),
                                              theOptions.get(ServerOptions.TRUST_STORE_PASSWD));
}

I tweak the XNIO properties for SSL in the event the user needs client auth:

aBuilder.setWorkerOption(org.xnio.Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);

At that point, it works nicely.

 
 
Would you mind terribly trying the exact code snippet and see if it works for you?  This is very confusing if it's a problem on my end...especially since HTTP works fine.

I can try to run it over the weekend, I'm a bit swamped with day to day stuff atm.

Cheers,

Mike
 

On Fri, Dec 9, 2016 at 11:59 AM Michael Grove <mike@stardog.com> wrote:
On Fri, Dec 9, 2016 at 10:24 AM, Hicks, Matt <matt@matthicks.com> wrote:
Yeah, I'm pretty sure Undertow's support for SSL is broken!

It's working fine for me, and I'm using a setup almost exactly like what's shown in the examples.


I copied and pasted the example into my project and am getting the same results.  I modified it to not do any proxying, but the server isn't responding properly and my anonymous HttpHandler is never invoked:


This is incredibly frustrating.  Stuart, tell me if I shouldn't be using Undertow for SSL support and I'll start migrating to wrap with nginx.

On Thu, Dec 8, 2016 at 8:00 PM Stuart Douglas <sdouglas@redhat.com> wrote:
Here is an example:

https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java

Looks like you have run into a bug. With regard to the ClassCastException, you need to use the version that takes an SslContext for now, although this should be fixed later today.

Stuart

On Fri, Dec 9, 2016 at 12:30 PM, Hicks, Matt <matt@matthicks.com> wrote:
> Well, I switched to using the signature that takes the KeyManagers array and
> TrustManagers array and now I'm at least getting an error:
>
> java.lang.ClassCastException: org.xnio.ssl.JsseSslStreamConnection cannot be cast to io.undertow.protocols.ssl.UndertowSslConnection
>     at io.undertow.protocols.ssl.UndertowXnioSsl.getSslConduit(UndertowXnioSsl.java:141)
>
> This seems like a really flimsy implementation.  Am I better off just
> wrapping Undertow with Apache or Nginx?
>
> On Thu, Dec 8, 2016 at 7:26 PM Bill O'Neil <bill@dartalley.com> wrote:
>>
>> Hmm I'm not sure. I SSL terminate before I hit undertow.
>>
>> On Thu, Dec 8, 2016 at 8:16 PM, Hicks, Matt <matt@matthicks.com> wrote:
>>>
>>> Also, to clarify, the HttpHandler's handleRequest is never being called.
>>>
>>> On Thu, Dec 8, 2016 at 7:14 PM Hicks, Matt <matt@matthicks.com> wrote:
>>>>
>>>> It was worth a try, but no change.  Thanks for the suggestion though.
>>>>
>>>> On Thu, Dec 8, 2016 at 7:12 PM Bill O'Neil <bill@dartalley.com> wrote:
>>>>>
>>>>> Try the constructor with 4 args where you also pass a handler.
>>>>>
>>>>> public Builder addHttpsListener(int port, String host, SSLContext sslContext, HttpHandler rootHandler) {
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Dec 8, 2016 at 8:06 PM, Hicks, Matt <matt@matthicks.com> wrote:
>>>>>>
>>>>>> I've made some progress.  After adding the following to the builder:
>>>>>>
>>>>>> import java.io.FileInputStream
>>>>>> import java.security.{KeyStore, SecureRandom}
>>>>>> import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}
>>>>>>
>>>>>> val password = config.https.password.get.toCharArray
>>>>>> val keyStore = KeyStore.getInstance("JKS")
>>>>>> val keyStoreFile = config.https.keyStoreLocation.get
>>>>>> assert(keyStoreFile.exists(), s"No keystore file was found at the location: ${keyStoreFile.getAbsolutePath}")
>>>>>> // Load the server key and certificate chain; close the stream once it is read
>>>>>> val keyStoreInput = new FileInputStream(keyStoreFile)
>>>>>> try keyStore.load(keyStoreInput, password) finally keyStoreInput.close()
>>>>>> // Key managers present the server certificate; the same keystore is reused as the trust store
>>>>>> val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
>>>>>> keyManagerFactory.init(keyStore, password)
>>>>>> val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
>>>>>> trustManagerFactory.init(keyStore)
>>>>>> val sslContext = SSLContext.getInstance("TLS")
>>>>>> sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
>>>>>> builder.addHttpsListener(config.https.port.get, config.https.host.get, sslContext)
>>>>>>
>>>>>> Everything starts as expected, no errors, but when I hit
>>>>>> localhost:8443 with the browser it says "localhost didn't send any data".
>>>>>>
>>>>>> Should it use what I've set with "builder.setHandler" for HTTPS as
>>>>>> well?
>>>>>>
>>>>>> On Thu, Dec 8, 2016 at 10:53 AM Hicks, Matt <matt@matthicks.com>
>>>>>> wrote:
>>>>>>>
>>>>>>> Is there any documentation for configuring SSL on my server?  I was
>>>>>>> looking through the online docs and found nothing (apart from "Assembling a
>>>>>>> Server Manually").
>>>>>>>
>>>>>>> Any assistance would be appreciated.
>>>>>>>
>>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> undertow-dev mailing list
>>>>>> undertow-dev@lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev