
Jetty behaves differently in 8u60?

I'm trying to track down an issue where our application breaks when using SSL in 8u60, but not in previous Java versions. In 8u60, when trying to make an HTTPS connection, we get javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) , and putting breakpoints at the appropriate places, I see that the list of cipher suites is indeed empty, while it's populated with the values I expect when the same code is run in 8u45 or earlier.

An SSCCE that shows this behavior (assuming that you've got a certificate keystore in the right relative path...). I'm using Jetty 9.3.0 in the SSCCE, but our app is using 9.2.x, fwiw:

import java.io.File;
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HelloWorldSSL extends AbstractHandler {
    private static final int HTTP_PORT = 9999;
    private static final int SSL_PORT = 9998;

    @Override
    public void handle(String s, Request request, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) throws IOException, ServletException {
        httpServletResponse.setContentType("text/html;charset=utf-8");
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        request.setHandled(true);
        httpServletResponse.getWriter().println("<h1>Hello World</h1>");
    }

    public static void main(String[] args) throws Exception
    {
        Server server = new Server();

        // HTTP Configuration: plain HTTP on HTTP_PORT, advertising https://…:SSL_PORT as the secure scheme
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSecureScheme("https");
        httpConfig.setSecurePort(SSL_PORT);

        // HTTP Connector
        ServerConnector httpConnector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        httpConnector.setPort(HTTP_PORT);
        server.addConnector(httpConnector);

        // SSL Configuration (only if the keystore is present at the expected relative path)
        String keystorePath = "src/main/resources/keystore.jks";
        File keyStoreFile = new File(keystorePath);
        if (keyStoreFile.exists()) {
            SslContextFactory sslContextFactory = new SslContextFactory(keystorePath);
            sslContextFactory.setKeyStorePassword("123456");

            // Cipher suite include-list exactly as posted. Jetty intersects this list with the
            // suites the running JVM actually enables; this is the line the edit below removes.
            String[] defaultCiphers = new String[] { "TLS_RSA_WITH_RC4_128_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-AES256-SHA384",
                    "AES256-SHA-256", "SSL_RSA_WITH_RC4_128_SHA", "TLS_KRB5_WITH_RC4_128_SHA" };
            sslContextFactory.setIncludeCipherSuites(defaultCiphers);

            // HTTPS connector: same HttpConfiguration plus the customizer that exposes TLS details to requests
            HttpConfiguration sslConfig = new HttpConfiguration(httpConfig);
            sslConfig.addCustomizer(new SecureRequestCustomizer());
            ServerConnector sslConnector = new ServerConnector(server, sslContextFactory,
                    new HttpConnectionFactory(sslConfig));
            sslConnector.setPort(SSL_PORT);
            sslConnector.setAcceptQueueSize(5);
            server.addConnector(sslConnector);
        }

        HandlerList handlers = new HandlerList();
        handlers.addHandler(new HelloWorldSSL());
        server.setHandler(handlers);

        server.start();
        server.join();
    }
}

Is there anything obvious we're doing wrong that would explain why it works in 8u45 and not in 8u60? Looking at the 8u60 change logs hasn't been helpful. (And trying to navigate the bug reports for Jetty has been a nightmare. *sigh*)

[edit] Reading through Java bug reports led me to try taking out the line sslContextFactory.setIncludeCipherSuites(defaultCiphers); , and now the code works in 8u60. Still hoping someone has an insight as to why this is...

Found the answer through experimenting and some help from the Jetty folks. Looks like Java's list of acceptable ciphers has changed from 8u45 to 8u60, and none of the ciphers in the array above are on the new acceptable list, leading to an empty list of acceptable ciphers.

Changing from adding a list of default ciphers to adding a default protocol (TLSv1.2) makes everything work in both 8u60 and prior versions, and is more secure to boot.
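The mechanism the answer describes can be checked directly against any JVM, without Jetty. The following is an added example, not code from the question or from Jetty: it takes the exact cipher-suite array from the question, splits it into names the JVM does not implement at all (the OpenSSL-style names "ECDHE-RSA-AES256-SHA384" and "AES256-SHA-256" are not JSSE identifiers on any Java version), names it implements but leaves disabled by default (RC4 suites were removed from the default enabled list in 8u60 via jdk.tls.disabledAlgorithms), and the intersection that an include-list would actually leave for the handshake. It then shows the alternative from the answer: pinning the protocol to TLSv1.2 while keeping the JVM's default enabled suites. It models the include-list as a plain intersection with the enabled set, which is an approximation of Jetty's own include/exclude matching, not a copy of it. The class and method names are the example's own.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example (not from the question or from Jetty): explains why an include-list of
 * cipher suites can collapse to nothing on a newer JVM, and what pinning TLSv1.2 yields instead.
 */
public class CipherSuiteCheck {

    /** The array from the question, left exactly as posted (duplicates and OpenSSL names included). */
    static final String[] REQUESTED = {
        "TLS_RSA_WITH_RC4_128_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
        "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-AES256-SHA384",
        "AES256-SHA-256", "SSL_RSA_WITH_RC4_128_SHA", "TLS_KRB5_WITH_RC4_128_SHA"
    };

    /** Requested names this JVM does not implement at all (typos, OpenSSL-style names, removed suites). */
    static Set<String> unknown(String[] requested, String[] supported) {
        Set<String> sup = new HashSet<>(Arrays.asList(supported));
        Set<String> out = new LinkedHashSet<>();
        for (String name : requested) {
            if (!sup.contains(name)) out.add(name);
        }
        return out;
    }

    /** Requested names this JVM implements but does not enable by default (e.g. jdk.tls.disabledAlgorithms). */
    static Set<String> knownButDisabled(String[] requested, String[] supported, String[] enabled) {
        Set<String> sup = new HashSet<>(Arrays.asList(supported));
        Set<String> en = new HashSet<>(Arrays.asList(enabled));
        Set<String> out = new LinkedHashSet<>();
        for (String name : requested) {
            if (sup.contains(name) && !en.contains(name)) out.add(name);
        }
        return out;
    }

    /** What an include-list leaves for the handshake: requested ∩ enabled. Empty means no handshake is possible. */
    static Set<String> selected(String[] requested, String[] enabled) {
        Set<String> en = new HashSet<>(Arrays.asList(enabled));
        Set<String> out = new LinkedHashSet<>();
        for (String name : requested) {
            if (en.contains(name)) out.add(name);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites(); // everything the provider implements
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();     // what it enables out of the box

        System.out.println("JVM " + System.getProperty("java.version")
                + ": " + supported.length + " supported, " + enabled.length + " enabled by default");
        System.out.println("unknown to this JVM:  " + unknown(REQUESTED, supported));
        System.out.println("known but disabled:   " + knownButDisabled(REQUESTED, supported, enabled));

        Set<String> sel = selected(REQUESTED, enabled);
        System.out.println("include-list selects: " + sel
                + (sel.isEmpty() ? "   <-- empty: 'No appropriate protocol' at handshake" : ""));

        // The approach from the answer: constrain the protocol and keep the JVM's default enabled suites.
        // Jetty equivalent: sslContextFactory.setIncludeProtocols("TLSv1.2") and no setIncludeCipherSuites().
        SSLEngine engine = ctx.createSSLEngine();
        engine.setEnabledProtocols(new String[] { "TLSv1.2" });
        String[] tls12Suites = engine.getEnabledCipherSuites();
        System.out.println("TLSv1.2 with default suites: " + tls12Suites.length
                + " suites, e.g. " + (tls12Suites.length > 0 ? tls12Suites[0] : "(none)"));
    }
}
```

Run the same class under 8u45 and 8u60 to see the shift: the two OpenSSL-style names land in the "unknown" set on both, while the RC4 suites move from "include-list selects" on the older JVM to "known but disabled" on 8u60, which is what empties the list. Whatever the JVM, an include-list should only ever contain names taken from `getSupportedSSLParameters().getCipherSuites()`; pinning the protocol and accepting the JVM's defaults, as the answer does, avoids hard-coding names that a later update may disable.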
