Jetty behaves differently in 8u60?

I am trying to track down an issue where our application crashes when using SSL in 8u60 but not in previous Java versions. In 8u60, when we try to make an HTTPS connection, we get javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate).

When I put breakpoints in the appropriate places, I see that the list of cipher suites is really empty, while it is filled with the values that I expect when the same code is run in 8u45 or earlier.

Here is an SSCCE that shows this behavior (assuming you have the certificate keystore in the correct relative path ...). I am using Jetty 9.3.0 in the SSCCE, but our application is using 9.2.x, fwiw.

import java.io.File;
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HelloWorldSSL extends AbstractHandler {
    private static final int HTTP_PORT = 9999;
    private static final int SSL_PORT = 9998;

    @Override
    public void handle(String s, Request request, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) throws IOException, ServletException {
        httpServletResponse.setContentType("text/html;charset=utf-8");
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        request.setHandled(true);
        httpServletResponse.getWriter().println("<h1>Hello World</h1>");
    }

    public static void main(String[] args) throws Exception
    {
        Server server = new Server();

        // HTTP Configuration
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSecureScheme("https");
        httpConfig.setSecurePort(SSL_PORT);

        // HTTP Connector
        ServerConnector httpConnector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        httpConnector.setPort(HTTP_PORT);
        server.addConnector(httpConnector);

        // SSL Configuration (only set up when the keystore is present at the relative path)
        String keystorePath = "src/main/resources/keystore.jks";
        File keyStoreFile = new File(keystorePath);
        if (keyStoreFile.exists()) {
            SslContextFactory sslContextFactory = new SslContextFactory(keystorePath);
            sslContextFactory.setKeyStorePassword("123456");

            // Hard-coded include list. The connector only enables suites that also appear in the
            // JVM's own list, so if none of these match, the enabled list is empty. Note that
            // "ECDHE-RSA-AES256-SHA384" and "AES256-SHA-256" are OpenSSL-style names rather than
            // JSSE names, so the JVM never matches them.
            String[] defaultCiphers = new String[] { "TLS_RSA_WITH_RC4_128_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-AES256-SHA384",
                    "AES256-SHA-256", "SSL_RSA_WITH_RC4_128_SHA", "TLS_KRB5_WITH_RC4_128_SHA" };
            sslContextFactory.setIncludeCipherSuites(defaultCiphers);
            HttpConfiguration sslConfig = new HttpConfiguration(httpConfig);
            sslConfig.addCustomizer(new SecureRequestCustomizer());
            ServerConnector sslConnector = new ServerConnector(server, sslContextFactory,
                    new HttpConnectionFactory(sslConfig));
            sslConnector.setPort(SSL_PORT);
            sslConnector.setAcceptQueueSize(5);
            server.addConnector(sslConnector);
        }

        HandlerList handlers = new HandlerList();
        handlers.addHandler(new HelloWorldSSL());
        server.setHandler(handlers);

        server.start();
        server.join();
    }
}

Is there something obvious we're doing wrong that explains why it works in 8u45 and not 8u60? Looking at the 8u60 changelogs did not help. (And trying to navigate the error messages for Jetty was a nightmare. Sigh)

[edit] Reading Java bug reports led me to try commenting out the line sslContextFactory.setIncludeCipherSuites(defaultCiphers); and the code now works in 8u60. Still hoping that someone has an idea as to why this ...

1 answer


Found the answer by experimenting and with help from the Jetty people. It looks like the Java valid cipher list changed from 8u45 to 8u60 and none of the ciphers in the above array are in the new acceptable list, resulting in an empty valid cipher list.



Moving from setting the cipher list to setting the protocol (TLSv1.2) makes everything work in both 8u60 and previous versions, and more securely to boot.

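A pre-flight check plus the configuration the answer ends up with, as an added example that is not code from the question, the answer or the Jetty project: it intersects the question's include list with the cipher suites the running JVM enables by default, so an empty result is caught before the connector is started, and it builds the SslContextFactory with setIncludeProtocols("TLSv1.2") instead of a hard-coded cipher list. The class name CipherListCheck is made up; the keystore path and password are reused from the question's SSCCE.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.net.ssl.SSLContext;

import org.eclipse.jetty.util.ssl.SslContextFactory;

public class CipherListCheck {

    // The include list from the question, reused here as the sample input.
    static final String[] REQUESTED = {
            "TLS_RSA_WITH_RC4_128_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
            "ECDHE-RSA-AES256-SHA384", "AES256-SHA-256",
            "SSL_RSA_WITH_RC4_128_SHA", "TLS_KRB5_WITH_RC4_128_SHA" };

    // Returns the requested suites that the running JVM enables by default. A suite missing
    // from that list is either unknown to JSSE or disabled by its security policy, so Jetty
    // cannot enable it on the connector no matter what the include list says.
    static Set<String> usableSuites(String[] requested) throws Exception {
        Set<String> enabledByJvm = new LinkedHashSet<>(Arrays.asList(
                SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()));
        Set<String> usable = new LinkedHashSet<>();
        for (String suite : requested) {
            if (enabledByJvm.contains(suite)) {
                usable.add(suite);
            }
        }
        return usable;
    }

    // The fix from the answer: pin the protocol and let the JVM defaults and Jetty's own
    // exclude rules decide the cipher suites instead of hard-coding an include list.
    static SslContextFactory hardenedFactory(String keystorePath, String password) {
        SslContextFactory factory = new SslContextFactory(keystorePath);
        factory.setKeyStorePassword(password);
        factory.setIncludeProtocols("TLSv1.2");
        return factory;
    }

    public static void main(String[] args) throws Exception {
        Set<String> usable = usableSuites(REQUESTED);
        if (usable.isEmpty()) {
            // The 8u60 symptom: the connector would start with no suites and every handshake fails.
            System.err.println("No requested cipher suite is usable on this JVM; fix the SSL config first");
            System.exit(1);
        }
        System.out.println("Usable suites: " + usable);
        SslContextFactory factory = hardenedFactory("src/main/resources/keystore.jks", "123456");
        System.out.println("Include protocols: " + Arrays.toString(factory.getIncludeProtocols()));
    }
}
```

Run it on the JVM that will host Jetty; the check reads that JVM's own default cipher list, which is what changed between 8u45 and 8u60.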