配置Jetty上的SSL

huangapple go评论80阅读模式
英文:

Configuring SSL on Jetty

问题

我正在尝试配置我的Jetty环境,以便能够建立一个安全连接。

我按照官方Jetty文档中描述的步骤进行了操作:https://www.eclipse.org/jetty/documentation/9.4.31.v20200723/jetty-ssl-distribution.html,但没有成功。

重现步骤:

  1. 运行命令:java -jar start.jar --create-startd --add-to-start=ssl
  2. 运行命令:java -jar start.jar --add-to-start=ssl,conscrypt
  3. 运行命令:java -jar start.jar --add-to-startd=ssl,https
  4. 更新start.d/ssl.ini文件中的值如下:
--module=ssl
jetty.ssl.host=0.0.0.0
jetty.ssl.port=8583
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore
jetty.sslContext.keyStorePassword=OBF:
jetty.sslContext.keyManagerPassword=OBF:
jetty.sslContext.trustStorePassword=OBF:
 #Enable client certificate authentication.
jetty.sslContext.needClientAuth=true

生成密钥库的步骤如下:

openssl genrsa -des3 -out jetty.key
openssl req -new -x509 -key jetty.key -out jetty.crt
keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
openssl req -new -key jetty.key -out jetty.csr
openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

作为最后一步,我已经对密码进行了混淆,并更新到start.d/ssl.ini文件中。

问题:

我遇到了一个错误,大致是这样的:

2020-09-28 13:51:46.896:INFO::main: Logging initialized @523ms to org.eclipse.jetty.util.log.StdErrLog
2020-09-28 13:51:47.387:WARN:oejs.HomeBaseWarning:main: This instance of Jetty is not running from a separate {jetty.base} directory, this is not recommended.  See documentation at http://www.eclipse.org/jetty/documentation/current/startup.html
2020-09-28 13:51:47.414:INFO:oejs.Server:main: jetty-9.4.31.v20200723; built: 2020-07-23T17:57:36.812Z; git: 450ba27947e13e66baa8cd1ce7e85a4461cacc1d; jvm 11.0.8+10-LTS
2020-09-28 13:51:47.460:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:///opt/jetty-distribution-9.4.31.v20200723/webapps/] at interval 1
2020-09-28 13:51:47.796:INFO:oejus.SslContextFactory:main: x509=X509@6853425f(jetty,h=[jettyhttp2sample.organicdesign.org],w=[]) for Server@5a9f4771[provider=Conscrypt,keyStore=file:///opt/jetty-distribution-9.4.31.v20200723/etc/keystore,trustStore=file:///opt/jetty-distribution-9.4.31.v20200723/etc/keystore]
2020-09-28 13:51:47.799:INFO:oejus.SslContextFactory:main: Unable to get KeyManagerFactory instance for algorithm [SunX509] on provider [Conscrypt], using default
2020-09-28 13:51:47.882:INFO:oejs.AbstractConnector:main: Started ServerConnector@46c1a1fc{SSL, (ssl, http/1.1)}{localhost:8443}
2020-09-28 13:51:47.886:INFO:oejs.AbstractConnector:main: Started ServerConnector@7b205dbd{HTTP/1.1, (http/1.1)}{0.0.0.0:8080}
2020-09-28 13:51:47.887:INFO:oejs.Server:main: Started @1514ms

Unable to get KeyManagerFactory instance for algorithm [SunX509] on provider [Conscrypt], using default

感谢任何帮助。

英文:

I'm trying to configure my jetty environment to be able to have a secure connection.

I've run the steps described on the official jetty documentation :https://www.eclipse.org/jetty/documentation/9.4.31.v20200723/jetty-ssl-distribution.html. but with no success..

Steps to recreate:

  1. java -jar start.jar --create-startd --add-to-start=ssl
  2. java -jar start.jar --add-to-start=ssl,conscrypt
  3. java -jar start.jar --add-to-startd=ssl,https
  4. update start.d/ssl.ini with the values:
--module=ssl
jetty.ssl.host=0.0.0.0
jetty.ssl.port=8583
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore
jetty.sslContext.keyStorePassword=OBF:
jetty.sslContext.keyManagerPassword=OBF:
jetty.sslContext.trustStorePassword=OBF:
 #Enable client certificate authentication.
jetty.sslContext.needClientAuth=true

For generating the keystore I followed the steps:

openssl genrsa -des3 -out jetty.key
openssl req -new -x509 -key jetty.key -out jetty.crt
keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
openssl req -new -key jetty.key -out jetty.csr
openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

As last step I've obfuscated the password and updated it into start.d/ssl.ini file.

ISSUE

I'm facing with an error which say something like

2020-09-28 13:51:46.896:INFO::main: Logging initialized @523ms to org.eclipse.jetty.util.log.StdErrLog
2020-09-28 13:51:47.387:WARN:oejs.HomeBaseWarning:main: This instance of Jetty is not running from a separate {jetty.base} directory, this is not recommended.  See documentation at http://www.eclipse.org/jetty/documentation/current/startup.html
2020-09-28 13:51:47.414:INFO:oejs.Server:main: jetty-9.4.31.v20200723; built: 2020-07-23T17:57:36.812Z; git: 450ba27947e13e66baa8cd1ce7e85a4461cacc1d; jvm 11.0.8+10-LTS
2020-09-28 13:51:47.460:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:///opt/jetty-distribution-9.4.31.v20200723/webapps/] at interval 1
2020-09-28 13:51:47.796:INFO:oejus.SslContextFactory:main: x509=X509@6853425f(jetty,h=[jettyhttp2sample.organicdesign.org],w=[]) for Server@5a9f4771[provider=Conscrypt,keyStore=file:///opt/jetty-distribution-9.4.31.v20200723/etc/keystore,trustStore=file:///opt/jetty-distribution-9.4.31.v20200723/etc/keystore]
2020-09-28 13:51:47.799:INFO:oejus.SslContextFactory:main: Unable to get KeyManagerFactory instance for algorithm [SunX509] on provider [Conscrypt], using default
2020-09-28 13:51:47.882:INFO:oejs.AbstractConnector:main: Started ServerConnector@46c1a1fc{SSL, (ssl, http/1.1)}{localhost:8443}
2020-09-28 13:51:47.886:INFO:oejs.AbstractConnector:main: Started ServerConnector@7b205dbd{HTTP/1.1, (http/1.1)}{0.0.0.0:8080}
2020-09-28 13:51:47.887:INFO:oejs.Server:main: Started @1514ms

Unable to get KeyManagerFactory instance for algorithm [SunX509] on provider [Conscrypt], using default

Any help is appreciated

Thanks.

答案1

得分: 1

这里没有报告任何错误,这是备用提供程序(在您的情况下为conscrypt)的正常回退操作。

Conscrypt安全提供程序不支持KeyManagerFactorySunX509算法,因此它会回退到JVM默认实现。

此外,请不要直接编辑jetty-home / jetty-distribution中的文件,这是一个更严重的警告,正确使用分发版本,并根据警告消息中链接的文档将jetty-home与jetty-base分开。在Jetty 10和Jetty 11中,已彻底删除了管理Jetty独立配置的这种古老技术!

英文:

There's no error being reported here, this is normal fallback operations for alternate providers (conscrypt in your case).

The Conscrypt security provider doesn't support the SunX509 algorithm for KeyManagerFactory, so it falls back to the JVM default implementation.

Also, don't edit files in your jetty-home / jetty-distribution directly, that's a much bigger WARN, use the distribution correctly and separate your jetty-home from your jetty-base per the documentation linked in that WARN message. This ancient technique for managing the configuration of Jetty standalone has been completely removed in Jetty 10 and Jetty 11!

huangapple
  • 本文由 发表于 2020年9月28日 19:49:49
  • 转载请务必保留本文链接:https://go.coder-hub.com/64101617.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定