Old Embedded Jetty Code (SSL) no longer working


Question


Had this sample for a few years and it worked fine.
Attempted to use it again and it now returns a Protocol Error.

Not familiar enough with this API to know if anything has changed which is why this sample was copied a while back. Searched again and found another sample with similar code but that too returned the same error which leads me to believe there is possibly a new requirement with this API.

> cat EmbeddedJettyHTTPS.java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.servlet.ServletHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.server.handler.AbstractHandler;

public class EmbeddedJettyHTTPS
{
    public static void main(String[] args) throws Exception {
        Server server = new Server();
        server.setHandler(new HelloServlet());
        ServerConnector connector = new ServerConnector(server);
        connector.setPort(9999);

        HttpConfiguration https = new HttpConfiguration();
        https.addCustomizer(new SecureRequestCustomizer());

        SslContextFactory sslContextFactory = new SslContextFactory("/myDirecotry/mykeystore");
        sslContextFactory.setKeyStorePassword("myPassword");

        ServerConnector sslConnector = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, "http/1.1"),
                new HttpConnectionFactory(https));
        sslConnector.setPort(8443);
        sslConnector.setIdleTimeout(50000);

        server.setConnectors(new Connector[]{ sslConnector });

        server.start();
        server.join();
    }

    public static class HelloServlet extends AbstractHandler
    {
        @Override
        public void handle(String target,
                           Request baseRequest,
                           HttpServletRequest request,
                           HttpServletResponse response) throws IOException, ServletException
        {
            // Declare response encoding and types
            response.setContentType("text/html; charset=utf-8");

            // Declare response status code
            response.setStatus(HttpServletResponse.SC_OK);

            // Write back response
            response.getWriter().println("<h1>Hello World</h1>");

            // Inform jetty that this request has now been handled
            baseRequest.setHandled(true);
        }
    }
}

The following is the error which appears within the client web browser when called via https://MyServer:8443

[screenshot of the browser error; the image was not captured in this copy of the post]

Since this code has worked fine previously, any recommendation as to what may have changed or what extra call needs to be made?

On a side note, the certificate being used is the same for another application so I would think that indicates it is not a certificate related issue.

Answer 1

Score: 2


First, this block of code ...

SslContextFactory sslContextFactory = new SslContextFactory("/myDirecotry/mykeystore");
sslContextFactory.setKeyStorePassword("myPassword");

... points to an old version of Jetty that is no longer supported. (Upgrade)

The current stable and supported versions of Jetty have Client/Server specific implementations of SslContextFactory now. (a change that was brought onto Jetty due to JVM behavior changes)

See SecuredRedirectHandlerExample from the embedded-jetty-cookbook project.

Next, check the certificates you are using in your keystore. You are likely using some technique with your certificate that is no longer supported by your JVM or your Browser. (e.g. key length minimum requirements, crypto minimum requirements, etc.)

See https://www.java.com/en/jre-jdk-cryptoroadmap.html for details about JVM crypto changes.

You can use the keytool to identify these kinds of certificate issues as well.

$ keytool -list -keystore src/main/resources/ssl/keystore -storepass storepwd
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

jetty, Nov 6, 2008, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 3D:75:8E:56:77:42:01:C7:D3:C3:E9:DF:8C:1B:21:03:19:70:78:A9:27:9E:F1:E4:78:B9:73:F5:F6:CA:EF:C2

Warning:
<jetty> uses the MD5withRSA signature algorithm which is considered a security risk and is disabled.
<jetty> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore src/main/resources/ssl/keystore -destkeystore src/main/resources/ssl/keystore -deststoretype pkcs12".

First thing that this certificate is doing right is that it's SHA-256 and not one of the other crypto techniques currently deprecated by the JVM.

But there are 2 warnings that should be addressed by creating a new certificate + keystore.
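The answer makes two points: move to the server-specific SslContextFactory, and do not ship a keystore whose certificate keytool flags (MD5 signature, 1024-bit RSA). The following is an added example, not code from the question, the answer or the embedded-jetty-cookbook project; it assumes Jetty 9.4 or 10 on the classpath, a PKCS12 keystore at a placeholder path, and treats SHA-1 signatures as weak as well, since current JVMs restrict those for TLS server certificates too.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.*;
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class EmbeddedJettyHTTPSModern {
    // Flag what keytool warned about: MD5 (and SHA-1) signatures and RSA keys under 2048 bits.
    static List<String> auditKeyStore(KeyStore ks) throws Exception {
        List<String> problems = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!(ks.getCertificate(alias) instanceof X509Certificate)) continue; // skip secret-key entries
            X509Certificate x = (X509Certificate) ks.getCertificate(alias);
            String sig = x.getSigAlgName().toUpperCase();               // e.g. "MD5WITHRSA", "SHA256WITHRSA"
            if (sig.contains("MD5") || sig.contains("SHA1"))
                problems.add(alias + ": " + x.getSigAlgName() + " signature is disabled by current JVMs");
            if (x.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength();
                if (bits < 2048) problems.add(alias + ": RSA key is only " + bits + " bits");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        String keyStorePath = "/path/to/keystore.p12"; // placeholder, not a path from the post
        String keyStorePass = "changeit";              // placeholder
        KeyStore ks = KeyStore.getInstance("PKCS12");  // PKCS12, as the keytool hint recommends over JKS
        try (FileInputStream in = new FileInputStream(keyStorePath)) { ks.load(in, keyStorePass.toCharArray()); }
        List<String> problems = auditKeyStore(ks);
        if (!problems.isEmpty()) throw new IllegalStateException("Refusing to start:\n" + String.join("\n", problems));
        Server server = new Server();
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());   // exposes TLS details to requests
        SslContextFactory.Server ssl = new SslContextFactory.Server(); // server flavour replaces the old plain constructor
        ssl.setKeyStore(ks);                                         // reuse the store we just audited
        ssl.setKeyStorePassword(keyStorePass);
        ServerConnector sslConnector = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        sslConnector.setPort(8443);
        server.setConnectors(new Connector[]{ sslConnector });
        server.setHandler(new DefaultHandler());                     // placeholder handler; swap in your own
        server.start();
        server.join();
    }
}
```

With the 2008 keystore from the answer, auditKeyStore returns two entries and the server refuses to bind, which surfaces the real cause at startup instead of as a browser protocol error.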

Posted by huangapple on March 21, 2023 at 02:37:42. Original link: https://go.coder-hub.com/75794096-2.html