
I am using embedded Jetty 9, where I want to allow https access, but no http.

I know I can easily configure a redirect in Jetty web.xml, but I don't have that file in the embedded version. I know I can use any file and point to it from the embedded version, but this should be easier.

So I searched and found this here http://blog.anvard.org/articles/2013/10/05/jetty-ssl-server.html where the author states "Of course, we could force the use of HTTP/S by just removing the HTTP connector."

So I did exactly this:

    Server server = new Server();

    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setKeyStorePath(keystoreFile.getAbsolutePath());
    sslContextFactory.setKeyStorePassword(Keys.DOMAIN_CERTIFICATE_JKS_KEYSTORE_PASSWORD);
    sslContextFactory.setKeyManagerPassword(Keys.DOMAIN_CERTIFICATE_KEY_MANAGER_PASSWORD);

    HttpConfiguration httpsConfiguration = new HttpConfiguration();
    SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer();
    httpsConfiguration.addCustomizer(secureRequestCustomizer);

    ServerConnector serverConnector = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfiguration));
    serverConnector.setHost("192.168.0.5");
    serverConnector.setPort(9443);
    serverConnector.setIdleTimeout(15000);

    server.setConnectors(new Connector[] { serverConnector });

Problem: It doesn't seem to work. https is working fine, but when I access http, I get a 200 OK response with junk in the body (instead of the expected JSON response). So the server seems to process the request, but encrypts it wrong, or whatever. Or have I overlooked anything and my configuration is bad?

[screenshot: http wireshark response]

  • When you say "I access http" does that mean you are using plaintext http over 9443? – Johnny V Aug 10 '16 at 02:53
  • Yes. I entered `http://...` into the browser and received something encrypted back. Is it normal when there is no redirect to the non-http port? – Oliver Hausler Aug 11 '16 at 16:15
  • Was it `http://xxxxx:9443`? Because that would be totally expected to receive the encryption handshake or a notice that plaintext is not supported. – Johnny V Aug 11 '16 at 22:45
  • Yes, it was `http://xxxxx:9443`. I imagined it was the handshake that I received, but wanted to make sure. [@JohnnyV Thanks for answering and if you want post this as an answer so you get your points :) ] – Oliver Hausler Aug 13 '16 at 03:28
  • Can you pastebin the entire request / response? The fact that you got a 200 OK reply is odd since literally everything should be encrypted. I want to double check before I have you thinking it is one thing or the other. – Johnny V Aug 13 '16 at 12:15
  • Here is what I could grab with Postman's chrome extension/interceptor but somehow it won't give me the raw request/response. I hope this is helpful: https://gist.github.com/oliverhausler/2690e2e2aff928eb0d37403bc99ecfdb [note that Github kicked out the non-printable characters, so I posted the url encoded http answer as well (or whatever that is)] – Oliver Hausler Aug 14 '16 at 04:03
  • I was looking specifically for if the HTTP response contained a correct HTTP response header. You can always use Fiddler or Wireshark to capture packets. – Johnny V Aug 14 '16 at 11:24
  • I think it does not. I attached a screenshot from wireshark above, and to me it looks like I only receive a few bytes. Is this capture helpful? – Oliver Hausler Aug 14 '16 at 23:15

1 Answer


As far as I can tell, you did everything correctly. Connecting to the SSL port and sending regular HTTP (w/o the SSL handshaking) is returning an SSL Alert message. Your HTTP client (for some reason) is giving you the 200 OK message despite not even receiving an HTTP response.

What you are receiving is an SSL Alert message.

    15 03 03 00 02 02 50 // response

    15 = ALERT
    03 03 = SSL version (TLS 1.x)
    00 02 = Message Length
    02 50 = Message
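To decode a capture like this without doing the byte arithmetic by hand, here is a small TLS record parser, added as an example and not part of the answer or of Jetty: it reads the five-byte record header and, for alert records, the level and description, using a subset of the RFC 5246 code tables; the sample bytes are the seven quoted above.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of AlertDescription values (RFC 5246, section 7.2)
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 46: "certificate_unknown", 47: "illegal_parameter",
    70: "protocol_version", 80: "internal_error", 112: "unrecognized_name",
}
# Record-layer version field; 03 03 is TLS 1.2 (the answer calls it "TLS 1.x")
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_tls_record(data: bytes) -> dict:
    """Parse one TLS record header and, for alert records, its two-byte body."""
    if len(data) < 5:
        raise ValueError("too short for a TLS record header")
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    record = {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": VERSIONS.get((vmaj, vmin), f"{vmaj}.{vmin}"),
        "length": length,
    }
    if ctype == 21:  # alert: body is AlertLevel followed by AlertDescription
        if length != 2:
            raise ValueError("alert body must be exactly 2 bytes")
        level, desc = body
        record["alert_level"] = ALERT_LEVELS.get(level, f"unknown({level})")
        record["alert_description"] = ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")
    return record


def looks_like_plaintext_http(data: bytes) -> bool:
    """True if the bytes begin with an HTTP request line instead of a TLS record."""
    methods = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS", b"PATCH"}
    return data.split(b" ", 1)[0] in methods


# Constructed sample: the seven response bytes quoted in the answer above
SAMPLE_ALERT = bytes.fromhex("15030300020250")

if __name__ == "__main__":
    print(parse_tls_record(SAMPLE_ALERT))
```

Running it on the sample reports a fatal `internal_error` alert on a TLS 1.2 record, which is the server's reply to a plaintext request line it could not parse as a handshake.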