
The application is not starting on HTTPS port 8443; I am facing an issue on the client side (browser) and getting the stack trace below:

oejs.HttpChannel:qtp2134607032-16: handleException /favicon.ico
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
    at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
    at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:402)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:663)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:398)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:538)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:387)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
    at org.eclipse.jetty.io.SocketChannelEndPoint$1.run(SocketChannelEndPoint.java:101)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:378)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
    at java.base/java.lang.Thread.run(Thread.java:829)

Below are the steps I followed:

# 1. Generate an RSA private key, encrypted with 3DES (you are prompted for a pass phrase)
openssl genrsa -des3 -out jcg.key
# 2. Issue a self-signed certificate for that key (you are prompted for the subject fields)
openssl req -new -x509 -key jcg.key -out jcg.crt
# 3. Bundle key and certificate into a PKCS#12 file
openssl pkcs12 -inkey jcg.key -in jcg.crt -export -out jcg.pkcs12
# 4. Copy it into JETTY_BASE and import it into a Java keystore
cp jcg.pkcs12 JETTY_BASE/etc/
jdk/bin/keytool -importkeystore -srckeystore jcg.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

# 5. Obfuscate the password for use in ssl.ini
jdk/bin/java -cp $JETTY_BASE/lib/jetty-util-10.jar org.eclipse.jetty.util.security.Password <Your Password>

# 6. Changed the keystore and key manager passwords in ssl.ini
Sangam Belose
Appu2506
  • There is no such thing as `jetty-hightide` anymore ("hightide" ended as a concept back in 2010 last release being Jetty 6.1). Wherever you got that distribution from is a scam and I would not trust it. – Joakim Erdfelt Oct 13 '22 at 11:31

1 Answer


Don't use RSA (even with DES3); both of those are insecure and not supported by Java itself anymore. (That combination is disabled by Java itself.)

See https://www.java.com/en/jre-jdk-cryptoroadmap.html

Also, be aware of the TLS level you are using to connect to your server, as TLS 1.1 has a different set of supported certificates than TLS 1.2 or TLS 1.3.

If you are setting up a server from scratch, ONLY look at TLS 1.3 and limit your choices of certificates to what is supported by TLS 1.3 and your version of Java (see roadmap link above for details on your version of Java)

When you test with a browser, or an HTTP client, you have to test with a hostname (not an IP address or anything related to localhost)

Joakim Erdfelt
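As an added example (not part of the answer above and not Jetty's own code), the following Python script models the host-versus-certificate check that produces the `400: Invalid SNI` in the stack trace: the name the client asked for (Host header / SNI name) must be covered by the served certificate, an IP literal only by an iPAddress SAN, and a name such as `localhost` by nothing unless the certificate was issued for it. The certificate dict uses the layout returned by Python's `ssl.SSLSocket.getpeercert()`, so a real server certificate can be fed in; `SAMPLE_CERT`, the hostnames and the IP address are constructed for the demo. The last helper builds the `-addext` value for `openssl req` (OpenSSL 1.1.1 or later) so a regenerated `jcg.crt` carries a subjectAltName for every name the server will be reached by, which fixes the error while keeping the check enabled.

```python
"""Model of the host-vs-certificate check behind Jetty's "400: Invalid SNI".

Added example, not Jetty's code. The certificate dict follows the layout
of ssl.SSLSocket.getpeercert(); SAMPLE_CERT below is constructed for the demo.
"""
import ipaddress

# Constructed sample: a self-signed certificate for jcg.example.com with a
# wildcard dNSName and one iPAddress SAN (hostnames/IP are made up).
SAMPLE_CERT = {
    "subject": ((("commonName", "jcg.example.com"),),),
    "subjectAltName": (
        ("DNS", "jcg.example.com"),
        ("DNS", "*.internal.example.com"),
        ("IP Address", "10.0.0.5"),
    ),
}


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: exact, or '*' as the whole leftmost
    label matching exactly one label (*.example.com never covers a.b.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """True when the requested host (Host header / SNI name) is covered by the
    certificate. An IP literal only matches an iPAddress SAN; a DNS name only
    matches a dNSName SAN, falling back to the CN when the cert has no SAN."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # "[::1]" form is allowed
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if not dns_names:  # CN is only consulted when no SAN is present
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, host) for p in dns_names)


def request_outcome(cert: dict, host: str) -> str:
    """What the server answers for a request whose Host/SNI name is `host`."""
    return "OK" if cert_matches_host(cert, host) else "400 Invalid SNI"


def san_extension(names) -> str:
    """Build the value for `openssl req -addext` so the regenerated certificate
    covers every name (DNS or IP) the server is reached by."""
    parts = []
    for n in names:
        try:
            ipaddress.ip_address(n)
            parts.append(f"IP:{n}")
        except ValueError:
            parts.append(f"DNS:{n}")
    return "subjectAltName=" + ",".join(parts)


if __name__ == "__main__":
    for h in ("jcg.example.com", "app.internal.example.com", "a.b.internal.example.com",
              "10.0.0.5", "localhost", "127.0.0.1"):
        print(f"{h:28} -> {request_outcome(SAMPLE_CERT, h)}")
    # Argument for step 2 of the question if the server is also reached as
    # localhost / 127.0.0.1:  openssl req -new -x509 -key jcg.key -out jcg.crt -addext "<value>"
    print(san_extension(["jcg.example.com", "localhost", "127.0.0.1"]))
```

The output shows why the answer insists on testing with a hostname: with this certificate `https://jcg.example.com:8443/` and `https://10.0.0.5:8443/` pass, while `localhost` and `127.0.0.1` get the 400 even though the TLS handshake itself succeeded. Jetty's ssl module exposes the check as the `jetty.ssl.sniHostCheck` property; issuing a certificate whose SANs cover the names actually in use is the stronger fix than switching that check off.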