Jetty TLS troubleshooting
Created by Roman Tereschenko

Jetty:
• HTTP server, HTTP client, servlet container
• Open source and commercially usable
• Embeddable
• Composable with small memory footprint
• Asynchronous (never blocks for I/O activity)

JVM Requirements
Jetty 9.3.x - Java 1.8
Jetty 9.0.x - Java 1.7
Jetty 8.x - Java 1.6

Running Jetty on a JVM older than the one it was built for fails at startup with
java.lang.UnsupportedClassVersionError: Unsupported major.minor version 52.0
The class file major version identifies the required Java release: JSE 8 = 52, JSE 7 = 51, JSE 6 = 50
AGENDA
Overview
Logging
TLS
Troubleshooting

OVERVIEW
Server
• Connector - accepts HTTP connections
• Handler - processes requests from the connections and produces responses
• ThreadPool - serves as the Executor service that other Jetty server components use
RUNNING
To start Jetty from $JETTY_HOME, run:
  java -jar start.jar
Usage: java -jar start.jar [options] [properties] [configs]
Examples of the start.jar command:
  java -jar start.jar --module=logging -Dorg.eclipse.jetty.server.LEVEL=ALL --list-config
  java -jar start.jar --add-to-start=logging
--list-config lists the resolved configuration (classpath, properties, XML files) and exits without starting the server.
Configuration files: start.ini, XML files under etc/, libraries under lib/, *.mod module definitions
LOGGING
Jetty:
• does not natively use any existing Java logging framework
• prints messages to the console
• uses the built-in org.eclipse.jetty.util.log.StdErrLog implementation
Logging layer priorities:
1. Classpath resource jetty-logging.properties
2. System properties
3. If org.slf4j.Logger exists in the classpath, use Slf4jLog
Logging levels: ALL, DEBUG, INFO, WARN, IGNORE
Frameworks: Log4j, Logback, SLF4J, JUL, Jetty (StdErrLog)
LOGGING
Jetty's internal org.eclipse.jetty.util.log.StdErrLog implementation:
  java -jar /opt/jetty/start.jar --module=logging
yyyy_mm_dd.stderrout.log:
  2015-10-14 03:23:29.726:INFO:oejs.ServerConnector:main: Started ServerConnector@24a67{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
  2015-10-14 03:30:46.580:INFO:oejs.ServerConnector:Thread-1: Stopped ServerConnector@24a67{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
Logging levels: ALL, DEBUG, INFO, WARN, IGNORE

LOGGING
REQUEST/RESPONSE traces (logged at DEBUG level; search criteria: the URL, REQUEST, RESPONSE):
  2015-10-17 13:15:16.286:DBUG:oejs.Server:qtp14650762-19: REQUEST on HttpChannelOverHttp@6f509d{r=1,c=false,a=DISPATCHED,uri=//ua-rteresch-lt:8080/}
  POST //ua-rteresch-lt:8080/
  2015-10-17 13:15:16.294:DBUG:oejs.Server:qtp14650762-19: RESPONSE for / h=true
  404 null
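As an added example (not from the presentation), a small Python parser for StdErrLog output in the shape shown above: it splits records, keeps the continuation lines (request line, status line), and pairs each REQUEST trace with the RESPONSE on the same qtp thread so a URL can be searched and its status and latency read off. The log lines are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in StdErrLog's line shape (timestamp:LEVEL:logger:thread: message);
# lines without a timestamp are continuation lines of the preceding record.
SAMPLE_LOG = """\
2015-10-14 03:23:29.726:INFO:oejs.ServerConnector:main: Started ServerConnector@24a67{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
2015-10-17 13:15:16.286:DBUG:oejs.Server:qtp14650762-19: REQUEST on HttpChannelOverHttp@6f509d{r=1,c=false,a=DISPATCHED,uri=//ua-rteresch-lt:8080/}
POST //ua-rteresch-lt:8080/
2015-10-17 13:15:16.294:DBUG:oejs.Server:qtp14650762-19: RESPONSE for / h=true
404 null
2015-10-17 13:15:17.001:DBUG:oejs.Server:qtp14650762-20: REQUEST on HttpChannelOverHttp@7a1b2c{r=1,c=false,a=DISPATCHED,uri=//ua-rteresch-lt:8080/login}
GET //ua-rteresch-lt:8080/login
2015-10-17 13:15:17.350:DBUG:oejs.Server:qtp14650762-20: RESPONSE for /login h=true
200 OK
2015-10-17 13:15:18.000:WARN:oejs.HttpChannel:qtp14650762-21: /admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}):"
    r"(?P<level>[A-Z]+):(?P<logger>[^:]+):(?P<thread>[^:]+): (?P<msg>.*)$"
)
URI_RE = re.compile(r"uri=([^}]+)}")
STATUS_RE = re.compile(r"^(\d{3})\b")


def parse_stderrlog(text):
    """Split StdErrLog output into records; continuation lines are kept under 'extra'."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
            rec["extra"] = []
            records.append(rec)
        elif records and raw.strip():
            records[-1]["extra"].append(raw.strip())
    return records


def request_response_traces(records, url_filter=None):
    """Pair each DEBUG 'REQUEST on' record with the next 'RESPONSE for' record on the
    same qtp thread. Returns one dict per request: thread, method, uri, status and
    elapsed milliseconds. url_filter keeps only URIs containing that substring."""
    pending = {}   # thread name -> request still waiting for its response
    traces = []
    for rec in records:
        if rec["level"] != "DBUG" or rec["logger"] != "oejs.Server":
            continue
        msg, thread = rec["msg"], rec["thread"]
        if msg.startswith("REQUEST on "):
            uri_m = URI_RE.search(msg)
            # The continuation line carries the request line: "<METHOD> <uri>".
            method = rec["extra"][0].split(" ", 1)[0] if rec["extra"] else None
            pending[thread] = {"thread": thread, "method": method,
                               "uri": uri_m.group(1) if uri_m else None,
                               "start": rec["ts"]}
        elif msg.startswith("RESPONSE for ") and thread in pending:
            req = pending.pop(thread)
            # The continuation line carries "<status> <reason>", e.g. "404 null".
            status_m = STATUS_RE.match(rec["extra"][0]) if rec["extra"] else None
            req["status"] = int(status_m.group(1)) if status_m else None
            req["elapsed_ms"] = int(round((rec["ts"] - req.pop("start")).total_seconds() * 1000))
            traces.append(req)
    if url_filter is not None:
        traces = [t for t in traces if url_filter in (t["uri"] or "")]
    return traces


if __name__ == "__main__":
    for t in request_response_traces(parse_stderrlog(SAMPLE_LOG)):
        print(t)
```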
LOGGING
Logback logging configuration via the SLF4J facade:
1. Download the required libraries: slf4j-api, logback-core, logback-classic.
2. Under the resources/ folder create a jetty-logging.properties file that selects the Slf4jLog logger implementation:
   org.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.Slf4jLog
3. Create the logback configuration in /resources/logback.xml
4. Add --module=logging to the start.ini file
TLS
Transport Layer Security allows client-server applications to communicate securely across a network by authenticating peers and encrypting data. TLS supersedes SSL 3.0.
Protocol versions: TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008)
TLS encapsulates the application layer protocol.
Encryption types: symmetric key (shared secret key), asymmetric key (public-private key)
Authentication types: simple, mutual

TLS
HTTPS is simply HTTP with a layer of data encryption: HTTP carried over TLS.
TLS
Handshake phases:
1. Negotiation - highest TLS version, supported cipher suites, encryption key length, session ID, random number
2. Certificate exchange - the certificate contains the certificate authority (CA), the public encryption key and the owner's identity
3. Identity verification and session key calculation
4. The client sends an encrypted Finished message
5. The server sends the corresponding Finished message
<------- Application Data ------->
TLS
Certificate chain of trust
A CA is a trusted third party - trusted both by the subject (owner) of the certificate and by the party relying upon the certificate.
Certificates are verified using a chain of trust. Each certificate carries a public key, a subject (Issued To), an issuer (Issued By) and the CA signature; the issuer of one certificate is the subject of the next certificate up the chain.
TLS
Cert formats: foo.cer, bar.pem, cert.p12
Tools: JDK keytool, OpenSSL
Keystore types: PKCS12, JSSE keystore
Jetty uses a JSSE keystore. keystore.jks - certificate repository in Java format.
keystore - to provide credentials.
truststore - to verify credentials.
Default JVM truststore: $JAVA_HOME/lib/security/cacerts
TLS
Configuring Jetty connectors
Through connectors Jetty accepts network connections for various protocols.
Configuration files: jetty-ssl-context.xml, jetty-ssl.xml, jetty-https.xml
Configuration classes: SslContextFactory, SslConnectionFactory
jetty-ssl.xml instantiates a ServerConnector that accepts SSL/TLS connections. To configure the SSL connector and its port, edit jetty-ssl.xml (excerpt):
  <Call name="addConnector">
  <Set name="port"><Property name="jetty.ssl.port" default="8443" /></Set>
TLS
JDK keytool commands
Generate a public/private key pair:
  keytool -keystore keystore -alias jetty -genkey -keyalg RSA -sigalg SHA256withRSA
Generate a CSR:
  keytool -certreq -alias jetty -keystore keystore -file jetty.csr
Import a signed/root/intermediate certificate into a JSSE keystore:
  keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
Generate a keystore with a self-signed certificate:
  keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password
List the certificates in a Java keystore:
  keytool -list -v -keystore keystore.jks
TLS
TLS recommendations
• Fully disable SSLv2 and SSLv3
• TLS versions: 1.1 and 1.2
• Public/private RSA keys should be 2048 bits in size
• Preferred key exchange algorithm: ECDHE
• Cipher suites with SHA-256
• DH parameter size: 2048
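As an added example (not part of the presentation), a Python audit of an enabled-protocol list, JSSE cipher suite names and key sizes against the recommendations above; the passing suites form a candidate list for SslContextFactory's include/exclude settings (setIncludeCipherSuites, setExcludeProtocols). Accepting SHA-384 suites alongside SHA-256 is this example's assumption; the two sample configurations are constructed.

```python
import re

# Thresholds taken from the recommendations slide.
RECOMMENDED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}
FORBIDDEN_PROTOCOLS = {"SSLv2Hello", "SSLv3"}    # "fully disable SSLv2 and SSLv3"
MIN_RSA_BITS = 2048
MIN_DH_BITS = 2048
# SHA-256 is the slide's floor; SHA-384 is accepted here as at least as strong (assumption).
ACCEPTED_MACS = {"SHA256", "SHA384"}

# JSSE suite names look like TLS_<key exchange>_WITH_<cipher>_<MAC>.
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kex>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")


def parse_suite(name):
    """Split a JSSE cipher suite name into its key exchange, cipher and MAC parts."""
    m = SUITE_RE.match(name)
    return m.groupdict() if m else None


def suite_findings(name):
    """Findings for a single suite; an empty list means it meets the recommendations."""
    parts = parse_suite(name)
    if parts is None:
        return [f"cipher suite {name}: unrecognised name"]
    findings = []
    if not parts["kex"].startswith("ECDHE"):
        findings.append(f"cipher suite {name}: key exchange {parts['kex']} is not ECDHE")
    if parts["mac"] not in ACCEPTED_MACS:
        findings.append(f"cipher suite {name}: MAC {parts['mac']} is weaker than SHA-256")
    return findings


def select_recommended_suites(suites):
    """Keep only the suites that pass; the result is a candidate include list."""
    return [s for s in suites if not suite_findings(s)]


def audit_tls_config(protocols, cipher_suites, rsa_key_bits, dh_param_bits):
    """Audit enabled protocols, cipher suites and key sizes; returns a list of findings."""
    findings = []
    for p in protocols:
        if p in FORBIDDEN_PROTOCOLS:
            findings.append(f"protocol {p} must be disabled")
        elif p not in RECOMMENDED_PROTOCOLS:
            findings.append(f"protocol {p} is outside the recommended set TLSv1.1/TLSv1.2")
    if rsa_key_bits < MIN_RSA_BITS:
        findings.append(f"RSA key is {rsa_key_bits} bits, minimum is {MIN_RSA_BITS}")
    if dh_param_bits < MIN_DH_BITS:
        findings.append(f"DH parameters are {dh_param_bits} bits, minimum is {MIN_DH_BITS}")
    if not cipher_suites:
        findings.append("no cipher suites enabled")
    for s in cipher_suites:
        findings.extend(suite_findings(s))
    return findings


# Constructed configurations: a legacy one and one that follows the slide.
WEAK_CONFIG = dict(
    protocols=["SSLv3", "TLSv1", "TLSv1.2"],
    cipher_suites=["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    rsa_key_bits=1024, dh_param_bits=1024,
)
HARDENED_CONFIG = dict(
    protocols=["TLSv1.1", "TLSv1.2"],
    cipher_suites=["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
    rsa_key_bits=2048, dh_param_bits=2048,
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tls_config(**cfg) or ["OK"])
```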
Troubleshooting
What? NET, I/O, TLS

Troubleshooting
Common startup problems
java.net.BindException: Address already in use - the specified port is occupied by another process
java.lang.OutOfMemoryError: Java heap space - analyze the heap dump (-XX:+HeapDumpOnOutOfMemoryError); increase the heap size (-Xmx, -Xms) if required
org.xml.sax.SAXParseException - XML parsing error; check the configuration and syntax of the XML file
Startup debugging: --debug, --start-log-file
Troubleshooting
TLS debugging
SunJSSE has a built-in debug facility activated by the system property javax.net.debug:
  -Djavax.net.debug=all
Options: ssl, handshake, trustmanager
Search criteria in a client-side trace: WRITE (messages sent by the client), READ (messages sent by the server), SEND, ALERT (warning or fatal)
  fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
  SEND TLSv1.2 ALERT: fatal, description = internal_error
  SEND TLSv1.2 ALERT: warning, description = close_notify

Troubleshooting
TLS debugging
  -Djavax.net.debug=ssl
Search criteria: ***
  ***
  found key for : jetty
  Subject: CN=ua-rteresch-dt, OU=Jetty, O=Jetty, L=Kiev, ST=Kiev, C=UA
  Issuer: CN=Symantec Trial Secure Server CA - G3
Multiple certificates may be linked in a certificate chain. The first one, chain [0], is always the sender's certificate.
  *** Certificate chain
  chain [1] = [ Subject: CN=Symantec Trial Secure Server CA - G3 ]
  chain [2] = [ Subject: CN=VeriSign Trial Secure Server Root CA ]
Troubleshooting
TLS debugging
  -Djavax.net.debug=ssl
Search criteria: ***
  ***
  Found trusted certificate
Certificate verification succeeded: the client recognises the certificate.
If the TLS handshake completes successfully, each side sends Change Cipher Spec followed by Finished:
  thread_name, WRITE: TLSv1.2 Change Cipher Spec, length = 105   <-- client message
  *** Finished
  thread_name, READ: TLSv1.2 Change Cipher Spec, length = 74    <-- server message
  *** Finished

Troubleshooting
Common TLS problems
sun.security.validator.ValidatorException: PKIX path building failed - the client does not trust the certificate presented by the server
javax.net.ssl.SSLException: hostname in certificate didn't match - hostname / TLS certificate CN mismatch
java.security.cert.CertificateException: No subject alternative names present - an IP address is used in the CN and there is no Subject Alternative Name field
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? - an attempt to establish a TLS connection to a non-secure endpoint (port)
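As an added example (not from the presentation), a Python summariser for a javax.net.debug trace that applies the search criteria from the slides above: it collects the certificate chain (Subject/Issuer per chain [n] entry), notes "Found trusted certificate", counts the Change Cipher Spec/Finished exchange in both directions, records SEND/RECV alerts, and maps the result onto the common TLS problems listed. The two trace excerpts are constructed in the JDK 8 SunJSSE line shape, not real captures.

```python
import re

# Constructed javax.net.debug excerpts (JDK 8 SunJSSE style), built from the line
# shapes shown on the slides; thread name "main" is an assumption.
SAMPLE_OK = """\
found key for : jetty
main, WRITE: TLSv1.2 Handshake, length = 205
main, READ: TLSv1.2 Handshake, length = 2467
*** Certificate chain
chain [0] = [
  Subject: CN=ua-rteresch-dt, OU=Jetty, O=Jetty, L=Kiev, ST=Kiev, C=UA
  Issuer: CN=Symantec Trial Secure Server CA - G3
]
chain [1] = [
  Subject: CN=Symantec Trial Secure Server CA - G3
  Issuer: CN=VeriSign Trial Secure Server Root CA
]
***
Found trusted certificate:
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
main, READ: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
main, SEND TLSv1.2 ALERT:  warning, description = close_notify
"""

SAMPLE_UNTRUSTED = """\
main, WRITE: TLSv1.2 Handshake, length = 205
*** Certificate chain
chain [0] = [
  Subject: CN=ua-rteresch-dt, OU=Jetty, O=Jetty, L=Kiev, ST=Kiev, C=UA
  Issuer: CN=ua-rteresch-dt, OU=Jetty, O=Jetty, L=Kiev, ST=Kiev, C=UA
]
***
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
"""

ALERT_RE = re.compile(r"^(?P<thread>[^,]+), (?P<dir>SEND|RECV) (?P<ver>\S+) ALERT:\s+"
                      r"(?P<level>warning|fatal), description = (?P<desc>\w+)")
RECORD_RE = re.compile(r"^(?P<thread>[^,]+), (?P<dir>WRITE|READ): (?P<ver>\S+) "
                       r"(?P<type>Handshake|Change Cipher Spec|Application Data|Alert), length = (?P<len>\d+)")
CHAIN_RE = re.compile(r"^chain \[(?P<idx>\d+)\] = \[")
EXC_RE = re.compile(r"handling exception: (?P<exc>.+)$")


def summarize_tls_debug(text):
    """Reduce a javax.net.debug trace to the facts the slides tell you to search for."""
    s = {"key_alias": None, "chain": [], "trusted": False, "alerts": [], "finished": 0,
         "ccs_written": False, "ccs_read": False, "exception": None}
    cur = None   # chain [n] entry currently being filled from Subject:/Issuer: lines
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("found key for : "):
            s["key_alias"] = stripped.split(": ", 1)[1]
            continue
        m = CHAIN_RE.match(line)
        if m:
            cur = {"index": int(m.group("idx")), "subject": None, "issuer": None}
            s["chain"].append(cur)
            continue
        if cur and stripped.startswith("Subject: "):
            cur["subject"] = stripped[len("Subject: "):]
            continue
        if cur and stripped.startswith("Issuer: "):
            cur["issuer"] = stripped[len("Issuer: "):]
            continue
        if stripped.startswith("Found trusted certificate"):
            s["trusted"] = True
            continue
        if stripped == "*** Finished":
            s["finished"] += 1
            continue
        m = ALERT_RE.match(line)
        if m:
            s["alerts"].append({"direction": m.group("dir"), "level": m.group("level"),
                                "description": m.group("desc")})
            continue
        m = RECORD_RE.match(line)
        if m and m.group("type") == "Change Cipher Spec":
            s["ccs_written" if m.group("dir") == "WRITE" else "ccs_read"] = True
            continue
        m = EXC_RE.search(line)
        if m:
            s["exception"] = m.group("exc")
    # Success criterion from the slides: Change Cipher Spec/Finished in both directions.
    s["handshake_complete"] = s["ccs_written"] and s["ccs_read"] and s["finished"] >= 2
    return s


def diagnose(summary):
    """Map a summary onto the failure modes listed on the troubleshooting slides."""
    if summary["handshake_complete"]:
        return "handshake completed (Change Cipher Spec/Finished seen in both directions)"
    if summary["exception"] and "PKIX path building failed" in summary["exception"]:
        return "client does not trust the certificate presented by the server"
    fatal = [a for a in summary["alerts"] if a["level"] == "fatal"]
    if fatal:
        return "handshake aborted by fatal alert: " + fatal[0]["description"]
    if summary["chain"] and not summary["trusted"]:
        return "certificate chain received but no trusted certificate found"
    return "handshake incomplete; no alert recorded"


if __name__ == "__main__":
    for label, trace in (("ok", SAMPLE_OK), ("untrusted", SAMPLE_UNTRUSTED)):
        print(label, "->", diagnose(summarize_tls_debug(trace)))
```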
QA
Thank you

More Related Content

What's hot

Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Secure Communications with VisualWorks - CSTUC 2006
Secure Communications with VisualWorks - CSTUC 2006Secure Communications with VisualWorks - CSTUC 2006
Secure Communications with VisualWorks - CSTUC 2006Martin Kobetic
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashAnkit Mehta
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat Security Conference
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise security
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise securityMuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise security
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise securityakashdprajapati
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]RootedCON
 
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...CODE BLUE
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 

What's hot (19)

Lecture10
Lecture10Lecture10
Lecture10
 
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
 
Squid Server
Squid ServerSquid Server
Squid Server
 
Secure Communications with VisualWorks - CSTUC 2006
Secure Communications with VisualWorks - CSTUC 2006Secure Communications with VisualWorks - CSTUC 2006
Secure Communications with VisualWorks - CSTUC 2006
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-Hash
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise security
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise securityMuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise security
MuleSoft ESB Payload Encrypt Decrypt using anypoint enterprise security
 
Php web app security (eng)
Php web app security (eng)Php web app security (eng)
Php web app security (eng)
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]
 
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ...
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
50 tips50minutes
50 tips50minutes50 tips50minutes
50 tips50minutes
 

Similar to Jetty TLS troubleshooting

Jetty TLS Troubleshooting
Jetty TLS TroubleshootingJetty TLS Troubleshooting
Jetty TLS TroubleshootingRomanTeresch
 
Netty 4-based RPC System Development
Netty 4-based RPC System DevelopmentNetty 4-based RPC System Development
Netty 4-based RPC System DevelopmentAllan Huang
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured  CommunicationsTLS/SSL - Study of Secured  Communications
TLS/SSL - Study of Secured CommunicationsNitin Ramesh
 
Protocol
ProtocolProtocol
Protocolm_bahba
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...ghorilemin
 
this is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is pptthis is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is pptghorilemin
 
Xmpp presentation
Xmpp presentationXmpp presentation
Xmpp presentationJava Pro
 
XML External Entity Null Meet 19_3_16.pptx
XML External Entity Null Meet 19_3_16.pptxXML External Entity Null Meet 19_3_16.pptx
XML External Entity Null Meet 19_3_16.pptxSamitAnwer2
 
Introduction to Thrift
Introduction to ThriftIntroduction to Thrift
Introduction to ThriftDvir Volk
 
Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent ConnectionsBuilding an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Renaun Erickson
 
NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)Marcel Cattaneo
 

Similar to Jetty TLS troubleshooting (20)

Jetty TLS Troubleshooting
Jetty TLS TroubleshootingJetty TLS Troubleshooting
Jetty TLS Troubleshooting
 
Netty 4-based RPC System Development
Netty 4-based RPC System DevelopmentNetty 4-based RPC System Development
Netty 4-based RPC System Development
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured  CommunicationsTLS/SSL - Study of Secured  Communications
TLS/SSL - Study of Secured Communications
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Protocol
ProtocolProtocol
Protocol
 
XML-RPC and SOAP (April 2003)
XML-RPC and SOAP (April 2003)XML-RPC and SOAP (April 2003)
XML-RPC and SOAP (April 2003)
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
03-SSL (1).ppt
03-SSL (1).ppt03-SSL (1).ppt
03-SSL (1).ppt
 
03-SSL (2).ppt
03-SSL (2).ppt03-SSL (2).ppt
03-SSL (2).ppt
 
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
 
this is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is pptthis is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is ppt
 
Xmpp presentation
Xmpp presentationXmpp presentation
Xmpp presentation
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
XML External Entity Null Meet 19_3_16.pptx
XML External Entity Null Meet 19_3_16.pptxXML External Entity Null Meet 19_3_16.pptx
XML External Entity Null Meet 19_3_16.pptx
 
SSL-image
SSL-imageSSL-image
SSL-image
 
Introduction to Thrift
Introduction to ThriftIntroduction to Thrift
Introduction to Thrift
 
Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent ConnectionsBuilding an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections
 
NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)
 
Java security
Java securityJava security
Java security
 
Xmpp presentation
Xmpp   presentationXmpp   presentation
Xmpp presentation
 

Recently uploaded

How To Build a Successful SaaS Design.pdf
How To Build a Successful SaaS Design.pdfHow To Build a Successful SaaS Design.pdf
How To Build a Successful SaaS Design.pdfayushiqss
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownloadvrstrong314
 
Breaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdfBreaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdfMeon Technology
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1KnowledgeSeed
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisNeo4j
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with StrimziStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzisteffenkarlsson2
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEJelle | Nordend
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...rajkumar669520
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignNeo4j
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessWSO2
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAlluxio, Inc.
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfkalichargn70th171
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandIES VE
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfmbmh111980
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAlluxio, Inc.
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareinfo611746
 

Recently uploaded (20)

How To Build a Successful SaaS Design.pdf
How To Build a Successful SaaS Design.pdfHow To Build a Successful SaaS Design.pdf
How To Build a Successful SaaS Design.pdf
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Breaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdfBreaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdf
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysis
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with StrimziStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in Michelangelo
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 

Jetty TLS troubleshooting

  • 1. • HTTP server, HTTP client, servlet container • Open source and commercially usable • Embeddable • Composable with small memory footprint • Asynchronous (never blocks for I/O activity) Jetty 9.3.x Java 1.8 Jetty 9.0.x Java 1.7 Jetty 8.x Java 1.6 JVM Requirements Created by Roman Tereschenko
  • 2. Jetty 9.3.x Java 1.8 Jetty 9.0.x Java 1.7 Jetty 8.x Java 1.6 JVM Requirements Created by Roman Tereschenko java.lang.UnsupportedClassVersionError: Unsupported major.minor version 52.0 JSE 8 = 52 JSE 7 = 51 JSE 6 = 50 • HTTP server, HTTP client, servlet container • Open source and commercially usable • Embeddable • Composable with small memory footprint • Asynchronous (never blocks for I/O activity)
  • 4. Server Handler ThreadPool accept HTTP connections processes requests from the connections and produce responses serves as Executor service that other Jetty server components use OVERVIEW Connector
  • 5. RUNNING To start Jetty from $JETTY_HOME, run: java -jar start.jar Usage: java -jar start.jar [options] [properties] [configs] java -jar start.jar --module=logging -Dorg.eclipse.jetty.server.LEVEL=ALL --list-config java -jar start.jar --add-to-start=logging start.ini etcXML libmod Configuration Files
  • 7. ALL DEBUG INFO WARN IGNORE LOGGING does not natively use any existing Java logging framework prints messages to the console uses built-in org.eclipse.jetty.util.log.StdErrLog implementation Logging layer priorities: 1. Classpath resource jetty-logging.properties 2. System properties 3. If org.slf4j.Logger exists in the classpath use Slf4jLog Logging LevelsFrameworks Log4j Logback SLF4 JUL Jetty
  • 8. LOGGING Jetty's internal org.eclipse.jetty.util.log.StdErrLog implementation: java -jar /opt/jetty/start.jar --module=logging yyyy_mm_dd.stderrout.log: 2015-10-14 03:23:29.726:INFO:oejs.ServerConnector:main: Started ServerConnector@24a67{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} 2015-10-14 03:30:46.580:INFO:oejs.ServerConnector:Thread-1: Stopped ServerConnector@24a67{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} ALL DEBUG INFO WARN IGNORE Logging Levels
• 9. LOGGING
  REQUEST/RESPONSE traces (search criteria: URL)
  2015-10-17 13:15:16.286:DBUG:oejs.Server:qtp14650762-19: REQUEST on HttpChannelOverHttp@6f509d{r=1,c=false,a=DISPATCHED,uri=//ua-rteresch-lt:8080/} POST //ua-rteresch-lt:8080/
  2015-10-17 13:15:16.294:DBUG:oejs.Server:qtp14650762-19: RESPONSE for / h=true 404 null
• 10. LOGGING
  Logback logging configuration via the SLF4J facade
  1. Download the required libraries: slf4j-api, logback-core, logback-classic.
  2. Under the resources/ folder create a jetty-logging.properties file naming the Slf4jLog logger implementation:
     org.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.Slf4jLog
  3. Create the logback configuration in /resources/logback.xml
  4. Add the --module=logging command to the start.ini file
• 11. TLS
  Transport Layer Security allows client-server applications to communicate securely across a network by authenticating peers and encrypting data. TLS supersedes SSL 3.0.
  Protocol versions: TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008)
  Encapsulates the Application Layer Protocol
  Encryption types: symmetric key (shared secret key), asymmetric key (public-private key)
  Authentication types: Simple, Mutual
• 12. TLS
  HTTPS is simply HTTP with a layer of data encryption
• 13. TLS Handshake phase
  1. Negotiation
  2. Certificate exchange
  3. Identity verification, session key calculation
  4. Sends encrypted Finished message
  5. Sends corresponding Finished message
  <------- Application Data ------->
  Negotiation: highest TLS version, supported cipher suites, encryption key length, session ID, random number
  Certificate contains: certificate authority (CA), public encryption key, owner's identity
• 14. TLS Chain of Trust
  A CA is a trusted third party: trusted both by the subject (owner) of the certificate and by the party relying upon the certificate.
  Certificates are verified using a chain of trust.
  Certificate: Public key, Subject (Issued To), Issuer (Issued By), CA signature
• 15. TLS
  Cert Formats: foo.cer, bar.pem, cert.p12
  Tools: JDK Keytool, OpenSSL
  Keystore Types: PKCS12, JSSE keystore
  Jetty uses the JSSE keystore.
  keystore.jks - certificate repository in Java format.
  keystore - provides credentials.
  truststore - verifies credentials.
  Default JVM truststore: $JAVA_HOME/lib/security/cacerts
• 16. TLS Configuring Jetty Connectors
  Through connectors Jetty accepts network connections for various protocols.
  Conf files: jetty-ssl-context.xml, jetty-ssl.xml, jetty-https.xml
  Configuration: SslContextFactory, SslConnectionFactory
  jetty-ssl.xml instantiates a ServerConnector that accepts SSL/TLS connections.
  To configure the SSL Connector and Port go to jetty-ssl.xml:
  <Call name="addConnector">
  <Set name="port"><Property name="jetty.ssl.port" default="8443" /></Set>
• 17. TLS JDK Keytool commands
  Generate a public/private key pair:
  keytool -keystore keystore -alias jetty -genkey -keyalg RSA -sigalg SHA256withRSA
  Generate a CSR:
  keytool -certreq -alias jetty -keystore keystore -file jetty.csr
  Import a Signed/Root/Intermediate Certificate into a JSSE keystore:
  keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
  Generate a keystore and self-signed certificate:
  keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password
  Check certificates in a Java keystore:
  keytool -list -v -keystore keystore.jks
• 18. TLS Recommendations
  Fully disable SSLv2 and SSLv3
  TLS versions: 1.1 and 1.2
  Public/private RSA encryption keys should be 2048 bits in size
  Preferred key exchange algorithm: ECDHE
  Cipher suites with SHA-256
  DH parameter size: 2048
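As an added example (not code from this deck or from the Jetty project), the SslContextFactory / SslConnectionFactory / ServerConnector setup that slides 16 and 18 describe through jetty-ssl-context.xml and jetty-ssl.xml, done in embedded Jetty 9.3 Java code with the slide 18 recommendations applied; the keystore path, password, port and the two cipher-suite names are assumed values.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HardenedHttpsServer {

    // Builds the SslContextFactory (the object jetty-ssl-context.xml configures)
    // with the TLS recommendations applied.
    public static SslContextFactory buildSslContextFactory(String keyStorePath, String keyStorePassword) {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(keyStorePath);          // JSSE keystore holding the 2048-bit RSA key
        ssl.setKeyStorePassword(keyStorePassword);
        // Fully disable SSLv2/SSLv3 (and TLS 1.0): only TLS 1.1 and 1.2 are negotiated.
        ssl.setIncludeProtocols("TLSv1.1", "TLSv1.2");
        ssl.setExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1");
        // ECDHE key exchange with SHA-256 cipher suites; server picks in this order (JDK 8).
        ssl.setIncludeCipherSuites(
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
        ssl.setUseCipherSuitesOrder(true);
        return ssl;
    }

    // Equivalent of jetty-ssl.xml / jetty-https.xml: an SSL/TLS connector on the given port.
    public static Server buildServer(int httpsPort, SslContextFactory ssl) {
        Server server = new Server();
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(httpsPort);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        connector.setPort(httpsPort);               // same role as jetty.ssl.port in jetty-ssl.xml
        server.addConnector(connector);
        return server;
    }

    public static void main(String[] args) throws Exception {
        // DH parameter size 2048 for any DHE suite the JVM may still offer (JDK 8 system property).
        System.setProperty("jdk.tls.ephemeralDHKeySize", "2048");
        // Placeholder keystore path and password: replace with your own values.
        Server server = buildServer(8443,
                buildSslContextFactory("/opt/jetty/etc/keystore.jks", "changeit"));
        server.start();
        server.join();
    }
}
```

The keystore is assumed to come from the slide 17 keytool -genkey command; adding -keysize 2048 to that command makes the 2048-bit RSA requirement explicit regardless of the JDK's default.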
• 20. Troubleshooting
  Common startup problems:
  java.net.BindException: Address already in use - the specified port is occupied by another process
  java.lang.OutOfMemoryError: Java heap space - analyze the heap dump (-XX:+HeapDumpOnOutOfMemoryError); increase the heap size (-Xmx, -Xms) if required
  org.xml.sax.SAXParseException - XML parsing error, check configuration and syntax in the XML file
  Startup debugging: --debug, --start-log-file
• 21. Troubleshooting TLS debugging
  SunJSSE has a built-in debug facility activated by the system property javax.net.debug:
  -Djavax.net.debug=all
  Options: ssl, handshake, trustmanager
  Search criteria: ***, WRITE, READ, SEND, ALERT (messages sent by Client / messages sent by Server)
  Alert levels: warning, fatal
  fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
  SEND TLSv1.2 ALERT: fatal, description = internal_error
  SEND TLSv1.2 ALERT: warning, description = close_notify
• 22. Troubleshooting TLS debugging
  SunJSSE has a built-in debug facility activated by the system property javax.net.debug:
  -Djavax.net.debug=ssl
  Options: handshake, trustmanager
  Search criteria: ***
  *** found key for : jetty
  Subject: CN=ua-rteresch-dt, OU=Jetty, O=Jetty, L=Kiev, ST=Kiev, C=UA
  Issuer: CN=Symantec Trial Secure Server CA - G3
  Multiple certificates may be linked in a certificate chain. The first one, chain [0], is always the sender's certificate.
  *** Certificate chain
  chain [1] = [ Subject: CN=Symantec Trial Secure Server CA - G3
  chain [2] = [ Subject: CN=VeriSign Trial Secure Server Root CA
• 23. Troubleshooting TLS debugging
  SunJSSE has a built-in debug facility activated by the system property javax.net.debug:
  -Djavax.net.debug=ssl
  Options: handshake, trustmanager
  Search criteria: ***
  *** Found trusted certificate
  Certificate verification succeeded, the client recognises the certificate.
  If the TLS handshake completes successfully, Change Cipher Spec/Finished messages are exchanged:
  thread_name, WRITE: TLSv1.2 Change Cipher Spec, length = 105   <-- client message
  *** Finished
  thread_name, READ: TLSv1.2 Change Cipher Spec, length = 74    <-- server message
  *** Finished
• 24. Troubleshooting
  Common TLS problems:
  sun.security.validator.ValidatorException: PKIX path building failed - the client does not trust the certificate presented by the server
  javax.net.ssl.SSLException: hostname in certificate didn't match - hostname/TLS certificate CN mismatch
  java.security.cert.CertificateException: No subject alternative names present - an IP address is used in the CN and there is no Subject Alternative Name field
  javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? - attempt to establish a TLS connection with a non-secure endpoint (port)