[jetty-users] Jetty 9.4.44, Java 11 and own Keystore in SslContextFactory$Server lead to SSL_ERROR_INTERNAL_ERROR_ALERT

Hi,

I've got an HSM with a certificate and private key that I pass as
a KeyStore to an SslContextFactory:

    <!-- ============================================================= -->
    <!-- Configure a TLS (SSL) Context Factory                         -->
    <!-- ============================================================= -->
    <!-- -->
    <New id="testksSslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
        <Set name="keyStore"><Call class="mypackage.CryptoTools" name="getKeyStore">
            <Arg>testks</Arg>
        </Call></Set>
        <Set name="CertAlias">testhsmcert</Set>
        [...]
    </New>

The passed KeyStore is a PKCS11 keystore (in this particular case an
OpenSC-based one, but another one shows the same behavior).

When starting the server using Java 8, everything works and I can
establish a TLS connection where the server uses the HSM's certificate.

When starting the server using Java 11, the browser gets an
SSL_ERROR_INTERNAL_ERROR_ALERT and Wireshark shows that the server
is sending a ServerHello and a Certificate TLS packet. After that
the server sends a TLS alert with code 80 (internal error).

The server log shows no error message (incl. Jetty debug enabled), so
I'm not sure what's happening here.

Are there any known issues with PKCS11-keystores, Java 11 and Jetty?


Thanks and cheers, Lothar
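A pre-flight check for the setup described in the post, added here as an example (not code from the post or from the Jetty project): it loads a PKCS#11 KeyStore the Java 9+ way, verifies that the alias resolves to a key entry with a certificate chain, initialises a plain JSSE KeyManagerFactory/SSLContext with it outside Jetty, and then wires the same KeyStore and alias into SslContextFactory.Server exactly as the XML above does. The SunPKCS11 config path, the HSM_PIN environment variable and the class name are assumptions.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class Pkcs11KeyStoreCheck {

    // Java 9+ provider setup (Provider.configure); on Java 8 the equivalent was
    // new sun.security.pkcs11.SunPKCS11(configPath). configPath is assumed.
    public static KeyStore loadPkcs11KeyStore(String configPath, char[] pin) throws Exception {
        Provider p11 = Security.getProvider("SunPKCS11").configure(configPath);
        Security.addProvider(p11);
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);   // a PKCS#11 keystore is loaded from the token, not from a file
        return ks;
    }

    // Checks that fail fast with a clear message instead of a silent handshake alert later:
    // alias present, key entry, certificate chain, and JSSE able to build an SSLContext from it.
    public static void checkAlias(KeyStore ks, String alias, char[] pin) throws Exception {
        if (!ks.containsAlias(alias)) throw new IllegalStateException("alias not found: " + alias);
        if (!ks.isKeyEntry(alias)) throw new IllegalStateException("not a key entry: " + alias);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) throw new IllegalStateException("no chain for " + alias);
        System.out.println("provider=" + ks.getProvider().getName() + " chain=" + chain.length
            + " keyAlg=" + ks.getKey(alias, pin).getAlgorithm());
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        System.out.println("JSSE SSLContext ok, provider=" + ctx.getProvider().getName());
    }

    // Same wiring as the <New id="testksSslContextFactory"> XML, done in Java.
    public static SslContextFactory.Server sslContextFactory(KeyStore ks, String alias, char[] pin) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStore(ks);
        ssl.setCertAlias(alias);
        ssl.setKeyManagerPassword(new String(pin)); // Jetty hands this to KeyManagerFactory.init
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        char[] pin = System.getenv("HSM_PIN").toCharArray();   // assumed environment variable
        KeyStore ks = loadPkcs11KeyStore(args[0], pin);        // args[0]: SunPKCS11 config file
        checkAlias(ks, "testhsmcert", pin);
        SslContextFactory.Server ssl = sslContextFactory(ks, "testhsmcert", pin);
        ssl.start();   // Jetty builds its own SSLContext here; failures surface as exceptions
        System.out.println("Jetty SslContextFactory started, certAlias=" + ssl.getCertAlias());
        ssl.stop();
    }
}
```

Run it once under each JDK with `-Djavax.net.debug=ssl:handshake` to see whether the difference already shows up at KeyStore/KeyManager initialisation or only during the handshake.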
