
Re: [jetty-users] TLS ALPN ACME Lets Encrypt challenge

Thanks for the answers so far, my current setup is working until the service loader starts to search for ALPN processors.

2022-11-23T15:14:49,690 | WARN  | paxweb-config-1-thread-1 | XmlConfiguration                 | 86 - org.eclipse.jetty.util - 9.4.18.v20190429 | Config error at <Call id="wanhttpsConnector" name="addConnector"><Arg>

Caused by: java.lang.IllegalStateException: No Server ALPNProcessors!

To make it even more difficult I am on an OSGi environment so I am adding SPI Fly at the moment so the ALPNServerConnectionFactory can find my ACME ALPN processor. If I understood correctly, any call without an acme-tls/1 protocol header (but with the default http/1.1 protocol) will just continue in the chain into the handlers?

    <Call id="wanhttpsConnector" name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ServerConnector">
                <Arg name="server">
                    <Ref refid="Server" />
                </Arg>
                <Arg name="acceptors" type="int">
                    <Property name="ssl.acceptors" default="-1"/>
                </Arg>
                <Arg name="selectors" type="int">
                    <Property name="ssl.selectors" default="-1"/>
                </Arg>
                <Arg name="factories">
                    <Array type="org.eclipse.jetty.server.ConnectionFactory">
                        <Item>
                            <New class="org.eclipse.jetty.server.SslConnectionFactory">
                                <Arg name="next">alpn</Arg>
                                <Arg name="sslContextFactory">
                                    <Ref refid="wansslContextFactory"/>
                                </Arg>
                            </New>
                        </Item>
                        <Item>
                            <New id="alpn" class="org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory">
                                <Arg type="String">
                                    <Property name="jetty.alpn.protocols" default="acme-tls/1, http/1.1"/>
                                </Arg>
                                <Set name="defaultProtocol">
                                    <Property name="jetty.alpn.defaultProtocol" default="http/1.1"/>
                                </Set>
                            </New>
                        </Item>
                        <!-- TLS is already terminated by the SslConnectionFactory above
                             (next="alpn"). A second SslConnectionFactory would register under
                             the same "SSL" protocol name and replace the first one in the
                             connector's factory map, so ALPN would never be consulted;
                             only one is configured. -->
                        <Item>
                            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                                <Arg name="config">
                                    <Ref refid="httpConfig"/>
                                </Arg>
                            </New>
                        </Item>
                    </Array>
                </Arg>
                <Set name="name">0.0.0.0:443</Set>
                <Set name="host">
                    <Property name="jetty.host" default="0.0.0.0"/>
                </Set>
                <Set name="port">
                    <Property name="https.port" default="443"/>
                </Set>
                <Set name="idleTimeout">
                    <Property name="https.timeout" default="30000"/>
                </Set>
                <Set name="acceptorPriorityDelta">
                    <Property name="ssl.acceptorPriorityDelta" default="0"/>
                </Set>
                <Set name="acceptQueueSize">
                    <Property name="https.acceptQueueSize" default="0"/>
                </Set>
            </New>
        </Arg>
    </Call>


On 23/11/2022 15:25, Simone Bordet wrote:
Hi,

On Wed, Nov 23, 2022 at 12:55 PM Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
Hi,

On Wed, Nov 23, 2022 at 10:13 AM Info <info@xxxxxxxxxx> wrote:
Dear community,


I am looking into the Let's Encrypt TLS-ALPN-01 challenge and want to create an ALPN TLS extension for Jetty 9.
Does anybody already have any experience with this or even already created an open source connection factory?

I am looking into the HTTP2 configurations I can find online for inspiration, can I stack the ALPN challenge on top of the default SSL/TLS connection?
It should be enough to use the configuration for http2 and http/1.1,
add "acme-tls/1" to the list of ALPN protocols.

When the ACME client connects, Jetty will select the "acme-tls/1"
ConnectionFactory, complete the TLS handshake, find that the
"acme-tls/1" has no correspondent ConnectionFactory and close the
connection (which is expected).

So:

$ java -jar $JETTY_HOME/start.jar --add-modules=http2
$ java -jar $JETTY_HOME/start.jar jetty.alpn.protocols=acme-tls/1,h2,http/1.1

I did not try, so let us know if it works.
I did try to setup only h2 on the server, and force curl to send
http/1.1, and correctly Jetty completes the TLS handshake and then
closes the connection.
You will see this log line at INFO level similar to this one:

2022-11-23 15:24:27.359:INFO:oejs.NegotiatingServerConnection:qtp1408652377-53: ALPNServerConnection@332adb96::DecryptedEndPoint@290b9c76[{l=/127.0.0.1:8443,r=/127.0.0.1:39912,OPEN,fill=-,flush=-,to=34/30000}] application selected protocol 'http/1.1', but no correspondent org.eclipse.jetty.server.ConnectionFactory has been configured

That is to say that it already works out of the box.

If you want to avoid that log line, you can write your own
ConnectionFactory and close the EndPoint from onOpen().
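An added example (not code from the thread or from the Jetty project) of the ConnectionFactory Simone describes: it claims the acme-tls/1 protocol so that the ALPN negotiation in the connector above finds a matching factory, and it closes the connection from onOpen() instead of leaving Jetty to log the "no correspondent ConnectionFactory" line. The package and class names are hypothetical; the code is written against the Jetty 9.4 API and assumes the SslContextFactory referenced by the connector already presents the challenge certificate for the validated hostname, which is outside what the thread covers.

```java
package example.acme; // hypothetical package, not part of Jetty

import org.eclipse.jetty.io.AbstractConnection;
import org.eclipse.jetty.io.Connection;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.server.AbstractConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;

/**
 * ConnectionFactory for the ALPN protocol "acme-tls/1" (TLS-ALPN-01).
 * The ACME validator only needs the certificate presented during the TLS
 * handshake; no application data is exchanged, so the connection is closed
 * as soon as Jetty hands it to us. Ordinary clients that negotiate http/1.1
 * (the configured defaultProtocol) never reach this class.
 */
public class AcmeTlsConnectionFactory extends AbstractConnectionFactory
{
    public static final String PROTOCOL = "acme-tls/1";
    private static final Logger LOG = Log.getLogger(AcmeTlsConnectionFactory.class);

    public AcmeTlsConnectionFactory()
    {
        // The protocol string registered with the connector; ALPN selects it
        // only when the client offered "acme-tls/1" and it is in jetty.alpn.protocols.
        super(PROTOCOL);
    }

    @Override
    public Connection newConnection(Connector connector, EndPoint endPoint)
    {
        // configure() applies the connector's listeners and input buffer size.
        return configure(new AcmeTlsConnection(endPoint, connector), connector, endPoint);
    }

    private static class AcmeTlsConnection extends AbstractConnection
    {
        AcmeTlsConnection(EndPoint endPoint, Connector connector)
        {
            super(endPoint, connector.getExecutor());
        }

        @Override
        public void onOpen()
        {
            super.onOpen();
            // Jetty upgrades the ALPN connection to this one once "acme-tls/1"
            // has been selected; at that point the validator has what it needs.
            if (LOG.isDebugEnabled())
                LOG.debug("acme-tls/1 validation handshake completed for {}",
                    getEndPoint().getRemoteAddress());
            // Closes the EndPoint, which shuts the TLS connection down cleanly.
            close();
        }

        @Override
        public void onFillable()
        {
            // acme-tls/1 carries no application data; anything the peer sends is discarded.
            close();
        }
    }
}
```

To wire it in, add another `<Item>` to the factories array of the connector shown at the top of the thread, e.g. `<New class="example.acme.AcmeTlsConnectionFactory"/>` beside the HttpConnectionFactory, and keep `acme-tls/1` in `jetty.alpn.protocols`. Leaving `jetty.alpn.defaultProtocol` at `http/1.1` means browsers and other clients that do not offer `acme-tls/1` still go through the HttpConnectionFactory to the handlers.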

