Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange

From: Info <info@xxxxxxxxxx>
Date: Thu, 24 Nov 2022 15:37:48 +0100
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users/>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0

Hi, Simone,

I do need to create my own ALPNServerConnectionFactory because onstartup of the OSGi environment the SPI FLY might be too early detectingALPN processors.My ALPNServerConnectionFactory implementation now has a OSGiServiceTracker for ALPN processors dealing with the OSGi livecycle andinitializing and adding any ALPNProcessor.Server services found.The bundle implementing the ALPNServerConnectionFactory and theALPNServerConnection is set on pax-web-jetty as a bundle fragment toexpand its classpath so pax-web can execute the jetty.xml:


<Item>

<New id="alpn"class="eu.abeel.platform.security.acme.api.JettyAlpnServerConnectionFactory">

        <Arg type="String">

<Property name="jetty.alpn.protocols" default="acme-tls/1,http/1.1"/>

        </Arg>
        <Set name="defaultProtocol">

<Property name="jetty.alpn.defaultProtocol"default="http/1.1"/>

         </Set>
    </New>
</Item>

Within the ALPNProcessor I was now expecting to solve the ACME(acme-tls/1) challenge, or am I mistaken about this handshake flow withLets Encrypt?



On 24/11/2022 09:49, Simone Bordet wrote:

Hi,

On Wed, Nov 23, 2022 at 3:53 PM Info <info@xxxxxxxxxx> wrote:

Thanks for the answers so far, my current setup is working until the
service loader starts to search for ALPN processors.

2022-11-23T15:14:49,690 | WARN  | paxweb-config-1-thread-1 |
XmlConfiguration                 | 86 - org.eclipse.jetty.util -
9.4.18.v20190429 | Config error at <Call id="wanhttpsConnector"
name="addConnector"><Arg>

Caused by: java.lang.IllegalStateException: No Server ALPNProcessors!

To make it even more difficult I am on an OSGi environment so I am
adding SPI FLY at the moment so the ALPNServerConnectionFactory can find
my ACME ALPN processor.

You don't need to write your own ALPN processor.

If I understood correctly any call without an acme-tls/1 protocol header
(but with the default http/1.1 protocol) will just continue in the chain
into the handlers?

You just specify jetty.alpn.protocols=acme-tls/1, http/1.1.

A connection attempt that carries the TLS ALPN extension of
"acme-tls/1" will complete the TLS handshake, but then it won't find a
ConnectionFactory, so the connection will be closed.

A connection attempt that carries the TLS ALPN extension of "http/1.1"
will complete the TLS handshake, find the HttpConnectionFactory, and
proceed handling HTTP requests that arrive on the connection.

Follow-Ups:
- Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange
  - From: Simone Bordet

References:
- [jetty-users] TLS ALPN ACME Lets Encrypt challange
  - From: Info
- Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange
  - From: Simone Bordet
- Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange
  - From: Simone Bordet
- Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange
  - From: Info
- Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange
  - From: Simone Bordet

Prev by Date: Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange
Next by Date: Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange
Previous by thread: Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange
Next by thread: Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange
Index(es):
- Date
- Thread

Breadcrumbs