I forgot about a detail I came across when I originally set up
the server. It was shortly after SNI support was released in
9.3.3.
I changed the certificate's private key password; it is now the
same as the keystore password. And Jetty loads, and Qualys is
giving the site an A grade. It's complaining about an anchor in
the certificate chain, and I could probably get to A+ if I fix
that, but it's easy enough to fix (I have to fix it on my Apache
servers too - just need to remove Comodo's AddTrustExternalCARoot
from the chain).
Thank you Simone, and everyone else who has contributed.
One remaining issue: The Qualys tests are still not able to
negotiate a TLS 1.0 connection, only 1.2. My current config is:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
"http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- ============================================================= -->
<!-- SSL ContextFactory configuration -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="KeyStorePath">/var/whatever</Set>
<Set name="KeyStorePassword">somePassword</Set>
<Set name="NeedClientAuth">false</Set>
<Set name="WantClientAuth">false</Set>
<Call name="setIncludeCipherSuites">
<Arg>
<Array type="String">
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</Item>
<!-- single DES, export-grade DES40 and NULL (no encryption) suites: enabling these permits sessions with little or no confidentiality -->
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_NULL_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_NULL_SHA</Item>
<Item>SSL_RSA_WITH_NULL_SHA</Item>
<Item>TLS_ECDH_ECDSA_WITH_NULL_SHA</Item>
<Item>TLS_ECDH_RSA_WITH_NULL_SHA</Item>
<Item>SSL_RSA_WITH_NULL_MD5</Item>
<Item>TLS_KRB5_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_KRB5_WITH_3DES_EDE_CBC_MD5</Item>
<Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
<Item>TLS_KRB5_WITH_DES_CBC_MD5</Item>
<Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
<Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>
<!-- the following ciphers are not supported by default, so we add them -->
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
<!-- end additions -->
</Array>
</Arg>
</Call>
<Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>
Thanks again. Very close to success now :)
On 4/22/2016 4:09 PM, Simone Bordet wrote:
Hi,
On Sat, Apr 23, 2016 at 12:54 AM, Steve Sobol - Lobos Studios <steve@xxxxxxxxxxxxxxxx> wrote:
Hm - I followed these directions
"all *.pem files into one pem file, like all.pem. Then create keystore in p12 format with private key + all.pem
openssl pkcs12 -export -inkey private.key -in all.pem -name test -out test.p12
Then export p12 into jks
keytool -importkeystore -srckeystore test.p12 -srcstoretype pkcs12 -destkeystore test.jks"
from
http://serverfault.com/questions/483465/import-of-pem-certificate-chain-and-key-to-java-keystore
and in Keystore Explorer I could see the entire chain, but
Do you have a "Certificate chain length" > 1 or not for all your entries of type "PrivateKeyEntry"?
2016-04-22 18:52:37.682:INFO:oejus.SslContextFactory:main: x509=X509@51c929ae(test,h=[admin.bamidbarconnect.com, www.admin.bamidbarconnect.com],w=[]) for SslContextFactory@3c8bdd5b(file:///home/sjsobol/test.jks,null)
java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
	at org.eclipse.jetty.start.Main.start(Main.java:457)
	at org.eclipse.jetty.start.Main.main(Main.java:75)
Caused by: java.lang.NullPointerException
	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1067)
This seems to be a missing password in the configuration.
--
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories
Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx
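An added example, not from this thread and not Jetty's own code: a small Python lint that reads the setIncludeCipherSuites list out of an SslContextFactory XML file like the one posted above and reports what a reviewer would check in such a list. It flags malformed names (a trailing comma, as in one of the posted <Item> entries, yields a name that matches no JSSE suite), duplicated entries, and the NULL, DES, export-grade and KRB5 suites that give little or no confidentiality. It also splits the remaining suites by the protocol versions they can run under, using the JSSE naming convention (GCM/CCM and SHA256/SHA384 suites exist only in TLS 1.2 and later), so one can see which suites a TLS 1.0 client could be offered at all. SAMPLE_CONFIG is a constructed, shortened copy of the posted file, and the classification by suite name is an assumption of this example rather than Jetty's logic.

```python
"""Lint the cipher-suite include list of a Jetty SslContextFactory XML config.

Added example, not Jetty code. Classification by suite name follows the JSSE
naming convention and is an assumption of this example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed, shortened copy of the config posted in the thread.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
  "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath">/var/whatever</Set>
  <Call name="setIncludeCipherSuites">
    <Arg>
      <Array type="String">
        <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
        <Item>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_NULL_SHA</Item>
        <Item>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</Item>
      </Array>
    </Arg>
  </Call>
</Configure>
"""

# JSSE suite names: TLS_ or SSL_ prefix followed by identifier characters only.
NAME_RE = re.compile(r"^(TLS|SSL)_[A-Za-z0-9_]+$")
# AEAD (GCM/CCM) and SHA-2 PRF suites exist only in TLS 1.2 and later.
TLS12_ONLY_RE = re.compile(r"_(GCM|CCM)_|_SHA(256|384)$")
# Substrings marking suites with no, export-grade or deprecated confidentiality
# ("DES" also matches 3DES and DES40).
WEAK_MARKERS = ("NULL", "DES", "RC4", "EXPORT", "anon", "KRB5")
# Signalling values that appear in suite lists but are not real suites.
SIGNALLING = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV"}


def extract_include_suites(xml_text):
    """Return the <Item> strings passed to setIncludeCipherSuites, in order."""
    root = ET.fromstring(xml_text)
    for call in root.iter("Call"):
        if call.get("name") == "setIncludeCipherSuites":
            return [(item.text or "").strip() for item in call.iter("Item")]
    return []


def lint_suites(suites):
    """Classify each suite name; malformed and duplicate names are reported, not classified."""
    report = {"malformed": [], "duplicates": [], "weak": [],
              "tls12_only": [], "tls10_capable": []}
    seen = set()
    for name in suites:
        if not NAME_RE.match(name):
            report["malformed"].append(name)  # e.g. a trailing comma: matches no JSSE suite
            continue
        if name in seen:
            report["duplicates"].append(name)
            continue
        seen.add(name)
        if name in SIGNALLING:
            continue
        if any(marker in name for marker in WEAK_MARKERS):
            report["weak"].append(name)
        bucket = "tls12_only" if TLS12_ONLY_RE.search(name) else "tls10_capable"
        report[bucket].append(name)
    return report


def lint_config(xml_text):
    """Parse a Jetty XML config and lint its include list."""
    return lint_suites(extract_include_suites(xml_text))


def tls10_strong(report):
    """Suites a TLS 1.0/1.1 handshake could still pick once the weak ones are dropped."""
    return [s for s in report["tls10_capable"] if s not in report["weak"]]


if __name__ == "__main__":
    result = lint_config(SAMPLE_CONFIG)
    for key, names in result.items():
        print(f"{key}: {names}")
    print("tls10_strong:", tls10_strong(result))
```

To run it against a real file, pass the file contents to lint_config; Python's expat parser does not fetch the external DTD named in the DOCTYPE, so the Jetty configure DTD need not be reachable. If tls10_strong comes back empty, no TLS 1.0 or 1.1 client can complete a handshake regardless of the protocol settings, which is a reasonable state for a server to be in.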