Thanks both. (And good to know Simone )
Jetty9 server: Bits of my start.ini (installed as windows service) are being ignored, like send server version, and now javax.net.debug=all. In prunmgr however adding -Djavax.net.debug=all made the logging very active indeed.
For every :443/../rest call this is repeated:
qtp999661724-87, fatal error: 10: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
qtp999661724-87, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
qtp999661724-87, WRITE: TLSv1.2 Alert, length = 2
qtp999661724-87, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
HttpClient-332, called closeInbound()
HttpClient-332, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
HttpClient-332, SEND TLSv1.2 ALERT: fatal, description = internal_error
HttpClient-332, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 50 ......P
HttpClient-332, called closeInbound()
HttpClient-332, closeInboundInternal()
HttpClient-332, called closeInbound()
HttpClient-332, closeInboundInternal()
2017-02-01 17:30:30.515:WARN:oejc.HttpExchange:HttpClient-332: EXCEPTION adapter1@6787ac61=GET//domain:443/geoserver/rest#WAITING(0ms)->EXCEPTED(0ms)sent=0ms
org.eclipse.jetty.io.EofException: early EOF
Right now TLS 1.0, 1.1 and 1.2 are accepted, no SSL version.