
Re: [jetty-users] TLS ALPN ACME Let's Encrypt challenge


On Wed, Nov 23, 2022 at 12:55 PM Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
> Hi,
> On Wed, Nov 23, 2022 at 10:13 AM Info <info@xxxxxxxxxx> wrote:
> >
> > Dear community,
> >
> >
> > I am looking into the Let's Encrypt TLS-ALPN-01 challenge and want to create an ALPN TLS extension for Jetty 9.
> > Does anybody already have any experience with this or even already created an open source connection factory?
> >
> > I am looking into the HTTP2 configurations I can find online for inspiration, can I stack the ALPN challenge on top of the default SSL/TLS connection?
> It should be enough to use the configuration for http2 and http/1.1,
> add "acme-tls/1" to the list of ALPN protocols.
> When the ACME client connects, Jetty will select the "acme-tls/1"
> ConnectionFactory, complete the TLS handshake, find that the
> "acme-tls/1" has no corresponding ConnectionFactory and close the
> connection (which is expected).
> So:
> $ java -jar $JETTY_HOME/start.jar --add-modules=http2
> $ java -jar $JETTY_HOME/start.jar jetty.alpn.protocols=acme-tls/1,h2,http/1.1
> I did not try, so let us know if it works.

I did try to set up only h2 on the server, and force curl to send
http/1.1, and correctly Jetty completes the TLS handshake and then
closes the connection.
You will see this log line at INFO level similar to this one:

2022-11-23 15:24:27.359:INFO
application selected protocol 'http/1.1', but no correspondent
org.eclipse.jetty.server.ConnectionFactory has been configured

That is to say that it already works out of the box.

If you want to avoid that log line, you can write your own
ConnectionFactory and close the EndPoint from onOpen().
Simone Bordet
Developer advice, training, services and support
from the Jetty & CometD experts.
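The embedded-Jetty equivalent of the start.jar configuration above, plus the custom "acme-tls/1" ConnectionFactory that closes the EndPoint from onOpen(), as an added example that is not part of the original thread or Jetty's own code. It assumes the Jetty 9.4 API (jetty-server, jetty-alpn-server and http2-server on the classpath) and a keystore path and password that are placeholders for your own.

```java
import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
import org.eclipse.jetty.io.AbstractConnection;
import org.eclipse.jetty.io.Connection;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.server.AbstractConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class AcmeTlsAlpnServer
{
    // Assumed keystore location and password (placeholders, not from the thread).
    private static final String KEYSTORE_PATH = "/etc/jetty/keystore.p12";
    private static final String KEYSTORE_PASSWORD = "changeit";

    /**
     * ConnectionFactory for the ALPN protocol "acme-tls/1".
     * TLS-ALPN-01 only needs the certificate presented during the TLS
     * handshake, so once the handshake is done and the connection is
     * opened, close the EndPoint without reading application data.
     * Having a matching factory also avoids the INFO log line Jetty
     * emits when no ConnectionFactory matches the negotiated protocol.
     */
    public static class AcmeTlsConnectionFactory extends AbstractConnectionFactory
    {
        public AcmeTlsConnectionFactory()
        {
            super("acme-tls/1");
        }

        @Override
        public Connection newConnection(Connector connector, EndPoint endPoint)
        {
            AbstractConnection connection = new AbstractConnection(endPoint, connector.getExecutor())
            {
                @Override
                public void onOpen()
                {
                    super.onOpen();
                    // Handshake completed by SslConnection; nothing more to do.
                    getEndPoint().close();
                }

                @Override
                public void onFillable()
                {
                    // Never reached: the connection is closed in onOpen().
                }
            };
            return configure(connection, connector, endPoint);
        }
    }

    public static void main(String[] args) throws Exception
    {
        Server server = new Server();

        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
        sslContextFactory.setKeyStorePath(KEYSTORE_PATH);
        sslContextFactory.setKeyStorePassword(KEYSTORE_PASSWORD);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(443);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        HttpConnectionFactory http11 = new HttpConnectionFactory(httpsConfig);
        HTTP2ServerConnectionFactory h2 = new HTTP2ServerConnectionFactory(httpsConfig);
        AcmeTlsConnectionFactory acme = new AcmeTlsConnectionFactory();

        // Same order as jetty.alpn.protocols=acme-tls/1,h2,http/1.1.
        // An ACME client offers only "acme-tls/1", so it is selected; browsers
        // offering h2/http1.1 never match it.
        ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory("acme-tls/1", "h2", "http/1.1");
        alpn.setDefaultProtocol(http11.getProtocol());

        // TLS first, then ALPN dispatches to the factory named by the selected protocol.
        SslConnectionFactory tls = new SslConnectionFactory(sslContextFactory, alpn.getProtocol());

        ServerConnector connector = new ServerConnector(server, tls, alpn, acme, h2, http11);
        connector.setPort(443);
        server.addConnector(connector);

        server.start();
        server.join();
    }
}
```

This covers only the ALPN plumbing. For the challenge itself to validate, the self-signed challenge certificate carrying the acmeIdentifier extension for the hostname being validated (RFC 8737) must also be the certificate Jetty presents for that SNI, which is a matter of what your ACME client puts in the keystore, not of the connection factory.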
