Hi,

On Wed, Mar 3, 2021 at 4:04 PM Steve Millidge (Payara) <steve.millidge@xxxxxxxxxxx> wrote:
I doubt anybody has written any code for TLS13 in GlassFish?

I think it would switch to TLSv1.3 automatically and transparently.

I have to check again, but I'm pretty sure Payara, when I worked on it in mid 2019, switched to TLSv1.3 on JDK 11. That's why I added this switch here:
https://github.com/javaee-samples/javaee7-samples/blob/master/servlet/security-clientcert/src/test/java/org/javaee7/servlet/security/clientcert/SecureServletTest.java#L107

Kind regards,
Arjan Tijms
Steve
From: jakartaee-platform-dev <jakartaee-platform-dev-bounces@xxxxxxxxxxx> On Behalf Of arjan tijms
Sent: 03 March 2021 10:23
To: servlet developer discussions <servlet-dev@xxxxxxxxxxx>
Cc: glassfish developer discussions <glassfish-dev@xxxxxxxxxxx>; jakartaee-platform developer discussions <jakartaee-platform-dev@xxxxxxxxxxx>
Subject: Re: [jakartaee-platform-dev] [servlet-dev] Help please -- Servlet TCK test issue
Hi,

On Wed, Mar 3, 2021 at 10:15 AM Stuart Douglas <sdouglas@xxxxxxxxxx> wrote:
I don't think the TCK should limit the client to TLS <=1.2. I think the server should do that if it can't support TLS 1.3 with post-handshake authentication.

Maybe just change the TCK to limit the client for that test to TLS 1.2.

That's what I did a few years ago to make client-cert work in practice, just setting the client to TLS 1.2 via:

System.setProperty("jdk.tls.client.protocols", "TLSv1.2");

Interestingly, debugging GlassFish 6.1.0-SNAPSHOT today, it responded with TLSv1.2 as the only server protocol:

javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.303 CET|ServerHello.java:871|Consuming ServerHello handshake message (
"ServerHello": {
  "server version" : "TLSv1.2",
  "random" : "A1 BB 8C 0B 12 A1 C8 DC F5 54 43 86 5C 0F AA 9C 6E 23 DE CE CC 8D A9 9F B4 58 70 6D 15 D5 AA 0A",
  "session id" : "26 E3 0A F0 C7 72 3A C4 65 2D A9 8C D4 B6 49 F6 1D EF E1 84 B2 08 6C 75 FD 0E B6 09 16 98 15 03",
  "cipher suite" : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "compression methods" : "00",
  "extensions" : [
    "extended_master_secret (23)": {
      <empty>
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [53 FA 52 AF B1 F6 7A 53 7C 4D 32 D5 7A C2 61 EC 1F EB 88 42 4A C5 E2 BE]
    }
  ]
}

TLSv1.2 is then negotiated, and GlassFish responds with its usual request for a certificate:

javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:671|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [ecdsa_sign, rsa_sign, dss_sign]
  "supported signature algorithms": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
  "certificate authorities": [CN=localhost-instance, OU=GlassFish, O=Eclipse.org Foundation Inc, L=Ottawa, ST=Ontario, C=CA, CN=localhost, OU=GlassFish, O=Eclipse.org Foundation Inc, L=Ottawa, ST=Ontario, C=CA]
}
)
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.310 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp512r1_sha512
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.310 CET|X509Authentication.java:213|No X.509 cert selected for RSA
[...]
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.312 CET|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.312 CET|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:774|No available authentication scheme
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)

This then obviously fails. I'm not sure why GlassFish responds with TLSv1.2 only now, but it might be some setting in its HTTPS connector config. The full (formatted) start command for GlassFish was:

/Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/java
-cp glassfish/modules/glassfish.jar
-XX:+UnlockDiagnosticVMOptions
-XX:NewRatio=2
-Xmx512m
-Xbootclasspath/a:glassfish/lib/grizzly-npn-api.jar
-Xbootclasspath/a:glassfish/lib/resolver.jar
--add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED
--add-opens=java.base/sun.net.www.protocol.jrt=ALL-UNNAMED
--add-opens=java.base/java.lang=ALL-UNNAMED
--add-opens=java.base/java.util=ALL-UNNAMED
--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
-javaagent:glassfish/lib/monitor/flashlight-agent.jar
-Djava.awt.headless=true
-Djdk.corba.allowOutputStreamSubclass=true

-Djdk.tls.rejectClientInitiatedRenegotiation=true
-Djavax.net.ssl.keyStore=/glassfish/domains/domain1/config/keystore.jks
-Djavax.net.ssl.trustStore=/glassfish/domains/domain1/config/cacerts.jks
-Djava.security.policy=/glassfish/domains/domain1/config/server.policy
-Djava.security.auth.login.config=/glassfish/domains/domain1/config/login.conf
-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as

-Djavax.xml.accessExternalSchema=all
-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver
-DANTLR_USE_DIRECT_CLASS_LOADING=true
-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory

-Dorg.glassfish.additionalOSGiBundlesToStart=org.apache.felix.shell,org.apache.felix.gogo.runtime,org.apache.felix.gogo.shell,org.apache.felix.gogo.command,org.apache.felix.shell.remote,org.apache.felix.fileinstall
-Dosgi.shell.telnet.port=6666
-Dosgi.shell.telnet.maxconn=1
-Dosgi.shell.telnet.ip=127.0.0.1
-Dgosh.args=--nointeractive
-Dfelix.fileinstall.dir=/glassfish/modules/autostart/
-Dfelix.fileinstall.poll=5000 -Dfelix.fileinstall.log.level=2
-Dfelix.fileinstall.bundles.new.start=true
-Dfelix.fileinstall.bundles.startTransient=true
-Dfelix.fileinstall.disableConfigSave=false

-Dcom.ctc.wstx.returnNullForDefaultNamespace=true
-Dcom.sun.aas.instanceRoot=/glassfish/domains/domain1
-Dcom.sun.aas.installRoot=/glassfish
-Djava.library.path=/glassfish/lib:/Library/Java/Extensions:/Network/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java:/ee9-tck/servlet/security-clientcert

com.sun.enterprise.glassfish.bootstrap.ASMain

-upgrade false
-domaindir /glassfish/domains/domain1
-read-stdin true
-asadmin-args --host,,,localhost,,,--port,,,4848,,,--secure=false,,,--terse=true,,,--echo=false,,,--interactive=false,,,start-domain,,,--verbose=false,,,--watchdog=false,,,--debug=false,,,--domaindir,,,glassfish/domains,,,domain1
-domainname domain1
-instancename server -type DAS -verbose false
-asadmin-classpath /glassfish/modules/admin-cli.jar
-debug false
-asadmin-classname com.sun.enterprise.admin.cli.AdminMain

Kind regards,
Arjan Tijms
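
Added example (my own code, not from the thread, the TCK, GlassFish or Payara): a standalone JSSE client that pins only its own connection to TLSv1.2, the per-socket equivalent of the jdk.tls.client.protocols property discussed above, and then checks SSLSession.getLocalCertificates(), which is null exactly when the client answered with the empty Certificate message seen in the log. The keystore path, password, host and port are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example, not code from the thread or from GlassFish/Payara: connect with client
// authentication pinned to TLSv1.2 and report whether a client certificate was actually sent.
public class ClientCertProbe {
    // Assumed: a JKS file holding the client key pair and the server certificate as a trusted entry.
    static final String STORE = "client-store.jks";
    static final char[] PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8181; // GlassFish default HTTPS port

        KeyStore store = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(STORE)) { store.load(in, PASSWORD); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(store, PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Per-connection equivalent of -Djdk.tls.client.protocols=TLSv1.2: under TLSv1.2 the server's
            // CertificateRequest arrives inside the handshake, so no post-handshake authentication is needed.
            SSLParameters params = socket.getSSLParameters();
            params.setProtocols(new String[] {"TLSv1.2"});
            socket.setSSLParameters(params);
            socket.startHandshake();

            SSLSession session = socket.getSession();
            System.out.println("negotiated " + session.getProtocol() + " / " + session.getCipherSuite());
            // null means the client answered with an empty Certificate message, i.e. no key in the
            // store matched the certificate authorities listed in the server's CertificateRequest.
            java.security.cert.Certificate[] sent = session.getLocalCertificates();
            if (sent == null) {
                System.out.println("client sent no certificate; check the issuer of the key in " + STORE);
            } else {
                System.out.println("client presented " + ((X509Certificate) sent[0]).getSubjectX500Principal());
            }
        }
    }
}
```

Run with -Djavax.net.debug=ssl:handshake to see the same CertificateRequest and Certificate messages as in the log above for this single connection.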

_______________________________________________
glassfish-dev mailing list
glassfish-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/glassfish-dev