The application is not starting on the HTTPS port (8443); I'm facing an issue on the client side (browser) and getting the stack trace below:
oejs.HttpChannel:qtp2134607032-16: handleException /favicon.ico
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:402)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:663)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:398)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:538)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:387)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.SocketChannelEndPoint$1.run(SocketChannelEndPoint.java:101)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:378)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
at java.base/java.lang.Thread.run(Thread.java:829)
Below are the steps I followed:
openssl genrsa -des3 -out jcg.key
openssl req -new -x509 -key jcg.key -out jcg.crt
openssl pkcs12 -inkey jcg.key -in jcg.crt -export -out jcg.pkcs12
cp jcg.pkcs12 JETTY_BASE/etc/
jdk/bin/keytool -importkeystore -srckeystore jcg.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
jdk/bin/java -cp $JETTY_BASE/lib/jetty-util-10.jar org.eclipse.jetty.util.security.Password <Your Password>
Changed the keystore and keymanager passwords in ssl.ini.
Don't use RSA (even with DES3); both of those are insecure and not supported by Java itself anymore (that combination is disabled by Java itself). See https://www.java.com/en/jre-jdk-cryptoroadmap.html
Also, be aware of the TLS level you are using to connect to your server, as TLS 1.1 has a different set of supported certificates than TLS 1.2 or TLS 1.3.
If you are setting up a server from scratch, ONLY look at TLS 1.3 and limit your choices of certificates to what is supported by TLS 1.3 and your version of Java (see the roadmap link above for details on your version of Java).
When you test with a browser, or an HTTP client, you have to test with a hostname (not an IP address or anything related to localhost).
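To make the last point concrete, here is an added example (not code from the question, the answer, or the Jetty project) that models, in simplified form, the hostname check Jetty's SecureRequestCustomizer performs when `sniHostCheck` is enabled: the SNI name or Host header of the request must be covered by the names in the server certificate, otherwise the request is rejected with the `400: Invalid SNI` seen in the stack trace. The certificate contents, the hostnames and the IP address below are constructed for illustration; the CN-fallback rule is an assumption of this model, so confirm the exact matching rules against the Jetty version in use.

```python
"""
Added example: a simplified model of Jetty's SNI / Host-header check.
A certificate produced with a bare `openssl req -new -x509` carries only a
CN and no subjectAltName, so a browser that connects via an IP address or
"localhost" sends a name the certificate does not cover.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Names taken from a server certificate (constructed, not parsed from a real file)."""
    cn: str = ""
    dns_sans: list = field(default_factory=list)   # subjectAltName dNSName entries
    ip_sans: list = field(default_factory=list)    # subjectAltName iPAddress entries

    def dns_patterns(self):
        # Assumption of this model: the CN is only consulted when no DNS SANs exist.
        return self.dns_sans if self.dns_sans else ([self.cn] if self.cn else [])


def dns_name_matches(pattern, host):
    """RFC 6125-style DNS-ID match: case-insensitive; a wildcard is allowed only
    as the entire left-most label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def host_matches_cert(host, cert):
    """True if the requested name (SNI value or Host header) is covered by the certificate."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are matched only against iPAddress SANs, never against DNS names or the CN.
        return any(ip == ipaddress.ip_address(s) for s in cert.ip_sans)
    return any(dns_name_matches(p, host) for p in cert.dns_patterns())


def diagnose(host, cert):
    """What the client would see for this host: 'OK' or the 400 from the stack trace."""
    return "OK" if host_matches_cert(host, cert) else "400: Invalid SNI"


# Constructed: the kind of certificate the question's openssl steps produce (CN only).
LEGACY_CERT = CertNames(cn="jcg.example.test")

# Constructed: a certificate issued for the hostname(s) clients will actually use.
SAN_CERT = CertNames(
    cn="jetty.example.test",
    dns_sans=["jetty.example.test", "*.apps.example.test"],
    ip_sans=["192.0.2.10"],
)

if __name__ == "__main__":
    hosts = ["localhost", "127.0.0.1", "jcg.example.test", "jetty.example.test",
             "web.apps.example.test", "a.b.apps.example.test", "192.0.2.10"]
    for h in hosts:
        print(f"{h:24} legacy={diagnose(h, LEGACY_CERT):18} san={diagnose(h, SAN_CERT)}")
```

Running it shows that `localhost` and `127.0.0.1` fail against both certificates, while the hostname-based certificate accepts its DNS names, a single-label wildcard match and the IP that appears as an iPAddress SAN. When the certificate is regenerated, put every name clients will use into a subjectAltName extension and test with one of those names, as the answer recommends.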