使用 Jetty 9 配置 SSL

Configuring SSL with Jetty 9

我一天中的大部分时间都花在了这上面,但到目前为止还无法将 Jetty 9 配置为正确地通过 HTTPS 提供服务。这仅用于开发目的,因此我生成了一个我试图与 Jetty 一起使用的密钥库文件。

我正在这样生成证书:

keytool -keystore jetty.keystore -alias jetty -genkey -keyalg RSA

这是来自 https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html 的 Jetty 说明。

来自mvn -X jetty:run的输出:

[DEBUG] XML new org.eclipse.jetty.util.ssl.SslContextFactory
[DEBUG] using normal mapping
[DEBUG] XML SslContextFactory@765df79d(null,null).setKeyStore(./src/main/resources/jetty-ssl.keystore)
[WARNING] Config error at <Set name="KeyStore"><Property name="jetty.home" default="."/>/src/main/resources/jetty-ssl.keystore</Set>
[WARNING] Config error at <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"><Set name="KeyStore"><Property name="jetty.home" default="."/>/src/main/resources/jetty-ssl.keystore</Set><Set name="KeyStorePassword">password</Set><Set name="TrustStore"><Property name="jetty.home" default="."/>/src/main/resources/jetty-ssl.keystore</Set><Set name="TrustStorePassword">password</Set></New>
[INFO] Jetty server exiting.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.090 s
[INFO] Finished at: 2016-01-29T13:28:06-05:00
[INFO] Final Memory: 17M/309M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.eclipse.jetty:jetty-maven-plugin:9.3.6.v20151106:run (default-cli) on project commerce: Failure: class org.eclipse.jetty.util.ssl.SslContextFactory.setKeyStore(class java.lang.String) -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.eclipse.jetty:jetty-maven-plugin:9.3.6.v20151106:run (default-cli) on project commerce: Failure
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.MojoExecutionException: Failure
    at org.eclipse.jetty.maven.plugin.AbstractJettyMojo.startJetty(AbstractJettyMojo.java:488)
    at org.eclipse.jetty.maven.plugin.AbstractJettyMojo.execute(AbstractJettyMojo.java:328)
    at org.eclipse.jetty.maven.plugin.JettyRunMojo.execute(JettyRunMojo.java:170)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
    ... 20 more
Caused by: java.lang.NoSuchMethodException: class org.eclipse.jetty.util.ssl.SslContextFactory.setKeyStore(class java.lang.String)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.set(XmlConfiguration.java:591)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:411)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newObj(XmlConfiguration.java:799)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:423)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:358)
    at org.eclipse.jetty.xml.XmlConfiguration.configure(XmlConfiguration.java:259)
    at org.eclipse.jetty.maven.plugin.ServerSupport.applyXmlConfigurations(ServerSupport.java:211)
    at org.eclipse.jetty.maven.plugin.AbstractJettyMojo.applyJettyXml(AbstractJettyMojo.java:404)
    at org.eclipse.jetty.maven.plugin.AbstractJettyMojo.startJetty(AbstractJettyMojo.java:427)
    ... 24 more
[ERROR] 
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

根据下面 mjlan 的回答,我修复了 TrustStorePat 的问题,但现在我得到了与不匹配的密码套件相关的异常:

[DEBUG] Selector loop woken up from select, 0/0 selected
[DEBUG] EPR Prod/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@7a33cfd7 produced org.eclipse.jetty.io.ManagedSelector@29708265
[DEBUG] EPR Pend/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@7a33cfd7 dispatch
[DEBUG] queue EPR Pend/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@7a33cfd7
[DEBUG] EPR Pend/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@7a33cfd7 run org.eclipse.jetty.io.ManagedSelector@29708265
[DEBUG] run EPR Pend/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@7a33cfd7
[DEBUG] EPR Pend/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@7a33cfd7 run
[DEBUG] EPR Prod/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@7a33cfd7 produce enter
[DEBUG] EPR Prod/org.eclipse.jetty.io.ManagedSelector$SelectorProducer@7a33cfd7 producing
[DEBUG] Selector loop waiting on select
[DEBUG] Destroyed SelectChannelEndPoint@472fea98{/0:0:0:0:0:0:0:1:64926<->8443,CLOSED,ISHUT,OSHUT,-,-,10/30000,SslConnection}{io=0/0,kio=-1,kro=-1}
javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:509)
    at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:313)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:223)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:192)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
    at org.eclipse.jetty.io.SelectChannelEndPoint.run(SelectChannelEndPoint.java:75)
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213)
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.run(QueuedThreadPool.java:572)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292)
    at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1014)
    at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:731)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:213)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.run(Handshaker.java:919)
    at sun.security.ssl.Handshaker.run(Handshaker.java:916)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:613)
    ... 13 more

我找不到任何关于在配置文件中设置密钥库位置的文档。我不断收到上述异常(已通过 TrustStorePath 修复修复)。

如果我删除密钥库规范,一切都会正常构建,但是当我转到 https://localhost:8443 时,我在浏览器中收到一条错误消息:

这是我 pom.xml 的相关部分:

...
<plugin>
    <groupId>org.eclipse.jetty</groupId>
    <artifactId>jetty-maven-plugin</artifactId>
    <version>9.3.6.v20151106</version>
    <configuration>                       
        <jettyXml>src/main/resources/jetty.xml,src/main/resources/jetty-
            ssl.xml,src/main/resources/jetty-https.xml,src/main/resources/jetty-ssl-context.xml</jettyXml>
    </configuration>
</plugin>
...

这是我的 jetty.xml:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">

    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Set name="secureScheme">https</Set>
        <Set name="securePort"><Property name="jetty.secure.port" default="8443" /></Set>
        <Set name="outputBufferSize">32768</Set>
        <Set name="requestHeaderSize">8192</Set>
        <Set name="responseHeaderSize">8192</Set>
        <Set name="sendServerVersion">true</Set>
        <Set name="sendDateHeader">false</Set>
        <Set name="headerCacheSize">512</Set>
    </New>
</Configure>

jetty-ssl.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- Base SSL configuration                                        -->
<!-- This configuration needs to be used together with 1 or more   -->
<!-- of jetty-https.xml or jetty-http2.xml                         -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

    <!-- =========================================================== -->
    <!-- Add a SSL Connector with no protocol factories              -->
    <!-- =========================================================== -->
    <Call  name="addConnector">
        <Arg>
            <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
                <Arg name="server"><Ref refid="Server" /></Arg>
                <Arg name="acceptors" type="int"><Property name="jetty.ssl.acceptors" deprecated="ssl.acceptors" default="-1"/></Arg>
                <Arg name="selectors" type="int"><Property name="jetty.ssl.selectors" deprecated="ssl.selectors" default="-1"/></Arg>
                <Arg name="factories">
                    <Array type="org.eclipse.jetty.server.ConnectionFactory">
                        <!-- uncomment to support proxy protocol
                        <Item>
                          <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
                        </Item>-->
                    </Array>
                </Arg>

                <Set name="host"><Property name="jetty.ssl.host" deprecated="jetty.host" /></Set>
                <Set name="port"><Property name="jetty.ssl.port" deprecated="ssl.port" default="8443" /></Set>

                <Set name="idleTimeout"><Property name="jetty.ssl.idleTimeout" deprecated="ssl.timeout" default="30000"/></Set>
                <Set name="soLingerTime"><Property name="jetty.ssl.soLingerTime" deprecated="ssl.soLingerTime" default="-1"/></Set>
                <Set name="acceptorPriorityDelta"><Property name="jetty.ssl.acceptorPriorityDelta" deprecated="ssl.acceptorPriorityDelta" default="0"/></Set>
                <Set name="acceptQueueSize"><Property name="jetty.ssl.acceptQueueSize" deprecated="ssl.acceptQueueSize" default="0"/></Set>
            </New>
        </Arg>
    </Call>

    <!-- =========================================================== -->
    <!-- Create a TLS specific HttpConfiguration based on the        -->
    <!-- common HttpConfiguration defined in jetty.xml               -->
    <!-- Add a SecureRequestCustomizer to extract certificate and    -->
    <!-- session information                                         -->
    <!-- =========================================================== -->
    <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Arg><Ref refid="httpConfig"/></Arg>
        <Call name="addCustomizer">
            <Arg>
                <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
                    <Arg type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
                </New>
            </Arg>
        </Call>
    </New>
</Configure>

jetty-https.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- Configure a HTTPS connector.                                  -->
<!-- This configuration must be used in conjunction with jetty.xml -->
<!-- and jetty-ssl.xml.                                            -->
<!-- ============================================================= -->
<Configure id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">

    <Call name="addIfAbsentConnectionFactory">
        <Arg>

            <New class="org.eclipse.jetty.server.SslConnectionFactory">
                <Arg name="next">http/1.1</Arg>
                <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
            </New>
        </Arg>
    </Call>

    <Call name="addConnectionFactory">
        <Arg>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
            </New>
        </Arg>
    </Call>
</Configure>

jetty-ssl-context.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- SSL ContextFactory configuration                              -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="KeyStorePath"><Property name="jetty.home" default="." />/src/main/resources/jetty.keystore</Set>
        <Set name="KeyStorePassword">password</Set>
        <Set name="KeyManagerPassword">password</Set>
        <Set name="TrustStorePath"><Property name="jetty.home" default="." />/src/main/resources/jetty.keystore</Set>
        <Set name="TrustStorePassword">password</Set>

        <Set name="IncludeCipherSuites">
            <Array type="String">
                <!-- Just include all until this is working... -->
                <Item>*</Item>
            </Array>
        </Set>
    </New>
</Configure>

根据 this documentation,您在 jetty-context.xml 文件中使用了不正确的 属性。

setKeyStore() 实际上接受一个 java java.security.KeyStore 对象,而不是一个字符串。您需要将属性更改为相应的 "XXPath" 属性。所以改为:

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath"><Property name="jetty.home" default="." />/src/main/resources/jetty-ssl.keystore</Set>
    <Set name="KeyStorePassword">password</Set>
    <Set name="TrustStorePath"><Property name="jetty.home" default="." />/src/main/resources/jetty-ssl.keystore</Set>
    <Set name="TrustStorePassword">password</Set>
</New>