Jetty ssl 端口没有为安全的 JSR-356 websockets 打开
Jetty ssl port not open for secure JSR-356 websockets
我正在编写一个服务器应用程序,它使用嵌入式 Jetty 9.3.0.M2 使用安全的 websockets。当我 运行 它没有安全套接字时,一切都很糟糕,但是当我启用安全套接字时,我的客户端连接被拒绝并且 nmap 显示端口已关闭。服务器端的日志中没有错误。
我相信我的 .jks、.crt、.pem 和 .key 文件以及我的密钥库密码都是正确的,因为同一台服务器上的其他应用程序正在使用相同的文件并且正在运行。
这是启动 Jetty 服务器的代码。使用常规套接字时一切正常。
if (keyStorePath != null) {
// use secure sockets
server = new Server();
HttpConfiguration https = new HttpConfiguration();
https.addCustomizer(new SecureRequestCustomizer());
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath(keyStorePath);
sslContextFactory.setKeyStorePassword(keyStorePassword);
sslContextFactory.setKeyManagerPassword(keyStorePassword);
ServerConnector sslConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
new HttpConnectionFactory(https));
sslConnector.setHost(serverName); // EDIT: this line was the problem, removing it fixed everything.
sslConnector.setPort(port);
server.setConnectors(new Connector[] { sslConnector });
} else {
// use regular sockets
server = new Server(port);
}
server.setStopAtShutdown(true);
server.setDumpAfterStart(false);
server.setDumpBeforeStop(false);
// Initialize JSR-356 style websocket
ServletContextHandler servletContextHandler =
new ServletContextHandler(ServletContextHandler.SESSIONS);
servletContextHandler.setContextPath(contextPath);
server.setHandler(servletContextHandler);
ServerContainer container =
WebSocketServerContainerInitializer.configureContext(servletContextHandler);
container.addEndpoint(MyWebsocketEndpoint.class);
server.start();
logger.info("Started server: " + server);
if (server.getConnectors().length > 0) {
logger.info("Connector = " + server.getConnectors()[0] +
" isRunning=" + server.getConnectors()[0].isRunning());
}
当 keyStorePath 不为空时(意味着使用安全套接字),日志如下所示:
2015-04-23 16:07:37.634:INFO::main: Logging initialized @114ms
2015-04-23 16:07:37.863:INFO:oejs.Server:main: jetty-9.3.0.M2
2015-04-23 16:07:38.408:INFO:oejsh.ContextHandler:main: Started o.e.j.s.ServletContextHandler@3abd7ff4{/websockets,null,AVAILABLE}
2015-04-23 16:07:38.489:INFO:oejs.ServerConnector:main: Started ServerConnector@2e4996ea{SSL,[ssl, http/1.1]}{my.server.com:8085}
2015-04-23 16:07:38.490:INFO:oejs.Server:main: Started @973ms
Apr 23, 2015 4:07:38 PM com.crowdoptic.conference.jetty.JettyWebSocketServer start
INFO: Started server: org.eclipse.jetty.server.Server@7205c140
Apr 23, 2015 4:07:38 PM com.crowdoptic.conference.jetty.JettyWebSocketServer start
INFO: Connector = ServerConnector@2e4996ea{SSL,[ssl, http/1.1]}{my.server.com:8085} isRunning=true
8085 端口上的 nmap 显示
PORT STATE SERVICE
8085/tcp closed unknown
我的 JavaScript 控制台中的错误是 "Error in connection establishment: net::ERR_CONNECTION_REFUSED"
当 keyStorePath 为 null(意味着使用套接字)时,日志如下所示:
2015-04-23 16:15:19.624:INFO::main: Logging initialized @115ms
2015-04-23 16:15:19.847:INFO:oejs.Server:main: jetty-9.3.0.M2
2015-04-23 16:15:20.431:INFO:oejsh.ContextHandler:main: Started o.e.j.s.ServletContextHandler@403108f6{/websockets,null,AVAILABLE}
2015-04-23 16:15:20.446:INFO:oejs.ServerConnector:main: Started ServerConnector@4efce9a2{HTTP/1.1,[http/1.1]}{0.0.0.0:8085}
2015-04-23 16:15:20.450:INFO:oejs.Server:main: Started @941ms
Apr 23, 2015 4:15:20 PM com.crowdoptic.conference.jetty.JettyWebSocketServer start
INFO: Started server: org.eclipse.jetty.server.Server@57a20888
Apr 23, 2015 4:15:20 PM com.crowdoptic.conference.jetty.JettyWebSocketServer start
INFO: Connector = ServerConnector@4efce9a2{HTTP/1.1,[http/1.1]}{0.0.0.0:8085} isRunning=true
8085 端口上的 nmap 显示
PORT STATE SERVICE
8085/tcp open unknown
并且该应用程序在浏览器中运行良好。我很难过。我尝试了很多代码排列来设置 SSL,但都无济于事。谢谢你看这个。
已编辑 以表明我使用的是 JSR-356 websockets 而不是 Jetty 原生 websockets。
已编辑将解决方案放在示例代码的注释中。
Jetty 9.3.0 仍在更新中,不稳定。
首先,让我们使用稳定版本的 Jetty,即 9.2.10.v20150310。
您的示例中的 SSL、SslContextFactory 和 ServerConnector 设置是正确的。
示例(使用在 jetty-distribution/demo-base/etc
中找到的预先创建的 keystore
文件):
package jetty.websocket;
import java.io.FileNotFoundException;
import java.net.URL;
import javax.websocket.OnMessage;
import javax.websocket.server.ServerContainer;
import javax.websocket.server.ServerEndpoint;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.websocket.jsr356.server.deploy.WebSocketServerContainerInitializer;
public class SecureJavaxWebSocketServer
{
@ServerEndpoint(value="/echo")
public static class EchoSocket
{
@OnMessage
public String onMessage(String msg)
{
return msg;
}
}
public static void main(String[] args)
{
try
{
new SecureJavaxWebSocketServer().go();
}
catch (Throwable t)
{
t.printStackTrace(System.err);
}
}
private URL findResource(String path) throws FileNotFoundException
{
URL url = Thread.currentThread().getContextClassLoader().getResource(path);
if (url == null)
{
throw new FileNotFoundException("Resource Not Found: " + path);
}
return url;
}
public void go() throws Exception
{
Server server = new Server();
int httpsPort = 9443;
// Setup SSL
URL keystore = findResource("ssl/keystore");
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath(keystore.toExternalForm());
sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
sslContextFactory.addExcludeProtocols("SSLv3"); // a good thing to do
sslContextFactory.addExcludeCipherSuites(".*_GCM_.*"); // geez these ciphers are slow
// Setup HTTPS Configuration
HttpConfiguration httpsConf = new HttpConfiguration();
httpsConf.setSecurePort(httpsPort);
httpsConf.setSecureScheme("https");
httpsConf.addCustomizer(new SecureRequestCustomizer());
ServerConnector htttpsConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory,"http/1.1"),
new HttpConnectionFactory(httpsConf));
htttpsConnector.setPort(httpsPort);
server.addConnector(htttpsConnector);
// Establish base handler list
HandlerList baseHandlers = new HandlerList();
server.setHandler(baseHandlers);
// Add Servlet Context
ServletContextHandler context = new ServletContextHandler();
context.setContextPath("/");
baseHandlers.addHandler(context);
// Add WebSocket
ServerContainer jsrContainer = WebSocketServerContainerInitializer.configureContext(context);
jsrContainer.addEndpoint(EchoSocket.class);
// Add default handler (for errors and whatnot) - always last
baseHandlers.addHandler(new DefaultHandler());
// Lets see how the server is setup after it is started
// server.setDumpAfterStart(true);
try
{
// Start the server thread
server.start();
// Wait for the server thread to end
server.join();
}
catch (Throwable t)
{
t.printStackTrace(System.err);
}
}
}
启动控制台结果:
2015-04-23 09:53:17.279:INFO::main: Logging initialized @139ms
2015-04-23 09:53:17.346:INFO:oejs.Server:main: jetty-9.2.10.v20150310
2015-04-23 09:53:17.370:INFO:oejsh.ContextHandler:main: Started o.e.j.s.ServletContextHandler@2437c6dc{/,null,AVAILABLE}
2015-04-23 09:53:17.574:INFO:oejs.ServerConnector:main: Started ServerConnector@71423665{SSL-http/1.1}{0.0.0.0:9443}
2015-04-23 09:53:17.575:INFO:oejs.Server:main: Started @437ms
环境测试:
$ netstat -tlnp | grep LISTEN | grep 9443
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp6 0 0 :::9443 :::* LISTEN 8918/java
$ ps auwwwx | grep 8918
joakim 8918 0.7 0.1 11822896 59728 ? Sl 09:53 0:00 /home/joakim/java/jvm/jdk-8u31-x64/bin/java -Dfile.encoding=UTF-8 -classpath /home/joakim/code/(..snip..) jetty.websocket.SecureWebSocketServer
您可以使用位于
的回声测试客户端测试此回声 class
http://www.websocket.org/echo.html
只需将表单中的 URL 指向 wss://localhost:9443/echo
并勾选 TLS 复选框。
我正在编写一个服务器应用程序,它使用嵌入式 Jetty 9.3.0.M2 使用安全的 websockets。当我 运行 它没有安全套接字时,一切都很糟糕,但是当我启用安全套接字时,我的客户端连接被拒绝并且 nmap 显示端口已关闭。服务器端的日志中没有错误。
我相信我的 .jks、.crt、.pem 和 .key 文件以及我的密钥库密码都是正确的,因为同一台服务器上的其他应用程序正在使用相同的文件并且正在运行。
这是启动 Jetty 服务器的代码。使用常规套接字时一切正常。
if (keyStorePath != null) {
// use secure sockets
server = new Server();
HttpConfiguration https = new HttpConfiguration();
https.addCustomizer(new SecureRequestCustomizer());
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath(keyStorePath);
sslContextFactory.setKeyStorePassword(keyStorePassword);
sslContextFactory.setKeyManagerPassword(keyStorePassword);
ServerConnector sslConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
new HttpConnectionFactory(https));
sslConnector.setHost(serverName); // EDIT: this line was the problem, removing it fixed everything.
sslConnector.setPort(port);
server.setConnectors(new Connector[] { sslConnector });
} else {
// use regular sockets
server = new Server(port);
}
server.setStopAtShutdown(true);
server.setDumpAfterStart(false);
server.setDumpBeforeStop(false);
// Initialize JSR-356 style websocket
ServletContextHandler servletContextHandler =
new ServletContextHandler(ServletContextHandler.SESSIONS);
servletContextHandler.setContextPath(contextPath);
server.setHandler(servletContextHandler);
ServerContainer container =
WebSocketServerContainerInitializer.configureContext(servletContextHandler);
container.addEndpoint(MyWebsocketEndpoint.class);
server.start();
logger.info("Started server: " + server);
if (server.getConnectors().length > 0) {
logger.info("Connector = " + server.getConnectors()[0] +
" isRunning=" + server.getConnectors()[0].isRunning());
}
当 keyStorePath 不为空时(意味着使用安全套接字),日志如下所示:
2015-04-23 16:07:37.634:INFO::main: Logging initialized @114ms
2015-04-23 16:07:37.863:INFO:oejs.Server:main: jetty-9.3.0.M2
2015-04-23 16:07:38.408:INFO:oejsh.ContextHandler:main: Started o.e.j.s.ServletContextHandler@3abd7ff4{/websockets,null,AVAILABLE}
2015-04-23 16:07:38.489:INFO:oejs.ServerConnector:main: Started ServerConnector@2e4996ea{SSL,[ssl, http/1.1]}{my.server.com:8085}
2015-04-23 16:07:38.490:INFO:oejs.Server:main: Started @973ms
Apr 23, 2015 4:07:38 PM com.crowdoptic.conference.jetty.JettyWebSocketServer start
INFO: Started server: org.eclipse.jetty.server.Server@7205c140
Apr 23, 2015 4:07:38 PM com.crowdoptic.conference.jetty.JettyWebSocketServer start
INFO: Connector = ServerConnector@2e4996ea{SSL,[ssl, http/1.1]}{my.server.com:8085} isRunning=true
8085 端口上的 nmap 显示
PORT STATE SERVICE
8085/tcp closed unknown
我的 JavaScript 控制台中的错误是 "Error in connection establishment: net::ERR_CONNECTION_REFUSED"
当 keyStorePath 为 null(意味着使用套接字)时,日志如下所示:
2015-04-23 16:15:19.624:INFO::main: Logging initialized @115ms
2015-04-23 16:15:19.847:INFO:oejs.Server:main: jetty-9.3.0.M2
2015-04-23 16:15:20.431:INFO:oejsh.ContextHandler:main: Started o.e.j.s.ServletContextHandler@403108f6{/websockets,null,AVAILABLE}
2015-04-23 16:15:20.446:INFO:oejs.ServerConnector:main: Started ServerConnector@4efce9a2{HTTP/1.1,[http/1.1]}{0.0.0.0:8085}
2015-04-23 16:15:20.450:INFO:oejs.Server:main: Started @941ms
Apr 23, 2015 4:15:20 PM com.crowdoptic.conference.jetty.JettyWebSocketServer start
INFO: Started server: org.eclipse.jetty.server.Server@57a20888
Apr 23, 2015 4:15:20 PM com.crowdoptic.conference.jetty.JettyWebSocketServer start
INFO: Connector = ServerConnector@4efce9a2{HTTP/1.1,[http/1.1]}{0.0.0.0:8085} isRunning=true
8085 端口上的 nmap 显示
PORT STATE SERVICE
8085/tcp open unknown
并且该应用程序在浏览器中运行良好。我很难过。我尝试了很多代码排列来设置 SSL,但都无济于事。谢谢你看这个。
已编辑 以表明我使用的是 JSR-356 websockets 而不是 Jetty 原生 websockets。
已编辑将解决方案放在示例代码的注释中。
Jetty 9.3.0 仍在更新中,不稳定。
首先,让我们使用稳定版本的 Jetty,即 9.2.10.v20150310。
您的示例中的 SSL、SslContextFactory 和 ServerConnector 设置是正确的。
示例(使用在 jetty-distribution/demo-base/etc
中找到的预先创建的 keystore
文件):
package jetty.websocket;
import java.io.FileNotFoundException;
import java.net.URL;
import javax.websocket.OnMessage;
import javax.websocket.server.ServerContainer;
import javax.websocket.server.ServerEndpoint;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.websocket.jsr356.server.deploy.WebSocketServerContainerInitializer;
public class SecureJavaxWebSocketServer
{
@ServerEndpoint(value="/echo")
public static class EchoSocket
{
@OnMessage
public String onMessage(String msg)
{
return msg;
}
}
public static void main(String[] args)
{
try
{
new SecureJavaxWebSocketServer().go();
}
catch (Throwable t)
{
t.printStackTrace(System.err);
}
}
private URL findResource(String path) throws FileNotFoundException
{
URL url = Thread.currentThread().getContextClassLoader().getResource(path);
if (url == null)
{
throw new FileNotFoundException("Resource Not Found: " + path);
}
return url;
}
public void go() throws Exception
{
Server server = new Server();
int httpsPort = 9443;
// Setup SSL
URL keystore = findResource("ssl/keystore");
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath(keystore.toExternalForm());
sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
sslContextFactory.addExcludeProtocols("SSLv3"); // a good thing to do
sslContextFactory.addExcludeCipherSuites(".*_GCM_.*"); // geez these ciphers are slow
// Setup HTTPS Configuration
HttpConfiguration httpsConf = new HttpConfiguration();
httpsConf.setSecurePort(httpsPort);
httpsConf.setSecureScheme("https");
httpsConf.addCustomizer(new SecureRequestCustomizer());
ServerConnector htttpsConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory,"http/1.1"),
new HttpConnectionFactory(httpsConf));
htttpsConnector.setPort(httpsPort);
server.addConnector(htttpsConnector);
// Establish base handler list
HandlerList baseHandlers = new HandlerList();
server.setHandler(baseHandlers);
// Add Servlet Context
ServletContextHandler context = new ServletContextHandler();
context.setContextPath("/");
baseHandlers.addHandler(context);
// Add WebSocket
ServerContainer jsrContainer = WebSocketServerContainerInitializer.configureContext(context);
jsrContainer.addEndpoint(EchoSocket.class);
// Add default handler (for errors and whatnot) - always last
baseHandlers.addHandler(new DefaultHandler());
// Lets see how the server is setup after it is started
// server.setDumpAfterStart(true);
try
{
// Start the server thread
server.start();
// Wait for the server thread to end
server.join();
}
catch (Throwable t)
{
t.printStackTrace(System.err);
}
}
}
启动控制台结果:
2015-04-23 09:53:17.279:INFO::main: Logging initialized @139ms
2015-04-23 09:53:17.346:INFO:oejs.Server:main: jetty-9.2.10.v20150310
2015-04-23 09:53:17.370:INFO:oejsh.ContextHandler:main: Started o.e.j.s.ServletContextHandler@2437c6dc{/,null,AVAILABLE}
2015-04-23 09:53:17.574:INFO:oejs.ServerConnector:main: Started ServerConnector@71423665{SSL-http/1.1}{0.0.0.0:9443}
2015-04-23 09:53:17.575:INFO:oejs.Server:main: Started @437ms
环境测试:
$ netstat -tlnp | grep LISTEN | grep 9443
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp6 0 0 :::9443 :::* LISTEN 8918/java
$ ps auwwwx | grep 8918
joakim 8918 0.7 0.1 11822896 59728 ? Sl 09:53 0:00 /home/joakim/java/jvm/jdk-8u31-x64/bin/java -Dfile.encoding=UTF-8 -classpath /home/joakim/code/(..snip..) jetty.websocket.SecureWebSocketServer
您可以使用位于
的回声测试客户端测试此回声 classhttp://www.websocket.org/echo.html
只需将表单中的 URL 指向 wss://localhost:9443/echo
并勾选 TLS 复选框。