[jetty-users] keystore
Lou DeGenaro
2018-03-10 14:15:54 UTC
I've downloaded jetty 9.2.13 (yes, we will move on to something better
soon).

I made one small change to jetty-https.xml, replacing 433 with 8443 for the
secure port. I created a small test webapp:

webapps/test/index.html:

<html>
Hello World!
</html>

java -jar start.jar -Dorg.eclipse.jetty.LEVEL=DEBUG

Using my FF browser I visit https://myhost:8443/test/ and after adding an
exception for an "Insecure Connection" I see: Hello World!

Great.

Now comes the part I don't understand (somewhat naive ssl user here).

I have a keystore and password that is working fine for an embedded jetty
(also 9.2.13) in another application. Works fine for https with the same
"Insecure Connection" due to self-signed cert.

I take the keystore from my application and put it into /etc of the vanilla
jetty 9.2.13. And I take the password from my application and put it into
jetty-ssl.xml thus:

<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>

java -jar start.jar -Dorg.eclipse.jetty.LEVEL=DEBUG

I get:

2018-03-10 09:12:19.794:WARN:oejuc.AbstractLifeCycle:main: FAILED ***@2a3046da(/home/degenaro/test/jetty-distribution-9.2.13.v20150730/etc/keystore,/home/degenaro/test/jetty-distribution-9.2.13.v20150730/etc/keystore): java.io.IOException: Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
    at java.security.KeyStore.load(KeyStore.java:1445)

Certainly user error, but what have I done wrong??

Thanks.

Lou.
John English
2018-03-10 17:59:01 UTC
Post by Lou DeGenaro
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="my-password"/></Set>
The keystore password and truststore password are really the same? Are
you sure?
--
John English
Lou DeGenaro
2018-03-10 19:48:16 UTC
yep.
_______________________________________________
jetty-users mailing list
To change your delivery options, retrieve your password, or unsubscribe
from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Greg Wilkins
2018-03-12 06:03:43 UTC
Is jetty.keystore.password set anywhere? If it is set, is it set to
your password?
Try hard coding it in the XML to debug before playing with parameters.

cheers
--
Greg Wilkins <***@webtide.com> CTO http://webtide.com
Lou DeGenaro
2018-03-14 13:43:33 UTC
Still having (likely user error) issues with SSL. I generate my keystore
thus:

/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty \
  -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" \
  -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 \
  -keystore /home/webserver/etc/keystore \
  -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh

I run jetty 9.4.8 with java 1.8 and the keystore.

I visit https://myhost:8443/ using Firefox 52.4.0 (64-bit) and my window
displays: Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Thanks for your advice.

Lou.
Joakim Erdfelt
2018-03-14 14:44:46 UTC
Have you attempted to configure the SSL Cipher Suites on the Jetty server
side?

If you enable the jetty startup dump you'll see the list of enabled cipher
suites and protocols that Jetty is running with (including the reason why a
specific available protocol or cipher suite is disabled).

$ java -jar /path/to/my/jetty-home/start.jar jetty.server.dumpAfterStart=true

Example output:

| += ***@51c668e3{SSL->http/1.1} - STARTED
| | += ***@19f040ba[provider=null,keyStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore,trustStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore] trustAll=false
| | +- Protocol Selections
| | | +- Enabled (size=3)
| | | | +- TLSv1
| | | | +- TLSv1.1
| | | | +- TLSv1.2
| | | +- Disabled (size=2)
| | | +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
| | | +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
| | +- Cipher Suite Selections
| | +- Enabled (size=29)
| | | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
| | | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
| | | +- TLS_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_256_GCM_SHA384
| | +- Disabled (size=53)
| | +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
| | +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security
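Three checks a practitioner would want to run over a dump like the one above, as an added Python example that is not from the thread or from the Jetty project: a parser for the dump's protocol and cipher-suite tree, a re-implementation of Jetty's regex-based exclusion step (the `^.*_(MD5|SHA|SHA1)$` pattern shown in the dump), and a per-suite verdict on why each suite a client offers can or cannot be negotiated, including the suites an RSA key like the one keytool produced in the thread can never use. The dump excerpt and the client offer are constructed, and the key-type filter is an approximation of my own for RSA keys only, not Jetty's logic.

```python
import re

# Constructed excerpt in the layout of Jetty's SslContextFactory startup dump
# (jetty.server.dumpAfterStart=true), not the full dump from the post.
SAMPLE_DUMP = """\
| | +- Protocol Selections
| | | +- Enabled (size=3)
| | | | +- TLSv1
| | | | +- TLSv1.1
| | | | +- TLSv1.2
| | | +- Disabled (size=2)
| | | +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
| | | +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
| | +- Cipher Suite Selections
| | +- Enabled (size=3)
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_RSA_WITH_AES_128_CBC_SHA256
| | +- Disabled (size=3)
| | +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
"""

# Constructed client offer: two suites a browser of that era would send plus
# three weak ones, so that every branch of explain_offer() is exercised.
CLIENT_OFFER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

_NODE = re.compile(r"^[|\s]*\+-\s*(.*?)\s*$")   # one "+-" tree node of the dump
_STATE = re.compile(r"^(Enabled|Disabled) \(size=\d+\)$")
# Suites a server holding an RSA key (keytool -keyalg RSA, as in the thread) can
# negotiate (approximation); ECDSA, DSS, static ECDH_RSA and anon suites cannot.
_KEY_SUITES = {"RSA": re.compile(r"^(TLS|SSL)_(ECDHE_|DHE_)?RSA_WITH_")}

def parse_dump(text):
    """Return {"protocols": {...}, "ciphers": {...}}, each holding
    "enabled": [names] and "disabled": {name: [reasons as printed]}."""
    result = {"protocols": {"enabled": [], "disabled": {}},
              "ciphers": {"enabled": [], "disabled": {}}}
    section = state = None
    for line in text.splitlines():
        m = _NODE.match(line)
        if not m:
            continue                      # e.g. the "+=" bean header line
        label = m.group(1)
        if label == "Protocol Selections":
            section, state = "protocols", None
        elif label == "Cipher Suite Selections":
            section, state = "ciphers", None
        elif _STATE.match(label):
            state = label.split(" ")[0].lower()
        elif section and state == "enabled":
            result[section]["enabled"].append(label)
        elif section and state == "disabled":
            name, _, reasons = label.partition(" - ")
            result[section]["disabled"][name] = [
                r.strip() for r in reasons.split(",") if r.strip()]
    return result

def select_suites(available, exclude_patterns=(r"^.*_(MD5|SHA|SHA1)$",)):
    """Mirror Jetty's exclusion step: each exclude entry is a Java regex that
    must match the whole suite name (re.fullmatch here). The default is the
    pattern in the dump: names ending in _MD5/_SHA/_SHA1 go, _SHA256/_SHA384 stay."""
    enabled, disabled = [], {}
    for name in available:
        hit = next((p for p in exclude_patterns if re.fullmatch(p, name)), None)
        if hit is None:
            enabled.append(name)
        else:
            disabled[name] = "ConfigExcluded:'%s'" % hit
    return enabled, disabled

def usable_with_key(suites, key_alg="RSA"):
    """Drop the suites the server's own key type can never negotiate."""
    return [s for s in suites if _KEY_SUITES[key_alg].match(s)]

def explain_offer(dump_text, client_offered, key_alg="RSA"):
    """Per client-offered suite, say why it can or cannot be negotiated.
    No "negotiable" entry at all is the case the browser reports as
    SSL_ERROR_NO_CYPHER_OVERLAP."""
    ciphers = parse_dump(dump_text)["ciphers"]
    usable = set(usable_with_key(ciphers["enabled"], key_alg))
    verdict = {}
    for suite in client_offered:
        if suite in usable:
            verdict[suite] = "negotiable"
        elif suite in ciphers["enabled"]:
            verdict[suite] = "unusable with %s key" % key_alg
        elif suite in ciphers["disabled"]:
            verdict[suite] = ", ".join(ciphers["disabled"][suite])
        else:
            verdict[suite] = "not provided by server JRE"
    return verdict
```

Feed the real dump text and the client's offered list (from a packet capture of the ClientHello, or the browser's known defaults) to `explain_offer` to see which side removed each candidate.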
Lou DeGenaro
2018-03-14 14:55:32 UTC
Have you attempted to configure the SSL Cipher Suites on the Jetty server
side?
NO. I'm using vanilla jetty as shipped. Is there something else I need
to do?

Code shown below.

Thanks.

Lou.

// Imports for the Jetty 9.4 classes used below (not in the original post);
// the fields server, max_threads, port_http, port_https, idle_timeout,
// keystore, keystore_password, keymanager_password and jetty_server_root
// are declared elsewhere in the poster's class.
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.eclipse.jetty.util.thread.ScheduledExecutorScheduler;

private void server_main(String[] args) {
    try {
        // === jetty.xml ===

        // Setup Threadpool
        QueuedThreadPool threadPool = new QueuedThreadPool();
        threadPool.setMaxThreads(max_threads);

        // Server
        server = new Server(threadPool);

        // Scheduler
        server.addBean(new ScheduledExecutorScheduler());

        // === jetty-http.xml ===
        ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
        http.setPort(port_http);
        http.setIdleTimeout(idle_timeout);
        server.addConnector(http);

        // === jetty-https.xml ===

        // SSL Context Factory
        SslContextFactory sslContextFactory = new SslContextFactory();

        HttpConfiguration http_config = new HttpConfiguration();
        http_config.setSecureScheme("https");
        http_config.setSecurePort(port_https);

        HttpConfiguration https_config = new HttpConfiguration(http_config);
        https_config.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory, "http/1.1"),
            new HttpConnectionFactory(https_config));

        https.setPort(port_https);
        sslContextFactory.setKeyStorePath(keystore);
        sslContextFactory.setKeyStorePassword(keystore_password);
        sslContextFactory.setKeyManagerPassword(keymanager_password);

        server.setConnectors(new Connector[] { http });
        server.addConnector(https);

        // Resource handler: created here but never attached to the server
        ResourceHandler resourceHandler = new ResourceHandler();
        resourceHandler.setDirectoriesListed(true);
        resourceHandler.setResourceBase(jetty_server_root);

        server.start();
        server.join();
    }
    catch (Exception e) {
        e.printStackTrace();
    }
}
Joakim Erdfelt
2018-03-14 15:23:48 UTC
Your server has no handlers, none, completely empty.

Perhaps you missed the ...

server.setHandler(resourceHandler);

Better yet, use ...

HandlerList handlers = new HandlerList();
handlers.addHandler(resourceHandler);
handlers.addHandler(new DefaultHandler()); // always last
server.setHandler(handlers);

Also, add this before your server.start();

server.setDumpAfterStart(true);
server.start();
server.join();

That should produce the dump I mentioned in the prior email.
| | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_NULL_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_NULL_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_MD5 -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_128_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_256_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_NULL_SHA256 -
JreDisabled:java.security
Post by Lou DeGenaro
Still having (likely user error) issues with SSL. I generate my
/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty \
  -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" \
  -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 \
  -keystore /home/webserver/etc/keystore -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh
I run jetty 9.4.8 with java 1.8 and the keystore.
I visit https://myhost:8443/ using Firefox 52.4.0 (64-bit) and my window
displays: Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP
Thanks for your advice.
Lou.
Post by Greg Wilkins
Is jetty.keystore.password set anywhere? If it is set, is it
set to your password?
Try hard coding it in the XML to debug before playing with parameters.
cheers
yep.
Post by John English
Post by Lou DeGenaro
<Set name="KeyStorePassword"><Property
name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property
name="jetty.truststore.password" default="my-password"/></Set>
The keystore password and truststore password are really the same?
Are you sure?
--
John English
_______________________________________________
jetty-users mailing list
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
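The quoted exchange above turns on two different passwords: the one Jetty takes via setKeyStorePassword (the store's integrity password, keytool's -storepass) and the one it takes via setKeyManagerPassword (the per-entry password, keytool's -keypass, which defaults to -storepass when omitted). The following is an added example, not code from this thread or from Jetty, that checks both against a keystore with the plain JDK KeyStore API so each mistake is reported by name rather than as the generic "Keystore was tampered with" failure at startup; the class name, alias and password strings are constructed for the demo.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not from the thread): verify the two passwords that
 * SslContextFactory.setKeyStorePassword() and setKeyManagerPassword() expect
 * before starting Jetty.
 */
public class KeystoreCheck {

    /** Outcome of a check; the first two mirror the failures seen in the thread. */
    public enum Result { OK, BAD_STORE_PASSWORD_OR_CORRUPT, ALIAS_MISSING, BAD_KEY_PASSWORD }

    /**
     * @param keystore  path of the keystore file
     * @param type      "JKS", "JCEKS" or "PKCS12"
     * @param storePass what Jetty gets via setKeyStorePassword (integrity password)
     * @param keyPass   what Jetty gets via setKeyManagerPassword (per-entry password)
     * @param alias     entry the server key lives under (keytool -alias)
     */
    public static Result check(Path keystore, String type, String storePass,
                               String keyPass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(keystore)) {
            // A wrong store password surfaces here as an IOException
            // ("Keystore was tampered with, or password was incorrect" for JKS);
            // a truncated or corrupt file is reported the same way.
            ks.load(in, storePass.toCharArray());
        } catch (IOException e) {
            return Result.BAD_STORE_PASSWORD_OR_CORRUPT;
        }
        if (!ks.containsAlias(alias)) {
            return Result.ALIAS_MISSING;
        }
        try {
            // getKey() applies the per-entry password, the one the key manager
            // uses; it is independent of the store password.
            Key key = ks.getKey(alias, keyPass.toCharArray());
            return key == null ? Result.ALIAS_MISSING : Result.OK; // null: alias holds only a cert
        } catch (UnrecoverableKeyException e) {
            return Result.BAD_KEY_PASSWORD;
        }
    }

    /**
     * Self-contained demo: builds a throwaway JCEKS store whose store password
     * and entry password differ (a secret-key entry stands in for the RSA
     * private-key entry keytool -genkey creates, because the plain JDK API
     * cannot mint the certificate such an entry needs) and runs the check
     * with each password mix-up from the thread.
     */
    public static void main(String[] args) throws Exception {
        Path tmp = Files.createTempFile("demo", ".jceks");
        tmp.toFile().deleteOnExit();
        String storePass = "store-password"; // constructed values
        String keyPass = "key-password";

        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // start empty
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("jetty", new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(keyPass.toCharArray()));
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, storePass.toCharArray());
        }

        System.out.println("both right:        " + check(tmp, "JCEKS", storePass, keyPass, "jetty"));
        System.out.println("wrong store pass:  " + check(tmp, "JCEKS", "my-password", keyPass, "jetty"));
        System.out.println("store pass as key: " + check(tmp, "JCEKS", storePass, storePass, "jetty"));
        System.out.println("wrong alias:       " + check(tmp, "JCEKS", storePass, keyPass, "tomcat"));
    }
}
```

Point check() at the real keystore with the values from jetty-ssl.xml (or the setKeyStorePassword/setKeyManagerPassword arguments) and alias jetty to see which of the four cases the deployment is in.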
Lou DeGenaro
2018-03-14 15:43:20 UTC
No improvement. Revised code and console shown below.

Thanks.

Lou.

-----

import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.eclipse.jetty.util.thread.ScheduledExecutorScheduler;

// Fields used below (server, max_threads, port_http, port_https, idle_timeout,
// keystore, keystore_password, keymanager_password, jetty_server_root) are
// declared elsewhere in the enclosing class.
private void server_main(String[] args) {
    try {
        // === jetty.xml ===

        // Setup Threadpool
        QueuedThreadPool threadPool = new QueuedThreadPool();
        threadPool.setMaxThreads(max_threads);

        // Server
        server = new Server(threadPool);

        // Scheduler
        server.addBean(new ScheduledExecutorScheduler());

        // === jetty-http.xml ===
        ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
        http.setPort(port_http);
        http.setIdleTimeout(idle_timeout);
        server.addConnector(http);

        // === jetty-https.xml ===

        // SSL Context Factory
        SslContextFactory sslContextFactory = new SslContextFactory();

        HttpConfiguration http_config = new HttpConfiguration();
        http_config.setSecureScheme("https");
        http_config.setSecurePort(port_https);

        HttpConfiguration https_config = new HttpConfiguration(http_config);
        https_config.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, "http/1.1"),
                new HttpConnectionFactory(https_config));

        https.setPort(port_https);
        sslContextFactory.setKeyStorePath(keystore);
        sslContextFactory.setKeyStorePassword(keystore_password);     // store (integrity) password
        sslContextFactory.setKeyManagerPassword(keymanager_password); // per-entry key password

        server.setConnectors(new Connector[] { http });
        server.addConnector(https);

        // Handlers
        ResourceHandler resourceHandler = new ResourceHandler();
        resourceHandler.setDirectoriesListed(true);
        resourceHandler.setResourceBase(jetty_server_root);

        HandlerList handlers = new HandlerList();
        handlers.addHandler(resourceHandler);
        handlers.addHandler(new DefaultHandler()); // always last
        server.setHandler(handlers);

        server.setDumpAfterStart(true);

        server.start();
        server.join();
    }
    catch (Exception e) {
        e.printStackTrace();
    }
}

-----
2018-03-14 11:37:45.625:INFO::main: Logging initialized @351ms to
org.eclipse.jetty.util.log.StdErrLog
2018-03-14 11:37:45.825:INFO:oejs.Server:main: jetty-9.4.8.v20171121, build
timestamp: 2017-11-21T16:27:37-05:00, git hash:
82b8fb23f757335bb3329d540ce37a2a2615f0a8
2018-03-14 11:37:45.922:INFO:oejs.AbstractConnector:main: Started
***@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
IBMJSSE2 will not allow protocol SSLv3 per com.ibm.jsse2.disableSSLv3 set
to TRUE or default
IBMJSSEProvider2 Build-Level: -20170331
2018-03-14 11:37:46.281:INFO:oejus.SslContextFactory:main:
x509=***@5e446688(jetty,h=[org.apache.uima.ducc],w=[]) for
***@1d40ef6d
[provider=null,keyStore=file:///home/degenaro/eclipse-workspace.oxygen/jetty-test/jetty_server/resources/keystore,trustStore=null]
***
found key for : jetty
chain [0] = [
[
Version: V3
Subject: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington,
ST=Delaware, C=USA
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: IBMJCE RSA Public Key:

Validity: [From: Wed Mar 07 15:56:33 EST 2018,
To: Sun Jul 23 16:56:33 EDT 2045]
Issuer: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington,
ST=Delaware, C=USA
SerialNumber: [1372056716]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: d5 93 ce ef 56 40 f2 e8 54 f0 02 22 ed 77 36 fd ....V...T....w6.
0010: 4c 3f bb 73 L..s
]
]

]
Algorithm: [SHA256withRSA]
Signature:
]
***
adding as trusted cert:
Subject: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington,
ST=Delaware, C=USA
Issuer: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington,
ST=Delaware, C=USA
Algorithm: RSA; Serial number: 0x51c7ec8c
Valid from Wed Mar 07 15:56:33 EST 2018 until Sun Jul 23 16:56:33 EDT 2045

Installed Providers =
IBMJSSE2
IBMJCE
IBMJGSSProvider
IBMCertPath
IBMSASL
IBMXMLCRYPTO
IBMXMLEnc
IBMSPNEGO
SUN
SSLContextImpl: Using X509ExtendedKeyManager
org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager
SSLContextImpl: Using X509TrustManager com.ibm.jsse2.aB
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version
1.8
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version
1.8
JsseJCE: Using signature SHA1withECDSA from provider TBD via init
JsseJCE: Using signature NONEwithECDSA from provider TBD via init
JsseJCE: Using KeyAgreement ECDH from provider IBMJCE version 1.8
JsseJCE: Using KeyFactory EC from provider IBMJCE version 1.8
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
jdk.tls.client.protocols is defined as null
SSLv3 protocol was requested but was not enabled
SSLv3 protocol was requested but was not enabled
SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
IBMJSSE2 will enable CBC protection
Using SSLEngineImpl.
2018-03-14 11:37:47.170:INFO:oejs.AbstractConnector:main: Started
***@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
***@74696830[9.4.8.v20171121] - STARTING
+= ***@qtp-149401960{STARTED,8<=8<=10,i=4,q=0} - STARTED
| +- 21 qtp-149401960-21-acceptor-***@6793ecf3-ServerConnector
@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} ACCEPTING RUNNABLE @
sun.nio.ch.ServerSocketChannelImpl.accept0(Native Method) prio=3
| +- 25 qtp-149401960-25 IDLE TIMED_WAITING @
sun.misc.Unsafe.park(Native Method)
| +- 26 qtp-149401960-26 IDLE TIMED_WAITING @
sun.misc.Unsafe.park(Native Method)
| +- 22 qtp-149401960-22 SELECTING RUNNABLE @
sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)
| +- 23 qtp-149401960-23-acceptor-***@b20be6a6-***@2909406e{SSL,[ssl,
http/1.1]}{0.0.0.0:8443} ACCEPTING RUNNABLE @
sun.nio.ch.ServerSocketChannelImpl.accept0(Native Method) prio=3
| +- 24 qtp-149401960-24 IDLE TIMED_WAITING @
sun.misc.Unsafe.park(Native Method)
| +- 20 qtp-149401960-20 SELECTING RUNNABLE @
sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)
| +- 27 qtp-149401960-27 IDLE TIMED_WAITING @
sun.misc.Unsafe.park(Native Method)
| +- jobs
+= ***@fed832b4 -
STARTED
+= ***@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} - STARTED
| +~ ***@74696830[9.4.8.v20171121] - STARTING
| +~ ***@qtp-149401960{STARTED,8<=8<=10,i=4,q=0} - STARTED
| +~ ***@fed832b4 -
STARTED
| +- ***@133cfd8a
| += ***@378c4a8b[HTTP/1.1] - STARTED
| | +- ***@83e8c34f{32768/8192,8192/8192,https://:0,[]}
| += ***@ServerConnector@bce0c39e{HTTP/1.1,[http/1.1]}{
0.0.0.0:8080} - STARTED
| | += ***@d9a5f14a{s=0/1,p=0}@SelectorManager
@***@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} - STARTED
| | += ***@19be75b2 id=0 keys=0
selected=0 actions=0 - STARTED
| | += ***@44d241bf/***@f642edac
/PRODUCING/***@d9a5f14a{s=0/1,p=0}@SelectorManager
@***@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} - STARTED
| | +- ***@f642edac
| | +- keys
| | | +- ***@9292aa36 keys=0
| | +- actions
| +- sun.nio.ch.ServerSocketChannelImpl[/0:0:0:0:0:0:0:0:8080]
| +- qtp-149401960-21-acceptor-***@6793ecf3-ServerConnector
@bce0c39e{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
+= ***@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
| +~ ***@74696830[9.4.8.v20171121] - STARTING
| +~ ***@qtp-149401960{STARTED,8<=8<=10,i=4,q=0} - STARTED
| +~ ***@fed832b4 -
STARTED
| +- ***@8d6ecdb
| += ***@7f664c55{SSL->http/1.1} - STARTED
| | += ***@1d40ef6d[provider=null,keyStore=file:///home/degenaro/eclipse-workspace.oxygen/jetty-test/jetty_server/resources/keystore,trustStore=null]
trustAll=false
keyStore is: /share/ibm-java-x86_64-8.0.4.6/jre/lib/security/cacerts
keyStore type is: jks
keyStore provider is:
init keystore
Finalizer thread, called close()
Finalizer thread, called closeInternal(true)
Finalizer thread, called closeSocket(true)
init keymanager of type IbmX509
trustStore is: /share/ibm-java-x86_64-8.0.4.6/jre/lib/security/cacerts
trustStore type is: jks
trustStore provider is:
init truststore

adding as trusted cert:
Subject: CN=Starfield Root Certificate Authority - G2, O="Starfield
Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Starfield Root Certificate Authority - G2, O="Starfield
Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Mon Aug 31 20:00:00 EDT 2009 until Thu Dec 31 18:59:59 EST 2037

adding as trusted cert:
Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999
Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.), O=Entrust.net
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999
Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.), O=Entrust.net
Algorithm: RSA; Serial number: 0x3863def8
Valid from Fri Dec 24 12:50:51 EST 1999 until Tue Jul 24 10:15:12 EDT 2029

adding as trusted cert:
Subject: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For
authorized use only", OU=Certification Services Division, O="thawte, Inc.",
C=US
Issuer: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For
authorized use only", OU=Certification Services Division, O="thawte, Inc.",
C=US
Algorithm: RSA; Serial number: 0x344ed55720d5edec49f42fce37db2b6d
Valid from Thu Nov 16 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
Subject: EMAILADDRESS=server-***@thawte.com, CN=Thawte Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=server-***@thawte.com, CN=Thawte Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x1
Valid from Wed Jul 31 20:00:00 EDT 1996 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
Subject: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com,
Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com,
Inc.", L=Scottsdale, ST=Arizona, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Mon Aug 31 20:00:00 EDT 2009 until Thu Dec 31 18:59:59 EST 2037

adding as trusted cert:
Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,
OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,
OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x8b5b75568454850b00cfaf3848ceb1a4
Valid from Thu Sep 30 20:00:00 EDT 1999 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
Subject: EMAILADDRESS=personal-***@thawte.com, CN=Thawte Personal
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-***@thawte.com, CN=Thawte Personal
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x123df0e7da2a2247a43889e08aeec967
Valid from Sun Dec 31 19:00:00 EST 1995 until Fri Jan 01 18:59:59 EST 2021

adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,
OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,
OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Algorithm: EC; Serial number: 0x2f80fe238c0e220f486712289187acb3
Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
Subject: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust,
Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust,
Inc.", C=US
Issuer: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust,
Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust,
Inc.", C=US
Algorithm: RSA; Serial number: 0x456b5054
Valid from Mon Nov 27 15:23:42 EST 2006 until Fri Nov 27 15:53:42 EST 2026

adding as trusted cert:
Subject: CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal
CA, O=TC TrustCenter GmbH, C=DE
Issuer: CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal
CA, O=TC TrustCenter GmbH, C=DE
Algorithm: RSA; Serial number: 0x1da200010002ecb76080788db606
Valid from Wed Mar 22 10:54:28 EST 2006 until Wed Dec 31 17:59:59 EST 2025

adding as trusted cert:
Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
Algorithm: RSA; Serial number: 0x10020
Valid from Tue Jun 11 06:46:39 EDT 2002 until Fri Jun 11 06:46:39 EDT 2027

adding as trusted cert:
Subject: CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network,
O=AddTrust AB, C=SE
Issuer: CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network,
O=AddTrust AB, C=SE
Algorithm: RSA; Serial number: 0x1
Valid from Tue May 30 06:44:50 EDT 2000 until Sat May 30 06:44:50 EDT 2020

adding as trusted cert:
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Algorithm: RSA; Serial number: 0x70bae41d10d92934b638ca7b03ccbabf
Valid from Sun Jan 28 19:00:00 EST 1996 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
Subject: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
Issuer: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
Algorithm: RSA; Serial number: 0x2
Valid from Tue Oct 26 04:38:03 EDT 2010 until Fri Oct 26 04:38:03 EDT 2040

adding as trusted cert:
Subject: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0xbb401c43f55e4fb0
Valid from Wed Oct 25 04:30:35 EDT 2006 until Sat Oct 25 04:30:35 EDT 2036

adding as trusted cert:
Subject: CN=Certum Trusted Network CA 2, OU=Certum Certification
Authority, O=Unizeto Technologies S.A., C=PL
Issuer: CN=Certum Trusted Network CA 2, OU=Certum Certification
Authority, O=Unizeto Technologies S.A., C=PL
Algorithm: RSA; Serial number: 0xb85914713f57df8f31c0333dd2d6197a2317b4eb
Valid from Thu Oct 06 04:39:56 EDT 2011 until Sat Oct 06 04:39:56 EDT 2046

adding as trusted cert:
Subject: CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The
USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Issuer: CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The
USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Algorithm: RSA; Serial number: 0x44be0c8b500021b411d32a6806a9ad69
Valid from Thu Jun 24 14:57:21 EDT 1999 until Mon Jun 24 15:06:30 EDT 2019

adding as trusted cert:
Subject: CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x509
Valid from Fri Nov 24 13:27:00 EST 2006 until Mon Nov 24 13:23:33 EST 2031

adding as trusted cert:
Subject: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center,
O=Deutsche Telekom AG, C=DE
Issuer: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center,
O=Deutsche Telekom AG, C=DE
Algorithm: RSA; Serial number: 0x26
Valid from Fri Jul 09 08:11:00 EDT 1999 until Tue Jul 09 19:59:00 EDT 2019

adding as trusted cert:
Subject: CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x78585f2ead2c194be3370735341328b596d46593
Valid from Thu Jan 12 12:27:44 EST 2012 until Sun Jan 12 12:27:44 EST 2042

adding as trusted cert:
Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Algorithm: RSA; Serial number: 0x3f691e819cf09a4af373ffb948a2e4dd
Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028

adding as trusted cert:
Subject: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at
https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,
OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x6ecc7aa5a7032009b8cebcf4e952d491
Valid from Sun Feb 07 19:00:00 EST 2010 until Fri Feb 07 18:59:59 EST 2020

adding as trusted cert:
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 2 Public Primary Certification Authority -
G2, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 2 Public Primary Certification Authority -
G2, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0xb92f60cc889fa17a4609b85b706c8aaf
Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,
OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,
OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x18dad19e267de8bb4a2158cdcc6b3b4a
Valid from Tue Nov 07 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Algorithm: RSA; Serial number: 0x400000000010f8626e60d
Valid from Fri Dec 15 03:00:00 EST 2006 until Wed Dec 15 03:00:00 EST 2021

adding as trusted cert:
Subject: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x5c6
Valid from Fri Nov 24 14:11:23 EST 2006 until Mon Nov 24 14:06:44 EST 2031

adding as trusted cert:
Subject: CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x2ef59b0228a7db7affd5a3a9eebd03a0cf126a1d
Valid from Thu Jan 12 15:26:32 EST 2012 until Sun Jan 12 15:26:32 EST 2042

adding as trusted cert:
Subject: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
Issuer: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
Algorithm: RSA; Serial number: 0x3770cfb5
Valid from Wed Jun 23 08:14:45 EDT 1999 until Sun Jun 23 08:14:45 EDT 2019

adding as trusted cert:
Subject: EMAILADDRESS=server-***@thawte.com, CN=Thawte Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=server-***@thawte.com, CN=Thawte Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x34a4fff630af4ca53c331742a1946675
Valid from Wed Jul 31 20:00:00 EDT 1996 until Fri Jan 01 18:59:59 EST 2021

adding as trusted cert:
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028

adding as trusted cert:
Subject: CN=QuoVadis Root Certification Authority, OU=Root Certification
Authority, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification
Authority, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x3ab6508b
Valid from Mon Mar 19 13:33:33 EST 2001 until Wed Mar 17 14:33:33 EDT 2021

adding as trusted cert:
Subject: CN=Class 3P Primary CA, O=Certplus, C=FR
Issuer: CN=Class 3P Primary CA, O=Certplus, C=FR
Algorithm: RSA; Serial number: 0xbf5cdbb6f21c6ec04deb7a023b36e879
Valid from Wed Jul 07 13:10:00 EDT 1999 until Sat Jul 06 19:59:59 EDT 2019

adding as trusted cert:
Subject: EMAILADDRESS=personal-***@thawte.com, CN=Thawte Personal
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-***@thawte.com, CN=Thawte Personal
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Sun Dec 31 19:00:00 EST 1995 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
Subject: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
Issuer: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
Algorithm: RSA; Serial number: 0x2
Valid from Tue Oct 26 04:28:58 EDT 2010 until Fri Oct 26 04:28:58 EDT 2040

adding as trusted cert:
Subject: OU=Security Communication EV RootCA1, O="SECOM Trust Systems
CO.,LTD.", C=JP
Issuer: OU=Security Communication EV RootCA1, O="SECOM Trust Systems
CO.,LTD.", C=JP
Algorithm: RSA; Serial number: 0x0
Valid from Tue Jun 05 22:12:32 EDT 2007 until Fri Jun 05 22:12:32 EDT 2037

adding as trusted cert:
Subject: CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For
authorized use only", O="thawte, Inc.", C=US
Issuer: CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For
authorized use only", O="thawte, Inc.", C=US
Algorithm: EC; Serial number: 0x35fc265cd9844fc93d263d579baed756
Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
Subject: EMAILADDRESS=personal-***@thawte.com, CN=Thawte Personal
Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape
Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-***@thawte.com, CN=Thawte Personal
Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape
Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Sun Dec 31 19:00:00 EST 1995 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
Subject: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008
VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008
VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x401ac46421b31321030ebbe4121ac51d
Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037

adding as trusted cert:
Subject: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust
AB, C=SE
Issuer: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust
AB, C=SE
Algorithm: RSA; Serial number: 0x1
Valid from Tue May 30 06:38:31 EDT 2000 until Sat May 30 06:38:31 EDT 2020

adding as trusted cert:
Subject: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,
L=Durbanville, ST=Western Cape, C=ZA
Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,
L=Durbanville, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Tue Dec 31 19:00:00 EST 1996 until Thu Dec 31 18:59:59 EST 2020

adding as trusted cert:
Subject: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A.,
SERIALNUMBER=A82743287, L=Madrid (see current address at
www.camerfirma.com/address), C=EU
Issuer: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A.,
SERIALNUMBER=A82743287, L=Madrid (see current address at
www.camerfirma.com/address), C=EU
Algorithm: RSA; Serial number: 0xc9cdd3e9d57d23ce
Valid from Fri Aug 01 08:31:40 EDT 2008 until Sat Jul 31 08:31:40 EDT 2038

adding as trusted cert:
Subject: EMAILADDRESS=***@valicert.com, CN=http://www.valicert.com/,
OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.",
L=ValiCert Validation Network
Issuer: EMAILADDRESS=***@valicert.com, CN=http://www.valicert.com/,
OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.",
L=ValiCert Validation Network
Algorithm: RSA; Serial number: 0x1
Valid from Fri Jun 25 18:23:48 EDT 1999 until Tue Jun 25 18:23:48 EDT 2019

adding as trusted cert:
Subject: CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For
authorized use only", OU=Certification Services Division, O="thawte, Inc.",
C=US
Issuer: CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For
authorized use only", OU=Certification Services Division, O="thawte, Inc.",
C=US
Algorithm: RSA; Serial number: 0x600197b746a7eab4b49ad64b2ff790fb
Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037

adding as trusted cert:
Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US
Algorithm: RSA; Serial number: 0x1a5
Valid from Wed Aug 12 20:29:00 EDT 1998 until Mon Aug 13 19:59:00 EDT 2018

adding as trusted cert:
Subject: EMAILADDRESS=premium-***@thawte.com, CN=Thawte Premium Server
CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape
Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=premium-***@thawte.com, CN=Thawte Premium Server
CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape
Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x36122296c5e338a520a1d25f4cd70954
Valid from Wed Jul 31 20:00:00 EDT 1996 until Fri Jan 01 18:59:59 EST 2021

adding as trusted cert:
Subject: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
Algorithm: EC; Serial number: 0x7497258ac73f7a54
Valid from Fri Jan 29 09:20:24 EST 2010 until Mon Dec 31 09:20:24 EST 2040

adding as trusted cert:
Subject: CN=Sonera Class1 CA, O=Sonera, C=FI
Issuer: CN=Sonera Class1 CA, O=Sonera, C=FI
Algorithm: RSA; Serial number: 0x24
Valid from Fri Apr 06 06:49:13 EDT 2001 until Tue Apr 06 06:49:13 EDT 2021

adding as trusted cert:
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 1 Public Primary Certification Authority -
G2, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 1 Public Primary Certification Authority -
G2, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x4cc7eaaa983e71d39310f83d3a899192
Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
Subject: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
Issuer: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
Algorithm: RSA; Serial number: 0x1121bc276c5547af584eefd4ced629b2a285
Valid from Mon May 25 20:00:00 EDT 2009 until Mon May 25 20:00:00 EDT 2020

adding as trusted cert:
Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c)
1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits
liab.), O=Entrust.net, C=US
Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c)
1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits
liab.), O=Entrust.net, C=US
Algorithm: RSA; Serial number: 0x374ad243
Valid from Tue May 25 12:09:40 EDT 1999 until Sat May 25 12:39:40 EDT 2019

adding as trusted cert:
Subject: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc,
C=US
Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc,
C=US
Algorithm: RSA; Serial number: 0x33af1e6a711a9a0bb2864b11d09fae5
Valid from Thu Aug 01 08:00:00 EDT 2013 until Fri Jan 15 07:00:00 EST 2038

SSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.ax
SSLContextImpl: Using X509TrustManager com.ibm.jsse2.aB
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
SSLv3 protocol was requested but was not enabled
| | +- Protocol Selections
| | | +- Enabled (size=3)
| | | | +- TLSv1
| | | | +- TLSv1.1
| | | | +- TLSv1.2
| | | +- Disabled (size=0)
| | +- Cipher Suite Selections
| | +- Enabled (size=15)
| | | +- SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
| | | +- SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
| | | +- SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
| | | +- SSL_RSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
| | +- Disabled (size=31)
| | +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
| | +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_FIPS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_SHA256 - JreDisabled:java.security
| += ***@a8cd160a[HTTP/1.1] - STARTED
| | +- ***@12228f86{32768/8192,8192/8192,https://:8443,[***@6b7b18a5]}
| += ***@ServerConnector@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
| | += ***@c1103942{s=0/1,p=0}@SelectorManager@***@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
| | += ***@5a5e403b id=0 keys=0 selected=0 actions=0 - STARTED
| | += ***@d8752858/***@a0c05928/PRODUCING/***@c1103942{s=0/1,p=0}@SelectorManager@***@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443} - STARTED
| | +- ***@a0c05928
| | +- keys
| | | +- ***@b35b5262 keys=0
| | +- actions
| +- sun.nio.ch.ServerSocketChannelImpl[/0:0:0:0:0:0:0:0:8443]
| +- qtp-149401960-23-acceptor-***@b20be6a6-***@2909406e{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
+= ***@d7f449c5[***@90e16429, ***@603dc6d8] - STARTED
| += ***@90e16429 - STARTED
| += ***@603dc6d8 - STARTED
+= ***@e3a93338 - STARTED
+> sun.misc.Launcher$***@404d29ca
+- file:/home/degenaro/eclipse-workspace.oxygen/jetty-test-9-4-8/bin/
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/alpn-api-1.1.3.v20160715.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/cdi-2-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/cdi-core-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/cdi-servlet-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-conscrypt-server-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-java-server-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-openjdk8-server-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-alpn-server-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-annotations-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-client-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-continuation-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-deploy-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-gcloud-session-manager-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-hazelcast-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-http-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-infinispan-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-io-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jaas-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jaspi-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jmx-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-jndi-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-memcached-sessions-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-nosql-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-plus-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-proxy-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-quickstart-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-rewrite-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-schemas-3.1.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-security-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-server-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-servlet-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-servlets-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-unixsocket-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-util-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-webapp-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/jetty-xml-9.4.8.v20171121.jar
+- file:/home/degenaro/test/jetty-distribution-9.4.8.v20171121/lib/servlet-api-3.1.jar
+- sun.misc.Launcher$***@cf86cb9f
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dtfj-interface.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/localedata.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/IBMSecureRandom.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/traceformat.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmjcefips.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/jverbs.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmcmsprovider.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dnsns.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dtfjview.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/nashorn.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/zipfs.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/cldrdata.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/xmlencfw.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmpkcs11impl.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmxmldsigprovider.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/gskikm.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/CmpCrmf.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/jaccess.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/healthcenter.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmsaslprovider.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmkeycert.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmxmlcrypto.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmxmlencprovider.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/ibmjceprovider.jar
+- file:/share/ibm-java-x86_64-8.0.4.6/jre/lib/ext/dtfj.jar
2018-03-14 11:37:47.846:INFO:oejs.Server:main: Started @2577ms
Using SSLEngineImpl.
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate
set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake
per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check
during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to
OFF or default
IBMJSSE2 will allow client initiated renegotiation per
jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default

Is initial handshake: true
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
[Raw read]: length = 5
0000: 16 03 01 00 9d .....

[Raw read]: length = 157
0000: 01 00 00 99 03 03 05 85 07 79 1b 58 d2 ef e6 25 .........y.X....
0010: 2f b0 15 b9 8a d6 15 5f c2 70 21 52 84 eb 82 1f .........p.R....
0020: 4c a0 64 48 c3 ba 00 00 1e c0 2c c0 0a c0 2b cc L.dH............
0030: a9 c0 09 c0 30 c0 14 c0 2f cc a8 c0 13 00 39 00 ....0.........9.
0040: 33 00 35 00 2f 00 0a 01 00 00 52 00 17 00 00 ff 3.5.......R.....
0050: 01 00 01 00 00 0a 00 0a 00 08 00 1d 00 17 00 18 ................
0060: 00 19 00 0b 00 02 01 00 00 23 00 00 00 10 00 0e ................
0070: 00 0c 02 68 32 08 68 74 74 70 2f 31 2e 31 00 05 ...h2.http.1.1..
0080: 00 05 01 00 00 00 00 00 0d 00 12 00 10 04 03 05 ................
0090: 03 06 03 04 01 05 01 06 01 02 03 02 01 .............

qtp-149401960-22, READ: TLSv1 Handshake, length = 157
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
*** ClientHello, TLSv1.2
RandomCookie: GMT: 75827065 bytes = { 27, 88, 210, 239, 230, 37, 47, 176,
21, 185, 138, 214, 21, 95, 194, 112, 33, 82, 132, 235, 130, 31, 76, 160,
100, 72, 195, 186 }
Session ID: {}
Cipher Suites: [SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9,
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa8,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension type_23, data:
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1,
secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_16, data:
00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Extension signature_algorithms, signature_algorithms: SHA256withECDSA,
SHA384withECDSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA,
SHA512withRSA, SHA1withECDSA, SHA1withRSA
***
[read] MD5 and SHA1 hashes: len = 157
JsseJCE: Using MessageDigest MD5 from provider IBMJCE version 1.8
JsseJCE: Using MessageDigest SHA from provider IBMJCE version 1.8
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp-149401960-22, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp-149401960-22, SEND TLSv1 ALERT: fatal, description = handshake_failure
qtp-149401960-22, WRITE: TLSv1 Alert, length = 2
qtp-149401960-22, fatal: engine already closed. Rethrowing
javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp-149401960-22, called closeOutbound()
qtp-149401960-22, closeOutboundInternal()
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28 ......
Post by Joakim Erdfelt
Your server has no handlers, none, completely empty.
Perhaps you missed the ...
server.setHandler(resourceHandler);
Better yet, use ...
HandlerList handlers = new HandlerList();
handlers.addHandler(resourceHandler);
handlers.addHandler(new DefaultHandler()); // always last
server.setHandler(handlers);
Also, add this before your server.start();
server.setDumpAfterStart(true);
server.start();
server.join();
That should produce the dump I mentioned in the prior email.
Post by Joakim Erdfelt
Have you attempted to configure the SSL Cipher Suites on the Jetty server
side?
NO. I'm using vanilla jetty as shipped. Is there something else I
need to do?
Code shown below.
Thanks.
Lou.
    private void server_main(String[] args) {
        try {
            // === jetty.xml ===
            // Setup Threadpool
            QueuedThreadPool threadPool = new QueuedThreadPool();
            threadPool.setMaxThreads(max_threads);
            // Server
            server = new Server(threadPool);
            // Scheduler
            server.addBean(new ScheduledExecutorScheduler());
            // === jetty-http.xml ===
            ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
            http.setPort(port_http);
            http.setIdleTimeout(idle_timeout);
            server.addConnector(http);
            // === jetty-https.xml ===
            // SSL Context Factory
            SslContextFactory sslContextFactory = new SslContextFactory();
            HttpConfiguration http_config = new HttpConfiguration();
            http_config.setSecureScheme("https");
            http_config.setSecurePort(port_https);
            HttpConfiguration https_config = new HttpConfiguration(http_config);
            https_config.addCustomizer(new SecureRequestCustomizer());
            ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, "http/1.1"),
                new HttpConnectionFactory(https_config));
            https.setPort(port_https);
            sslContextFactory.setKeyStorePath(keystore);
            sslContextFactory.setKeyStorePassword(keystore_password);
            sslContextFactory.setKeyManagerPassword(keymanager_password);
            server.setConnectors(new Connector[] { http });
            server.addConnector(https);
            //
            ResourceHandler resourceHandler = new ResourceHandler();
            resourceHandler.setDirectoriesListed(true);
            resourceHandler.setResourceBase(jetty_server_root);
            server.start();
            server.join();
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
Have you attempted to configure the SSL Cipher Suites on the Jetty
server side?
If you enable the jetty startup dump you'll see the list of enabled
cipher suites and protocols that Jetty is running with (including the
reason why a specific available protocol or cipher suite is disabled).
$ java -jar /path/to/my/jetty-home/start.jar jetty.server.dumpAfterStart=true
t/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore,trustStore=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.v20171121/demo-base/etc/keystore]
trustAll=false
| | +- Protocol Selections
| | | +- Enabled (size=3)
| | | | +- TLSv1
| | | | +- TLSv1.1
| | | | +- TLSv1.2
| | | +- Disabled (size=2)
| | | +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
| | | +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
| | +- Cipher Suite Selections
| | +- Enabled (size=29)
| | | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
| | | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
| | | +- TLS_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_256_GCM_SHA384
| | +- Disabled (size=53)
| | +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
| | +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security
Post by Lou DeGenaro
Still having (likely user error) issues with SSL. I generate my
/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 -keystore /home/webserver/etc/keystore -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh
I run jetty 9.4.8 with java 1.8 and the keystore.
I visit https://myhost:8443/ using Firefox 52.4.0 (64-bit) and my
SSL_ERROR_NO_CYPHER_OVERLAP
Thanks for your advice.
Lou.
Post by Greg Wilkins
Is jetty.keystore.password set anywhere? If it is set, is it
set to your password?
Try hard-coding it in the XML to debug before playing with parameters.
cheers
yep.
On Sat, Mar 10, 2018 at 12:59 PM, John English <
Post by John English
Post by Lou DeGenaro
<Set name="KeyStorePassword"><Property
name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property
name="jetty.truststore.password" default="my-password"/></Set>
The keystore password and truststore password are really the same?
Are you sure?
--
John English
_______________________________________________
jetty-users mailing list
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
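The "no cipher suites in common" failure in the log above can be worked through offline from the captured ClientHello. The following is example code added to this thread, not code from Jetty or from the poster: it parses the 157-byte ClientHello from the "[Raw read]" dump, names the suites Firefox offered, and filters them by Jetty's enabled list (taken from Joakim's dump, so treating it as this server's list is an assumption), by the suites the IBM JVM logged as unsupported, and by the RSA key type shown for the keystore entry.

```python
import re

# ClientHello handshake body, copied row by row from the "[Raw read]:
# length = 157" dump in the IBMJSSE2 debug output quoted above.
CLIENT_HELLO = bytes.fromhex(" ".join([
    "01 00 00 99 03 03 05 85 07 79 1b 58 d2 ef e6 25",
    "2f b0 15 b9 8a d6 15 5f c2 70 21 52 84 eb 82 1f",
    "4c a0 64 48 c3 ba 00 00 1e c0 2c c0 0a c0 2b cc",
    "a9 c0 09 c0 30 c0 14 c0 2f cc a8 c0 13 00 39 00",
    "33 00 35 00 2f 00 0a 01 00 00 52 00 17 00 00 ff",
    "01 00 01 00 00 0a 00 0a 00 08 00 1d 00 17 00 18",
    "00 19 00 0b 00 02 01 00 00 23 00 00 00 10 00 0e",
    "00 0c 02 68 32 08 68 74 74 70 2f 31 2e 31 00 05",
    "00 05 01 00 00 00 00 00 0d 00 12 00 10 04 03 05",
    "03 06 03 04 01 05 01 06 01 02 03 02 01",
]))

# IANA names of the offered suites (the IBM log prints them with an SSL_ prefix
# and shows the two ChaCha20 suites as "Unknown 0xcc:0xa9" / "Unknown 0xcc:0xa8").
SUITE_NAMES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Jetty's default exclusion pattern, as printed in the dump ("ConfigExcluded").
JETTY_EXCLUDE = re.compile(r"^.*_(MD5|SHA|SHA1)$")

# The 29 "Enabled" suites from Joakim's jetty.server.dumpAfterStart output: each
# key exchange gets AES-128 CBC/GCM and AES-256 CBC/GCM, plus the SCSV.
_KX_MAC = {"DHE_DSS": "SHA256", "DHE_RSA": "SHA256", "RSA": "SHA256",
           "ECDHE_ECDSA": "SHA384", "ECDHE_RSA": "SHA384",
           "ECDH_ECDSA": "SHA384", "ECDH_RSA": "SHA384"}
JETTY_ENABLED = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"} | {
    f"TLS_{kx}_WITH_{cipher}" for kx, mac in _KX_MAC.items()
    for cipher in ("AES_128_CBC_SHA256", "AES_128_GCM_SHA256",
                   f"AES_256_CBC_{mac}", "AES_256_GCM_SHA384")}

# Suites the IBM JVM logged as "Ignoring unsupported cipher suite" (SSL_ -> TLS_).
IBM_UNSUPPORTED = {f"TLS_{kx}_WITH_AES_128_{mode}_SHA256"
                   for kx in _KX_MAC for mode in ("CBC", "GCM")}


def _u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")


def parse_client_hello(body):
    """Parse a TLS 1.2 ClientHello handshake body (RFC 5246, section 7.4.1.2)."""
    if body[0] != 0x01 or int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("not a well-formed ClientHello")
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + body[pos]                  # session id
    count = _u16(body, pos)
    pos += 2
    suites = [_u16(body, i) for i in range(pos, pos + count, 2)]
    pos += count
    pos += 1 + body[pos]                  # compression methods
    end = pos + 2 + _u16(body, pos)
    pos += 2
    extensions = {}
    while pos < end:
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        extensions[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    if pos != end:
        raise ValueError("extension block length mismatch")
    alpn = []                             # extension 16 = ALPN (RFC 7301)
    if 16 in extensions:
        data, i = extensions[16], 2
        while i < 2 + _u16(data, 0):
            alpn.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
            i += 1 + data[i]
    return {"suites": suites, "extensions": sorted(extensions), "alpn": alpn}


def diagnose(body, enabled=JETTY_ENABLED, unsupported=IBM_UNSUPPORTED, key="RSA"):
    hello = parse_client_hello(body)
    offered = [SUITE_NAMES.get(c, f"unknown_0x{c:04x}") for c in hello["suites"]]
    common = [s for s in offered if s in enabled]
    # A suite's authentication must match the server certificate's key type; the
    # keystore above holds an RSA key, so no *_ECDSA_* suite is selectable here.
    candidates = [s for s in common if s not in unsupported
                  and s.split("_WITH_")[0].endswith("_" + key)]
    return {"offered": offered, "alpn": hello["alpn"], "extensions": hello["extensions"],
            "excluded_by_jetty": [s for s in offered if JETTY_EXCLUDE.match(s)],
            "common": common, "candidates": candidates}
```

Of the four suites the browser and Jetty agree on, only TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 survives the two extra filters; the log on this page does not show why the IBM JVM did not select it, so that is the suite to check against the IBM TLS configuration.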
Joakim Erdfelt
2018-03-14 16:24:18 UTC
Permalink
Don't use the IBM JVM, use the Oracle or OpenJDK JVM and try again.

If it works for you then you can be sure of a few things ...

* The keystore is sane, it's not your problem anymore.
* The IBM JVM is not sane, look into its cipher suites and protocols.

A quick comparison shows that it has half the cipher suites that the Oracle JVM
or OpenJDK has.

Note that the IBM JVM has a non-standard TLS configuration.
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html

Also note: if you plan on using HTTP/2 you cannot use the IBM JVM (not
supported), you must use the Oracle or OpenJDK JVMs.
Post by Lou DeGenaro
No improvement. Revised code and console shown below.
Thanks.
Lou.
-----
    private void server_main(String[] args) {
        try {
            // === jetty.xml ===
            // Setup Threadpool
            QueuedThreadPool threadPool = new QueuedThreadPool();
            threadPool.setMaxThreads(max_threads);
            // Server
            server = new Server(threadPool);
            // Scheduler
            server.addBean(new ScheduledExecutorScheduler());
            // === jetty-http.xml ===
            ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
            http.setPort(port_http);
            http.setIdleTimeout(idle_timeout);
            server.addConnector(http);
            // === jetty-https.xml ===
            // SSL Context Factory
            SslContextFactory sslContextFactory = new SslContextFactory();
            HttpConfiguration http_config = new HttpConfiguration();
            http_config.setSecureScheme("https");
            http_config.setSecurePort(port_https);
            HttpConfiguration https_config = new HttpConfiguration(http_config);
            https_config.addCustomizer(new SecureRequestCustomizer());
            ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, "http/1.1"),
                new HttpConnectionFactory(https_config));
            https.setPort(port_https);
            sslContextFactory.setKeyStorePath(keystore);
            sslContextFactory.setKeyStorePassword(keystore_password);
            sslContextFactory.setKeyManagerPassword(keymanager_password);
            server.setConnectors(new Connector[] { http });
            server.addConnector(https);
            //
            ResourceHandler resourceHandler = new ResourceHandler();
            resourceHandler.setDirectoriesListed(true);
            resourceHandler.setResourceBase(jetty_server_root);
            HandlerList handlers = new HandlerList();
            handlers.addHandler(resourceHandler);
            handlers.addHandler(new DefaultHandler()); // always last
            server.setHandler(handlers);
            server.setDumpAfterStart(true);
            server.start();
            server.join();
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
-----
org.eclipse.jetty.util.log.StdErrLog
2018-03-14 11:37:45.825:INFO:oejs.Server:main: jetty-9.4.8.v20171121, 82b8fb23f757335bb3329d540ce37a2a2615f0a8
2018-03-14 11:37:45.922:INFO:oejs.AbstractConnector:main: Started
IBMJSSE2 will not allow protocol SSLv3 per com.ibm.jsse2.disableSSLv3 set to TRUE or default
IBMJSSEProvider2 Build-Level: -20170331
/home/degenaro/eclipse-workspace.oxygen/jetty-test/jetty_server/resources/keystore,trustStore=null]
***
found key for : jetty
chain [0] = [
[
Version: V3
Subject: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Validity: [From: Wed Mar 07 15:56:33 EST 2018, To: Sun Jul 23 16:56:33 EDT 2045]
Issuer: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
SerialNumber: [1372056716]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: d5 93 ce ef 56 40 f2 e8 54 f0 02 22 ed 77 36 fd ....V...T....w6.
0010: 4c 3f bb 73 L..s
]
]
]
Algorithm: [SHA256withRSA]
]
***
Subject: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
Issuer: CN=org.apache.uima.ducc, OU=uima.ducc, O=Apache, L=Wilmington, ST=Delaware, C=USA
Algorithm: RSA; Serial number: 0x51c7ec8c
Valid from Wed Mar 07 15:56:33 EST 2018 until Sun Jul 23 16:56:33 EDT 2045
Installed Providers =
IBMJSSE2
IBMJCE
IBMJGSSProvider
IBMCertPath
IBMSASL
IBMXMLCRYPTO
IBMXMLEnc
IBMSPNEGO
SUN
SSLContextImpl: Using X509ExtendedKeyManager org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager
SSLContextImpl: Using X509TrustManager com.ibm.jsse2.aB
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
JsseJCE: Using signature SHA1withECDSA from provider TBD via init
JsseJCE: Using signature NONEwithECDSA from provider TBD via init
JsseJCE: Using KeyAgreement ECDH from provider IBMJCE version 1.8
JsseJCE: Using KeyFactory EC from provider IBMJCE version 1.8
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
jdk.tls.client.protocols is defined as null
SSLv3 protocol was requested but was not enabled
SSLv3 protocol was requested but was not enabled
SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
IBMJSSE2 will enable CBC protection
Using SSLEngineImpl.
2018-03-14 11:37:47.170:INFO:oejs.AbstractConnector:main: Started
/home/degenaro/eclipse-workspace.oxygen/jetty-test/jetty_server/resources/keystore,trustStore=null]
trustAll=false
keyStore is: /share/ibm-java-x86_64-8.0.4.6/jre/lib/security/cacerts
keyStore type is: jks
init keystore
Finalizer thread, called close()
Finalizer thread, called closeInternal(true)
Finalizer thread, called closeSocket(true)
init keymanager of type IbmX509
trustStore is: /share/ibm-java-x86_64-8.0.4.6/jre/lib/security/cacerts
trustStore type is: jks
init truststore
Issuer: CN=Chambers of Commerce Root, OU=http://www.chambersign.org,
O=AC Camerfirma SA CIF A82743287, C=EU
Algorithm: RSA; Serial number: 0x0
Valid from Tue Sep 30 12:13:43 EDT 2003 until Wed Sep 30 12:13:44 EDT 2037
Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Algorithm: RSA; Serial number: 0xcdba7f56f0dfe4bc54fe22acb372aa55
Valid from Sun Jan 28 19:00:00 EST 1996 until Tue Aug 01 19:59:59 EDT 2028
Subject: CN=VeriSign Class 3 Public Primary Certification Authority -
G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority -
G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x9b7e0649a33e62b9d5ee90487129ef57
Valid from Thu Sep 30 20:00:00 EDT 1999 until Wed Jul 16 19:59:59 EDT 2036
Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Algorithm: RSA; Serial number: 0x40000000001154b5ac394
Valid from Tue Sep 01 08:00:00 EDT 1998 until Fri Jan 28 07:00:00 EST 2028
Subject: CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The
USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Issuer: CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The
USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Algorithm: RSA; Serial number: 0x44be0c8b500024b411d3362de0b35f1b
Valid from Fri Jul 09 14:31:20 EDT 1999 until Tue Jul 09 14:40:36 EDT 2019
Subject: CN=AffirmTrust Networking, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Networking, O=AffirmTrust, C=US
Algorithm: RSA; Serial number: 0x7c4f04391cd4992d
Valid from Fri Jan 29 09:08:24 EST 2010 until Tue Dec 31 09:08:24 EST 2030
Subject: CN=AffirmTrust Premium, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Premium, O=AffirmTrust, C=US
Algorithm: RSA; Serial number: 0x6d8c1446b1a60aee
Valid from Fri Jan 29 09:10:36 EST 2010 until Mon Dec 31 09:10:36 EST 2040
Subject: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Algorithm: RSA; Serial number: 0x2d1bfc4a178da391ebe7fff58b45be0b
Valid from Sun Jan 28 19:00:00 EST 1996 until Tue Aug 01 19:59:59 EDT 2028
Subject: CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA,
O=TC TrustCenter GmbH, C=DE
Issuer: CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA,
O=TC TrustCenter GmbH, C=DE
Algorithm: RSA; Serial number: 0x5c00001000241d0060a4dce7510
Valid from Thu Mar 23 09:10:23 EST 2006 until Wed Dec 31 17:59:59 EST 2025
Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust,
O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust,
O=Baltimore, C=IE
Algorithm: RSA; Serial number: 0x20000bf
Valid from Wed May 17 10:01:00 EDT 2000 until Sat May 17 19:59:00 EDT 2025
Subject: CN=America Online Root Certification Authority 2, O=America
Online Inc., C=US
Issuer: CN=America Online Root Certification Authority 2, O=America
Online Inc., C=US
Algorithm: RSA; Serial number: 0x1
Valid from Tue May 28 02:00:00 EDT 2002 until Tue Sep 29 10:08:00 EDT 2037
Subject: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A.,
SERIALNUMBER=A82743287, L=Madrid (see current address at
www.camerfirma.com/address), C=EU
Issuer: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A.,
SERIALNUMBER=A82743287, L=Madrid (see current address at
www.camerfirma.com/address), C=EU
Algorithm: RSA; Serial number: 0xae8219053f5e8271
Valid from Wed Dec 07 06:29:21 EST 2011 until Sat Jul 31 07:29:21 EDT 2038
Subject: CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008
GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008
GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
Algorithm: RSA; Serial number: 0x15ac6e9419b2794b41f627a9c3180f1f
Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037
Subject: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A.,
SERIALNUMBER=A82743287, L=Madrid (see current address at
www.camerfirma.com/address), C=EU
Issuer: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A.,
SERIALNUMBER=A82743287, L=Madrid (see current address at
www.camerfirma.com/address), C=EU
Algorithm: RSA; Serial number: 0xa3da427ea4b1aeda
Valid from Fri Aug 01 08:29:50 EDT 2008 until Sat Jul 31 08:29:50 EDT 2038
Subject: CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4f1bd42f54bb2f4b
Valid from Wed Oct 25 04:32:46 EDT 2006 until Sat Oct 25 04:32:46 EDT 2036
Subject: CN=Entrust Root Certification Authority - G2, OU="(c) 2009
Entrust, Inc. - for authorized use only", OU=See
www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Issuer: CN=Entrust Root Certification Authority - G2, OU="(c) 2009
Entrust, Inc. - for authorized use only", OU=See
www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Algorithm: RSA; Serial number: 0x4a538c28
Valid from Tue Jul 07 13:25:54 EDT 2009 until Sat Dec 07 12:55:54 EST 2030
Subject: CN=DigiCert Assured ID Root CA, OU=www.digicert.com,
O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com,
O=DigiCert Inc, C=US
Algorithm: RSA; Serial number: 0xce7e0e517d846fe8fe560fc1bf03039
Valid from Thu Nov 09 19:00:00 EST 2006 until Sun Nov 09 19:00:00 EST 2031
Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy
Group, Inc.", C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy
Group, Inc.", C=US
Algorithm: RSA; Serial number: 0x0
Valid from Tue Jun 29 13:06:20 EDT 2004 until Thu Jun 29 13:06:20 EDT 2034
Subject: CN=AddTrust External CA Root, OU=AddTrust External TTP Network,
O=AddTrust AB, C=SE
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network,
O=AddTrust AB, C=SE
Algorithm: RSA; Serial number: 0x1
Valid from Tue May 30 06:48:38 EDT 2000 until Sat May 30 06:48:38 EDT 2020
Subject: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center,
O=T-Systems Enterprise Services GmbH, C=DE
Issuer: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center,
O=T-Systems Enterprise Services GmbH, C=DE
Algorithm: RSA; Serial number: 0x1
Valid from Wed Oct 01 06:29:56 EDT 2008 until Sat Oct 01 19:59:59 EDT 2033
Subject: CN=UTN-USERFirst-Client Authentication and Email, OU=
http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City,
ST=UT, C=US
Issuer: CN=UTN-USERFirst-Client Authentication and Email, OU=
http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City,
ST=UT, C=US
Algorithm: RSA; Serial number: 0x44be0c8b500024b411d336252567c989
Valid from Fri Jul 09 13:28:50 EDT 1999 until Tue Jul 09 13:36:58 EDT 2019
Subject: CN=Class 2 Primary CA, O=Certplus, C=FR
Issuer: CN=Class 2 Primary CA, O=Certplus, C=FR
Algorithm: RSA; Serial number: 0x85bd4bf3d8dae369f694d75fc3a54423
Valid from Wed Jul 07 13:05:00 EDT 1999 until Sat Jul 06 19:59:59 EDT 2019
Server CA, OU=Certification Services Division, O=Thawte Consulting cc,
L=Cape Town, ST=Western Cape, C=ZA
Server CA, OU=Certification Services Division, O=Thawte Consulting cc,
L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x1
Valid from Wed Jul 31 20:00:00 EDT 1996 until Thu Dec 31 18:59:59 EST 2020
Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Algorithm: RSA; Serial number: 0x23456
Valid from Tue May 21 00:00:00 EDT 2002 until Sat May 21 00:00:00 EDT 2022
Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4eb200670c035d4f
Valid from Wed Oct 25 04:36:00 EDT 2006 until Sat Oct 25 04:36:00 EDT 2036
Subject: CN=VeriSign Class 2 Public Primary Certification Authority -
G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 2 Public Primary Certification Authority -
G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x6170cb498c5f984529e7b0a6d9505b7a
Valid from Thu Sep 30 20:00:00 EDT 1999 until Wed Jul 16 19:59:59 EDT 2036
Subject: CN=Starfield Root Certificate Authority - G2, O="Starfield
Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Starfield Root Certificate Authority - G2, O="Starfield
Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Mon Aug 31 20:00:00 EDT 2009 until Thu Dec 31 18:59:59 EST 2037
Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999
Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.), O=Entrust.net
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999
Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.), O=Entrust.net
Algorithm: RSA; Serial number: 0x3863def8
Valid from Fri Dec 24 12:50:51 EST 1999 until Tue Jul 24 10:15:12 EDT 2029
Subject: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For
authorized use only", OU=Certification Services Division, O="thawte, Inc.",
C=US
Issuer: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For
authorized use only", OU=Certification Services Division, O="thawte, Inc.",
C=US
Algorithm: RSA; Serial number: 0x344ed55720d5edec49f42fce37db2b6d
Valid from Thu Nov 16 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x1
Valid from Wed Jul 31 20:00:00 EDT 1996 until Thu Dec 31 18:59:59 EST 2020
Subject: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com,
Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com,
Inc.", L=Scottsdale, ST=Arizona, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Mon Aug 31 20:00:00 EDT 2009 until Thu Dec 31 18:59:59 EST 2037
Subject: CN=VeriSign Class 1 Public Primary Certification Authority -
G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 1 Public Primary Certification Authority -
G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x8b5b75568454850b00cfaf3848ceb1a4
Valid from Thu Sep 30 20:00:00 EDT 1999 until Wed Jul 16 19:59:59 EDT 2036
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x123df0e7da2a2247a43889e08aeec967
Valid from Sun Dec 31 19:00:00 EST 1995 until Fri Jan 01 18:59:59 EST 2021
Subject: CN=VeriSign Class 3 Public Primary Certification Authority -
G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority -
G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US
Algorithm: EC; Serial number: 0x2f80fe238c0e220f486712289187acb3
Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038
Subject: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust,
Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust,
Inc.", C=US
Issuer: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust,
Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust,
Inc.", C=US
Algorithm: RSA; Serial number: 0x456b5054
Valid from Mon Nov 27 15:23:42 EST 2006 until Fri Nov 27 15:53:42 EST 2026
Subject: CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal
CA, O=TC TrustCenter GmbH, C=DE
Issuer: CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal
CA, O=TC TrustCenter GmbH, C=DE
Algorithm: RSA; Serial number: 0x1da200010002ecb76080788db606
Valid from Wed Mar 22 10:54:28 EST 2006 until Wed Dec 31 17:59:59 EST 2025
Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
Algorithm: RSA; Serial number: 0x10020
Valid from Tue Jun 11 06:46:39 EDT 2002 until Fri Jun 11 06:46:39 EDT 2027
Subject: CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network,
O=AddTrust AB, C=SE
Issuer: CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network,
O=AddTrust AB, C=SE
Algorithm: RSA; Serial number: 0x1
Valid from Tue May 30 06:44:50 EDT 2000 until Sat May 30 06:44:50 EDT 2020
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Algorithm: RSA; Serial number: 0x70bae41d10d92934b638ca7b03ccbabf
Valid from Sun Jan 28 19:00:00 EST 1996 until Tue Aug 01 19:59:59 EDT 2028
Subject: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
Issuer: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
Algorithm: RSA; Serial number: 0x2
Valid from Tue Oct 26 04:38:03 EDT 2010 until Fri Oct 26 04:38:03 EDT 2040
Subject: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0xbb401c43f55e4fb0
Valid from Wed Oct 25 04:30:35 EDT 2006 until Sat Oct 25 04:30:35 EDT 2036
Subject: CN=Certum Trusted Network CA 2, OU=Certum Certification
Authority, O=Unizeto Technologies S.A., C=PL
Issuer: CN=Certum Trusted Network CA 2, OU=Certum Certification
Authority, O=Unizeto Technologies S.A., C=PL
Algorithm: RSA; Serial number: 0xb85914713f57df8f31c0333dd2d6
197a2317b4eb
Valid from Thu Oct 06 04:39:56 EDT 2011 until Sat Oct 06 04:39:56 EDT 2046
Subject: CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The
USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Issuer: CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The
USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Algorithm: RSA; Serial number: 0x44be0c8b500021b411d32a6806a9ad69
Valid from Thu Jun 24 14:57:21 EDT 1999 until Mon Jun 24 15:06:30 EDT 2019
Subject: CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x509
Valid from Fri Nov 24 13:27:00 EST 2006 until Mon Nov 24 13:23:33 EST 2031
Subject: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center,
O=Deutsche Telekom AG, C=DE
Issuer: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center,
O=Deutsche Telekom AG, C=DE
Algorithm: RSA; Serial number: 0x26
Valid from Fri Jul 09 08:11:00 EDT 1999 until Tue Jul 09 19:59:00 EDT 2019
Subject: CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x78585f2ead2c194be33707353413
28b596d46593
Valid from Thu Jan 12 12:27:44 EST 2012 until Sun Jan 12 12:27:44 EST 2042
Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Algorithm: RSA; Serial number: 0x3f691e819cf09a4af373ffb948a2e4dd
Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028
Subject: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at
https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network,
O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority -
G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x6ecc7aa5a7032009b8cebcf4e952d491
Valid from Sun Feb 07 19:00:00 EST 2010 until Fri Feb 07 18:59:59 EST 2020
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 2 Public Primary Certification Authority -
G2, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 2 Public Primary Certification Authority -
G2, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0xb92f60cc889fa17a4609b85b706c8aaf
Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028
Subject: CN=VeriSign Class 3 Public Primary Certification Authority -
G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority -
G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x18dad19e267de8bb4a2158cdcc6b3b4a
Valid from Tue Nov 07 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036
Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Algorithm: RSA; Serial number: 0x400000000010f8626e60d
Valid from Fri Dec 15 03:00:00 EST 2006 until Wed Dec 15 03:00:00 EST 2021
Subject: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x5c6
Valid from Fri Nov 24 14:11:23 EST 2006 until Mon Nov 24 14:06:44 EST 2031
Subject: CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x2ef59b0228a7db7affd5a3a9eebd
03a0cf126a1d
Valid from Thu Jan 12 15:26:32 EST 2012 until Sun Jan 12 15:26:32 EST 2042
Subject: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
Issuer: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
Algorithm: RSA; Serial number: 0x3770cfb5
Valid from Wed Jun 23 08:14:45 EDT 1999 until Sun Jun 23 08:14:45 EDT 2019
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x34a4fff630af4ca53c331742a1946675
Valid from Wed Jul 31 20:00:00 EDT 1996 until Fri Jan 01 18:59:59 EST 2021
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028
Subject: CN=QuoVadis Root Certification Authority, OU=Root Certification
Authority, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification
Authority, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x3ab6508b
Valid from Mon Mar 19 13:33:33 EST 2001 until Wed Mar 17 14:33:33 EDT 2021
Subject: CN=Class 3P Primary CA, O=Certplus, C=FR
Issuer: CN=Class 3P Primary CA, O=Certplus, C=FR
Algorithm: RSA; Serial number: 0xbf5cdbb6f21c6ec04deb7a023b36e879
Valid from Wed Jul 07 13:10:00 EDT 1999 until Sat Jul 06 19:59:59 EDT 2019
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Sun Dec 31 19:00:00 EST 1995 until Thu Dec 31 18:59:59 EST 2020
Subject: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
Issuer: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
Algorithm: RSA; Serial number: 0x2
Valid from Tue Oct 26 04:28:58 EDT 2010 until Fri Oct 26 04:28:58 EDT 2040
Subject: OU=Security Communication EV RootCA1, O="SECOM Trust Systems
CO.,LTD.", C=JP
Issuer: OU=Security Communication EV RootCA1, O="SECOM Trust Systems
CO.,LTD.", C=JP
Algorithm: RSA; Serial number: 0x0
Valid from Tue Jun 05 22:12:32 EDT 2007 until Fri Jun 05 22:12:32 EDT 2037
Subject: CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For
authorized use only", O="thawte, Inc.", C=US
Issuer: CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For
authorized use only", O="thawte, Inc.", C=US
Algorithm: EC; Serial number: 0x35fc265cd9844fc93d263d579baed756
Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038
Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape
Town, ST=Western Cape, C=ZA
Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape
Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Sun Dec 31 19:00:00 EST 1995 until Thu Dec 31 18:59:59 EST 2020
Subject: CN=VeriSign Universal Root Certification Authority, OU="(c)
2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Universal Root Certification Authority, OU="(c)
2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network,
O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x401ac46421b31321030ebbe4121ac51d
Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037
Subject: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network,
O=AddTrust AB, C=SE
Issuer: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network,
O=AddTrust AB, C=SE
Algorithm: RSA; Serial number: 0x1
Valid from Tue May 30 06:38:31 EDT 2000 until Sat May 30 06:38:31 EDT 2020
Subject: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,
L=Durbanville, ST=Western Cape, C=ZA
Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,
L=Durbanville, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Tue Dec 31 19:00:00 EST 1996 until Thu Dec 31 18:59:59 EST 2020
Subject: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A.,
SERIALNUMBER=A82743287, L=Madrid (see current address at
www.camerfirma.com/address), C=EU
Issuer: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A.,
SERIALNUMBER=A82743287, L=Madrid (see current address at
www.camerfirma.com/address), C=EU
Algorithm: RSA; Serial number: 0xc9cdd3e9d57d23ce
Valid from Fri Aug 01 08:31:40 EDT 2008 until Sat Jul 31 08:31:40 EDT 2038
OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.",
L=ValiCert Validation Network
OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.",
L=ValiCert Validation Network
Algorithm: RSA; Serial number: 0x1
Valid from Fri Jun 25 18:23:48 EDT 1999 until Tue Jun 25 18:23:48 EDT 2019
Subject: CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For
authorized use only", OU=Certification Services Division, O="thawte, Inc.",
C=US
Issuer: CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For
authorized use only", OU=Certification Services Division, O="thawte, Inc.",
C=US
Algorithm: RSA; Serial number: 0x600197b746a7eab4b49ad64b2ff790fb
Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037
Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US
Algorithm: RSA; Serial number: 0x1a5
Valid from Wed Aug 12 20:29:00 EDT 1998 until Mon Aug 13 19:59:00 EDT 2018
Server CA, OU=Certification Services Division, O=Thawte Consulting cc,
L=Cape Town, ST=Western Cape, C=ZA
Server CA, OU=Certification Services Division, O=Thawte Consulting cc,
L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x36122296c5e338a520a1d25f4cd70954
Valid from Wed Jul 31 20:00:00 EDT 1996 until Fri Jan 01 18:59:59 EST 2021
Subject: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
Algorithm: EC; Serial number: 0x7497258ac73f7a54
Valid from Fri Jan 29 09:20:24 EST 2010 until Mon Dec 31 09:20:24 EST 2040
Subject: CN=Sonera Class1 CA, O=Sonera, C=FI
Issuer: CN=Sonera Class1 CA, O=Sonera, C=FI
Algorithm: RSA; Serial number: 0x24
Valid from Fri Apr 06 06:49:13 EDT 2001 until Tue Apr 06 06:49:13 EDT 2021
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 1 Public Primary Certification Authority -
G2, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 1 Public Primary Certification Authority -
G2, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x4cc7eaaa983e71d39310f83d3a899192
Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028
Subject: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
Issuer: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
Algorithm: RSA; Serial number: 0x1121bc276c5547af584eefd4ced629b2a285
Valid from Mon May 25 20:00:00 EDT 2009 until Mon May 25 20:00:00 EDT 2020
Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c)
1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits
liab.), O=Entrust.net, C=US
Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c)
1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits
liab.), O=Entrust.net, C=US
Algorithm: RSA; Serial number: 0x374ad243
Valid from Tue May 25 12:09:40 EDT 1999 until Sat May 25 12:39:40 EDT 2019
Subject: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert
Inc, C=US
Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert
Inc, C=US
Algorithm: RSA; Serial number: 0x33af1e6a711a9a0bb2864b11d09fae5
Valid from Thu Aug 01 08:00:00 EDT 2013 until Fri Jan 15 07:00:00 EST 2038
SSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.ax
SSLContextImpl: Using X509TrustManager com.ibm.jsse2.aB
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
SSLv3 protocol was requested but was not enabled
| | +- Protocol Selections
| | | +- Enabled (size=3)
| | | | +- TLSv1
| | | | +- TLSv1.1
| | | | +- TLSv1.2
| | | +- Disabled (size=0)
| | +- Cipher Suite Selections
| | +- Enabled (size=15)
| | | +- SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
| | | +- SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
| | | +- SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
| | | +- SSL_RSA_WITH_AES_128_CBC_SHA256
| | | +- SSL_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
| | +- Disabled (size=31)
| | +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
| | +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_FIPS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_SHA256 - JreDisabled:java.security
0.0.0.0:8443} - STARTED
selected=0 actions=0 - STARTED
| | +- keys
| | +- actions
| +- sun.nio.ch.ServerSocketChannelImpl[/0:0:0:0:0:0:0:0:8443]
http/1.1]}{0.0.0.0:8443}
Using SSLEngineImpl.
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate
set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake
per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check
during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set
to OFF or default
IBMJSSE2 will allow client initiated renegotiation per jdk.tls.
rejectClientInitiatedRenegotiation set to FALSE or default
Is initial handshake: true
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
[Raw read]: length = 5
0000: 16 03 01 00 9d .....
[Raw read]: length = 157
0000: 01 00 00 99 03 03 05 85 07 79 1b 58 d2 ef e6 25 .........y.X....
0010: 2f b0 15 b9 8a d6 15 5f c2 70 21 52 84 eb 82 1f .........p.R....
0020: 4c a0 64 48 c3 ba 00 00 1e c0 2c c0 0a c0 2b cc L.dH............
0030: a9 c0 09 c0 30 c0 14 c0 2f cc a8 c0 13 00 39 00 ....0.........9.
0040: 33 00 35 00 2f 00 0a 01 00 00 52 00 17 00 00 ff 3.5.......R.....
0050: 01 00 01 00 00 0a 00 0a 00 08 00 1d 00 17 00 18 ................
0060: 00 19 00 0b 00 02 01 00 00 23 00 00 00 10 00 0e ................
0070: 00 0c 02 68 32 08 68 74 74 70 2f 31 2e 31 00 05 ...h2.http.1.1..
0080: 00 05 01 00 00 00 00 00 0d 00 12 00 10 04 03 05 ................
0090: 03 06 03 04 01 05 01 06 01 02 03 02 01 .............
qtp-149401960-22, READ: TLSv1 Handshake, length = 157
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
*** ClientHello, TLSv1.2
RandomCookie: GMT: 75827065 bytes = { 27, 88, 210, 239, 230, 37, 47, 176,
21, 185, 138, 214, 21, 95, 194, 112, 33, 82, 132, 235, 130, 31, 76, 160,
100, 72, 195, 186 }
Session ID: {}
Cipher Suites: [SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
Unknown 0xcc:0xa9, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa8,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1,
secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Extension signature_algorithms, signature_algorithms: SHA256withECDSA,
SHA384withECDSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA,
SHA512withRSA, SHA1withECDSA, SHA1withRSA
***
JsseJCE: Using MessageDigest MD5 from provider IBMJCE version 1.8
JsseJCE: Using MessageDigest SHA from provider IBMJCE version 1.8
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp-149401960-22, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp-149401960-22, SEND TLSv1 ALERT: fatal, description = handshake_failure
qtp-149401960-22, WRITE: TLSv1 Alert, length = 2
no cipher suites in common
qtp-149401960-22, called closeOutbound()
qtp-149401960-22, closeOutboundInternal()
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28 ......
Post by Joakim Erdfelt
Your server has no handlers, none, completely empty.
Perhaps you missed the ...
server.setHandler(resourceHandler);
Better yet, use ...
HandlerList handlers = new HandlerList();
handlers.addHandler(resourceHandler);
handlers.addHandler(new DefaultHandler()); // always last
server.setHandler(handlers);
Also, add this before your server.start();
server.setDumpAfterStart(true);
server.start();
server.join();
That should produce the dump I mentioned in the prior email.
Post by Joakim Erdfelt
Have you attempted to configure the SSL Cipher Suites on the Jetty
server side?
NO. I'm using vanilla jetty as shipped. Is there something else I
need to do?
Code shown below.
Thanks.
Lou.
private void server_main(String[] args) {
    try {
        // === jetty.xml ===
        // Setup Threadpool
        QueuedThreadPool threadPool = new QueuedThreadPool();
        threadPool.setMaxThreads(max_threads);
        // Server
        server = new Server(threadPool);
        // Scheduler
        server.addBean(new ScheduledExecutorScheduler());
        // === jetty-http.xml ===
        ServerConnector http = new ServerConnector(server, new HttpConnectionFactory());
        http.setPort(port_http);
        http.setIdleTimeout(idle_timeout);
        server.addConnector(http);
        // === jetty-https.xml ===
        // SSL Context Factory
        SslContextFactory sslContextFactory = new SslContextFactory();
        HttpConfiguration http_config = new HttpConfiguration();
        http_config.setSecureScheme("https");
        http_config.setSecurePort(port_https);
        HttpConfiguration https_config = new HttpConfiguration(http_config);
        https_config.addCustomizer(new SecureRequestCustomizer());
        ServerConnector https = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory, "http/1.1"),
            new HttpConnectionFactory(https_config));
        https.setPort(port_https);
        sslContextFactory.setKeyStorePath(keystore);
        sslContextFactory.setKeyStorePassword(keystore_password);
        sslContextFactory.setKeyManagerPassword(keymanager_password);
        server.setConnectors(new Connector[] { http });
        server.addConnector(https);
        // resourceHandler is built here but never passed to server.setHandler(),
        // so the server starts with no handlers at all
        ResourceHandler resourceHandler = new ResourceHandler();
        resourceHandler.setDirectoriesListed(true);
        resourceHandler.setResourceBase(jetty_server_root);
        server.start();
        server.join();
    }
    catch(Exception e) {
        e.printStackTrace();
    }
}
Have you attempted to configure the SSL Cipher Suites on the Jetty
server side?
If you enable the jetty startup dump you'll see the list of enabled
cipher suites and protocols that Jetty is running with (including the
reason why a specific available protocol or cipher suite is disabled).
$ java -jar /path/to/my/jetty-home/start.jar jetty.server.dumpAfterStart=true
vider=null,keyStore=file:///mnt/c/code/jetty/distros/jetty-d
istribution-9.4.8.v20171121/demo-base/etc/keystore,trustStor
e=file:///mnt/c/code/jetty/distros/jetty-distribution-9.4.8.
v20171121/demo-base/etc/keystore] trustAll=false
| | +- Protocol Selections
| | | +- Enabled (size=3)
| | | | +- TLSv1
| | | | +- TLSv1.1
| | | | +- TLSv1.2
| | | +- Disabled (size=2)
| | | +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
| | | +- SSLv3 - JreDisabled:java.security,
ConfigExcluded:'SSLv3'
| | +- Cipher Suite Selections
| | +- Enabled (size=29)
| | | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
| | | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
| | | +- TLS_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_256_GCM_SHA384
| | +- Disabled (size=53)
| | +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_DES_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_DES_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_DES_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_3DES_EDE_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_DES_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_MD5 -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 -
JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 -
JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 -
JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 -
JreDisabled:java.security
| | +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_NULL_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_NULL_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_NULL_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_NULL_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_NULL_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_MD5 -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_SHA -
JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_128_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_256_CBC_SHA -
ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_NULL_SHA256 -
JreDisabled:java.security
Post by Lou DeGenaro
Still having (likely user error) issues with SSL. I generate my
/share/jdk1.8/bin/keytool -genkey -noprompt -alias jetty -dname "CN=my.cn, OU=my.ou, O=my.o, L=my.l, S=my.s, C=my.c" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 10000 -keystore /home/webserver/etc/keystore -storepass uE9RVnqAXAh -keypass uE9RVnqAXAh
I run jetty 9.4.8 with java 1.8 and the keystore.
I visit https:/myhost:8443/ using Firefox 52.4.0 (64-bit) and my
SSL_ERROR_NO_CYPHER_OVERLAP
Thanks for your advice.
Lou.
Post by Greg Wilkins
Any jetty.keystore.password is not set anywhere? if it is set, is it
set to your password?
Try hard coding it in the XML to debug before playing with parameters.
cheers
yep.
On Sat, Mar 10, 2018 at 12:59 PM, John English <
Post by John English
Post by Lou DeGenaro
<Set name="KeyStorePassword"><Property
name="jetty.keystore.password" default="my-password"/></Set>
<Set name="TrustStorePassword"><Property
name="jetty.truststore.password" default="my-password"/></Set>
The keystore password and truststore password are really the same?
Are you sure?
--
John English
_______________________________________________
jetty-users mailing list
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Lothar Kimmeringer
2018-03-14 16:36:34 UTC
Permalink
Hi,
Post by Joakim Erdfelt
* The IBM JVM is not sane, look into its cipher suites and protocols.
A quick comparison shows that it has half the cipher suites that oracle jvm or openjdk has.
Not necessarily. At least the JVM for i Series has more or less the same
ciphers but the textual representation is not starting with TLS_... but SSL_...
so filters based on the textual representation will filter out most
of them (in my case where I found that out, all ciphers were filtered).

Here as an example -Djavax.net.debug=ssl:handshake output for a ClientHello
sent by an AS/400:

Cipher Suites: [
TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
SSL_RSA_WITH_AES_256_CBC_SHA256,
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
SSL_RSA_WITH_AES_128_CBC_SHA256,
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
SSL_RSA_WITH_AES_256_GCM_SHA384,
SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
SSL_RSA_WITH_AES_128_GCM_SHA256,
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]


Cheers, Lothar
Joakim Erdfelt
2018-03-14 16:47:43 UTC
Permalink
Post by Lou DeGenaro
Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP
The stated reason from Firefox for that error is that you lack the required
cipher suites for the updated TLS configuration present since FireFox 50.x

* https://support.mozilla.org/en-US/questions/1148536
* https://support.mozilla.org/en-US/questions/1153050
* https://support.mozilla.org/en-US/questions/1167953

Your IBM JVM reports 14 selected Cipher Suites (31 disabled) by default.
Oracle JVM reports 29 selected Cipher Suites (53 disabled) by default.

Conclusion: You have a cipher suite issue.

Try MSIE or FireFox 45 (suggestions made in the mozilla support forum). If
those work, then you have a Cipher Suite issue with your IBM JVM.
Lothar Kimmeringer
2018-03-14 16:53:15 UTC
Permalink
Hi,
Post by Joakim Erdfelt
Conclusion: You have a cipher suite issue.
I don't have any issues (I just added my 2 cents to this thread). My point is:
if we have a similar effect here as with JVMs on iSeries, where the JVM
reports ciphers "SSL_-something" and jetty is configured to only enable
ciphers "TLS_-something", the server might filter out all the "good ones",
leading to the situation that server and client don't share any ciphers,
which leads to this error.

The fix in that case would be to change the jetty-configuration of
enabled ciphers to the corresponding textual representations of these
ciphers on that particular system (replace TLS_ by SSL_ that is)


Cheers, Lothar
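An added illustration of the SSL_/TLS_ naming trap Lothar describes (example code written for this thread, not Jetty's own code and not code posted by anyone here): it approximates the include-then-exclude regex selection that Jetty's SslContextFactory applies to the JVM's supported suite names, then checks client/server overlap the way the handshake does. The suite lists are constructed from the IBM dump and the Firefox ClientHello quoted earlier in the thread; the Firefox list is written in OpenJDK spelling, which is an assumption, since the handshake carries code points rather than names.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Models Jetty-style cipher suite selection (include regexes first, then
 * exclude regexes, each matched against the whole suite name) followed by
 * the client/server overlap check. Added example; the lists below are
 * constructed from the traces quoted in this thread, not captured live.
 */
public class CipherSuiteOverlap {

    /** Names as the IBM JVM reports them (SSL_ prefix), constructed from the dump above. */
    static final List<String> IBM_SERVER_SUPPORTED = Arrays.asList(
        "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "SSL_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_NULL_SHA");

    /** Suites Firefox offered in the ClientHello quoted above, assumed in OpenJDK spelling. */
    static final List<String> FIREFOX_CLIENT_OFFERED = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA");

    /** The exclusion seen in the Jetty dumps above: anything ending in _MD5, _SHA or _SHA1. */
    static final String DEFAULT_EXCLUDE = "^.*_(MD5|SHA|SHA1)$";

    /** Keep suites matching any include (all suites if no includes), then drop any matching an exclude. */
    static List<String> select(List<String> supported, List<String> includes, List<String> excludes) {
        List<String> selected = new ArrayList<>();
        for (String suite : supported) {
            boolean included = includes.isEmpty();
            for (String inc : includes) {
                if (Pattern.matches(inc, suite)) { included = true; break; }
            }
            if (!included) continue;
            boolean excluded = false;
            for (String exc : excludes) {
                if (Pattern.matches(exc, suite)) { excluded = true; break; }
            }
            if (!excluded) selected.add(suite);
        }
        return selected;
    }

    /** The wire carries suite code points, not names, so compare with the vendor prefix removed. */
    static String canonical(String suite) {
        return suite.replaceFirst("^(SSL|TLS)_", "");
    }

    /** Suites both sides can use, in the client's preference order. */
    static List<String> common(List<String> clientOffered, List<String> serverEnabled) {
        Set<String> server = new LinkedHashSet<>();
        for (String s : serverEnabled) server.add(canonical(s));
        List<String> result = new ArrayList<>();
        for (String c : clientOffered) {
            if (server.contains(canonical(c))) result.add(c);
        }
        return result;
    }

    public static void main(String[] args) {
        List<String> exclude = Arrays.asList(DEFAULT_EXCLUDE);

        // 1. An include pattern written for the OpenJDK spelling: on the IBM JVM it
        //    matches nothing, so the server enables no suites and every handshake
        //    ends with "no cipher suites in common", as in the trace above.
        List<String> tlsOnly = select(IBM_SERVER_SUPPORTED, Arrays.asList("^TLS_ECDHE_.*"), exclude);
        System.out.println("TLS_-only include on IBM JVM enables: " + tlsOnly);
        System.out.println("  common with Firefox: " + common(FIREFOX_CLIENT_OFFERED, tlsOnly));

        // 2. A prefix-agnostic include: the forward-secret GCM suites survive the
        //    SHA-1 exclusion and overlap with what Firefox offers.
        List<String> eitherPrefix = select(IBM_SERVER_SUPPORTED, Arrays.asList("^(TLS|SSL)_ECDHE_.*"), exclude);
        System.out.println("prefix-agnostic include enables: " + eitherPrefix);
        System.out.println("  common with Firefox: " + common(FIREFOX_CLIENT_OFFERED, eitherPrefix));
    }
}
```

Run it with a plain JDK; the first case prints an empty enabled list and an empty overlap, the second enables the two ECDHE_RSA GCM suites and reports both as common with the client.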
Silvio Bierman
2018-03-14 16:53:28 UTC
Permalink
Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...


Sent from my Samsung Galaxy smartphone.
-------- Original message --------
From: Lothar Kimmeringer <***@kimmeringer.de>
Date: 3/14/18 17:36 (GMT+01:00)
To: jetty-***@eclipse.org
Subject: Re: [jetty-users] keystore
Joakim Erdfelt
2018-03-14 17:04:25 UTC
Permalink
Also, read and understand the linked-to issue on the IBM side for TLS (from
the prior message)

https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html

The IBM JVM apparently does not follow the OpenJDK standard naming of
things (which dozens of other alternate JVMs do); that article tells you
how to correct the startup of your IBM JVM to address that as well.



Joakim Erdfelt / ***@webtide.com

Post by Silvio Bierman
Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...
Sent from my Samsung Galaxy smartphone.
-------- Original message --------
Date: 3/14/18 17:36 (GMT+01:00)
Subject: Re: [jetty-users] keystore
Hi,
Post by Joakim Erdfelt
* The IBM JVM is not sane, look into its cipher suites and protocols.
A quick comparison shows that it has half the cipher suites that the Oracle
JVM or OpenJDK has.
Not necessarily. At least the JVM for i Series has more or less the same
ciphers, but the textual representation does not start with TLS_... but SSL_...,
so filters based on the textual representation will filter out most
of them (in my case where I found that out, all ciphers were filtered).
Here as an example -Djavax.net.debug=ssl:handshake output for a ClientHello
Cipher Suites: [...]
Cheers, Lothar
_______________________________________________
jetty-users mailing list
To change your delivery options, retrieve your password, or unsubscribe
from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Joakim Erdfelt
2018-03-14 17:10:29 UTC
Permalink
Also, with the IBM JVM you might have to configure the following on the
Jetty side ...

SslContextFactory ...

.setProtocol(String protocol) - this defaults to "TLS" (the OpenJDK
official name); yours is likely different (based on my reading of the IBM
JVM documentation).
.setProvider(String provider) - this defaults to "" (unset) as we use the
default provider, but your IBM JVM seems to want to do things "the IBM
way", not "the standard way".

As a last resort, you might need to create the javax.net.ssl.SSLContext
manually, the IBM way, and give it to the Jetty side via
SslContextFactory.setSslContext(SSLContext context).
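Two points in this thread fit one worked example: Lothar's observation that the IBM JVM reports its suites as SSL_... rather than TLS_..., so that any name-based include/exclude filter silently drops them, and Joakim's list of SslContextFactory knobs. The code below is an added example, not code from the thread or from the Jetty project. It is written against the Jetty 9 org.eclipse.jetty.util.ssl.SslContextFactory API, whose include/exclude cipher-suite entries are regular expressions matched against the JVM's supported suite names; the `select` helper is our own re-implementation of that selection for illustration, not Jetty's code. It assumes jetty-util is on the classpath. The sample suite names are constructed from the ClientHello Lothar posted; the keystore path, the password and the `example.ssl.protocol` property are placeholders of ours, not Jetty settings.

```java
// Added example (not from the thread or from Jetty): shows how regex cipher
// patterns behave when the JVM names suites SSL_... instead of TLS_..., and
// builds a Jetty 9 SslContextFactory that tolerates both naming schemes.
// Assumes jetty-util on the classpath; keystore path/password are placeholders.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class CipherNameCheck {

    // Constructed sample: a subset of the names the IBM JVM sent in the
    // ClientHello quoted in this thread (note the SSL_ prefix on TLS suites).
    static final String[] IBM_STYLE_SUPPORTED = {
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "SSL_RSA_WITH_AES_128_CBC_SHA",
        "SSL_DHE_DSS_WITH_AES_256_CBC_SHA",
    };

    // The same suites as OpenJDK names them.
    static final String[] OPENJDK_STYLE_SUPPORTED = {
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    };

    // Include patterns as you would pass them to setIncludeCipherSuites.
    // The first only ever matches OpenJDK names; the second accepts either prefix.
    static final String INCLUDE_TLS_ONLY = "^TLS_ECDHE_.*_GCM_.*$";
    static final String INCLUDE_EITHER_PREFIX = "^(TLS|SSL)_ECDHE_.*_GCM_.*$";

    // Exclude legacy suites by MAC / key exchange, independent of the prefix.
    // Deliberately NOT "^SSL_.*$": on a JVM that uses SSL_ naming that pattern
    // would remove every suite, which is the symptom described in the thread.
    static final String[] EXCLUDES = { "^.*_(MD5|SHA)$", "^.*_NULL_.*$", "^.*_anon_.*$" };

    /** Our re-implementation of regex include-then-exclude selection, for illustration. */
    static List<String> select(String[] supported, List<String> includes, List<String> excludes) {
        List<String> out = new ArrayList<>();
        for (String inc : includes) {
            Pattern p = Pattern.compile(inc);
            for (String s : supported) {
                if (p.matcher(s).matches() && !out.contains(s)) out.add(s);
            }
        }
        for (String exc : excludes) {
            Pattern p = Pattern.compile(exc);
            out.removeIf(s -> p.matcher(s).matches());
        }
        return out;
    }

    /** Jetty-side configuration that works with either naming scheme. */
    static SslContextFactory jettySslFactory(String keyStorePath, String keyStorePassword) {
        SslContextFactory scf = new SslContextFactory();
        scf.setKeyStorePath(keyStorePath);           // placeholder path
        scf.setKeyStorePassword(keyStorePassword);   // placeholder password
        scf.setIncludeProtocols("TLSv1.2");          // pin the protocol explicitly
        scf.setIncludeCipherSuites(INCLUDE_EITHER_PREFIX);
        scf.setExcludeCipherSuites(EXCLUDES);
        // Jetty defaults the context name to "TLS"; allow it to be overridden at
        // startup for a JVM that wants a different name. The property name is ours.
        scf.setProtocol(System.getProperty("example.ssl.protocol", "TLS"));
        return scf;
    }

    public static void main(String[] args) throws Exception {
        List<String> exc = Arrays.asList(EXCLUDES);
        System.out.println("IBM-style, TLS_-only include:     "
            + select(IBM_STYLE_SUPPORTED, Arrays.asList(INCLUDE_TLS_ONLY), exc));
        System.out.println("IBM-style, either-prefix include: "
            + select(IBM_STYLE_SUPPORTED, Arrays.asList(INCLUDE_EITHER_PREFIX), exc));
        System.out.println("OpenJDK-style, either-prefix:     "
            + select(OPENJDK_STYLE_SUPPORTED, Arrays.asList(INCLUDE_EITHER_PREFIX), exc));

        // Live check against the JVM this is run on: how many suites carry the
        // SSL_ prefix, and what the prefix-tolerant include actually selects.
        String[] live = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        long sslNamed = Arrays.stream(live).filter(s -> s.startsWith("SSL_")).count();
        System.out.println("This JVM supports " + live.length + " suites, "
            + sslNamed + " of them named SSL_*");
        System.out.println("Selected on this JVM: "
            + select(live, Arrays.asList(INCLUDE_EITHER_PREFIX), exc));
    }
}
```

On the IBM-style sample the TLS_-only include selects nothing, while the prefix-tolerant include selects the two ECDHE GCM suites; on the OpenJDK-style sample both includes select the same two. Running the main on the JVM in question gives the live counts before you put a pattern into jetty-ssl.xml. This covers only the Jetty-side filtering; the -Dcom.ibm.jsse2.overrideDefaultTLS=true startup flag from the IBM article referenced in this thread is a JVM-side setting and is independent of it.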
Lothar Kimmeringer
2018-03-14 18:45:06 UTC
Permalink
Post by Silvio Bierman
Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...
I'm not defending IBM here for their decision to follow the NIH-principle.
The ciphers are for TLS; the session this trace came from was an
OFTP2 connection that is restricted to TLS and was using TLSv1.2 for the
handshake:

OFTP TLS-ReceiveThread2 (Thread nr. 6, for server-socket listening on address /x.x.x.x on port 6619), READ: TLSv1.2 Handshake, length = 181
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
JsseJCE: Using AlgorithmParameters EC from provider IBMJCE version 1.8
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1491538846 bytes = { 239, 0, 205, 234, 239, 135, 27, 62, 91, 187, 205, 216, 254, 230, 62, 170, 127, 69, 1, 60, 88, 75, 88, 14, 181, 116, 137, 40 }
Session ID: {}
Cipher Suites:
[...]

The corresponding Wireshark trace showed the cipher-list with the names
you're used to, so there really are no SSL-ciphers here, "just" a
different naming scheme.


Cheers, Lothar
Lou DeGenaro
2018-03-14 18:53:29 UTC
Permalink
Looking here:
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html

I added -Dcom.ibm.jsse2.overrideDefaultTLS=true to the launch of my Jetty
server and much joy resulted.

Lou.
Jesse McConnell
2018-03-14 19:04:38 UTC
Permalink
That is an interesting nugget, Lou. Any chance you can report results from
here: https://www.ssllabs.com/ssltest/ ?



--
jesse mcconnell
Lou DeGenaro
2018-03-14 19:15:35 UTC
Permalink
Unfortunately no. I could only supply an IP address (which it seems is not
allowed), and it is only accessible internally anyway.

Lou.
Jesse McConnell
2018-03-14 19:16:36 UTC
Permalink
fair enough, congrats at least :)

--
jesse mcconnell