Cosmin Victor Celea

06/11/2020, 8:00 AM
GET /api/personer/47120999865 HTTP/2
Host: localhost:8443
User-Agent: curl/7.64.1
Accept: */*
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (IN), TLS alert, close notify (256):
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server
* Closing connection 0
s4nchez

06/11/2020, 8:24 AM
Does your server have any restriction on http vs https? The TLS alert looks suspicious there.
Cosmin Victor Celea

06/11/2020, 8:25 AM
I am using a custom Jetty server. I require a certificate. If I look at the logs on the server side it looks like the request passes the validation and the server sends a 200 response back
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
    CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=NO; O=BITS AS; CN=BITS AS TEST; serialNumber=916960190
*  start date: Dec 20 07:54:39 2019 GMT
*  expire date: Dec 20 22:59:00 2022 GMT
*  issuer: C=NO; O=Buypass AS-983163327; CN=Buypass Class 3 Test4 CA 3
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdfb480d600)
GET /api/personer/47120999865 HTTP/2
Host: localhost:8443
User-Agent: curl/7.64.1
Accept: */*
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (IN), TLS alert, close notify (256):
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from se
here is the whole request
everything looks identical if I compare with the result I get if I run the app from IntelliJ, until “TLSv1.2 (IN), TLS alert, close notify (256):”
the last 3 lines are the ones that are different.
s4nchez

06/11/2020, 8:28 AM
And you can curl the server if it runs directly from IntelliJ?
Cosmin Victor Celea

06/11/2020, 8:28 AM
yes and get a 200 response.
s4nchez

06/11/2020, 8:30 AM
Hmm what I’d check is any difference in the JVM options in both scenarios. If I had to bet at this stage I’d say it has to do with how the server ssl cert is being loaded/configured
Cosmin Victor Celea

06/11/2020, 8:30 AM
ok, I will have a look
thanks for the tips. Is it ok if I ask again on this thread?
s4nchez

06/11/2020, 8:31 AM
And are you sure you’re always using “https” in the request?
Sure, ask away and I’ll answer if I’m around
Cosmin Victor Celea

06/11/2020, 8:31 AM
Yep, same request both times
s4nchez

06/11/2020, 8:34 AM
If you’re able to produce an example (just a hello world server in a public git repo) we can try and help too
Cosmin Victor Celea

06/11/2020, 9:47 AM
And just used the code that is here
I use http2 and not http
http2(port, "src/main/resources/certificates/bits.jks", "pass"))
Like this.
And it still does not work.
This is the only code in the handler
httpResponse = Response(Status.OK)
httpResponse
s4nchez

06/11/2020, 9:51 AM
Does it work for http2 without https?
Cosmin Victor Celea

06/11/2020, 9:51 AM
one sec.
// Imports added for context (assumed Jetty / http4k packages; not part of the original message)
import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory
import org.eclipse.jetty.server.HttpConfiguration
import org.eclipse.jetty.server.SecureRequestCustomizer
import org.eclipse.jetty.server.Server
import org.eclipse.jetty.server.ServerConnector
import org.eclipse.jetty.server.SslConnectionFactory
import org.eclipse.jetty.util.ssl.SslContextFactory
import org.http4k.server.ConnectorBuilder

// Builds a TLS + ALPN + HTTP/2 connector: SSL -> ALPN negotiation -> h2
fun http2(http2Port: Int, keystorePath: String, keystorePassword: String): ConnectorBuilder =
    { server: Server ->
        ServerConnector(server,
            SslConnectionFactory(
                SslContextFactory.Server().apply {
                    keyStorePath = keystorePath
                    setKeyStorePassword(keystorePassword)
                    // COMPARATOR: a cipher-suite Comparator defined elsewhere in the poster's project (not shown)
                    cipherComparator = COMPARATOR
                    provider = "Conscrypt"
                },
                "alpn"),
            ALPNServerConnectionFactory().apply {
                defaultProtocol = "h2"
            },
            HTTP2ServerConnectionFactory(HttpConfiguration().apply {
                sendServerVersion = false
                secureScheme = "https"
                securePort = http2Port
                addCustomizer(SecureRequestCustomizer())
            })).apply { port = http2Port }
    }
is it enough to set the secureScheme = “http”
?
s4nchez

06/11/2020, 10:01 AM
Hmmm I’m not sure. I’ll try and reproduce it locally, but most likely will only get back to you later
Cosmin Victor Celea

06/11/2020, 10:02 AM
ok, thank you so much.
I also updated all the libraries. Is there a working example of http2 using https that I could have a look at?
One that can be built and run via maven.
s4nchez

06/11/2020, 11:52 AM
Not that I’m aware of...
Cosmin Victor Celea

06/11/2020, 12:25 PM
Any tips on how I can then get an https custom Jetty implementation to work? Is this something that should work?
I am a bit stuck and not sure how to continue or even if it should work or not.
s4nchez

06/11/2020, 12:29 PM
I've played with the code you provided and the problem seems to be neither http2 nor ssl, it seems to be the ALPNServerConnectionFactory. This is enough to make it fail (even on IntelliJ for me):
fun http2(http2Port: Int): ConnectorBuilder =
    { server: Server ->
        ServerConnector(server,
            ALPNServerConnectionFactory().apply {
                defaultProtocol = "h2"
            }
        ).apply { port = http2Port }
    }
dave

06/11/2020, 12:31 PM
There is a note in the jetty maven about ALPN:
"org.mortbay.jetty.alpn:alpn-boot:8.1.12.v20180117" // this version depends on your version of JDK!
This was originally built against Java 8 - no idea if the switch to 11 has had an effect
Cosmin Victor Celea

06/11/2020, 12:32 PM
Ok, I am confused. So does this mean that this is not meant to work with Java 11?
s4nchez

06/11/2020, 12:33 PM
Also, http2 works on its own if you try:
fun http2(http2Port: Int): ConnectorBuilder =
    { server: Server ->
        ServerConnector(server,
            HTTP2ServerConnectionFactory(HttpConfiguration().apply {
                sendServerVersion = false
            })
        ).apply { port = http2Port }
    }
And then hitting it via
curl --http2-prior-knowledge -v http://localhost:8081
dave

06/11/2020, 12:33 PM
Ok, I am confused
This is standard with http2! 😂
Cosmin Victor Celea

06/11/2020, 12:33 PM
😂
dave

06/11/2020, 12:33 PM
Have you tried Undertow? I seem to remember that http2 was easier to configure on that..
Cosmin Victor Celea

06/11/2020, 12:34 PM
No, will have a look.
dave

06/11/2020, 12:34 PM
What is your deployment setup @Cosmin Victor Celea?
(we have definitely deployed Undertow in a secure configuration to prod in the past - I can't actually remember what prompted us adding the Jetty code TBH)
Cosmin Victor Celea

06/11/2020, 12:37 PM
Since the project is still in an early phase, I was the only one working on it. So until now, I just ran everything locally from IntelliJ. So I was planning to work now on a deployment script, when I saw that it crashes when I try to build it and run it via maven.
So should I try to move things to Undertow?
dave

06/11/2020, 12:38 PM
do you need to terminate SSL at the app server?
Normally I'd favour offloading that to something sitting in front.. (and sidestepping the entire problem! 😂 )
s4nchez

06/11/2020, 12:39 PM
Yeah. Nowadays it is unusual to have https managed directly at the service process.
Cosmin Victor Celea

06/11/2020, 12:40 PM
So the idea is that we only allow requests that come with a certificate that is signed by a specific issuer, and we use the information from the certificate in our logic.
It was a requirement for the project.
s4nchez

06/11/2020, 12:42 PM
You mean mTLS?
dave

06/11/2020, 12:43 PM
The way I've seen this done in the past is to fingerprint the cert at an outside proxy service (which specifically does just and only that). Then just forward that to the inner service.
Cosmin Victor Celea

06/11/2020, 12:44 PM
Seems like I have some thinking to do.