On Thu, Jun 1, 2023 at 5:43 PM Shawn Heisey <ecli...@elyograg.org> wrote:

> On 6/1/23 15:45, Jesse McConnell wrote:
> > Your best bet would be to do as Greg said and capture the actual request
> > failing on the wire using wireshark or tcpdump, or get a
> > HttpChannel.Listener[1] set up in the server so you can see what is
> > happening there.
>
> I do not have access to the private key for the TLS certificate.
>
> Even if I did, I have found that Wireshark cannot decrypt HTTPS if a
> modern cipher is being used.  Solr 9 requires at least Java 11, and that
> is the version being used.  I would expect Java 11, Jetty Server 9, and
> Jetty client 10 to be utilizing a modern cipher.  Browser connections to
> Solr are using TLS 1.2 with the cipher named
> TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384.
>

This has been possible in Wireshark since 2016 and its support for
the SSLKEYLOGFILE format.
You'll need this from either the User Agent (Browser / HttpClient) or the
Server for success.

Unfortunately Java doesn't export this file by default.
The output from `javax.net.debug` has the information, but not in the
correct SSLKEYLOGFILE format that Wireshark needs.
You can, instead, use a Java Agent (on the client side) to export this
information automatically for you.
See https://github.com/neykov/extract-tls-secrets

- Joakim
_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/jetty-users
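
A sanity check for a key log file before pointing Wireshark at it, added here as an example (it is not from the thread or from the extract-tls-secrets project). It parses the NSS key log format that SSLKEYLOGFILE refers to and reports which sessions carry enough secrets for decryption; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Labels from the NSS key log format (the file SSLKEYLOGFILE points to).
TLS12 = "CLIENT_RANDOM"
TLS13_REQUIRED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                  "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
KNOWN = TLS13_REQUIRED | {TLS12, "CLIENT_EARLY_TRAFFIC_SECRET",
                          "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET"}
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")

def check_keylog(text):
    """Return (sessions, problems); sessions maps client random -> labels seen."""
    sessions, problems = defaultdict(set), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are legal
            continue
        m = LINE.match(line)
        if not m:
            problems.append((n, "not '<LABEL> <hex> <hex>'"))
            continue
        label, rand, secret = m.groups()
        if label not in KNOWN:
            problems.append((n, f"label {label} not handled by this check"))
        elif len(rand) != 64:
            problems.append((n, "client random is not 32 bytes"))
        elif label == TLS12 and len(secret) != 96:
            problems.append((n, "TLS 1.2 master secret is not 48 bytes"))
        elif label != TLS12 and len(secret) not in (64, 96):
            problems.append((n, "TLS 1.3 secret is not 32 or 48 bytes"))
        else:
            sessions[rand.lower()].add(label)
    return dict(sessions), problems

def decryptable(labels):
    """TLS 1.2: CLIENT_RANDOM. TLS 1.3: all four traffic secrets (both directions)."""
    return TLS12 in labels or TLS13_REQUIRED <= labels

SAMPLE = "\n".join([                               # constructed, not real key material
    "# constructed sample key log",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,                    # TLS 1.2, complete
    "CLIENT_RANDOM " + "22" * 32 + " " + "bb" * 20,                    # truncated secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "cc" * 48,  # TLS 1.3, partial
    "master secret: deadbeef",                                         # free-form text
])

if __name__ == "__main__":
    sessions, problems = check_keylog(SAMPLE)
    for rand, labels in sessions.items():
        print(rand[:16], "decryptable" if decryptable(labels) else "incomplete")
    print(problems)
```

The client random in each entry is what ties it to a captured handshake, so the value to compare against is the Random field of the Client Hello in the capture.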