Hi all-

We're having a problem with serving our Restlet web application over
SSL.  It's very possible that we're doing something wrong with how
we're setting up the keystore and cert.

We had previously set up SSL with a self-signed cert, generated using
Java keytool.  This worked fine on Jetty and, until recently, with the
Simple connector, which had some hanging issues a few revisions ago
(but which may have been fixed; we're not sure.  Overall, we'd prefer
to get back to using the Simple connector).

Our configuration involved something like this:

    // Add an HTTPS server connector on port 8443 and fetch its parameters
    Series<Parameter> params =
            s.getServers().add(Protocol.HTTPS, 8443)
                    .getContext().getParameters();
    // Keystore location, keystore password and private key password
    params.add("keystorePath", "path/to/keystore.jks");
    params.add("keystorePassword", "secret");
    params.add("keyPassword", "secret");

So, like I said, this worked fine with a self-signed cert, although
obviously browsers complain at first.

We recently decided to acquire a "real" CA-signed cert, which we got
from StartSSL.com.  I built up a keystore which imports their root
certs and the cert they signed for us.  Doing a "keytool -list"
command shows something like this:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 3 entries

    startcom.ca.sub, Apr 26, 2010, trustedCertEntry,
    Certificate fingerprint (MD5): 30:B0:5A:F7:B2:F4:BE:0C:28:67:15:EA:CC:5B:24:20
    startcom.ca, Apr 26, 2010, trustedCertEntry,
    Certificate fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
    startcom pfx certificate, Apr 26, 2010, PrivateKeyEntry,
    Certificate fingerprint (MD5): 15:F4:A5:34:C6:B1:DE:BE:BF:4E:5D:83:BA:97:89:1E

Here is what we experience now:

With Jetty:
  - Everything seems to work great in our Safari, Chrome, and IE
    browsers, in that HTTPS works and the browser doesn't complain.
  - Firefox complains that the cert is "Untrusted".

With the Simple extension, and using the same configuration:
  - No access at all via HTTPS.  No response or log message at all on
    the server at startup or on request.

Has anyone else successfully served up CA-signed HTTPS using Jetty or
Simple?  And why doesn't the default connector do HTTPS?  Also, I've
never been clear on what the org.restlet.ext.ssl module is for.  Will
it add HTTPS support to the default Restlet connector?

Thanks,
  -Dave Fogel

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2604257
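
A check one could run against a keystore like the one listed above, as an added example that is not part of the original post: it prints the certificate chain stored with each private key entry, because a JSSE server presents that chain in the TLS handshake and not certificates held as separate trustedCertEntry items. The class name and the KS_PASS environment variable are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name), not code from the original post.
public class KeystoreChainCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java KeystoreChainCheck <keystore.jks>");
            System.exit(2);
        }
        // KS_PASS is a hypothetical variable name. With a null password a JKS
        // store still loads, but its integrity check is skipped.
        String pw = System.getenv("KS_PASS");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (!ks.isKeyEntry(alias) || chain == null) {
                // Stored for trust decisions only; not attached to a key.
                System.out.println(alias + ": trustedCertEntry");
                continue;
            }
            System.out.println(alias + ": key entry, chain length " + chain.length);
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.println("  [" + i + "] subject = "
                        + c.getSubjectX500Principal().getName());
                System.out.println("      issuer  = "
                        + c.getIssuerX500Principal().getName());
            }
            // A one-certificate chain whose issuer differs from its subject
            // carries no intermediate CA certificate for clients to build on.
            X509Certificate leaf = (X509Certificate) chain[0];
            boolean selfSigned = leaf.getSubjectX500Principal()
                    .equals(leaf.getIssuerX500Principal());
            if (chain.length == 1 && !selfSigned) {
                System.out.println("  WARNING: CA-issued leaf without its issuer chain");
            }
        }
    }
}
```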