Hi Joakim,

Thanks for the reply.

I tried adding debug logs by updating the root logger to have DEBUG level in logback.xml, but this did not seem to have any effect. No logs appeared when attempting to make a connection.

I am doubtful about the issue being the set of enabled protocols/ciphers because this service is deployed as a Docker container so it has the exact same setup as other, working instances.

Unfortunately further testing will be impossible since the container with the issue has since been blown away, so all we have left to try and diagnose is the thread dump.

Thanks,
Karthik

On Fri, Sep 8, 2017 at 12:42 PM, Joakim Erdfelt <[email protected]> wrote:

> Enable DEBUG logging on the named logger
> "org.eclipse.jetty.util.ssl.SslContextFactory"
> and look at the output it produces.
> Use the techniques for your configured server logging framework.
>
> It's likely that you have a set of SSL/TLS Protocols and Ciphers that have
> different Includes/Excludes than you expect.
> Compare them with your working instance.
>
> Keep in mind that Java itself introduces excludes, and Jetty has an
> include/exclude system as well (note: excludes win over includes in jetty).
> The debug output will tell you if a protocol or cipher is excluded, and
> all of the ways that specific entry was excluded.
>
> Of extra note that the keystore/truststore minimum requirements are
> constantly evolving on Java and the Web in general.
> What you used in the past might not be valid anymore (bitlength too low,
> use of deprecated certificate signing methods SHA1/MD5, etc)
>
> Joakim Erdfelt / [email protected]
>
> On Fri, Sep 8, 2017 at 12:33 PM, _klk_ <[email protected]> wrote:
>
>> We have been using Jetty for a long time, with no problem. Today our
>> service started up and entered a weird state where it would serve
>> requests just fine on the HTTP port, but fail everything on the HTTPS
>> port (example below):
>>
>> bash-4.1# curl -vvv -k -i https://localhost:8181/foo
>> * About to connect() to localhost port 8181 (#0)
>> * Trying ::1... connected
>> * Connected to localhost (::1) port 8181 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * warning: ignoring value of ssl.verifyhost
>> * NSS error -5990
>> * Closing connection #0
>> * SSL connect error
>> curl: (35) SSL connect error
>>
>> Bringing up a new instance of the service (same Jetty version) did not
>> exhibit the same behavior. I took a thread dump
>> (https://gist.github.com/anonymous/5a92c14825381a219604cf8fbeca8abc).
>> Nothing jumps out at me, I only notice that all acceptors are blocked
>> while all selectors are runnable. I don't know enough about Jetty's
>> internals to know if that means anything.
>>
>> --
>> Sent from: http://jetty.4.x6.nabble.com/Jetty-User-f3247280.html
>> _______________________________________________
>> jetty-users mailing list
>> [email protected]
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://dev.eclipse.org/mailman/listinfo/jetty-users

--
Karthik Kailash
Phone: (408) 768-7704
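The include/exclude behaviour Joakim describes ("excludes win over includes"), as an added example that is not part of the original thread and is not Jetty's own code. The class name, the select helper and the pattern lists are hypothetical and constructed for illustration; only the JDK calls are real.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added illustration: models "excludes win over includes" against this JVM's
// own TLS lists. It is not Jetty's SslContextFactory implementation.
public class TlsSelectionCheck {

    static boolean matchesAny(String name, List<String> patterns) {
        return patterns.stream().anyMatch(p -> Pattern.matches(p, name));
    }

    // Keep entries matching an include pattern (empty includes = keep all),
    // then drop anything matching an exclude pattern, so excludes always win.
    static List<String> select(String[] available, List<String> includes, List<String> excludes) {
        List<String> selected = new ArrayList<>();
        for (String name : available) {
            boolean included = includes.isEmpty() || matchesAny(name, includes);
            boolean excluded = matchesAny(name, excludes);
            if (included && !excluded) {
                selected.add(name);
            } else {
                System.out.printf("  dropped %-48s included=%b excluded=%b%n", name, included, excluded);
            }
        }
        return selected;
    }

    public static void main(String[] args) throws Exception {
        // JVM-level restrictions, applied in addition to any include/exclude settings.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        SSLParameters supported = SSLContext.getDefault().getSupportedSSLParameters();

        // Hypothetical include/exclude sets, constructed for this example.
        List<String> protoIncludes = Arrays.asList("TLSv1\\.[12]");
        List<String> protoExcludes = Arrays.asList("SSL.*", "TLSv1", "TLSv1\\.1");
        List<String> cipherIncludes = Arrays.asList("TLS_ECDHE_.*", "TLS_RSA_.*");
        List<String> cipherExcludes = Arrays.asList(".*_(MD5|SHA|SHA1)$", ".*_RC4_.*", ".*NULL.*");

        System.out.println("Protocols:");
        List<String> protocols = select(supported.getProtocols(), protoIncludes, protoExcludes);
        System.out.println("Cipher suites:");
        List<String> ciphers = select(supported.getCipherSuites(), cipherIncludes, cipherExcludes);

        System.out.println("Selected protocols: " + protocols);
        System.out.println("Selected cipher suites: " + ciphers.size());
        if (protocols.isEmpty() || ciphers.isEmpty()) {
            System.out.println("Nothing left to negotiate: no handshake can succeed with these settings.");
        }
    }
}
```

Note that TLSv1.1 matches the include pattern here and is still dropped, because the exclude list is applied last.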
