Rhythmyx Jetty Workbench SSL

Has anyone succeeded running Jetty with SSL? With keystore file in place, root certificate imported, cert and keystore have the same default keystore password, jetty starts with

12:25:16,386 INFO [SslContextFactory] Protocol TLSv1. 2 not supported in [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
12:25:16,387 WARN [SslContextFactory] No selected protocols from [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
12:25:16,390 INFO [AbstractConnector] Started ServerConnector@9816741{SSL,[ssl, http/1.1]}{0.0.0.0:8443}

Outcome:

NSS error -12188 (SSL_ERROR_INTERNAL_ERROR_ALERT)
Peer reports it experienced an internal error.
Closing connection 0
curl: (35) Peer reports it experienced an internal error.

installation.properties

jetty.http.port=9992
jetty.ssl.port=8443
jetty.sslContext.keyStorePassword=changeit
jetty.sslContext.trustStorePassword=changeit
jetty.sslContext.keyManagerPassword=changeit
perc.ssl.protocols=TLSv1. 2
perc.ssl.includeCiphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore

ssl.ini and https.ini are present in start.d

Hi,

Can you double-check your perc.ssl.protocols= line? It looks like there may be an extraneous space in the protocol between the . and the 2. It should be TLSv1.2 with no spaces.

-n
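A stray space inside a protocol name is easy to miss by eye, and Jetty only reports it as "Protocol TLSv1. 2 not supported" while still starting the connector. The following is an added Python check, not code from this thread or from the Rhythmyx/Jetty code base, that reads the perc.ssl.protocols and perc.ssl.includeCiphers keys from an installation.properties file and flags embedded whitespace, unsupported protocol names and malformed cipher names. The supported-protocol set is copied from the SslContextFactory log line above; the sample properties text is constructed from the lines quoted in the question.

```python
import re

# Protocols the server JVM reported as supported, copied from the
# SslContextFactory log line in the post:
#   "Protocol TLSv1. 2 not supported in [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]"
JVM_SUPPORTED_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# JSSE cipher suite names are upper-case tokens of letters, digits and underscores.
CIPHER_NAME_RE = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+$")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, no escape handling."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_ssl_properties(text, supported=JVM_SUPPORTED_PROTOCOLS):
    """Return a list of problems found in perc.ssl.protocols / perc.ssl.includeCiphers."""
    props = parse_properties(text)
    problems = []
    usable = []

    for proto in props.get("perc.ssl.protocols", "").split(","):
        if not proto.strip():
            continue
        if any(ch.isspace() for ch in proto):  # catches "TLSv1. 2" as well as " TLSv1.2"
            fixed = "".join(proto.split())
            problems.append(f"protocol '{proto}' contains whitespace; did you mean '{fixed}'?")
        elif proto not in supported:
            problems.append(f"protocol '{proto}' is not supported by this JVM")
        else:
            usable.append(proto)

    # Jetty logged "No selected protocols" and still started the connector;
    # every handshake then fails with an internal_error alert, as curl showed.
    if props.get("perc.ssl.protocols") and not usable:
        problems.append("no usable protocol remains: the connector will start, "
                        "but every handshake will be rejected")

    for suite in props.get("perc.ssl.includeCiphers", "").split(","):
        suite = suite.strip()
        if suite and not CIPHER_NAME_RE.match(suite):
            problems.append(f"cipher suite '{suite}' is not a well-formed JSSE name")

    return problems


# Constructed sample: the installation.properties lines quoted in the post,
# with the original "TLSv1. 2" typo still in place.
BROKEN = """\
jetty.ssl.port=8443
perc.ssl.protocols=TLSv1. 2
perc.ssl.includeCiphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
FIXED = BROKEN.replace("TLSv1. 2", "TLSv1.2")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_ssl_properties(text) or "OK")
```

Run it against the real jetty/etc/installation.properties before restarting the service; the "no usable protocol remains" message is the condition behind the WARN line and the curl error shown above.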

You’re right, there was a space. Removed, restarted, Workbench reports:

An unknown exception occurred while communicating with the server: Received fatal alert: handshake_failure

It’s not a self-signed cert, and I added both intermediary and root CAs into keystore just in case.

Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

I’m thinking some cypher suites don’t play nicely with TLS1.2…

The default cipher suites are supported with TLS v1.2; in fact those ciphers require TLSv1.2. O

  1. Confirm you are using a new install of developer tools from the patch.

  2. Check that the lax.nl.current.vm= line in RhythmyxWorkbench.lax of the developer tools install you are running is pointing to the correct JVM in the developer tools install. On a clean install this is relative to the current directory (for example, the current directory is Rhythmyx), so if the folder was modified it may not find this:

     lax.nl.current.vm=…\Rhythmyx\JRE\bin\java.exe

     If the VM is not found, the startup executable will fall back to the base JVM on the system, which may be Java 7 and will not work.

  3. Check what the signature algorithm for the certificate is. To support TLSv1.2 you may need to have "SHA-256 with RSA". SHA-1 certificates are deprecated due to security risk and will not work with TLSv1.2.
     https://stackoverflow.com/questions/25810999/check-if-my-ssl-certificate-is-sha1-or-sha2

  4. When the service is stopped, start Jetty with the following. It adds a lot of information to the log after startup, and close to the start of this dump it reports the effective enabled and disabled protocols. This should identify whether the problem is on the server, the certificate or the client.

     ./JettysStart.sh jetty.server.dumpAfterStart=true

All the strong ciphers included in the list require TLSv1.2. The GCM ciphers are only in Java 1.8, and the CBC ciphers are in Java 1.7, but Java v1.7 requires TLSv1.2 to be enabled with a system property. The current version of the Workbench is working to connect using these ciphers against the current Tomcat with this configuration.

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

|   += SslConnectionFactory@4b741d6d{SSL->http/1.1} - STARTED
|   |   += SslContextFactory@6344004d(file:///C:/RX_732/jetty/base/etc/keystore,file:///C:/RX_732/jetty/base/etc/keystore) trustAll=false
|   |   |   +- Protocol Selections
|   |   |   |   +- Enabled (size=1)
|   |   |   |   |   +- TLSv1.2
|   |   |   |   +- Disabled (size=4)
|   |   |   |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello', ConfigIncluded:NotSpecified
|   |   |   |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3', ConfigIncluded:NotSpecified
|   |   |   |       +- TLSv1 - ConfigIncluded:NotSpecified
|   |   |   |       +- TLSv1.1 - ConfigIncluded:NotSpecified
|   |   |   +- Cipher Suite Selections
|   |   |       +- Enabled (size=4)
|   |   |       |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|   |   |       |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|   |   |       |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|   |   |       |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|   |   |       +- Disabled (size=53)
|   |   |           +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 - ConfigIncluded:NotSpecified
|   |   |           +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 - ConfigIncluded:NotSpecified
|   |   |           +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - ConfigIncluded:NotSpecified
|   |   |           +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - ConfigIncluded:NotSpecified
|   |   |           +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security, ConfigIncluded:NotSpecified
|   |   |           +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security, ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV - ConfigIncluded:NotSpecified
|   |   |           +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_RSA_WITH_AES_128_CBC_SHA256 - ConfigIncluded:NotSpecified
|   |   |           +- TLS_RSA_WITH_AES_128_GCM_SHA256 - ConfigIncluded:NotSpecified
|   |   |           +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security, ConfigIncluded:NotSpecified
|   |   +~ org.eclipse.jetty.jmx.MBeanContainer@4c60d6e9

If the perc.ssl.includeCiphers value in jetty/etc/installation.properties is blank, the server will use the configured default for Jetty, which is updated with Jetty versions; this is currently the following with TLSv1.2:

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256

|   |   |   +- Protocol Selections
|   |   |   |   +- Enabled (size=1)
|   |   |   |   |   +- TLSv1.2
|   |   |   |   +- Disabled (size=4)
|   |   |   |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello', ConfigIncluded:NotSpecified
|   |   |   |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3', ConfigIncluded:NotSpecified
|   |   |   |       +- TLSv1 - ConfigIncluded:NotSpecified
|   |   |   |       +- TLSv1.1 - ConfigIncluded:NotSpecified
|   |   |   +- Cipher Suite Selections
|   |   |       +- Enabled (size=15)
|   |   |       |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
|   |   |       |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
|   |   |       |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|   |   |       |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|   |   |       |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|   |   |       |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|   |   |       |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|   |   |       |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|   |   |       |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
|   |   |       |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
|   |   |       |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
|   |   |       |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
|   |   |       |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
|   |   |       |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
|   |   |       |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
|   |   |       +- Disabled (size=42)
|   |   |           +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
|   |   |           +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
|   |   |           +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
|   |   |           +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security
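The dumpAfterStart output above is the authoritative record of what the server will negotiate, and "no common encryption algorithm(s)" is just the client-side view of an empty intersection with it. Here is an added Python helper, not from this thread or from Jetty, that parses the "Protocol Selections" and "Cipher Suite Selections" subtree of such a dump, keeps the reason each protocol or suite was disabled (JreDisabled / ConfigExcluded), and intersects the enabled sets with what a client offers. The dump excerpt and the two client profiles embedded below are constructed from the lists shown in this post; the client cipher lists are illustrative, not taken from a real Workbench or JRE.

```python
import re

# A dump line looks like "|   |   |   +- NAME - reason, reason".
# The marker after '+' tells the node type: '-' for a selection entry,
# '=' and '~' for other Jetty components, which end the SSL subtree.
ITEM_RE = re.compile(r"^[|\s]*\+([-=~])\s*(.*?)\s*$")


def parse_jetty_ssl_dump(dump):
    """Extract enabled/disabled protocols and cipher suites, with the reason for each exclusion."""
    result = {
        "protocols": {"enabled": [], "disabled": {}},
        "ciphers": {"enabled": [], "disabled": {}},
    }
    section = state = None
    for raw in dump.splitlines():
        m = ITEM_RE.match(raw)
        if not m:
            continue
        marker, item = m.groups()
        if marker != "-":          # left the SslContextFactory subtree
            section = state = None
        elif item.startswith("Protocol Selections"):
            section, state = "protocols", None
        elif item.startswith("Cipher Suite Selections"):
            section, state = "ciphers", None
        elif item.startswith("Enabled"):
            state = "enabled"
        elif item.startswith("Disabled"):
            state = "disabled"
        elif section and state:
            name, _, reason = item.partition(" - ")
            if state == "enabled":
                result[section]["enabled"].append(name)
            else:
                result[section]["disabled"][name] = reason
    return result


def diagnose_overlap(server, client_protocols, client_ciphers):
    """Intersect the server's enabled sets with a client's offer and explain any gap."""
    protos = sorted(set(server["protocols"]["enabled"]) & set(client_protocols))
    ciphers = sorted(set(server["ciphers"]["enabled"]) & set(client_ciphers))
    notes = []
    if not protos:
        notes.append("no common protocol version")
    if not ciphers:
        notes.append("no common cipher suite (SSL_ERROR_NO_CYPHER_OVERLAP)")
        for suite in client_ciphers:
            why = server["ciphers"]["disabled"].get(suite)
            if why:
                notes.append(f"client suite {suite} is disabled on the server: {why}")
    return {"protocols": protos, "ciphers": ciphers, "notes": notes}


# Constructed excerpt in the dumpAfterStart format, using the four suites the
# poster enabled and a few of the disabled entries from the full dump.
SAMPLE_DUMP = """\
|   |   |   +- Protocol Selections
|   |   |   |   +- Enabled (size=1)
|   |   |   |   |   +- TLSv1.2
|   |   |   |   +- Disabled (size=2)
|   |   |   |       +- TLSv1 - ConfigIncluded:NotSpecified
|   |   |   |       +- TLSv1.1 - ConfigIncluded:NotSpecified
|   |   |   +- Cipher Suite Selections
|   |   |       +- Enabled (size=4)
|   |   |       |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|   |   |       |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|   |   |       |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|   |   |       |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|   |   |       +- Disabled (size=3)
|   |   |           +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$', ConfigIncluded:NotSpecified
|   |   |           +- TLS_RSA_WITH_AES_128_CBC_SHA256 - ConfigIncluded:NotSpecified
|   |   +~ org.eclipse.jetty.jmx.MBeanContainer@4c60d6e9
"""

# Constructed client profiles (protocols, cipher suites offered).
MODERN_CLIENT = (["TLSv1.2"],
                 ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"])
LEGACY_CLIENT = (["TLSv1", "TLSv1.1"],
                 ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"])

if __name__ == "__main__":
    server = parse_jetty_ssl_dump(SAMPLE_DUMP)
    for label, (protos, suites) in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(label, diagnose_overlap(server, protos, suites))
```

Feed it the real dump from JettysStart.sh with jetty.server.dumpAfterStart=true, together with the suite list the client actually sends (visible in a packet capture of the ClientHello or in the client's javax.net.debug output), and the notes tell you whether the gap is the server configuration (ConfigExcluded), the JRE's java.security policy (JreDisabled), or a client that simply does not offer any TLSv1.2 suite.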

Thanks for the tips. I’ve nailed down the cypher problem to this: root CA issued root and intermediary certificates with ^M line endings. Converting these into Unix format (dos2unix), then concatenating, deleting all old certificates and importing everything again into certstore works fine for Jetty. It starts, and I can connect to it on :8443 with openssl client, curl, browser.

However, Workbench returns:

An unknown exception occurred while communicating with the server: unable to find valid certification path to requested target

I have downloaded developer tools again, updated the old ones, double checked the lax file which reads:

#   LAX.NL.CURRENT.VM
#   -----------------
#   the VM to use for the next launch

lax.nl.current.vm=…\Rhythmyx\JRE\bin\java.exe

Still no love from Workbench.

I then saw that JRE\lib\security on the client keeps its own cacerts file. This file is apparently not updated automatically with the install / upgrade routine of developer tools. I copied the new keystore file that I generated above on the server onto the client, closed Workbench, started it again, and that does it.

I hope that helps if someone else encounters similar problems.

Please close the thread and many thanks again for all the good tips.

Best wishes,
Predrag
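The CR line endings the poster found are worth checking for before anything is imported into a keystore, since the failure shows up much later as a handshake error. This added Python snippet, not from this thread or from any Rhythmyx or Jetty tooling, reports whether a PEM bundle contains CR characters, counts the certificate blocks, flags blocks whose body is not valid base64 DER, and re-emits each certificate as a clean LF-terminated block (the dos2unix step plus splitting a concatenated root/intermediate bundle). The input it builds for itself is constructed: two PEM blocks wrapping a five-byte DER SEQUENCE, not a real certificate.

```python
import base64
import re

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_line_endings(data):
    """What dos2unix does: CRLF and bare CR both become LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def check_pem_bundle(data):
    """Report CR endings, the number of certificate blocks, and the indexes of bad blocks."""
    text = data.decode("ascii", errors="replace")
    report = {"has_cr": b"\r" in data, "count": 0, "bad": []}
    for idx, body in enumerate(PEM_CERT_RE.findall(text)):
        report["count"] += 1
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
            report["bad"].append(idx)
            continue
        # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
        if not der or der[0] != 0x30:
            report["bad"].append(idx)
    return report


def split_pem_certificates(data):
    """Return each certificate as its own clean PEM block (LF endings, 64-column base64)."""
    text = normalize_line_endings(data).decode("ascii", errors="replace")
    blocks = []
    for body in PEM_CERT_RE.findall(text):
        b64 = "".join(body.split())
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                      + "\n-----END CERTIFICATE-----\n")
    return blocks


def build_constructed_bundle():
    """Constructed test input: two CRLF-terminated PEM blocks wrapping a tiny DER
    SEQUENCE { INTEGER 5 }. Not a real certificate, just enough for the checks above."""
    fake_der = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
    body = base64.b64encode(fake_der).decode()
    block = "-----BEGIN CERTIFICATE-----\r\n" + body + "\r\n-----END CERTIFICATE-----\r\n"
    return (block + block).encode()


if __name__ == "__main__":
    raw = build_constructed_bundle()
    print("before:", check_pem_bundle(raw))
    clean = "".join(split_pem_certificates(raw)).encode()
    print("after: ", check_pem_bundle(clean))
```

Write each block returned by split_pem_certificates to its own file and import those; a bundle that reports has_cr=True or a non-empty bad list is the one to fix before touching the keystore.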

If you are not using a public certificate authority, then the CA root certificate (to enable all certs created with that CA) or the actual server certificate should be added to the Java cacerts file for the client, in this case the dev tools JRE used by Workbench, referenced in RhythmyxWorkbench.lax.

Here are some good instructions. I have used a similar tool to Portecle referenced in this post, called KeyStore Explorer, which works well. You can copy the cacerts to other JRE instances, but be aware that JRE updates may remove, add or update other root certs in the file.

https://stackoverflow.com/questions/1…

Root and intermediary certificates have already been imported, as indicated above, this works now.

What does not work, however, is SNI. My understanding was that as of Java 7 SNI just works, and looking into jetty’s installation.properties I have the following line:

jetty.ssl.sniHostCheck=true

I would have thought that should be enough to work with the certificate, which is signed to CN cms.example.com but has cms-dev.example.com and cms-uat.example.com in subject alternative names. Connecting to the host which has CN set in the certificate works. Connecting to the host which is only in the subject alternative name, for example cms-dev.example.com, works as far as establishing the connection, but subsequent operations fail. For example, clicking on Content Explorer in Workbench and trying to unfold any of the items returns:

Does this mean anything to you?

Splitting this as a new question as it is related, but different from the original post.

Please reference the new conversation here: SSL SNI Support in Workbench