Hi Dave,

On 06/05/2010 15:16, David Fogel wrote:
>
> We had previously set up SSL with a self-signed cert, generated using
> java keytool. This worked fine on Jetty and, until recently, with the
> Simple connector, which had some hanging issues a few revisions ago
> (but which may have been fixed, we're not sure. Overall we'd prefer
> to get back to using the simple connector).

Have you tried the Simple connector since 2.0-RC2? It should incorporate
the fix discussed in the thread you started at the end of March
<http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2464621>
(a newer release of the Simple library).

> Our configuration involved something like this:
>
>     Series<Parameter> params =
>         s.getServers().add(Protocol.HTTPS, 8443)
>             .getContext().getParameters();
>     params.add("keystorePath", "path/to/keystore.jks");
>     params.add("keystorePassword", "secret");
>     params.add("keyPassword", "secret");

This looks correct (although you might need to configure a truststore
too if you're using the Simple connector, see below).

> We recently decided to acquire a "real" CA-signed cert, which we got
> from StartSSL.com. I built up a keystore which imports their root
> certs and the cert they signed for us. Doing a "keytool -list"
> command shows something like this:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> startcom.ca.sub, Apr 26, 2010, trustedCertEntry,
> Certificate fingerprint (MD5):
> 30:B0:5A:F7:B2:F4:BE:0C:28:67:15:EA:CC:5B:24:20
> startcom.ca, Apr 26, 2010, trustedCertEntry,
> Certificate fingerprint (MD5):
> 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
> startcom pfx certificate, Apr 26, 2010, PrivateKeyEntry,
> Certificate fingerprint (MD5):
> 15:F4:A5:34:C6:B1:DE:BE:BF:4E:5D:83:BA:97:89:1E
>
> Here is what we experience now:
>
> With Jetty:
> - everything seems to work great in our Safari, Chrome, and IE
> browsers, in that HTTPS works and the browser doesn't complain.
> - Firefox complains that the cert is "Untrusted"

What does Firefox say in detail? Usually, you can get the certificate
and it will tell you what's wrong with it (on the first dialog after the
warning page, the one where you can get the cert and choose to
accept/refuse it).

Maybe the StartSSL CA certificates aren't installed in this Firefox (it
may also vary depending on the distribution on Linux, for example). I'm
afraid I haven't tried StartSSL. The ability for a CA to be trusted by a
browser often has nothing to do with the browser or its technical
capabilities, but is rather an administrative, legal or political issue
as to which CAs get bundled with the browser's installer.

> With Simple extension, and using the same configuration:
> - no access at all via HTTPS. no response or log message at all on
> the server at startup or on request

Perhaps try setting the truststore to use the keystore too?

    params.add("truststorePath", "path/to/keystore.jks");
    params.add("truststorePassword", "secret");

Otherwise, you might run into a similar problem as in this thread:
<http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2599797>
(This is due to the fact that Simple always asks for a client
certificate at the moment.)

> Anyone else successfully serving up CA-signed HTTPS using Jetty or
> Simple? And why doesn't the default connector do HTTPS?

I have. Admittedly, mostly with the UK e-Science CA: its certificates
aren't bundled by default with browsers, but that's an admin/trust
problem, not a technical one.

> Also, I've
> never been clear on what the org.restlet.ext.ssl module is for - will
> it add HTTPS support to the default restlet connector?

The SSL extension is mostly useful if you want "advanced" SSLContext
settings (e.g. specific client certificate settings or non-default
trust models such as those used with FOAF+SSL or grid computing). You
probably don't need it if you're not using client certificates at all.

Best wishes,

Bruno.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2604285
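An added example, not code from this thread or from the Restlet project, that puts the reply's suggestion together: a Restlet 2.0 HTTPS server with the truststore pointed at the same keystore, preceded by a check that the keystore's PrivateKeyEntry carries more than just the leaf certificate (for the server to send the intermediate, it has to be part of that entry's chain, not only a separate trustedCertEntry). The paths, password and class name are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import org.restlet.Component;
import org.restlet.Server;
import org.restlet.data.Parameter;
import org.restlet.data.Protocol;
import org.restlet.util.Series;

public class HttpsKeystoreCheck {
    // Assumed values for illustration only (not the poster's real paths/secrets).
    static final String KEYSTORE = "path/to/keystore.jks";
    static final String PASSWORD = "secret";

    // Length of the chain stored with the PrivateKeyEntry. If it is 1, only the
    // leaf is stored: the server then sends no intermediate, and a client that does
    // not already hold it reports the cert as untrusted, even though the intermediate
    // sits in the same keystore as a separate trustedCertEntry.
    static int keyEntryChainLength(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, pw); } finally { in.close(); }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            for (Certificate c : chain) {
                System.out.println(alias + " -> " + ((X509Certificate) c).getSubjectX500Principal());
            }
            return chain.length;
        }
        throw new IllegalStateException("no PrivateKeyEntry in " + path);
    }

    public static void main(String[] args) throws Exception {
        if (keyEntryChainLength(KEYSTORE, PASSWORD.toCharArray()) < 2) {
            System.err.println("WARNING: key entry holds only the leaf; re-import the PKCS#12 with its full chain");
        }
        Component component = new Component();
        Server server = component.getServers().add(Protocol.HTTPS, 8443);
        Series<Parameter> params = server.getContext().getParameters();
        params.add("keystorePath", KEYSTORE);
        params.add("keystorePassword", PASSWORD);
        params.add("keyPassword", PASSWORD);
        // For the Simple connector, also point the truststore at the same keystore
        params.add("truststorePath", KEYSTORE);
        params.add("truststorePassword", PASSWORD);
        component.start();
    }
}
```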