Hi,

On Wed, Nov 23, 2022 at 12:55 PM Simone Bordet <sbor...@webtide.com> wrote:
>
> Hi,
>
> On Wed, Nov 23, 2022 at 10:13 AM Info <i...@betzel.net> wrote:
> >
> > Dear community,
> >
> >
> > I am looking into the Let's Encrypt TLS-ALPN-01 challenge and want to create
> > an ALPN TLS extension for Jetty 9.
> > Does anybody already have any experience with this or even already created 
> > an open source connection factory?
> >
> > I am looking into the HTTP2 configurations I can find online for
> > inspiration, can I stack the ALPN challenge on top of the default SSL/TLS
> > connection?
>
> It should be enough to use the configuration for http2 and http/1.1,
> and add "acme-tls/1" to the list of ALPN protocols.
>
> When the ACME client connects, Jetty will select the "acme-tls/1"
> ConnectionFactory, complete the TLS handshake, find that the
> "acme-tls/1" has no correspondent ConnectionFactory and close the
> connection (which is expected).
>
> So:
>
> $ java -jar $JETTY_HOME/start.jar --add-modules=http2
> $ java -jar $JETTY_HOME/start.jar jetty.alpn.protocols=acme-tls/1,h2,http/1.1
>
> I did not try, so let us know if it works.

I did try to set up only h2 on the server, and force curl to send
http/1.1, and correctly Jetty completes the TLS handshake and then
closes the connection.
You will see this log line at INFO level similar to this one:

2022-11-23 15:24:27.359:INFO
:oejs.NegotiatingServerConnection:qtp1408652377-53:
ALPNServerConnection@332adb96::DecryptedEndPoint@290b9c76[{l=/127.0.0.1:8443,r=/127.0.0.1:39912,OPEN,fill=-,flush=-,to=34/30000}]
application selected protocol 'http/1.1', but no correspondent
org.eclipse.jetty.server.ConnectionFactory has been configured

That is to say that it already works out of the box.

If you want to avoid that log line, you can write your own
ConnectionFactory and close the EndPoint from onOpen().
-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
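
The suggestion at the end of the message above, written out as an added example (not code from the original message or from the Jetty project): a Jetty 9 ConnectionFactory registered under "acme-tls/1" that closes the EndPoint from onOpen(), so the negotiated protocol has a matching factory and the INFO line is not logged. The class names AcmeTlsAlpnConnectionFactory and ClosingConnection are hypothetical.

```java
import org.eclipse.jetty.io.AbstractConnection;
import org.eclipse.jetty.io.Connection;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.server.AbstractConnectionFactory;
import org.eclipse.jetty.server.Connector;

/** Hypothetical factory for the ALPN protocol id used by TLS-ALPN-01. */
public class AcmeTlsAlpnConnectionFactory extends AbstractConnectionFactory {

    public static final String PROTOCOL = "acme-tls/1";

    public AcmeTlsAlpnConnectionFactory() {
        // The protocol name is what the ALPN negotiation looks up on the connector.
        super(PROTOCOL);
    }

    @Override
    public Connection newConnection(Connector connector, EndPoint endPoint) {
        // configure() applies the connector's listeners and buffer settings.
        return configure(new ClosingConnection(endPoint, connector), connector, endPoint);
    }

    /** Connection that carries no application data and closes immediately. */
    private static final class ClosingConnection extends AbstractConnection {

        ClosingConnection(EndPoint endPoint, Connector connector) {
            super(endPoint, connector.getExecutor());
        }

        @Override
        public void onOpen() {
            super.onOpen();
            // The TLS handshake has already completed when this is called;
            // acme-tls/1 exchanges nothing afterwards, so close right away.
            getEndPoint().close();
        }

        @Override
        public void onFillable() {
            // Never registered for reads; close defensively if data arrives.
            getEndPoint().close();
        }
    }
}
```

Add an instance to the TLS connector with addConnectionFactory(), alongside the h2 and http/1.1 factories, and keep "acme-tls/1" in the ALPN protocol list. RFC 8737 validation also depends on the certificate presented during the handshake, which this class does not handle.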