Whois doesnot work on HTTPS #1588

Closed
gonghewan opened this issue Nov 15, 2024 · 8 comments

Comments

@gonghewan

I tried to configure HTTPS on whois, and the terminal shows this startup log:
2024-11-15T03:18:44,106 INFO [Server] Started Server@68c06a2{STARTING}[11.0.20,sto=0] @8333ms
2024-11-15T03:18:44,106 INFO [JettyBootstrap] Jetty started on HTTP port 40931 HTTPS port 34061
2024-11-15T03:18:44,106 INFO [JettyBootstrap] Certificate: X509@54a0ada1(cn=unknown,ou=unknown,o=unknown,l=unknown,st=unknown,c=unknown,h=[unknown],a=[],w=[])
2024-11-15T03:18:44,107 INFO [JettyBootstrap] Selected Protocols [TLSv1.3, TLSv1.2]
2024-11-15T03:18:44,107 INFO [JettyBootstrap] Selected Ciphers []
2024-11-15T03:18:44,107 INFO [WhoisServer] Initializing: net.ripe.db.whois.query.QueryServer@7a087132
2024-11-15T03:18:44,116 INFO [QueryServer] Query server listening on 33533
2024-11-15T03:18:44,117 INFO [WhoisServer] Running version: 1.114-SNAPSHOT (commit: 3b671aa)
2024-11-15T03:18:44,119 INFO [WhoisServer] HOME: /home/dbase
2024-11-15T03:18:44,119 INFO [WhoisServer] LANG: en_US.UTF-8
...

Then I visit localhost:40931/whois/metadata/templates/inetnum, and it works: I get the correct answer. But when I try localhost:34061/whois/metadata/templates/inetnum, I get ERR_INVALID_HTTP_RESPONSE and the whois log shows nothing new.

Here is my configuration:
First, I use keytool to generate the cert and key:
keytool -genkeypair -alias whois -keyalg RSA -keysize 4096 -storetype JKS -keystore whois.jks -validity 3650 -storepass 20240731
keytool -export -alias "whois" -keystore whois.jks -storetype JKS -storepass "20240731" -rfc -file "whois.cer"
keytool -v -importkeystore -srckeystore whois.jks -srcstoretype jks -srcstorepass 20240731 -destkeystore whois.pfx -deststoretype pkcs12 -deststorepass 20240731 -destkeypass 20240731
openssl pkcs12 -in whois.pfx -nocerts -nodes -out whois.pri.key
Second, I change the whois properties file:
# Service ports
# HTTPS
whois.private.keys=/home/dbase/whois.pri.key
whois.certificates=/home/dbase/whois.cer
whois.keystore=/home/dbase/whois.jks
port.api.secure=0

@gonghewan gonghewan changed the title Whois not work on HTTPS Whois doesnot work on HTTPS Nov 15, 2024
@eshryane
Member

eshryane commented Nov 15, 2024

Hello @gonghewan, what is the output from:
$ curl -v --header "Host: rest.db.ripe.net" -k https://localhost:40931/metadata/templates/inetnum

@gonghewan
Author

gonghewan commented Nov 18, 2024

> Hello @gonghewan what is the output from :
> $ curl -v --header "Host: rest.db.ripe.net" -k https://localhost:40931/metadata/templates/inetnum

* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:45041...
* Connected to localhost (::1) port 45041
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection
curl: (35) OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure

I tried placing server.key, server.crt and ca.crt into apache2, and apache2 works fine over HTTPS. Like:

curl -v https://localhost

* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:443...
* Connected to localhost (::1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /usr/lib/ssl/cert.pem
*  CApath: /usr/lib/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate in certificate chain
* Closing connection
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

Btw, I found that whois has a log line that says:
2024-11-15T03:18:44,107 INFO [JettyBootstrap] Selected Ciphers []
Will the lack of cipher algorithms have any impact?

@gonghewan
Author

gonghewan commented Nov 18, 2024

I created a new key and cert and verified them with openssl again; they also work fine in apache2:
Server.crt:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Server.key:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

ca.key:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

ca.crt:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

openssl s_server -accept 10001 -key server.key -cert server.crt
output is:

Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEICifjaMkuqnBMiNQB4qri/5IYwhr6Lnth70WiCRiFE7L
BDCPs1X5f168KC57bYp0dz1Mv4NJs/Hk04N1H1pBsXpZxS3EjeLqEi28XWyUvAsS
sDmhBgIEZzrmlaIEAgIcIKQGBAQBAAAArgYCBHCDhdKzAwIBHQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: x25519:secp256r1:x448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: x25519:secp256r1:x448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported

openssl s_client -connect localhost:10001
output is:

CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
verify return:1
depth=0 C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
verify return:1
---
Certificate chain
 0 s:C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
   i:C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 18 03:04:57 2024 GMT; NotAfter: Nov 16 03:04:57 2034 GMT
 1 s:C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
   i:C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 18 03:02:33 2024 GMT; NotAfter: Nov 16 03:02:33 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
issuer=C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2530 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9EF3E860537015AD0CEDFB56265B4D15DBEE6F45971F0D705AE2E9EB7F44ACED
    Session-ID-ctx: 
    Resumption PSK: 82928D2A65D7199437BE76F899E9FEE920903B1E5B8D5093EC3626DC5313D2BBB2E5AC53F3E2E3BB7EEBDEFD60BA3ABB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 95 07 9d ec bb cb 18 66-b6 89 df 33 3c e8 9f e1   .......f...3<...
    0010 - 59 44 16 f7 3e 40 ba 7f-f7 a8 69 ce 36 67 8b d8   YD..>@....i.6g..
    0020 - 75 c3 f4 5c 1e f5 72 37-51 c7 f5 31 1d b0 5c 17   u..\..r7Q..1..\.
    0030 - 27 ba 97 ba 52 b5 36 0e-70 0a 3e 9b 8d e5 78 ac   '...R.6.p.>...x.
    0040 - a1 5b 37 db b1 7d 52 f6-98 60 fb e3 10 8f 9d 1a   .[7..}R..`......
    0050 - 56 ce 3e 84 3f 4a 88 6a-a7 c7 4e 02 c7 64 d5 02   V.>.?J.j..N..d..
    0060 - 24 a5 c0 ae e9 ad 60 e6-c3 73 ed 85 24 ae 9c 37   $.....`..s..$..7
    0070 - b2 a6 8f ac 62 46 b3 8e-f2 fe 82 1c cb 3a e5 38   ....bF.......:.8
    0080 - c9 ae f4 f1 5b bc c0 51-bc b1 bd a6 e2 b6 50 90   ....[..Q......P.
    0090 - 2e b8 ca 7d 48 81 d6 04-f2 3c 99 d0 76 53 ab c7   ...}H....<..vS..
    00a0 - d6 1a c0 b2 27 9e 9f b9-40 aa bf 9a 4f 25 db ab   ....'[email protected]%..
    00b0 - e0 df 09 d1 c8 93 ce b3-9b b3 af 9b 68 bb 84 b8   ............h...
    00c0 - b0 6c 12 dd a3 95 db 66-cd ed 3a ac d8 d9 c0 8b   .l.....f..:.....

    Start Time: 1731913365
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3A0DF899DFF4198F946FD618AFC9B0BD9E7DAEF4C121DA9C95EBE5085DBE6DB2
    Session-ID-ctx: 
    Resumption PSK: 8FB355F97F5EBC282E7B6D8A74773D4CBF8349B3F1E4D383751F5A41B17A59C52DC48DE2EA122DBC5D6C94BC0B12B039
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 95 07 9d ec bb cb 18 66-b6 89 df 33 3c e8 9f e1   .......f...3<...
    0010 - db b5 3b 14 bc f9 a3 55-3a 3b 22 64 6a 06 25 53   ..;....U:;"dj.%S
    0020 - 23 c0 b0 27 b0 95 53 b1-34 ca 59 60 48 f6 64 4a   #..'..S.4.Y`H.dJ
    0030 - b5 0f 6d 3d f1 7f c3 37-bd a7 84 7f 8a 38 58 e3   ..m=...7.....8X.
    0040 - 55 82 36 dc 34 4d 32 6a-d4 81 20 90 47 5a 6f 88   U.6.4M2j.. .GZo.
    0050 - 96 ae 10 59 1b 54 1c 43-79 ce b2 09 0f b3 9e 30   ...Y.T.Cy......0
    0060 - 40 d3 4c 12 28 19 2c c4-2e f2 74 f7 d0 24 0b 1a   @.L.(.,...t..$..
    0070 - cd 22 e7 66 f7 b8 32 73-f9 69 5a 1d 86 af f1 2e   .".f..2s.iZ.....
    0080 - f7 ec 40 46 33 83 55 b1-e9 47 89 da 4d d3 f1 c8   [email protected]...
    0090 - ff b7 d8 9a f5 34 af ee-5e 01 9f 4b 26 9b e9 66   .....4..^..K&..f
    00a0 - ff ab 22 d9 26 8a 9e fd-b4 8e 33 9b 03 2a 85 89   ..".&.....3..*..
    00b0 - 40 6c 3a de 10 18 38 02-67 2e 9c db 39 67 9f 6e   @l:...8.g...9g.n
    00c0 - f9 00 84 a6 1b 91 a8 5d-e4 3e 44 6b af f7 1d 6c   .......].>Dk...l

    Start Time: 1731913365
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

However, when I use them in Whois, it still fails:
curl -v --header "Host: rest.db.ripe.net" -k https://localhost:45721/whois/metadata/templates/inetnum

* Host localhost:45721 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:45721...
* Connected to localhost (::1) port 45721
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection
curl: (35) OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure

more details:
openssl s_client -connect localhost:45721 -tls1_3

CONNECTED(00000003)
Can't use SSL_get_servername
4087A31438790000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1599:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 243 bytes and written 225 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Also, I tried using sslContextFactory.setIncludeCipherSuites() and rebuilding whois to add some ciphers, but it doesn't work.
Curl version:

curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.2.0 libpsl/0.21.2 (+libidn2/2.3.7) libssh/0.10.6/openssl/zlib nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.6.7
Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.4
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

Openssl version:

OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

@eshryane
Member

Hi @gonghewan, I see the alternative name in the server certificate is dns.nic.edu.cn. Can you try:

curl -v --header "Host: dns.nic.edu.cn" -k https://localhost:40931/metadata/templates/inetnum

@gonghewan
Author

gonghewan commented Nov 18, 2024

> Hi @gonghewan I see the alternative name in the server certificate is dns.nic.edu.cn can you try
>
> curl -v --header "Host: dns.nic.edu.cn" -k https://localhost:40931/metadata/templates/inetnum

It's a fake DNS name, and I get the same result:

* Host localhost:45721 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:45721...
* Connected to localhost (::1) port 45721
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection
curl: (35) OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure

@eshryane
Member

> Btw, I found that whois has a log says:
> 2024-11-15T03:18:44,107 INFO [JettyBootstrap] Selected Ciphers []
> Will the lack of Ciphers algorithm have any impact?

Empty ciphers is OK. What matters is that the certificate is found:

2024-11-15T03:18:44,106 INFO [JettyBootstrap] Certificate: X509@54a0ada1(cn=unknown,ou=unknown,o=unknown,l=unknown,st=unknown,c=unknown,h=[unknown],a=[],w=[])
2024-11-15T03:18:44,107 INFO [JettyBootstrap] Selected Protocols [TLSv1.3, TLSv1.2]

Maybe the issue is that Jetty does not trust a self-signed certificate. We use Let's Encrypt to generate per-host certificates.

@eshryane
Member

Try using the "-k" flag for curl to trust the self-signed certificate, i.e.

curl -v -k https://localhost/...

@gonghewan
Author

gonghewan commented Dec 3, 2024

Resolved it by openssl rsa -in server.key -out server_tra.key -traditional.
I added some log info and found that the error occurred when whois was parsing my server.key in PKCS#8 format.
So I tried converting server.key to traditional PKCS#1 and it works. I read the source code again and found that whois accepts PKCS#1 by default.
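The symptom in this thread is worth recognising: Jetty logs a certificate and selected protocols, curl's handshake gets as far as Encrypted Extensions and then receives alert 40 (handshake_failure), and s_client reports "no peer certificate available". That is what a TLS server looks like when it has no usable key/certificate pair at handshake time, which here was caused by the key file being PKCS#8 ("BEGIN PRIVATE KEY") where whois reads PKCS#1 ("BEGIN RSA PRIVATE KEY"). The following preflight check is an added example and not code from the RIPE whois project: it classifies a PEM private key by both its header and its DER structure, and unwraps an unencrypted PKCS#8 RSA key into PKCS#1 using only the standard library, the same transformation `openssl rsa -traditional` performs. The function names are mine, and the sample key in `build_sample_pkcs8` is a constructed fixture with toy integers, structurally valid DER but not a usable key.

```python
"""Preflight check for the private key that whois.private.keys points at.

Distinguishes PKCS#1 ("BEGIN RSA PRIVATE KEY") from PKCS#8 ("BEGIN PRIVATE
KEY") and unwraps an unencrypted PKCS#8 RSA key into PKCS#1, the same
transformation `openssl rsa -traditional` performs.  Standard library only.
Added example; not code from the RIPE whois project.
"""
import base64
import re

# 1.2.840.113549.1.1.1 (rsaEncryption), OID content bytes as they appear in DER
RSA_OID = bytes.fromhex("2a864886f70d010101")
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
LABELS = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8"}


def parse_pem(text: str):
    """Return (label, der_bytes) for the first PEM block in text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def to_pem(label: str, der_bytes: bytes) -> str:
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def read_tlv(buf: bytes, pos: int = 0):
    """Minimal DER reader: (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER writer, used to build the sample fixture."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(v: int) -> bytes:
    # (bit_length + 8) // 8 leaves room for the leading 0x00 when the top bit is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def der_shape(body: bytes) -> str:
    """Classify by structure rather than header. Both formats open with
    SEQUENCE { INTEGER version, ... }; PKCS#8 continues with the
    AlgorithmIdentifier SEQUENCE, PKCS#1 with the RSA modulus INTEGER."""
    tag, seq, _ = read_tlv(body)
    if tag != 0x30:
        raise ValueError("top-level element is not a SEQUENCE")
    _, _, pos = read_tlv(seq)              # skip the version INTEGER
    second, _, _ = read_tlv(seq, pos)
    if second == 0x30:
        return "PKCS#8"
    if second == 0x02:
        return "PKCS#1"
    raise ValueError(f"unexpected tag 0x{second:02x} after version")


def key_format(pem: str) -> str:
    """Report the key format and flag a header that contradicts the DER."""
    label, body = parse_pem(pem)
    if label == "ENCRYPTED PRIVATE KEY":
        return "PKCS#8-encrypted"
    if label not in LABELS:
        raise ValueError(f"not a private key block: {label}")
    shape = der_shape(body)
    if shape != LABELS[label]:
        raise ValueError(f"header says {label} but DER structure is {shape}")
    return shape


def pkcs8_to_pkcs1(pem: str) -> str:
    """Unwrap PrivateKeyInfo { version, AlgorithmIdentifier, OCTET STRING privateKey }."""
    label, body = parse_pem(pem)
    if label == "RSA PRIVATE KEY":
        return pem                          # already traditional PKCS#1
    if label != "PRIVATE KEY":
        raise ValueError(f"cannot convert {label} (decrypt encrypted keys first)")
    _, info, _ = read_tlv(body)
    _, version, pos = read_tlv(info)
    if version != b"\x00":
        raise ValueError("unsupported PKCS#8 version")
    _, alg, pos = read_tlv(info, pos)
    oid_tag, oid, _ = read_tlv(alg)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not rsaEncryption; only RSA keys have a PKCS#1 form")
    tag, rsa_der, _ = read_tlv(info, pos)
    if tag != 0x04:
        raise ValueError("privateKey field is not an OCTET STRING")
    return to_pem("RSA PRIVATE KEY", rsa_der)


def build_sample_pkcs8():
    """Constructed fixture: RSAPrivateKey with toy integers (p=61, q=53),
    structurally valid DER but NOT a usable key, wrapped in PKCS#8."""
    fields = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]   # version,n,e,d,p,q,dP,dQ,qInv
    rsa_der = der(0x30, b"".join(der_int(v) for v in fields))
    alg_id = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    pkcs8 = der(0x30, der_int(0) + alg_id + der(0x04, rsa_der))
    return rsa_der, to_pem("PRIVATE KEY", pkcs8)
```

To use it against a real file, read the PEM text, call `key_format` to see which form you have, and write the result of `pkcs8_to_pkcs1` to the path configured in `whois.private.keys`. The structural check in `der_shape` matters because a key that has been renamed or re-labelled by hand can carry the right header and still fail to parse; comparing header and DER shape catches that before the server silently drops handshakes.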
