Setting up secure WebSocket server with Jetty and JavaScript client

Front-end · Open · 2 replies · 1604 views
我寻月下人不归 2021-02-10 09:08

I am trying to setup a secure WebSocket server with Jetty like the following:

import java.util.ArrayList;
import java.util.List;

import org.eclipse.jetty.http.H         

2 answers
  •  醉梦人生
    2021-02-10 09:34

    I'd like to add on to riverhorse's answer (I would add a comment, but at the time of writing I did not have the 50 required reputation to comment on answers).

    While that answer shows how to complete the process with a self-signed key, I figured out how to do it with CA-signed certificates.

    To do this I will assume you have access to 3 files, which are the usual files you receive when purchasing a CA-signed certificate.

    Note: you may have files like example.crt, example_key.txt, and all kinds of variations. That will not matter as long as their contents match the file they are meant to describe. In other words, all of the files are just text, so as long as they contain the required text for that specific file, you can use that file instead (or you can change the name).

    example.cer -> the main certificate
    
    example.key -> the key for the certificate
    
    example.ca-bundle -> the intermediate certificate
    

    The first step is to combine the main certificate and the intermediate into one file like so.

    Note that the order is important: the main certificate should come before the intermediate certificates.

    cat example.cer example.ca-bundle > cert-chain.txt
    

    Now the next step is to use the example.key and the new cert-chain.txt to generate a pkcs12 file (which can then be put into the keystore). These steps are very similar to riverhorse's answer.

    So run the following. Every time it asks for a password, keep it the same; you will eventually use it in the code.

    openssl pkcs12 -export -inkey example.key -in cert-chain.txt -out example.pkcs12
    

    The last step is to import into the keystore using

    keytool -importkeystore -srckeystore example.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
    

    If you run into an issue like "unable to load certificates 140126084731328:error:0908F066:PEM routines:get_header_and_data:bad end line:../crypto/pem/pem_lib.c:842", check the bottom of this answer for a potential fix that worked for me.

    Now you have the keystore for your jetty program and you can go back to riverhorse's example to see how that would be applied.

    If you want to check that the keystore has the certificates you can run

    keytool -list -v -keystore keystore > output_filename.txt
    

    and then use cat output_filename.txt or nano output_filename.txt to see the contents.

    These steps came from riverhorse's answer along with these 2 links below

    https://www.thesslstore.com/knowledgebase/ssl-install/jetty-java-http-servlet-webserver-ssl-installation/

    Really helpful in showing the overall steps, but I did not find success until combining it with the other link (however, your mileage may vary, as it's very possible I made a mistake in my first try).

    https://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Requesting_a_Trusted_Certificate

    Check the header "Loading Keys and Certificates via PKCS12". This link in general is somewhat outdated, as using the openssl command to load the pkcs12 into the keystore was not a thing at that point, but it showed best how to deal with intermediate certificates.

    Potential Fix to loading issue:

    If you had this issue, one possible thing that could have caused it is the cert-chain.txt file. Open it and check that none of the lines between two certificates look like this (5 before and after):

    -----END CERTIFICATE----------BEGIN CERTIFICATE-----
    

    as they should be

    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    

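The whole procedure from the answer above as one script, added here as an example rather than taken from the answer or from Jetty's own documentation: it builds cert-chain.txt with the leaf certificate first, repairs the fused "END/BEGIN" boundary that produces the "bad end line" error instead of leaving you to find it by hand, checks the result, then runs the same openssl and keytool commands. The file names example.key, example.cer and example.ca-bundle are the placeholders the answer uses; the alias "jetty", the output name keystore.p12 and the KS_PASS environment variable are assumptions of this script, as is the use of the ":env" password form so the password never appears on a command line.

```shell
#!/bin/sh
# Added example (not code from the original answer or from the Jetty project).
# Builds a PKCS12 keystore for Jetty from a CA-issued certificate, its key and
# the CA bundle.  Assumed: input file names as in the answer, alias "jetty",
# password supplied in the KS_PASS environment variable.
set -eu

# fix_pem_chain OUT LEAF BUNDLE...: concatenate the PEM files in the order
# given (leaf first, then intermediates) and split any END/BEGIN pair that a
# missing trailing newline has fused onto one line, which is the "bad end
# line" failure described above.
fix_pem_chain() {
    out=$1; shift
    cat "$@" | awk '{
        gsub(/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/,
             "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----")
        print
    }' > "$out"
}

# pem_boundaries_ok FILE: succeed only if every BEGIN/END line stands alone
# and the counts match, i.e. the file is a clean stack of PEM blocks.
pem_boundaries_ok() {
    if grep -q -e '-----END CERTIFICATE-----.' "$1"; then return 1; fi
    if grep -q -e '.-----BEGIN CERTIFICATE-----' "$1"; then return 1; fi
    b=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    e=$(grep -c -e '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# count_certs FILE: number of certificates in a PEM chain file.
count_certs() {
    grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# build_keystore KEY LEAF BUNDLE KEYSTORE: the answer's three steps, with the
# chain check in between.  Needs openssl and keytool on PATH and KS_PASS set.
build_keystore() {
    key=$1; leaf=$2; bundle=$3; ks=$4
    : "${KS_PASS:?set KS_PASS to the password the keystore should get}"

    fix_pem_chain cert-chain.txt "$leaf" "$bundle"
    pem_boundaries_ok cert-chain.txt || {
        echo "cert-chain.txt still has malformed PEM boundaries" >&2; return 1; }
    echo "cert-chain.txt holds $(count_certs cert-chain.txt) certificate(s)"

    # Key + full chain into one PKCS12 entry; one password throughout,
    # read from the environment rather than typed or put on the command line.
    openssl pkcs12 -export -inkey "$key" -in cert-chain.txt -name jetty \
        -passout env:KS_PASS -out example.pkcs12

    # Import into the keystore Jetty will read (PKCS12, same password).
    keytool -importkeystore -srckeystore example.pkcs12 -srcstoretype PKCS12 \
        -srcstorepass:env KS_PASS -destkeystore "$ks" -deststoretype PKCS12 \
        -deststorepass:env KS_PASS -noprompt

    # Same check as the answer's "keytool -list -v", reduced to the lines that
    # prove the key and the whole chain landed: expect chain length >= 2.
    keytool -list -v -keystore "$ks" -storepass:env KS_PASS \
        | grep -E 'Alias name|Entry type|Certificate chain length|Owner:'
}

# Usage: KS_PASS=... sh make-jetty-keystore.sh example.key example.cer example.ca-bundle keystore.p12
if [ "$#" -eq 4 ]; then
    build_keystore "$@"
fi
```

If the final listing shows "Certificate chain length: 1", the intermediate was not taken along and browsers that lack the CA bundle will reject the handshake; rebuild cert-chain.txt and re-export rather than importing the intermediate separately.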