Issues using certificates with multiple Subject Alternate Names in Jetty

Description

Upgraded from v3.4.6 to v4.0.0 and container would bomb out after bringing up the IDP application during the listener phase of Jetty startup with the following error:

Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
  at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
  at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
  at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)

The "frontchannel" certificate on this instance has a Subject Alternate Name (which happens to be www.HOSTNAME, possibly inserted by the Issuing CA).
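The error above comes from Jetty's base SslContextFactory: when the keystore's certificate carries Subject Alternative Names, load() needs an SNI-aware key manager, which only the Server and Client subclasses provide. The activity below records that the fix was simply to switch the context factory to the .Server variant. The following Java is an added illustration of that change in embedded-Jetty form; it is not the IdP installer's own configuration, and the keystore path, password and port are placeholder assumptions.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class FrontchannelTlsExample {

    // Assumed placeholders: point these at the real frontchannel keystore.
    static final String KEYSTORE_PATH = "/path/to/frontchannel-keystore.p12";
    static final String KEYSTORE_PASSWORD = "changeit";
    static final int HTTPS_PORT = 8443;

    // Before: the deprecated base class. With a certificate that has SAN entries
    // (here www.HOSTNAME next to HOSTNAME), load() tries to build the SNI key manager
    // and throws the IllegalStateException quoted in the issue at server start.
    @SuppressWarnings("deprecation")
    static SslContextFactory legacyFactory() {
        SslContextFactory factory = new SslContextFactory();
        factory.setKeyStorePath(KEYSTORE_PATH);
        factory.setKeyStorePassword(KEYSTORE_PASSWORD);
        factory.setKeyStoreType("PKCS12");
        return factory;
    }

    // After: the server-side subclass, which supports keystores whose certificates
    // cover several names and selects the right one per SNI-indicated host.
    static SslContextFactory.Server serverFactory() {
        SslContextFactory.Server factory = new SslContextFactory.Server();
        factory.setKeyStorePath(KEYSTORE_PATH);
        factory.setKeyStorePassword(KEYSTORE_PASSWORD);
        factory.setKeyStoreType("PKCS12");
        return factory;
    }

    // Builds the HTTPS connector the same way for either factory; only the
    // factory type decides whether start() succeeds with a multi-name certificate.
    static ServerConnector httpsConnector(Server server,
                                          SslContextFactory sslContextFactory,
                                          int port) {
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(port);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector connector = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
        connector.setPort(port);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        // Use serverFactory(); swapping in legacyFactory() reproduces the failure
        // described in this issue when the keystore certificate has SAN entries.
        server.addConnector(httpsConnector(server, serverFactory(), HTTPS_PORT));
        server.start();
        server.join();
    }
}
```

In a jetty-base managed by XML rather than Java, the equivalent change is the class attribute on the context factory's New or Configure element, from org.eclipse.jetty.util.ssl.SslContextFactory to org.eclipse.jetty.util.ssl.SslContextFactory$Server; setter names stay the same.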

Environment

Windows 2012 R2

Amazon Coretto 11

IdP 4.0.0 MSI Installer managed Jetty

Activity

Rod Widdowson May 23, 2020 at 2:22 PM

  • Moved the windows 9.4 branch to match latest jetty and latest other changes.

  • Did a build and test (including SOAP).

  • Renamed the artefact to make it obvious which version of jetty it is for

  • Built the artefact and tagged it (with a better name).

  • pushed everything

I think this is now done. Resolving. I'll close later when I'm sure it's done.

Rod Widdowson May 22, 2020 at 8:53 AM

  • Made and tested changes to the testbed pom to add this as a dependency.

  • I've made the same change (== cherry-picked the changes) into the windows branch

  • I've done the review and made the changes required for the jetty update

    • A lot of comments in xml files have been mangled in this jetty version so I have mangled our versions as well to make the diffs readable

    • The only functional change is to add the .Server thing to that context factory.

  • Not pushing the fix pending further testing (I need to build and test an installer)

Rod Widdowson May 21, 2020 at 2:33 PM

I spotted that as soon as I'd put the comment in. Sorry

Scott Cantor May 21, 2020 at 2:13 PM

We don't really use the SNAPSHOT of this artifact, once it was built, that was what got used. I did the release this morning so it should be a fixed change now.

Rod Widdowson May 21, 2020 at 2:01 PM

We'll also need to crank a "build" of it at some stage - that is unless we want the testbed and all other jetty-base consumers (windows installer and integration test) to be using jetty94-dta-ssl-1.0.1-SNAPSHOT.jar (which I'd sooner avoid for the windows installer, although I can do a build myself if needed)

Fixed

Created May 18, 2020 at 2:41 PM
Updated May 27, 2020 at 9:25 AM
Resolved May 23, 2020 at 2:24 PM