I am having an issue with ssl configuration, my configuration is as follows:
server.port=8449
# self signed cert with CN=localhost used for https method tests
server.ssl.key-store=keystore.p12
server.ssl.key-password=password
server.ssl.key-alias=some-alias
server.ssl.key-store-type=PKCS12
When used with Spring Boot version 1.3.7 everything works. After upgrading to 1.4.0, on the client side I get:
javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:287)
at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:255)
at org.glassfish.jersey.client.JerseyInvocation$2.call(JerseyInvocation.java:700)
at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
at org.glassfish.jersey.internal.Errors.process(Errors.java:228)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:444)
at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:696)
at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:448)
And calling the SSL port from Chrome results in:
The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.
Similar error from Firefox as well.
As I said, the only thing that differs in the configuration is the Spring Boot version. Am I missing something in the configuration so that it can be used with the newer version of Spring Boot?
Thanks in advance. Cheers!
P.S. I am not very knowledgeable in SSL-related topics, so please try to explain it somewhat simply.
I managed to resolve this issue thanks to this Boot's Tomcat SSL sample provided by Andy.
server.port=8449
# self signed cert with CN=localhost used for https method tests
server.ssl.key-store=keystore.p12
server.ssl.key-password=password
server.ssl.key-alias=some-alias
server.ssl.key-store-type=PKCS12
My guess (I could be wrong about this) is that Tomcat 8.5.4 requires server.ssl.key-store-password=password to be specified; it is not enough to have just server.ssl.key-password specified. So after updating the configuration I came up with something like this:
server.port=8449
# self signed cert with CN=localhost used for https method tests
server.ssl.key-store=keystore.p12
server.ssl.key-store-password=changeit
server.ssl.key-alias=some-alias
server.ssl.key-password=changeit
server.ssl.key-store-type=PKCS12
And now it works as intended :) Hope this answer helps someone else.
P.S. Yeah, I know it's bad to use the same password for both specific key and the general store, but this is just a test key store.
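The two passwords in the answer map onto two distinct steps when the keystore is opened: the store password (server.ssl.key-store-password) is what KeyStore.load() needs to open and integrity-check the PKCS12 file, and the key password (server.ssl.key-password) is what KeyStore.getKey() needs to decrypt the private-key entry. If either step fails, the server ends up with no usable certificate and key, so it cannot offer any cipher suite and the client sees exactly the symptoms from the question: handshake_failure in Jersey and the "no common SSL protocol version or cipher suite" message in Chrome. The following diagnostic is an added example (not code from the question, the answer, or Spring Boot) that performs those two steps the way an embedded container would and reports which one breaks. It assumes the keystore file, alias and passwords from the answer's configuration are passed on the command line; the class name KeystoreCheck is made up for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example (hypothetical class, not part of Spring Boot or Tomcat).
 * Opens a PKCS12 store in the same two steps a servlet container uses:
 *   1. KeyStore.load(...)   with the store password  (server.ssl.key-store-password)
 *   2. KeyStore.getKey(...) with the key password    (server.ssl.key-password)
 * and reports which step fails, so a misconfigured password is found before
 * it surfaces as an opaque TLS handshake_failure on the client.
 *
 * Usage: java KeystoreCheck keystore.p12 changeit some-alias changeit
 */
public class KeystoreCheck {

    public static void main(String[] args) throws IOException {
        if (args.length != 4) {
            System.err.println("usage: KeystoreCheck <keystore.p12> <store-password> <alias> <key-password>");
            System.exit(2);
        }
        System.out.println(check(args[0], args[1].toCharArray(), args[2], args[3].toCharArray()));
    }

    /** Returns a one-line verdict; only unexpected I/O problems propagate as exceptions. */
    public static String check(String path, char[] storePassword, String alias, char[] keyPassword)
            throws IOException {
        KeyStore ks;
        try {
            ks = KeyStore.getInstance("PKCS12");
            try (FileInputStream in = new FileInputStream(path)) {
                // Step 1: the store password. A wrong one is reported by the JDK as an
                // IOException whose cause is UnrecoverableKeyException.
                ks.load(in, storePassword);
            }
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return "step 1 failed: store password rejected (check server.ssl.key-store-password): "
                        + e.getMessage();
            }
            throw e; // file missing, unreadable, or not a PKCS12 container
        } catch (GeneralSecurityException e) {
            return "step 1 failed: cannot open store: " + e;
        }

        if (!ks.containsAlias(alias)) {
            try {
                return "alias '" + alias + "' not found; store contains: " + Collections.list(ks.aliases());
            } catch (GeneralSecurityException e) {
                return "alias '" + alias + "' not found";
            }
        }

        try {
            if (!ks.isKeyEntry(alias)) {
                return "alias '" + alias + "' is a trusted-certificate entry, not a private key; "
                        + "a server cannot terminate TLS with it";
            }
            // Step 2: the per-entry key password.
            Key key = ks.getKey(alias, keyPassword);
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            leaf.checkValidity(); // expired or not-yet-valid certs also produce client-side failures
            return "OK: " + key.getAlgorithm() + " private key for '" + alias + "', subject "
                    + leaf.getSubjectX500Principal() + ", valid until " + leaf.getNotAfter();
        } catch (UnrecoverableKeyException e) {
            return "step 2 failed: key password rejected for '" + alias
                    + "' (check server.ssl.key-password): " + e.getMessage();
        } catch (CertificateException e) {
            return "certificate for '" + alias + "' is outside its validity period: " + e.getMessage();
        } catch (GeneralSecurityException e) {
            return "step 2 failed: " + e;
        }
    }
}
```

Run it once with the store password and once with a deliberately wrong value to see which property each failure corresponds to; when both steps report OK for the alias you configured, the container will have a usable key and certificate, and a remaining handshake failure is a protocol or cipher-suite negotiation problem rather than a keystore problem.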