
SSL not working in eXist 5.2 #3356

Closed
jmcneal9 opened this issue Apr 10, 2020 · 6 comments

@jmcneal9

jmcneal9 commented Apr 10, 2020

Describe the bug
SSL not working in eXist 5.2

Expected behavior
App fails to load using HTTPS

To Reproduce
Set up a keystore/truststore with a single cert
Restart eXist
load the app in a browser using HTTPS like https://localhost/exist/apps/myApp/index.html

Context (please always complete the following information):

  • OS: Windows Server 2019 Standard
  • eXist-db version: 5.2.0
  • Java Version: Java 1.8.0_221

Additional context

java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
	at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
	at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.eclipse.jetty.server.Server.doStart(Server.java:385)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.exist.jetty.JettyStart.startJetty(JettyStart.java:465)
	at org.exist.jetty.JettyStart.run(JettyStart.java:237)
	at org.exist.jetty.JettyStart.main(JettyStart.java:95)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.exist.start.Main.invokeMain(Main.java:118)
	at org.exist.start.Main.runEx(Main.java:248)
	at org.exist.service.ExistDbDaemon.start(ExistDbDaemon.java:36)
	at org.exist.service.ExistDbDaemon.start(ExistDbDaemon.java:64)
@triage-new-issues triage-new-issues bot added the triage issue needs to be investigated label Apr 10, 2020
@jmcneal9 jmcneal9 changed the title [BUG] SSL not working in eXist 5.2 Apr 10, 2020
@line-o
Member

line-o commented Apr 10, 2020

@jmcneal9 The error message in the stack trace you provided hints at a problem with your keystore: KeyStores with multiple certificates are not supported on the base. Have you tried using a KeyStore with only one base certificate?

@line-o line-o added the awaiting-response requires additional information from submitter label Apr 10, 2020
@triage-new-issues triage-new-issues bot removed the triage issue needs to be investigated label Apr 10, 2020
@jmcneal9
Author

jmcneal9 commented Apr 10, 2020

@jmcneal9 The error message in the stack trace you provided hints at a problem with your keystore: KeyStores with multiple certificates are not supported on the base. Have you tried using a KeyStore with only one base certificate?

I only have a single cert. This is a fresh install with a single cert in a new keystore. This same keystore works fine in eXist 2.2, 3.4.1, and 4.6.1.

While a different platform, it looks like there was a similar issue with Jenkins. https://issues.jenkins-ci.org/browse/JENKINS-60857.

Also possibly related - jetty/jetty.project#4385.

@line-o line-o added investigate issues being looked at and removed awaiting-response requires additional information from submitter labels Apr 10, 2020
@joewiz
Member

joewiz commented Apr 10, 2020

Just to confirm, is your certificate for localhost?

@jmcneal9
Author

The cert is for a public domain. It's actively being used for a 2.2 instance.

However, I've tested it with localhost as well for 3.4.1, 4.6.1, and just now, 4.71 and it works.

In the 5.x builds, I've tried this with 5.1.1 and 5.2 - both throw that error in exist-db-stderr..log.

From what I've been reading (mentioned in jetty/jetty.project#4385 - "The change is on purpose throwing to get users to update to use SslContextFactory.Server")

In jetty/jetty.project#4425, they were able to resolve the issue by changing:
SslContextFactory sslContextFactory = new SslContextFactory("server.pkcs12");

to

SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath("server.pkcs12");

Basically, it seems like you're supposed to specify .Server or .Client for SSLContextFactory, for the latest versions of Jetty. Since I'm configuring the keystore/truststore in jetty-ssl-context.xml, I'm not sure if there is a way to specify Server/Client there.

I have found a bit of hope in the Jetty docs where they specify the configuration like:
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">

I still need to test this though.

@adamretter
Contributor

adamretter commented Apr 11, 2020

@jmcneal9 We already switched over to using SslContextFactory$Server for the upcoming 5.3.0 release, see - https://github.com/eXist-db/exist/blob/develop/exist-jetty-config/src/main/resources/org/exist/jetty/etc/jetty-ssl-context.xml#L13

This was done in PR #3248.

Maybe you want to test a snapshot build of that?
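The class-attribute change the thread converges on, shown as a constructed jetty-ssl-context.xml fragment added here (it is not eXist's shipped file nor code from anyone in this issue); the setter names are Jetty's standard SslContextFactory properties, and the keystore paths and passwords are placeholders:

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- Recent Jetty 9.4 releases deliberately throw the IllegalStateException quoted in this
     issue when a server connector is built on the base SslContextFactory. The fix is the
     class attribute: the nested class is written with '$' because Jetty XML takes the JVM
     binary name of the class.

     Before (fails at startup):
       <Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
     After: -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">

  <!-- Placeholder paths and passwords; replace with your own, not values from this issue. -->
  <Set name="KeyStorePath"><Property name="jetty.base" default="."/>/etc/keystore.p12</Set>
  <Set name="KeyStoreType">PKCS12</Set>
  <Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword" default="CHANGE-ME"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyManagerPassword" default="CHANGE-ME"/></Set>

  <!-- A truststore only matters if the server is to verify client certificates. -->
  <Set name="TrustStorePath"><Property name="jetty.base" default="."/>/etc/truststore.p12</Set>
  <Set name="TrustStoreType">PKCS12</Set>
  <Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword" default="CHANGE-ME"/></Set>
  <Set name="NeedClientAuth">false</Set>
  <Set name="WantClientAuth">false</Set>

  <!-- Hygiene: prefer the server's cipher-suite order and disable legacy protocol versions. -->
  <Set name="useCipherSuitesOrder">true</Set>
  <Call name="addExcludeProtocols">
    <Arg><Array type="String"><Item>SSLv3</Item><Item>TLSv1</Item><Item>TLSv1.1</Item></Array></Arg>
  </Call>
</Configure>
```

After restarting, the absence of the "KeyStores with multiple certificates" line in the stderr log is the quickest confirmation that the server-side factory is now in use.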

@adamretter adamretter added this to the eXist-5.2.1 milestone Apr 11, 2020
@adamretter adamretter self-assigned this Apr 11, 2020
@dizzzz dizzzz added the awaiting-response requires additional information from submitter label Apr 18, 2020
@adamretter
Contributor

@jmcneal9 I am closing this as we have had no response from you for 1 month. Feel free to re-open if it's still an issue.

@adamretter adamretter removed the awaiting-response requires additional information from submitter label May 11, 2020