Thursday, March 9, 2017

I recently opened a defect on Netty. While they responded very quickly, the person I worked with insisted that it was not a bug and that something with the certificates was being messed up.
I don't know how to get things working with Netty, but things work with core Java and Mina, so it looks like Miranda will be going with Mina.
Tuesday, March 7, 2017
Mina Seems to Work
I tried using Apache MINA in a test program (up on GitHub at https://github.com/ClarkHobbie/ssltest3) and it worked. I have posted a bug to the Netty project and will see what they do with it. In the meantime I will use Apache MINA.
This is not an indictment of Netty, I will be able to switch over if the folks there figure out what is going wrong.
UPDATE
The folks at Netty (specifically, normanmaurer) got back to me almost immediately and asked me to try 4.1.9. I did and it still had problems, but I am very impressed with how fast they got back to me.
Sunday, March 5, 2017
To Post or not to Post
I have been taking an online course on AngularJS in the hopes that I could use it on the admin side of Miranda. During my setup of the web site (I'm using Jetty, btw) I discovered that Chrome doesn't like my certificate authority either.
I was planning on posting a bug to Netty regarding my difficulties in using a local CA, but I think I will wait until Chrome likes my web site.
Thursday, March 2, 2017
Apologies to netty
Yesterday I saw just how bad SSL/TLS was for nio and java and realised just how much work the folks who put out netty really have to do. Up until now, I have been frustrated with netty only to gain respect for anyone who will deal with SSL/TLS using non-blocking I/O in java.
So in summary I am sorry for my attitude up until now and will try to do better.
Wednesday, March 1, 2017
Who is Responsible for nio TLS?
And I thought netty was bad...
It doesn't hold a candle to nio TLS...
Consider this link. My god, you would need to be a TLS expert to use it! And this is from Oracle...
Putting the reasons aside for the moment, it seems clear that
- nio TLS is non-trival to use
- There are very few libraries available
And this is after 10 years!
I am speechless. Either developers are not using SSL/TLS with Java, or I am missing something.
Tuesday, February 28, 2017
New Versions of SSLTest on GitHub
I got the netty and non-netty versions of SSL test up on github at
https://github.com/ClarkHobbie/ssltest
(netty version)
https://github.com/ClarkHobbie/ssltest2
(non-netty version)
All hail netty!
Saturday, February 18, 2017
Someone is Responding (and its not me)
With the incredibly simple approach that I am taking, when a new topic is created it sends a message to a class called NewTopicHandlerReadyState, which should send a reply when a new topic is added.
So far so good.
Now the interesting bit (and when I say interesting I mean annoying) is that this class's reply is not getting through.
In fact, I can't see where the reply that is getting through is coming from.
I have concluded that this is one of those interesting features that netty adds for free.
What was I thinking when I chose netty?
At this point, I feel like not fighting, and just embracing the insanity.
All hail netty!
Monday, February 6, 2017
Strategic Withdrawal
After two weeks of wrestling with Netty TLS I'm going to move on to something else. The sad fact is that I cannot get TLS to work, and it's holding up progress.
The idea is to work with TLS turned off until I can get it working. I will work on TLS every day; I will just not let it block other tasks.
For the curious, the problem is that the server does not seem to get messages. The client gets them, but they are gibberish.
Saturday, January 28, 2017
Fun and Games with SSL and Netty
I had so much fun with SSL and netty that I will relay my solutions here.
This serves two purposes: firstly, anyone trying to do this can refer to my notes and hopefully avoid the hours of frustration I endured; but mostly, this will serve as a reminder when I have to do this again. Which, given my luck, will be tomorrow.
Paths
You will need to set up your PATH so that openssl and keytool can be executed directly.
openssl
This post assumes that you have openssl. I use Windows, so I got mine from
You can get openssl for different platforms from
Credit Where Credit is Due
This post borrows heavily from the Oracle docs for creating and using a certificate authority. You can find those docs at:
A Note on Passwords
For this example I am using the string "whatever" as my password for all the key stores. You can use something else, but the examples all assume "whatever" is the password. Treat it as a test-only value: the store password is what protects the private keys at rest, so outside of experiments use a real one, and a different one for the CA than for the nodes.
What I am Trying to Achieve
I am trying to have Miranda nodes communicate over SSL, so all the Miranda nodes need certificates. Rather than getting certs for all the nodes from a public CA, I am going to create a new certificate authority, sign all the node keys with it, and then trust that CA when I use SSL. Because the trust store below contains nothing but this CA, the nodes will accept only certificates it has signed, which also means the CA key has to be guarded at least as carefully as any node key: whoever holds it can mint a certificate for any node.
Instructions
- Create a New CA
- Create a trust store
- Create keys for each node
- Create certificate signing requests for each key
- Sign each request with the CA
- Import the CA to each node's keystore
- Import each CERT to the node's keystore
Create a New CA
openssl req -new -x509 -keyout ca-key.pem.txt -out ca-certificate.pem.txt -days 365
I used "whatever" as the password and took the defaults for the key.
Alternate Procedure for Creating the CA
openssl genrsa -out ca-key 2048
openssl req -x509 -new -key ca-key -out ca-certificate -days 365
Note the difference from the first procedure: genrsa without an encryption option (-aes256, for example) writes the CA private key to disk unencrypted, so anyone who can read ca-key can sign certificates your nodes will trust.
Create a Trust Store
After a bit of trial-and-error, I came up with this command:
keytool -import -keystore truststore -file ca-certificate.pem.txt -alias ca -storepass whatever
(-import is the older spelling of -importcert. A -keyalg option does nothing on an import; keytool only uses it when generating keys, so it is left out here.)
I entered "yes" to accept the key.
Create Keys for the Server
Going back to the Oracle docs, I used the following:
keytool -keystore serverkeystore -genkey -alias server -keyalg rsa -keysize 2048 -storepass whatever
Make sure every option is typed with a plain ASCII hyphen; a typographic dash pasted from a web page or word processor is not recognised by keytool. The -keysize is explicit because older JDKs default to 1024-bit RSA. When prompted for "first and last name", give the hostname other nodes will connect to, since that becomes the certificate's CN.
I took the defaults.
Create a Certificate Signing Request for Each Key
Once again, from the Oracle docs:
keytool -keystore serverkeystore -storepass whatever -certreq -alias server -file server.csr
Sign the Server Request with the CA
From the Oracle docs:
openssl x509 -req -CA ca-certificate.pem.txt -CAkey ca-key.pem.txt -in server.csr -out server.cer -days 365 -CAcreateserial
Be aware that openssl x509 -req copies no extensions from the request: the certificate it produces has the subject from the CSR and nothing else, so it carries no subjectAltName. Most modern browsers ignore the CN and require a SAN, so if anything other than your own nodes will connect, add one with -extfile.
Import the CA to the Server's Keystore
keytool -import -keystore serverkeystore -storepass whatever -file ca-certificate.pem.txt -alias ca
The CA has to go in before the signed certificate; otherwise keytool cannot build the chain for the certificate reply in the next step and refuses to import it.
It asked me whether I trusted the key ("yes").
Import the CERT to the Server's Keystore
keytool -import -keystore serverkeystore -storepass whatever -file server.cer -alias server
Because the alias matches the key entry, keytool treats server.cer as a certificate reply and replaces the self-signed certificate with the CA-signed chain. At this point, you should have a key store called "serverkeystore" that contains the server key with its signed certificate chain and the CA. You should also have a key store called "truststore" that contains just the CA. You can confirm both with keytool -list -v (the server entry should show a certificate chain length of 2). You are now ready to test it out (in my next post).
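Here is the whole procedure above as one re-runnable script, with the checks that tell you it actually worked. This is an added example written for this page, not code from the original post or from the Miranda project. It assumes a working directory of ./pki, a node hostname of miranda-node1 and the post's password "whatever"; all three are my own choices and can be overridden through the environment. It differs from the commands above on purpose: every option is an ASCII hyphen, nothing prompts interactively, the CA key is written encrypted, and the server certificate gets a subjectAltName so hostname verification can succeed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): CA, trust store and server keystore
# in one script, followed by verification instead of hope.
# Assumptions, all mine: directory ./pki, node name miranda-node1, password "whatever".
set -eu

WORKDIR="${WORKDIR:-./pki}"          # where all key material lands
PASS="${PASS:-whatever}"             # the post's test password; never reuse it for real
NODE="${NODE:-miranda-node1}"        # hostname the node is reached as (goes in CN and SAN)

# Step 1: a private CA and a trust store containing only that CA.
make_ca() (
  mkdir -p "$WORKDIR" && cd "$WORKDIR"
  # -aes256 keeps the CA key encrypted on disk, unlike a bare `openssl genrsa`.
  openssl genrsa -aes256 -passout "pass:$PASS" -out ca-key.pem 2048 2>/dev/null
  # CA:TRUE on this certificate comes from the [v3_ca] section of the default
  # openssl.cnf; verify() checks that it is really there rather than assuming.
  openssl req -x509 -new -key ca-key.pem -passin "pass:$PASS" \
      -subj "/CN=Miranda Test CA" -days 365 -out ca-certificate.pem
  keytool -importcert -noprompt -keystore truststore -storepass "$PASS" \
      -alias ca -file ca-certificate.pem >/dev/null
)

# Step 2: one node's key pair, CSR, CA-signed certificate and keystore with the full chain.
make_node() (
  cd "$WORKDIR"
  keytool -genkeypair -keystore serverkeystore -storepass "$PASS" -keypass "$PASS" \
      -alias server -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=$NODE, O=Miranda" -ext "SAN=dns:$NODE"
  keytool -certreq -keystore serverkeystore -storepass "$PASS" -alias server -file server.csr
  # `openssl x509 -req` copies no extensions from the CSR, so the SAN is supplied again here.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
      "$NODE" > server.ext
  openssl x509 -req -in server.csr -CA ca-certificate.pem -CAkey ca-key.pem \
      -passin "pass:$PASS" -CAcreateserial -days 365 -extfile server.ext \
      -out server.cer 2>/dev/null
  # CA first so keytool can build the chain; the reply then replaces the self-signed cert.
  keytool -importcert -noprompt -keystore serverkeystore -storepass "$PASS" \
      -alias ca -file ca-certificate.pem >/dev/null
  keytool -importcert -noprompt -keystore serverkeystore -storepass "$PASS" \
      -alias server -file server.cer >/dev/null
)

# Step 3: checks. Prints the chain length stored under "server": 2 = CA-signed, 1 = still self-signed.
verify() (
  cd "$WORKDIR"
  openssl x509 -in ca-certificate.pem -noout -text | grep 'CA:TRUE' >/dev/null   # CA cert is usable as a CA
  openssl verify -CAfile ca-certificate.pem server.cer >/dev/null                 # issued cert chains to it
  openssl x509 -in server.cer -noout -text | grep "DNS:$NODE" >/dev/null          # SAN survived signing
  keytool -list -v -keystore serverkeystore -storepass "$PASS" -alias server \
      | sed -n 's/^Certificate chain length: //p'
)

# Usage: sh make-pki.sh run
if [ "${1:-}" = "run" ]; then
  make_ca
  make_node
  verify
fi
```

If verify prints 1, the certificate reply was not installed and the keystore still holds the self-signed certificate, which is exactly the state that produces "unknown certificate" style handshake failures against a trust store that contains only the CA. Run openssl s_client -CAfile pki/ca-certificate.pem against the node afterwards to see what a client actually receives.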