Open gonghewan opened 1 week ago
Hello @gonghewan what is the output from :
$ curl -v --header "Host: rest.db.ripe.net" -k https://localhost:40931/metadata/templates/inetnum
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:45041...
* Connected to localhost (::1) port 45041
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection
curl: (35) OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure
I tried to place server.key, server.crt and ca.crt into apache2, and apache2 works fine over HTTPS. Like:
curl -v https://localhost
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:443...
* Connected to localhost (::1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /usr/lib/ssl/cert.pem
* CApath: /usr/lib/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate in certificate chain
* Closing connection
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
Btw, I found that whois has a log that says:
2024-11-15T03:18:44,107 INFO [JettyBootstrap] Selected Ciphers []
Will the lack of cipher algorithms have any impact?
I created a new key and cert and verified them with openssl again; it also works fine in apache2. Server.crt:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Server.key:
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
ca.key:
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
ca.crt:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
openssl s_server -accept 10001 -key server.key -cert server.crt
output is:
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEICifjaMkuqnBMiNQB4qri/5IYwhr6Lnth70WiCRiFE7L
BDCPs1X5f168KC57bYp0dz1Mv4NJs/Hk04N1H1pBsXpZxS3EjeLqEi28XWyUvAsS
sDmhBgIEZzrmlaIEAgIcIKQGBAQBAAAArgYCBHCDhdKzAwIBHQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: x25519:secp256r1:x448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: x25519:secp256r1:x448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported
openssl s_client -connect localhost:10001
output is:
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
verify return:1
depth=0 C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
verify return:1
---
Certificate chain
0 s:C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
i:C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 18 03:04:57 2024 GMT; NotAfter: Nov 16 03:04:57 2034 GMT
1 s:C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
i:C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 18 03:02:33 2024 GMT; NotAfter: Nov 16 03:02:33 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
issuer=C = CN, ST = Zhejiang, L = Hangzhou, O = NIC CERNET, OU = CERNET, CN = nic.edu.cn
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2530 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 9EF3E860537015AD0CEDFB56265B4D15DBEE6F45971F0D705AE2E9EB7F44ACED
Session-ID-ctx:
Resumption PSK: 82928D2A65D7199437BE76F899E9FEE920903B1E5B8D5093EC3626DC5313D2BBB2E5AC53F3E2E3BB7EEBDEFD60BA3ABB
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 95 07 9d ec bb cb 18 66-b6 89 df 33 3c e8 9f e1 .......f...3<...
0010 - 59 44 16 f7 3e 40 ba 7f-f7 a8 69 ce 36 67 8b d8 YD..>@....i.6g..
0020 - 75 c3 f4 5c 1e f5 72 37-51 c7 f5 31 1d b0 5c 17 u..\..r7Q..1..\.
0030 - 27 ba 97 ba 52 b5 36 0e-70 0a 3e 9b 8d e5 78 ac '...R.6.p.>...x.
0040 - a1 5b 37 db b1 7d 52 f6-98 60 fb e3 10 8f 9d 1a .[7..}R..`......
0050 - 56 ce 3e 84 3f 4a 88 6a-a7 c7 4e 02 c7 64 d5 02 V.>.?J.j..N..d..
0060 - 24 a5 c0 ae e9 ad 60 e6-c3 73 ed 85 24 ae 9c 37 $.....`..s..$..7
0070 - b2 a6 8f ac 62 46 b3 8e-f2 fe 82 1c cb 3a e5 38 ....bF.......:.8
0080 - c9 ae f4 f1 5b bc c0 51-bc b1 bd a6 e2 b6 50 90 ....[..Q......P.
0090 - 2e b8 ca 7d 48 81 d6 04-f2 3c 99 d0 76 53 ab c7 ...}H....<..vS..
00a0 - d6 1a c0 b2 27 9e 9f b9-40 aa bf 9a 4f 25 db ab ....'...@...O%..
00b0 - e0 df 09 d1 c8 93 ce b3-9b b3 af 9b 68 bb 84 b8 ............h...
00c0 - b0 6c 12 dd a3 95 db 66-cd ed 3a ac d8 d9 c0 8b .l.....f..:.....
Start Time: 1731913365
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 3A0DF899DFF4198F946FD618AFC9B0BD9E7DAEF4C121DA9C95EBE5085DBE6DB2
Session-ID-ctx:
Resumption PSK: 8FB355F97F5EBC282E7B6D8A74773D4CBF8349B3F1E4D383751F5A41B17A59C52DC48DE2EA122DBC5D6C94BC0B12B039
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 95 07 9d ec bb cb 18 66-b6 89 df 33 3c e8 9f e1 .......f...3<...
0010 - db b5 3b 14 bc f9 a3 55-3a 3b 22 64 6a 06 25 53 ..;....U:;"dj.%S
0020 - 23 c0 b0 27 b0 95 53 b1-34 ca 59 60 48 f6 64 4a #..'..S.4.Y`H.dJ
0030 - b5 0f 6d 3d f1 7f c3 37-bd a7 84 7f 8a 38 58 e3 ..m=...7.....8X.
0040 - 55 82 36 dc 34 4d 32 6a-d4 81 20 90 47 5a 6f 88 U.6.4M2j.. .GZo.
0050 - 96 ae 10 59 1b 54 1c 43-79 ce b2 09 0f b3 9e 30 ...Y.T.Cy......0
0060 - 40 d3 4c 12 28 19 2c c4-2e f2 74 f7 d0 24 0b 1a @.L.(.,...t..$..
0070 - cd 22 e7 66 f7 b8 32 73-f9 69 5a 1d 86 af f1 2e .".f..2s.iZ.....
0080 - f7 ec 40 46 33 83 55 b1-e9 47 89 da 4d d3 f1 c8 ..@F3.U..G..M...
0090 - ff b7 d8 9a f5 34 af ee-5e 01 9f 4b 26 9b e9 66 .....4..^..K&..f
00a0 - ff ab 22 d9 26 8a 9e fd-b4 8e 33 9b 03 2a 85 89 ..".&.....3..*..
00b0 - 40 6c 3a de 10 18 38 02-67 2e 9c db 39 67 9f 6e @l:...8.g...9g.n
00c0 - f9 00 84 a6 1b 91 a8 5d-e4 3e 44 6b af f7 1d 6c .......].>Dk...l
Start Time: 1731913365
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
However, when I use them in Whois, it still failed:
curl -v --header "Host: rest.db.ripe.net" -k https://localhost:45721/whois/metadata/templates/inetnum
* Host localhost:45721 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:45721...
* Connected to localhost (::1) port 45721
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection
curl: (35) OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure
more details:
openssl s_client -connect localhost:45721 -tls1_3
CONNECTED(00000003)
Can't use SSL_get_servername
4087A31438790000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1599:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 243 bytes and written 225 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Also, I tried to use sslContextFactory.setIncludeCipherSuites() and remake whois to add some ciphers, but it doesn't work. Curl version:
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.2.0 libpsl/0.21.2 (+libidn2/2.3.7) libssh/0.10.6/openssl/zlib nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.6.7
Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.4
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
Openssl version:
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
Hi @gonghewan I see the alternative name in the server certificate is dns.nic.edu.cn
can you try
curl -v --header "Host: dns.nic.edu.cn" -k https://localhost:40931/metadata/templates/inetnum
It's a fake dns, and I get the same result:
* Host localhost:45721 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:45721...
* Connected to localhost (::1) port 45721
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection
curl: (35) OpenSSL/3.0.13: error:0A000410:SSL routines::sslv3 alert handshake failure
Empty ciphers is OK. What matters is that the certificate is found:
2024-11-15T03:18:44,106 INFO [JettyBootstrap] Certificate: X509@54a0ada1(cn=unknown,ou=unknown,o=unknown,l=unknown,st=unknown,c=unknown,h=[unknown],a=[],w=[])
2024-11-15T03:18:44,107 INFO [JettyBootstrap] Selected Protocols [TLSv1.3, TLSv1.2]
Maybe the issue is that Jetty does not trust a self-signed certificate. We use Let's Encrypt to generate per-host certificates.
Try using the "-k" flag for curl to trust the self-signed certificate, i.e.
curl -v -k https://localhost/...
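The transcripts in this thread show two different failures that are easy to confuse. Against Apache, curl itself sends the alert ("(OUT), TLS alert, unknown CA (560)") after it has received the server's Certificate, which is a client-side trust problem that -k or a CA bundle addresses. Against the Jetty port, the alert arrives from the server ("(IN), TLS alert, handshake failure (552)") before any Certificate message, and s_client confirms "no peer certificate available"; -k cannot change an alert the server sends. curl prints alerts as (level << 8) | description, so 552 is fatal handshake_failure (40) and 560 is fatal unknown_ca (48). The following script is an added triage helper, not code from this issue or from the whois project; it parses curl -v and openssl s_client output and reports which side aborted, which alert it used, and whether the server ever sent its certificate. The sample transcripts are constructed from the output quoted above and trimmed to the handshake lines.

```python
import re

# Sample transcripts constructed from the output quoted in this issue (trimmed to
# the handshake lines); they are embedded here so the script runs offline.
CURL_JETTY = """\
* Connected to localhost (::1) port 45721
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* Closing connection
"""

CURL_APACHE = """\
* Connected to localhost (::1) port 443
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate in certificate chain
"""

SCLIENT_JETTY = """\
CONNECTED(00000003)
Can't use SSL_get_servername
4087A31438790000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1599:SSL alert number 40
---
no peer certificate available
---
"""

# TLS alert descriptions (RFC 8446, section 6.2) that commonly appear in this kind of triage.
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
               48: "unknown_ca", 70: "protocol_version", 120: "no_application_protocol"}

# curl -v prints each handshake message with its direction ((IN) = received from the
# server, (OUT) = sent by curl) and each alert as (level << 8) | description, so a
# fatal (level 2) handshake_failure (40) shows as 552 and unknown_ca (48) as 560.
HANDSHAKE_RE = re.compile(r"^\* TLSv1\.[23] \((IN|OUT)\), TLS handshake, (.+?) \((\d+)\):")
CURL_ALERT_RE = re.compile(r"^\* TLSv1\.[23] \((IN|OUT)\), TLS alert, (.+?) \((\d+)\):")
# openssl s_client reports an alert it received while reading, with the bare description.
SCLIENT_ALERT_RE = re.compile(r"SSL alert number (\d+)")


def parse_transcript(text):
    """Return (handshake messages, alert) from a curl -v or s_client transcript.

    messages: list of (direction, name, handshake type); alert: (direction, level,
    description) or None.  Only the last alert seen is kept.
    """
    messages, alert = [], None
    for line in text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            messages.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = CURL_ALERT_RE.match(line)
        if m:
            code = int(m.group(3))
            alert = (m.group(1), code >> 8, code & 0xFF)
            continue
        m = SCLIENT_ALERT_RE.search(line)
        if m:
            # s_client's "alert number" is the description of an alert it received in
            # ssl3_read_bytes; the level is not printed, so fatal (2) is assumed.
            alert = ("IN", 2, int(m.group(1)))
    return messages, alert


def triage(text):
    """Classify a failed handshake: who aborted, with which alert, and whether the
    server ever sent its Certificate.  That split decides which side to inspect."""
    messages, alert = parse_transcript(text)
    certificate_seen = any(t == 11 for _, _, t in messages) or "Certificate chain" in text
    if alert is None:
        return {"refused_by": None, "alert": None, "level": None,
                "certificate_seen": certificate_seen, "hint": "no TLS alert in transcript"}
    direction, level, description = alert
    refused_by = "server" if direction == "IN" else "client"
    if refused_by == "server" and not certificate_seen:
        hint = ("server aborted before sending its Certificate: check that the server loaded "
                "a usable private key/certificate pair and that its protocol, cipher and "
                "signature-algorithm settings allow that key to be used; client-side trust "
                "options such as curl -k do not affect a server-sent alert")
    elif refused_by == "client":
        hint = ("client rejected what the server sent (typically its certificate chain): "
                "a client-side trust problem; give the client the issuing CA, "
                "or use curl -k for local testing only")
    else:
        hint = "server aborted after sending its Certificate: look at the server-side logs"
    return {"refused_by": refused_by, "alert": ALERT_NAMES.get(description, f"alert_{description}"),
            "level": level, "certificate_seen": certificate_seen, "hint": hint}


if __name__ == "__main__":
    for label, sample in (("curl -> Jetty", CURL_JETTY), ("curl -> Apache", CURL_APACHE),
                          ("s_client -> Jetty", SCLIENT_JETTY)):
        r = triage(sample)
        print(f"{label}: refused by {r['refused_by']}, alert {r['alert']}, "
              f"certificate seen: {r['certificate_seen']}\n  {r['hint']}")
```

Run it on a saved `curl -v` or `openssl s_client` capture by pasting the text into one of the sample variables; the useful signal is the combination of direction and whether a Certificate message was ever seen, not the alert name alone.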
I try to configure HTTPS on whois, and terminal shows startup log:
2024-11-15T03:18:44,106 INFO [Server] Started Server@68c06a2{STARTING}[11.0.20,sto=0] @8333ms
2024-11-15T03:18:44,106 INFO [JettyBootstrap] Jetty started on HTTP port 40931 HTTPS port 34061
2024-11-15T03:18:44,106 INFO [JettyBootstrap] Certificate: X509@54a0ada1(cn=unknown,ou=unknown,o=unknown,l=unknown,st=unknown,c=unknown,h=[unknown],a=[],w=[])
2024-11-15T03:18:44,107 INFO [JettyBootstrap] Selected Protocols [TLSv1.3, TLSv1.2]
2024-11-15T03:18:44,107 INFO [JettyBootstrap] Selected Ciphers []
2024-11-15T03:18:44,107 INFO [WhoisServer] Initializing: net.ripe.db.whois.query.QueryServer@7a087132
2024-11-15T03:18:44,116 INFO [QueryServer] Query server listening on 33533
2024-11-15T03:18:44,117 INFO [WhoisServer] Running version: 1.114-SNAPSHOT (commit: 3b671aa)
2024-11-15T03:18:44,119 INFO [WhoisServer] HOME: /home/dbase
2024-11-15T03:18:44,119 INFO [WhoisServer] LANG: en_US.UTF-8
...
Then I visit localhost:40931/whois/metadata/templates/inetnum, it works and I get the correct answer, but when I try localhost:34061/whois/metadata/templates/inetnum, I got ERR_INVALID_HTTP_RESPONSE and the whois log shows nothing new.
Here is my configuration. First, I use keytool to generate the cert and key:
keytool -genkeypair -alias whois -keyalg RSA -keysize 4096 -storetype JKS -keystore whois.jks -validity 3650 -storepass 20240731
keytool -export -alias "whois" -keystore whois.jks -storetype JKS -storepass "20240731" -rfc -file "whois.cer"
keytool -v -importkeystore -srckeystore whois.jks -srcstoretype jks -srcstorepass 20240731 -destkeystore whois.pfx -deststoretype pkcs12 -deststorepass 20240731 -destkeypass 20240731
openssl pkcs12 -in whois.pfx -nocerts -nodes -out whois.pri.key
Second, I change the properties file of whois:
# Service ports
# HTTPS
whois.private.keys=/home/dbase/whois.pri.key
whois.certificates=/home/dbase/whois.cer
whois.keystore=/home/dbase/whois.jks
port.api.secure=0