HTTPS and TLS v1.3

[daniel-dlds]

Hi,

I am using the jetty-12.1.6 libraries with graalvm-ce-17.
I have made a Java class that starts an embedded jetty server with two connectors :

• one http on port 9000
• one https on port 9433

I started the class implementation from the example HTTP server on the jetty documentation site.
Then I looked at the HTTPS example on the developer docs and adapted the class with that.
The server starts up and I can make HTTP requests like I used to before putting in the HTTPS connector.
I created the Java keystore based on the instructions on the operations manual and some other openssl info.
Because I couldn't generate the certificate with java's key tool. It hangs in gencert. So I used openssl to do
most of the job and then imported the final result into the java keystore.

Then I used curl to test https.

dlsa@besta facialrecognition % curl --trace-ascii httpreq.log --cacert jettyhttpscerts/jettyhttpscert.pem 'https://localhost:9433/auth/authorize?client_id=dlsa&redirect_uri=https://localhost:9433/auth/token?code=auth_code_123' curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:9433

The curl call log is :

== Info: Host localhost:9433 was resolved.
== Info: IPv6: ::1
== Info: IPv4: 127.0.0.1
== Info:   Trying [::1]:9433...
== Info: Connected to localhost (::1) port 9433
== Info: ALPN: curl offers h2,http/1.1
== Info: (304) (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 314 bytes (0x13a)
0000: ...6...~.d>..Tq...3.1^E[..O.7>.)...<. y.1......E;.=n._.y..L..].
0040: Or|.....b.............0.,.(.$.......k.9...........=.5...../.+.'.
0080: #.......g.3...E...<./...A.......................+............3.&
00c0: .$... /l..t...t..cw.3\...j....@.....JB.........localhost........
0100: ...............................................h2.http/1.1
== Info:  CAfile: jettyhttpscerts/jettyca.pem
== Info:  CApath: none
== Info: (304) (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 122 bytes (0x7a)
0000: ...v......fJAH....ym...J..G..,.+.5.U. y.1......E;.=n._.y..L..].
[AuthorizationServer.java](https://github.com/user-attachments/files/25415227/AuthorizationServer.java)

0040: Or|..........+.....3.$... 3....5.....Z..$.a....1R".pY...m.
== Info: LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:9433
== Info: Closing connection

I asked in the curl-users mailing list, they say that jetty is probably returning HTTP.
So I am attaching the source code of the Java class where I embed the server, in the hopes
someone sees something I may be doing wrong.

Thanks,
Regards

(https://github.com/user-attachments/files/25415280/AuthorizationServer.java)

[sbordet]

I stripped down your AuthorizationServer.java to just set up the server and the connectors, and it works for me.

I don't think this is a Jetty issue, it is more likely a KeyStore issue or something else.

I suggest that you strip down your example to the bare minimum (just a Jetty server with connectors), and try with normal JVM and normal KeyStore.
Then change KeyStore with the one you're using. And so on.

Note that keytool -genkeypair is normally used to create a KeyStore, not -gencert. Make sure you create the KeyStore correctly.

curl -kv https://localhost:9433/
* Host localhost:9433 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9433...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=US; ST=NE; L=Omaha; O=Webtide; OU=Jetty; CN=localhost
*  start date: Oct  8 20:15:39 2020 GMT
*  expire date: Sep 14 20:15:39 2120 GMT
*  issuer: C=US; ST=NE; L=Omaha; O=Webtide; OU=Jetty; CN=localhost
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to localhost (::1) port 9433
* using HTTP/1.x
> GET / HTTP/1.1
> Host: localhost:9433
> User-Agent: curl/8.14.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 404 Not Found
< Server: Jetty(12.1.6)
< Date: Sat, 21 Feb 2026 10:20:39 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 737
< 
<!DOCTYPE html>
<html lang="en">
<head>
<title>Error 404 - Not Found</title>
<meta charset="utf-8">
<style>body { font-family: sans-serif; } table, td { border: 1px solid #333; } td, th { padding: 5px; } thead, tfoot { background-color: #333; color: #fff; } </style>
</head>
<body>
<h2>Error 404 - Not Found.</h2>
<p>No context on this server matched or handled this request.</p>
<p>Contexts known to this server are:</p>
<table class="contexts"><thead><tr><th>Context Path</th><th>Display Name</th><th>Status</th><th>LifeCycle</th></tr></thead><tbody>
</tbody></table><hr/>
<a href="https://jetty.org"><img alt="icon" src="/favicon.ico"/></a>&nbsp;<a href="https://jetty.org">Powered by Eclipse Jetty:// Server</a><hr/>
</body>
</html>
* Connection #0 to host localhost left intact

[daniel-dlds]

Hi, Thanks for your reply. It was indeed a problem wit the both the keystore and the server configuration made in that class I sent. The configuration file I was using didn’t say where was the keystone, and I couldn’t figure that out from the communication errors. I regenerated the keystore and configured the server and it’s working now. Thank you for your help, Regards

…

On 21 Feb 2026, at 10:26, Simone Bordet ***@***.***> wrote: I stripped down your AuthorizationServer.java to just set up the server and the connectors, and it works for me. I don't think this is a Jetty issue, it is more likely a KeyStore issue or something else. I suggest that you strip down your example to the bare minimum (just a Jetty server with connectors), and try with normal JVM and normal KeyStore. Then change KeyStore with the one you're using. And so on. Note that keytool -genkeypair is normally used to create a KeyStore, not -gencert. Make sure you create the KeyStore correctly. curl -kv https://localhost:9433/ * Host localhost:9433 was resolved. * IPv6: ::1 * IPv4: 127.0.0.1 * Trying [::1]:9433... * ALPN: curl offers h2,http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS * ALPN: server accepted http/1.1 * Server certificate: * subject: C=US; ST=NE; L=Omaha; O=Webtide; OU=Jetty; CN=localhost * start date: Oct 8 20:15:39 2020 GMT * expire date: Sep 14 20:15:39 2120 GMT * issuer: C=US; ST=NE; L=Omaha; O=Webtide; OU=Jetty; CN=localhost * SSL certificate verify result: self-signed certificate (18), continuing anyway. * Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption * Connected to localhost (::1) port 9433 * using HTTP/1.x > GET / HTTP/1.1 > Host: localhost:9433 > User-Agent: curl/8.14.1 > Accept: */* > * Request completely sent off * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): < HTTP/1.1 404 Not Found < Server: Jetty(12.1.6) < Date: Sat, 21 Feb 2026 10:20:39 GMT < Content-Type: text/html;charset=utf-8 < Content-Length: 737 < <!DOCTYPE html> <html lang="en"> <head> <title>Error 404 - Not Found</title> <meta charset="utf-8"> <style>body { font-family: sans-serif; } table, td { border: 1px solid #333; } td, th { padding: 5px; } thead, tfoot { background-color: #333; color: #fff; } </style> </head> <body> <h2>Error 404 - Not Found.</h2> <p>No context on this server matched or handled this request.</p> <p>Contexts known to this server are:</p> <table class="contexts"><thead><tr><th>Context Path</th><th>Display Name</th><th>Status</th><th>LifeCycle</th></tr></thead><tbody> </tbody></table><hr/> <a href="https://jetty.org"><img alt="icon" src="/favicon.ico"/></a>&nbsp;<a href="https://jetty.org">Powered by Eclipse Jetty:// Server</a><hr/> </body> </html> * Connection #0 to host localhost left intact — Reply to this email directly, view it on GitHub <#14539 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABCEAHMQPQYXI7H4EA4HNRL4NAXENAVCNFSM6AAAAACVVXO3L6VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTKOBXHE4DINI>. You are receiving this because you authored the thread.