Jetty 9 - Enable OCSP Stapling for domain-validated certificate

2018-04-18 16:43 YuviDroid imported from Stackoverflow

I'm having some issues in enabling OCSP stapling in Jetty 9 and I really hope that someone can help me here...hopefully!

For my tests I purchased an SSL certificate from PositiveSSL (Comodo), which gave me a valid/trusted certificate. The domain in this example is "dev.mydomain.com", and it will simply point to my local ip (127.0.0.1).

I then transformed the provided certificate into the Java keystore format.

# Convert certificate to pkcs12
openssl pkcs12 -export -out dev.mydomain.com.pkcs12 -inkey dev.mydomain.com.key -in dev_mydomain_com.crt

# Create java keystore
keytool -importkeystore -srckeystore dev.mydomain.com.pkcs12 -srcstoretype pkcs12 -destkeystore dev.mydomain.com.keystore -deststoretype JKS

This is the simplified Java code I used for creating the Jetty server, activate the certificate, listen on the 443 port (https), and in theory activate OCSP:

Server _server = new Server(); // org.eclipse.jetty.server.Server

HttpConfiguration httpsConfig = new HttpConfiguration();
HttpConnectionFactory http1 = new HttpConnectionFactory(httpsConfig);

SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("dev.mydomain.com.keystore");
sslContextFactory.setKeyStorePassword("mypass");
sslContextFactory.setKeyManagerPassword("mypass");

// sslContextFactory.setValidateCerts(true); // tested
sslContextFactory.setEnableOCSP(true);

SslConnectionFactory ssl = new SslConnectionFactory(sslContextFactory, http1.getProtocol());

// SSL Connector
ServerConnector sslConnector = new ServerConnector(_server, ssl, http1);

sslConnector.setHost("127.0.0.1");
sslConnector.setPort(443);

_server.addConnector(sslConnector);

_server.start();
_server.join();

On Java VM startup I'm also enabling these system properties:

Security.setProperty("ocsp.enable", "true");
System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");
System.setProperty("com.sun.net.ssl.checkRevocation", "true");

After several tries, I tried also importing the certificate chain into the keystore, but it didn't make any difference on the outcome.

keytool -import -trustcacerts -alias ca -file COMODORSAAddTrustCA.crt -keystore dev.mydomain.com.keystore
keytool -import -trustcacerts -alias dv -file COMODORSADomainValidationSecureServerCA.crt -keystore dev.mydomain.com.keystore
keytool -import -trustcacerts -alias te -file AddTrustExternalCARoot.crt -keystore dev.mydomain.com.keystore

To test whether OCSP was correctly enabled I used a tool called sslyze, but whatever I tried to do the response for OCSP was always negative:

OCSP Stapling - NOT SUPPORTED - Server did not send back an OCSP response

Here is the full output of sslyze:

C:\Tools\sslyze-1_4_1>sslyze --certinfo dev.mydomain.com:443


 AVAILABLE PLUGINS
 -----------------

  OpenSslCipherSuitesPlugin
  RobotPlugin
  CertificateInfoPlugin
  FallbackScsvPlugin
  SessionRenegotiationPlugin
  HeartbleedPlugin
  CompressionPlugin
  OpenSslCcsInjectionPlugin
  SessionResumptionPlugin
  HttpHeadersPlugin



 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   dev.mydomain.com:443                       => 127.0.0.1




 SCAN RESULTS FOR DEV.MYDOMAIN.COM:443 - 127.0.0.1
 ------------------------------------------------

 * Certificate Information:
     Content
       SHA1 Fingerprint:                  7c398c59bac3a231efc9823c6958a7bc711bfc0e
       Common Name:                       dev.mydomain.com
       Issuer:                            COMODO RSA Domain Validation Secure Server CA
       Serial Number:                     103185809289011988533713848804380317148
       Not Before:                        2018-04-18 00:00:00
       Not After:                         2019-04-18 23:59:59
       Signature Algorithm:               sha256
       Public Key Algorithm:              RSA
       Key Size:                          2048
       Exponent:                          65537 (0x10001)
       DNS Subject Alternative Names:     ['dev.mydomain.com', 'www.dev.mydomain.com']

     Trust
       Hostname Validation:               OK - Certificate matches dev.mydomain.com
       Android CA Store (8.1.0_r9):       FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       iOS CA Store (11):                 FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       macOS CA Store (High Sierra):      FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Mozilla CA Store (2018-01-14):     FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Windows CA Store (2018-02-09):     FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Symantec 2018 Deprecation:         OK - Not a Symantec-issued certificate
       Received Chain:                    dev.mydomain.com
       Verified Chain:                    ERROR - Could not build verified chain (certificate untrusted?)
       Received Chain Contains Anchor:    ERROR - Could not build verified chain (certificate untrusted?)
       Received Chain Order:              OK - Order is valid
       Verified Chain contains SHA1:      ERROR - Could not build verified chain (certificate untrusted?)

     Extensions
       OCSP Must-Staple:                  NOT SUPPORTED - Extension not found
       Certificate Transparency:          WARNING - Only 2 SCTs included but Google recommends 3 or more

     OCSP Stapling
                                          NOT SUPPORTED - Server did not send back an OCSP response


 SCAN COMPLETED IN 0.78 S
 ------------------------

Sorry for the long post, but I tried to provide as much details as possible!

Thank you! Yuvi

See also questions close to this topic

Returning values from @Bean methods

What happens to the object I return from an @Bean method? Is there anyway to retrieve this object from another class?

Having Problem With Click Listener in Java

I'm making a chess-like game in java and I'm having an issue with the click events. The mouseClicked function isn't responding to my clicks on the window and for no apparent reason.

I have already tried a few things such as changing class names and using different functions but nothing has worked.

package main.game.com;

import java.awt.event.MouseAdapter;
import java.awt.event.MouseEvent;     

public class ClickEvent extends MouseAdapter {

    public void mouseClicked(MouseEvent e) {
            System.out.println("hello");
    }

}

package main.game.com;

import java.awt.Canvas;

public class Main extends Canvas {

    private static final long serialVersionUID = 1673528055664762143L;

    private static final int WIDTH = 416, HEIGHT = 439;

    public Main() {
        Window window = new Window(WIDTH, HEIGHT, "DARRAGH", this);
        this.addMouseListener(new ClickEvent());
    }

package main.game.com;

import java.awt.Canvas;
import java.awt.Dimension;

import javax.swing.JFrame;

public class Window extends Canvas {

    private static final long serialVersionUID = 6733885629776844621L;

    public Window(int width, int height, String title, Main main) {

        JFrame frame = new JFrame(title);   

        frame.setPreferredSize(new Dimension(width, height));
        frame.setMaximumSize(new Dimension(width, height));
        frame.setMinimumSize(new Dimension(width, height));

        frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        frame.setResizable(false);
        frame.add(main);
        frame.setVisible(true);
        main.start();

    }
}

The first set of code is my mouseAdapter library and the second is the first part of my main class containing the clickListener.

JDBC choose NIC to use based on local ip address?

I'm using the PostgreSQL JDBC Driver on a machine that has multiple network cards. Only one of them has a stable connection. Is there anyway to tell JDBC to use that NIC by giving it the IP address of the NIC?
curl command works but C program fails NSS: client certificate not found (nickname not specified)
there are a number of similar posts but I am trying to understand a little more than what those offer. My curl commandline works fine and am able to talk to the server and get the data I want. The command looks like
```
curl -v --tlsv1.2 --cert ./service_cert.pem  --key ./service_private.key  "https://myserver"
```
But when I try to run my C program and examine the http client object I see this
```
errorBuffer = "NSS: client certificate not found (nickname not specified)
```
reading further I realized I have libcurl built with NSS which doesn't support reading cert from a flat file ( .pem)
How is then command line curl utility able to read the pem file ?
How to set up email https tracking links with php and apache?
I have a saas that sends out emails in the name of my customers and I am trying to set up https for the email tracking links (I'm using php and apache), but I have yet to come up with a practical solution. I know how to generate tracking links and do the redirects to the original urls after logging the link clicks, I just don't know how to implement https on those tracking links.

One possible solution could be, to do what a lot of email services providers do for tracking links: I would ask of every customer to create a CNAME record pointing from their domain to my domain (tracking.mycustomersdomain.com -> tracking.mysaasdomain.com). I could then use a php library to dynamically generate a letsencrypt certificate for their subdomain (tracking.mycustomersdomain.com) and would also be able to verify the subdomain for the certificate because the certificate would reside on my own server. The problem is, I'd still need to enable the certificate in the apache vhosts file and restart the apache service, so my server could start encrypting the tracking links with the appropriate certificate (but from what I've been able to research so far, this can't be done neither directly from php nor from .htaccess files, plus, frequent restarts would likely disrupt the operations on a live site).

So this brings me right to my two-part question...
1. Can I programatically enable a just-generated certificate for a given customer domain without (manually) restarting apache?
2. Is there a better / best practice alternative to what I've described above to secure the tracking links in the emails I send out?

How to fix 'unsecured response' from PHP SOAP server over SSL

WCF client initiate secure connection to SOAP server through WSDL. Log show that WS-security autorisation was fine, and SOAP server correctly respond, but client drops connection because response was unsecure. Since I don't have access to client environment I need help to fix that issue on server side. What additional headers should I add to response?

Server have certificate, client have a key.

<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken">
  <wsp:ExactlyOne>
   <wsp:All>
    <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
     <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
     <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
    </wsp:Policy>
   </sp:SupportingTokens>
  </wsp:All>
 </wsp:ExactlyOne>
</wsp:Policy>

Request header:

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2019-02-14T18:30:07.568Z</u:Created>
                <u:Expires>2019-02-14T18:35:07.568Z</u:Expires>
            </u:Timestamp>
                <o:UsernameToken u:Id="xxx" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <o:Username>user</o:Username>
                <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">xxx</o:Password>
                <o:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">xxx</o:Nonce>
                <u:Created>2019-02-14T18:30:07.568Z</u:Created>
            </o:UsernameToken>
        </o:Security>
    </s:Header>
    <s:Body>
        <isSystemListening xmlns="urn:xxx"/>
    </s:Body>
</s:Envelope>

Response header:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PasswordDigest" xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary" xmlns:ns5="urn:xxx">
    <SOAP-ENV:Header>
        <ns1:Security SOAP-ENV:mustUnderstand="1" SOAP-ENV:actor="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <ns1:Timestamp>
            <Created>2019-02-14T18:30:07Z</Created>
            <Expires>2019-02-14T18:35:07Z</Expires>
        </ns1:Timestamp>
            <ns2:UsernameToken>
                <ns2:Username xsi:type="ns1:string">user</ns2:Username>
                <ns1:Password xsi:type="ns3:string">xxx</ns1:Password>
                <ns1:Nonce xsi:type="ns4:string">xxx</ns1:Nonce>
                <ns2:Created xsi:type="ns1:string">2019-02-14T18:30:07.568Z</ns2:Created>
            </ns2:UsernameToken>
        </ns1:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <ns5:isSystemListeningResponse>
            <isUp>true</isUp>
        </ns5:isSystemListeningResponse>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Whatever client get error

Communications error occurred: Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.

Client wants to me to send them a "certificate" to authenticate with their webservice

The IT department of my client wants me to send them a "certificate", so my PHP application can authorize itself to read data from their web service.

At first I haven't thought much about it, since I regularly use ssh keys to establish a secure connection with my servers. But unfortunately I'm completely confused right now.

What do they actually want from me?
can individual apple developer account invite other people to access Certificates, IDs, Provisions?

my friend bought apple developer account about couple days ago and invited me to become a developer of his account. After he invited me, I can access to appstore connect page but I can't access to Certificate, IDs, Provisions page. Can you guys tell me how to access that page, please.

I tried to invite other developer to my company account and I can check to the checkbox "access to Certificates, IDs, Profiles..." but in individual account this checkbox is gray. grayout
How to connect Jenkins and Gieta

I have the problem, that I want to establish a CI/CD Pipeline between my Gitea Repo and Jenkins. So far I created a webhook with the Gitea API to Jenkins. Unfortunatly, when I try to send test packages from Gitea to Jenkins, I get the x509 Error, saying that the Certificates are not valid

Delivery: Post https://*************/jenkins: x509: certificate is valid for xxxxxxxxxxxxx, not yyyyyyyyyyyyyyyy

On the other Hand I cant add my gitea Server in the Jenkins web UI. If I try to do so, I receive an error saying that The connection cannot be established because:

Could not communicate with server: HTTP 403/Forbidden

I am quite desperate by now. I already tried to add Certs to the machine Jenkins is running on, to eliminate the x509 error, but it didnt help. Also if I try to add instead of my server the official try.gitea.io Server, it actually works. But I nedd my server in the config, so it´s not optional to use the official one.

Thanks in advance.

Async support must be enabled on a servlet and for all filters involved in async request processing

I read enough questions with answers on stackoverflow and no one helped me. I tried to insert

<async-supported> true</async-supported>

everywhere but it doesn't help me, I also tried to annotate my custom filter with @Async annotations without any results . I'm using jetty 9.3.9.v20160517 , Java servlet dependency

    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>4.0.1</version>
        <scope>provided</scope>
    </dependency>

Plus I have a spring websocket configuration connected, everything works fine, but when I try to establish a connection to the server via the frontend using SockJS and Stomp, on the server I get this error : IMAGE FROM GOOGLE CHROME AND JAVA EXCEPTION

Caused by: org.springframework.web.socket.sockjs.SockJsTransportFailureException: Failed to open session; nested exception is java.lang.IllegalArgumentException: Async support must be enabled on a servlet and for all filters involved in async request processing. This is done in Java code using the Servlet API or by adding "<async-supported>true</async-supported>" to servlet and filter declarations in web.xml. Also you must use a Servlet 3.0+ container
at org.springframework.web.socket.sockjs.transport.session.AbstractHttpSockJsSession.handleInitialRequest (AbstractHttpSockJsSession.java:221)
at org.springframework.web.socket.sockjs.transport.handler.AbstractHttpSendingTransportHandler.handleRequestInternal (AbstractHttpSendingTransportHandler.java:75)
at org.springframework.web.socket.sockjs.transport.handler.JsonpPollingTransportHandler.handleRequestInternal (JsonpPollingTransportHandler.java:87)
at org.springframework.web.socket.sockjs.transport.handler.AbstractHttpSendingTransportHandler.handleRequest (AbstractHttpSendingTransportHandler.java:65)
at org.springframework.web.socket.sockjs.transport.TransportHandlingSockJsService.handleTransportRequest (TransportHandlingSockJsService.java:314)
at org.springframework.web.socket.sockjs.support.AbstractSockJsService.handleRequest (AbstractSockJsService.java:433)
at org.springframework.web.socket.sockjs.support.SockJsHttpRequestHandler.handleRequest (SockJsHttpRequestHandler.java:132)
at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle (HttpRequestHandlerAdapter.java:51)
at org.springframework.web.servlet.DispatcherServlet.doDispatch (DispatcherServlet.java:967)
at org.springframework.web.servlet.DispatcherServlet.doService (DispatcherServlet.java:901)
at org.springframework.web.servlet.FrameworkServlet.processRequest (FrameworkServlet.java:970)
at org.springframework.web.servlet.FrameworkServlet.doGet (FrameworkServlet.java:861)
at javax.servlet.http.HttpServlet.service (HttpServlet.java:687)
at org.springframework.web.servlet.FrameworkServlet.service (FrameworkServlet.java:846)
at javax.servlet.http.HttpServlet.service (HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle (ServletHolder.java:845)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1689)
at tnt.dom2.filter.HttpStatusFilter.doFilter (HttpStatusFilter.java:24)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at tnt.dom2.user.filter.UserActivityFilter.doFilter (UserActivityFilter.java:25)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at finch.portal.v3.web.controller.RequestHolderImpl.doFilter (RequestHolderImpl.java:48)
at finch.portal.v3.web.controller.RequestHolderFilter.doFilter (RequestHolderFilter.java:25)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:316)
at tnt.dom2.admin.AdminConfirmFilter.doFilter_aroundBody0 (AdminConfirmFilter.java:70)
at tnt.dom2.admin.AdminConfirmFilter$AjcClosure1.run (AdminConfirmFilter.java:1)
at org.springframework.scheduling.aspectj.AbstractAsyncExecutionAspect.ajc$around$org_springframework_scheduling_aspectj_AbstractAsyncExecutionAspect$1$6c004c3eproceed (AbstractAsyncExecutionAspect.aj:63)
at org.springframework.scheduling.aspectj.AbstractAsyncExecutionAspect.ajc$around$org_springframework_scheduling_aspectj_AbstractAsyncExecutionAspect$1$6c004c3e (AbstractAsyncExecutionAspect.aj:68)
at tnt.dom2.admin.AdminConfirmFilter.doFilter (AdminConfirmFilter.java:48)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke (FilterSecurityInterceptor.java:126)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter (FilterSecurityInterceptor.java:90)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter (ExceptionTranslationFilter.java:114)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.session.SessionManagementFilter.doFilter (SessionManagementFilter.java:122)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter (AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter (RememberMeAuthenticationFilter.java:149)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter (SecurityContextHolderAwareRequestFilter.java:169)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter (RequestCacheAwareFilter.java:48)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter (AbstractAuthenticationProcessingFilter.java:205)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter (LogoutFilter.java:120)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal (HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter (SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal (WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal (FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter (FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate (DelegatingFilterProxy.java:347)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter (DelegatingFilterProxy.java:263)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal (OpenSessionInViewFilter.java:151)
at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal (CharacterEncodingFilter.java:197)
at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1668)
at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter (WebSocketUpgradeFilter.java:225)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at org.eclipse.jetty.servlet.ServletHandler.doHandle (ServletHandler.java:581)
at org.eclipse.jetty.server.handler.ScopedHandler.handle (ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle (SecurityHandler.java:548)
at org.eclipse.jetty.server.session.SessionHandler.doHandle (SessionHandler.java:226)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle (ContextHandler.java:1174)
at org.eclipse.jetty.servlet.ServletHandler.doScope (ServletHandler.java:511)
at org.eclipse.jetty.server.session.SessionHandler.doScope (SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope (ContextHandler.java:1106)
at org.eclipse.jetty.server.handler.ScopedHandler.handle (ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle (ContextHandlerCollection.java:213)
at org.eclipse.jetty.server.handler.HandlerCollection.handle (HandlerCollection.java:119)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle (HandlerWrapper.java:134)
at org.eclipse.jetty.server.Server.handle (Server.java:524)
at org.eclipse.jetty.server.HttpChannel.handle (HttpChannel.java:319)
at org.eclipse.jetty.server.HttpConnection.onFillable (HttpConnection.java:253)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded (AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable (FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run (SelectChannelEndPoint.java:93)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume (ExecuteProduceConsume.java:303)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume (ExecuteProduceConsume.java:148)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run (ExecuteProduceConsume.java:136)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob (QueuedThreadPool.java:671)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run (QueuedThreadPool.java:589)
at java.lang.Thread.run (Thread.java:748)
Caused by: java.lang.IllegalArgumentException: Async support must be enabled on a servlet and for all filters involved in async request processing. This is done in Java code using the Servlet API or by adding "<async-supported>true</async-supported>" to servlet and filter declarations in web.xml. Also you must use a Servlet 3.0+ container
at org.springframework.util.Assert.isTrue (Assert.java:92)
at org.springframework.http.server.ServletServerHttpAsyncRequestControl.<init> (ServletServerHttpAsyncRequestControl.java:58)
at org.springframework.http.server.ServletServerHttpRequest.getAsyncRequestControl (ServletServerHttpRequest.java:210)
at org.springframework.web.socket.sockjs.transport.session.AbstractHttpSockJsSession.handleInitialRequest (AbstractHttpSockJsSession.java:210)
at org.springframework.web.socket.sockjs.transport.handler.AbstractHttpSendingTransportHandler.handleRequestInternal (AbstractHttpSendingTransportHandler.java:75)
at org.springframework.web.socket.sockjs.transport.handler.JsonpPollingTransportHandler.handleRequestInternal (JsonpPollingTransportHandler.java:87)
at org.springframework.web.socket.sockjs.transport.handler.AbstractHttpSendingTransportHandler.handleRequest (AbstractHttpSendingTransportHandler.java:65)
at org.springframework.web.socket.sockjs.transport.TransportHandlingSockJsService.handleTransportRequest (TransportHandlingSockJsService.java:314)

at javax.servlet.http.HttpServlet.service (HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle (ServletHolder.java:845)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1689)
at tnt.dom2.filter.HttpStatusFilter.doFilter (HttpStatusFilter.java:24)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at tnt.dom2.user.filter.UserActivityFilter.doFilter (UserActivityFilter.java:25)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at finch.portal.v3.web.controller.RequestHolderImpl.doFilter (RequestHolderImpl.java:48)
at finch.portal.v3.web.controller.RequestHolderFilter.doFilter (RequestHolderFilter.java:25)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:316)
at tnt.dom2.admin.AdminConfirmFilter.doFilter_aroundBody0 (AdminConfirmFilter.java:70)
at tnt.dom2.admin.AdminConfirmFilter$AjcClosure1.run (AdminConfirmFilter.java:1)
at org.springframework.scheduling.aspectj.AbstractAsyncExecutionAspect.ajc$around$org_springframework_scheduling_aspectj_AbstractAsyncExecutionAspect$1$6c004c3eproceed (AbstractAsyncExecutionAspect.aj:63)
at org.springframework.scheduling.aspectj.AbstractAsyncExecutionAspect.ajc$around$org_springframework_scheduling_aspectj_AbstractAsyncExecutionAspect$1$6c004c3e (AbstractAsyncExecutionAspect.aj:68)
at tnt.dom2.admin.AdminConfirmFilter.doFilter (AdminConfirmFilter.java:48)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke (FilterSecurityInterceptor.java:126)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter (FilterSecurityInterceptor.java:90)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter (ExceptionTranslationFilter.java:114)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.session.SessionManagementFilter.doFilter (SessionManagementFilter.java:122)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter (AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter (RememberMeAuthenticationFilter.java:149)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter (SecurityContextHolderAwareRequestFilter.java:169)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter (RequestCacheAwareFilter.java:48)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter (AbstractAuthenticationProcessingFilter.java:205)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter (LogoutFilter.java:120)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal (HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter (SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal (WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal (FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter (FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate (DelegatingFilterProxy.java:347)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter (DelegatingFilterProxy.java:263)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal (OpenSessionInViewFilter.java:151)
at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal (CharacterEncodingFilter.java:197)
at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1668)
at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter (WebSocketUpgradeFilter.java:225)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1676)
at org.eclipse.jetty.servlet.ServletHandler.doHandle (ServletHandler.java:581)
at org.eclipse.jetty.server.handler.ScopedHandler.handle (ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle (SecurityHandler.java:548)
at org.eclipse.jetty.server.session.SessionHandler.doHandle (SessionHandler.java:226)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle (ContextHandler.java:1174)
at org.eclipse.jetty.servlet.ServletHandler.doScope (ServletHandler.java:511)
at org.eclipse.jetty.server.session.SessionHandler.doScope (SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope (ContextHandler.java:1106)
at org.eclipse.jetty.server.handler.ScopedHandler.handle (ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle (ContextHandlerCollection.java:213)
at org.eclipse.jetty.server.handler.HandlerCollection.handle (HandlerCollection.java:119)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle (HandlerWrapper.java:134)
at org.eclipse.jetty.server.Server.handle (Server.java:524)
at org.eclipse.jetty.server.HttpChannel.handle (HttpChannel.java:319)
at org.eclipse.jetty.server.HttpConnection.onFillable (HttpConnection.java:253)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded (AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable (FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run (SelectChannelEndPoint.java:93)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume (ExecuteProduceConsume.java:303)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume (ExecuteProduceConsume.java:148)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run (ExecuteProduceConsume.java:136)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob (QueuedThreadPool.java:671)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run (QueuedThreadPool.java:589)
at java.lang.Thread.run (Thread.java:748)

this is my web.xml :

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <session-config>
        <cookie-config>
            <max-age>1209600</max-age>
        </cookie-config>
    </session-config>
    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>classpath:log4j.properties</param-value>
    </context-param>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring-contexts/*Context.xml,</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>
    <filter>
        <display-name>springSecurityFilterChain</display-name>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <async-supported>true</async-supported>
    </filter>
    <filter>
        <filter-name>hvsf</filter-name>
        <filter-class>
            org.springframework.orm.hibernate4.support.OpenSessionInViewFilter
        </filter-class>
        <async-supported>true</async-supported>
    </filter>
    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>requestHolderFilter</filter-name>
        <filter-class>finch.portal.v3.web.controller.RequestHolderFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>
    <filter>
        <filter-name>userActivityFilter</filter-name>
        <filter-class>tnt.dom2.user.filter.UserActivityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>
    <filter>
        <filter-name>httpStatusFilter</filter-name>
        <filter-class>tnt.dom2.filter.HttpStatusFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>
    <servlet>
        <servlet-name>default</servlet-name>
        <init-param>
            <param-name>useFileMappedBuffer</param-name>
            <param-value>false</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </servlet>
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring-contexts/dispatcher-servlet.xml</param-value>
        </init-param>

        <load-on-startup>1</load-on-startup>
        <async-supported>true</async-supported>
    </servlet>

    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ASYNC</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>hvsf</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ASYNC</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ASYNC</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>requestHolderFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ASYNC</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>userActivityFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ASYNC</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>httpStatusFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ASYNC</dispatcher>
    </filter-mapping>
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/media/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/f/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/dev/f/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/freeze/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <error-page>
        <error-code>404</error-code>
        <location>/404</location>
    </error-page>
</web-app>

websocket configuration

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig  implements WebSocketMessageBrokerConfigurer {
    @Autowired
    private ObjectMapper objectMapper;

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        config.enableSimpleBroker("/topic");
        config.setApplicationDestinationPrefixes("/app");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/gs-guide-websocket").setAllowedOrigins("*").withSockJS();
    }

    @Override
    public void configureWebSocketTransport(WebSocketTransportRegistration webSocketTransportRegistration) {
        webSocketTransportRegistration.setSendTimeLimit(15 * 1000).setSendBufferSizeLimit(512 * 1024);
    }


    @Override
    public void configureClientOutboundChannel(ChannelRegistration channelRegistration) {
        channelRegistration.taskExecutor().corePoolSize(4).maxPoolSize(10);
    }


    @Override
    public boolean configureMessageConverters(List<MessageConverter> list) {
        DefaultContentTypeResolver resolver = new DefaultContentTypeResolver();
        resolver.setDefaultMimeType(MimeTypeUtils.APPLICATION_JSON);
        MappingJackson2MessageConverter converter = new MappingJackson2MessageConverter();
        converter.setObjectMapper(objectMapper);
        converter.setContentTypeResolver(resolver);
        list.add(converter);
        return false;
    }
}

Handler error while trying to execute Jetty Server

I get error: incompatible types: org.eclipse.jetty.servlet.ServletHandler cannot be converted to org.mortbay.jetty.Handler While trying to run my below code. I'm new to Java and not sure why this is happening. Any ideas? (I'm using JDK 11 and the latest Jetty versions 9.3 and IDE IntelliJ)

package newJetty;

import newJetty.handler.PingHandler;
import org.eclipse.jetty.servlet.ServletHandler;
import org.mortbay.jetty.Handler;
import org.mortbay.jetty.Server;
/**
 * Hello world!
 *
 */
public class JettyServer
{
    public static void main( String[] args ) throws Exception {
        Server server = new Server(8080);

        ServletHandler handler = new ServletHandler();

        handler.addServletWithMapping(PingHandler.class, "/ping");
        server.setHandler(handler);
        //

        server.start();
        server.join();
    }
}

Detect half-open websockets with PING/PONG

I'm using Jetty 9.2.24 as a WebSocket server. I want to detect half-open connections, so that no more messages are sent over this connection and buffered instead.

I know PING/PONG frames are used for this, so I tried sending PINGs periodically and set a low maxIdleTimeout. I modified my client to NOT return a PONG to see if Jetty would regard this as a failed connection since the RFC-6455 spec dictates that the remote endpoint MUST respond with a PONG. Apparently Jetty does not detect missing PONGs or I am doing something wrong.

What is the best way to continue. Should I implement the PING/PONG timeouts myself by explicitly receiving all PONG messages and detect a timeout? I would think this would be responsibility of the underlying websocket managing framework.
Is it ok to return certificate status without OCSP(Online Certificate Status Protocol)

I created the certificate authority server using Node.js and some cryptographic library supporting RSA sign, verification and generating X.509. When I added the certificate revocation feature with Online Certificate Status Protocol(OCSP), I thought of why I have to send a request and receive a response with OCSP because only what I want to know is not OCSP Request/Response object but just certificate status(Good or revoked.)

Does it make sense requesting not OCSP response object(.PEM or something else) but the certificate status value like HTTP status code(200: OK, 400: NOT FOUND)?
Java SSL OCSP checks fail to validate the entire chain of trust with Certificate does not specify OCSP responder
I have a Java application that recently moved to SSL and it has a problem when performing checks on all certificates in the chain of trust, but works fine when I set it to check the server certification only.

Checks are performed using OCSP only (cannot do CRL here).

So, if I'm setting in Java Control Panel the 'Perform TLS certification checks on' - 'All certificates in the chain of trust' , java application is saying that certification is untrusted with the following error message:
```
com.sun.deploy.security.RevocationChecker$StatusUnknownException: 
Certificate does not specify OCSP responder
```
In the same time, if I change to 'Perform TLS certification checks on' - 'Server certificate only' everything works fine, hence the certificate is valid.

My certificate has this chain: rootCA - intermediateCA - server

I checked the Authority Information Access value for all the 3 certificates and it looks that the root one does't have one set and implicitly it doesn't have an OCSP url where to check the validity, however I checked other certificates and looks like most of the rootCA doesn't have it.

Any idea what can be the problem or how I can continue to debug it?

Thanks!
Certificate Revocation check failing in Windows Server 2016

Command

certuil.exe -verify

fails with the error - 'Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)' in Windows server 2016. The error is not seen in 2012 \ 2008.

Any help would be appreciated.

Related questions

Jetty 9 - Enable OCSP Stapling for domain-validated certificate

See also questions close to this topic