jclouds-user mailing list archives

From cen <imba...@gmail.com>
Subject Re: JClouds TLS SNI support?
Date Thu, 15 Sep 2016 10:20:05 GMT
Sure. Should I open the issue specifically about Apache client and 
another one for default Java client?

The unexplained thing is why the default Java client isn't working with 
SNI by default, even though it should in theory (Java 8 sends SNI 
automatically and by default according to Oracle docs). The closest 
thing I found is this: 
http://stackoverflow.com/questions/30817934/extended-server-name-sni-extension-not-sent-with-jdk1-8-0-but-send-with-jdk1-7

a possible OpenJDK bug.

A quick dig into JClouds code seems to confirm that 
setHostnameVerifier() is used, so this could be the case.


On 15. 09. 2016 at 12:06, Ignasi Barrera wrote:
> Thanks for the feedback and all the details cen!
>
> Would you mind opening an issue in our JIRA so we can track and fix
> the Apache driver?
>
>
>
> On 15 September 2016 at 11:17, cen <imbacen@gmail.com> wrote:
>> Hi
>>
>> Default driver and Apache driver failed me but OkHTTP worked.
>>
>> For Apache, I found a similar bug in Keycloak JIRA:
>> https://issues.jboss.org/browse/KEYCLOAK-2439
>>
>> The interesting part is:
>>
>> "Client adapter uses a deprecated API when setting up HttpClient object in
>> org.keycloak.adapters.HttpClientBuilder. As a result, a SNI patch which is
>> part of HttpClient library since version 4.3.2, and which seems to delegate
>> this part to Java SDK classes, where SNI is automatically set, isn't
>> activated."
>>
>> It's a guess on my part but I assume JClouds instantiates the HttpClient in
>> a way that SNI does not get activated.
>>
>> I dug more into the Apache driver and the way SSLSocketFactory is used by
>> JClouds is very similar to pre-patched Keycloak from that Jira issue
>> (according to pull requests). Might be worth looking into.
>>
>> Best regards, cen
>>
>>
>> On 12. 09. 2016 at 21:04, Ignasi Barrera wrote:
>>
>> Hi!
>>
>> jclouds supports several HTTP drivers. By default it relies on the Java
>> HttpURLConnection, but you can also configure it to use the Apache Http
>> client or OkHttp [1]. Using those drivers is as simple as adding the
>> corresponding Guice module when creating the context (have a look at the
>> OkHttp driver readme for an example [2]) so feel free to use the one that
>> is better for your use case.
>>
>> If you need more control on how the http client is configured, you can take
>> the jclouds Docker api as an example. It configures the OkHttp to support
>> TLS connections. You can have a look at its docker http module [3] and
>> create a similar module that initializes the OkHttpClient as needed, and
>> then pass it to the ContextBuilder when creating the jclouds context.
>>
>> HTH!
>>
>> I.
>>
>> [1] https://github.com/jclouds/jclouds/tree/master/drivers
>> [2] https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/README.md
>> [3]
>> https://github.com/jclouds/jclouds/blob/master/apis/docker/src/main/java/org/jclouds/docker/config/DockerHttpApiModule.java
>>
>> On 12 Sep 2016 at 7:02 p.m., "cen" <imbacen@gmail.com> wrote:
>>
>> Hi
>>
>> We have a FakeS3 instance behind a reverse proxy which handles several
>> subdomains over a single IP. We use a Let's Encrypt certificate to sign the
>> subdomains. We have the latest Java 8 installed which has the Let's Encrypt
>> root in its truststore. However, JClouds fails to connect to our FakeS3
>> instance over https (http works). We believe it is because TLS SNI is not
>> supported in JClouds since this is the most common problem we found other
>> people having when googling around. I browsed around the org.jclouds.http
>> package but I was unable to determine which HTTP client JClouds uses
>> behind the scenes or if it's a custom implementation. Could I get some
>> feedback whether my assumptions are correct and how hard it would be to fix
>> this? This is the stacktrace:
>>
>>
>> PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target connecting to
>> HEAD https://s3.demo.mydomain.com/productname HTTP/1.1
>>      at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(
>> BaseHttpCommandExecutorService.java:121)
>>      at org.jclouds.rest.internal.InvokeHttpMethod.invoke(
>> InvokeHttpMethod.java:90)
>>      at org.jclouds.rest.internal.InvokeHttpMethod.apply(
>> InvokeHttpMethod.java:73)
>>      at org.jclouds.rest.internal.InvokeHttpMethod.apply(
>> InvokeHttpMethod.java:44)
>>      at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(
>> DelegatesToInvocationFunction.java:156)
>>      at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(
>> DelegatesToInvocationFunction.java:123)
>>      at com.sun.proxy.$Proxy146.bucketExists(Unknown Source)
>>      at org.jclouds.s3.blobstore.S3BlobStore.containerExists(
>> S3BlobStore.java:131)
>>      at com.redacted.util.storage.S3Storage.saveBlob(S3Storage.java:42)
>>      at com.redacted.util.storage.BlobStorageImpl.saveBlob(
>> BlobStorageImpl.java:19)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl.createTenant(
>> ImagesResourceImpl.java:90)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldSubclass.createTenant$$super(
>> Unknown Source)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(
>> TerminalAroundInvokeInvocationContext.java:49)
>>      at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.
>> proceed(AroundInvokeInvocationContext.java:77)
>>      at com.redacted.api.rest.v1.interceptors.
>> ValidatePermissionsInterceptor.checkOwnership(
>> ValidatePermissionsInterceptor.java:63)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$SimpleMethodInvocation.invoke(
>> SimpleInterceptorInvocation.java:74)
>>      at org.jboss.weld.interceptor.proxy.NonTerminalAroundInvokeInvocationContext.proceedInternal(
>> NonTerminalAroundInvokeInvocationContext.java:64)
>>      at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.
>> proceed(AroundInvokeInvocationContext.java:77)
>>      at com.redacted.api.rest.v1.interceptors.TransactionalInterceptor.
>> manageTransaction(TransactionalInterceptor.java:34)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$SimpleMethodInvocation.invoke(
>> SimpleInterceptorInvocation.java:74)
>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.
>> executeAroundInvoke(InterceptorMethodHandler.java:84)
>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.
>> executeInterception(InterceptorMethodHandler.java:72)
>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.invoke(
>> InterceptorMethodHandler.java:56)
>>      at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecoratorStackMethodHandler.invoke(
>> CombinedInterceptorAndDecoratorStackMethodHandler.java:79)
>>      at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecoratorStackMethodHandler.invoke(
>> CombinedInterceptorAndDecoratorStackMethodHandler.java:68)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldSubclass.createTenant(
>> Unknown Source)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldClientProxy.createTenant(
>> Unknown Source)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.glassfish.jersey.server.model.internal.
>> ResourceMethodInvocationHandlerFactory$1.invoke(
>> ResourceMethodInvocationHandlerFactory.java:81)
>>      at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(
>> AbstractJavaResourceMethodDispatcher.java:164)
>>      at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(
>> AbstractJavaResourceMethodDispatcher.java:181)
>>      at org.glassfish.jersey.server.model.internal.
>> JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(
>> JavaResourceMethodDispatcherProvider.java:158)
>>      at org.glassfish.jersey.server.model.internal.
>> AbstractJavaResourceMethodDispatcher.dispatch(
>> AbstractJavaResourceMethodDispatcher.java:101)
>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>> invoke(ResourceMethodInvoker.java:389)
>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>> apply(ResourceMethodInvoker.java:347)
>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>> apply(ResourceMethodInvoker.java:102)
>>      at org.glassfish.jersey.server.ServerRuntime$2.run(
>> ServerRuntime.java:305)
>>      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
>>      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
>>      at org.glassfish.jersey.process.internal.RequestScope.
>> runInScope(RequestScope.java:317)
>>      at org.glassfish.jersey.server.ServerRuntime.process(
>> ServerRuntime.java:288)
>>      at org.glassfish.jersey.server.ApplicationHandler.handle(
>> ApplicationHandler.java:1110)
>>      at org.glassfish.jersey.servlet.WebComponent.service(
>> WebComponent.java:401)
>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>> ServletContainer.java:386)
>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>> ServletContainer.java:335)
>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>> ServletContainer.java:222)
>>      at org.eclipse.jetty.servlet.ServletHolder.handle(
>> ServletHolder.java:835)
>>      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.
>> doFilter(ServletHandler.java:1685)
>>      at com.thetransactioncompany.cors.CORSFilter.doFilter(
>> CORSFilter.java:209)
>>      at com.thetransactioncompany.cors.CORSFilter.doFilter(
>> CORSFilter.java:244)
>>      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.
>> doFilter(ServletHandler.java:1668)
>>      at org.eclipse.jetty.servlet.ServletHandler.doHandle(
>> ServletHandler.java:581)
>>      at org.eclipse.jetty.server.handler.ScopedHandler.handle(
>> ScopedHandler.java:143)
>>      at org.eclipse.jetty.security.SecurityHandler.handle(
>> SecurityHandler.java:513)
>>      at org.eclipse.jetty.server.session.SessionHandler.
>> doHandle(SessionHandler.java:226)
>>      at org.eclipse.jetty.server.handler.ContextHandler.
>> doHandle(ContextHandler.java:1158)
>>      at org.eclipse.jetty.servlet.ServletHandler.doScope(
>> ServletHandler.java:511)
>>      at org.eclipse.jetty.server.session.SessionHandler.
>> doScope(SessionHandler.java:185)
>>      at org.eclipse.jetty.server.handler.ContextHandler.
>> doScope(ContextHandler.java:1090)
>>      at org.eclipse.jetty.server.handler.ScopedHandler.handle(
>> ScopedHandler.java:141)
>>      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(
>> HandlerWrapper.java:119)
>>      at org.eclipse.jetty.server.Server.handle(Server.java:517)
>>      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:308)
>>      at org.eclipse.jetty.server.HttpConnection.onFillable(
>> HttpConnection.java:242)
>>      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(
>> AbstractConnection.java:273)
>>      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
>>      at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(
>> SelectChannelEndPoint.java:75)
>>      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.
>> produceAndRun(ExecuteProduceConsume.java:213)
>>      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(
>> ExecuteProduceConsume.java:147)
>>      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(
>> QueuedThreadPool.java:654)
>>      at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(
>> QueuedThreadPool.java:572)
>>      at java.lang.Thread.run(Thread.java:745)
>> Caused by: javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException:
>> PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>> Method)
>>      at sun.reflect.NativeConstructorAccessorImpl.newInstance(
>> NativeConstructorAccessorImpl.java:62)
>>      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
>> DelegatingConstructorAccessorImpl.java:45)
>>      at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>      at sun.net.www.protocol.http.HttpURLConnection$10.run(
>> HttpURLConnection.java:1890)
>>      at sun.net.www.protocol.http.HttpURLConnection$10.run(
>> HttpURLConnection.java:1885)
>>      at java.security.AccessController.doPrivileged(Native Method)
>>      at sun.net.www.protocol.http.HttpURLConnection.getChainedException(
>> HttpURLConnection.java:1884)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
>> HttpURLConnection.java:1457)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
>> HttpURLConnection.java:1441)
>>      at java.net.HttpURLConnection.getResponseCode(
>> HttpURLConnection.java:480)
>>      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(
>> HttpsURLConnectionImpl.java:338)
>>      at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>> JavaUrlHttpCommandExecutorService.java:105)
>>      at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>> JavaUrlHttpCommandExecutorService.java:65)
>>      at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(
>> BaseHttpCommandExecutorService.java:99)
>>      ... 89 more
>> Caused by: javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException:
>> PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>      at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>      at sun.security.ssl.ClientHandshaker.serverCertificate(
>> ClientHandshaker.java:1509)
>>      at sun.security.ssl.ClientHandshaker.processMessage(
>> ClientHandshaker.java:216)
>>      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>>      at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>>      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(
>> SSLSocketImpl.java:1375)
>>      at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1403)
>>      at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1387)
>>      at sun.net.www.protocol.https.HttpsClient.afterConnect(
>> HttpsClient.java:559)
>>      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(
>> AbstractDelegateHttpsURLConnection.java:185)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
>> HttpURLConnection.java:1513)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
>> HttpURLConnection.java:1441)
>>      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(
>> HttpsURLConnectionImpl.java:254)
>>      at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>> JavaUrlHttpCommandExecutorService.java:97)
>>      ... 91 more
>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.security.validator.PKIXValidator.doBuild(
>> PKIXValidator.java:387)
>>      at sun.security.validator.PKIXValidator.engineValidate(
>> PKIXValidator.java:292)
>>      at sun.security.validator.Validator.validate(Validator.java:260)
>>      at sun.security.ssl.X509TrustManagerImpl.validate(
>> X509TrustManagerImpl.java:324)
>>      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(
>> X509TrustManagerImpl.java:229)
>>      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(
>> X509TrustManagerImpl.java:124)
>>      at sun.security.ssl.ClientHandshaker.serverCertificate(
>> ClientHandshaker.java:1491)
>>      ... 104 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.security.provider.certpath.SunCertPathBuilder.
>> build(SunCertPathBuilder.java:141)
>>      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(
>> SunCertPathBuilder.java:126)
>>      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>      at sun.security.validator.PKIXValidator.doBuild(
>> PKIXValidator.java:382)
>>      ... 110 more
>>
>>


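Editor's note, added to this archived thread; it is not part of any message above and not code from the jclouds project. The stack trace is a trust failure, not a hostname mismatch: a reverse proxy that serves several names from one IP picks its certificate from the TLS server_name (SNI) extension, and a client that omits SNI is handed the proxy's fallback certificate, whose chain the JDK cannot build, hence "PKIX path building failed" even though the Let's Encrypt root is in the truststore. The Java below (Java 8; the Apache part assumes httpclient 4.4 or later on the classpath; SniCheck and the host name, taken from the placeholder in the thread, are illustrative) first confirms that diagnosis by handshaking against the same endpoint with and without SNI and reporting the leaf certificate each time, then shows an SSLSocketFactory wrapper that forces server_name on the HttpsURLConnection path, and an HttpClientBuilder setup using SSLConnectionSocketFactory, the replacement for the deprecated SSLSocketFactory/SchemeRegistry construction referred to in the Keycloak issue.

```java
// Added example, not jclouds code: check whether a server selects its certificate by SNI,
// and two ways to make sure a Java client actually sends the server_name extension.
// Assumes Java 8 and, for the Apache part, httpclient 4.4 or later on the classpath.
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class SniCheck {

    /** Handshakes with or without server_name using the default trust store and reports the leaf
     *  certificate the server presented. A proxy that falls back to another certificate when no SNI
     *  arrives fails the no-SNI call with the same "PKIX path building failed" seen in the thread. */
    static String leafSubject(String host, int port, boolean sendSni) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Connect by IP literal: the JDK derives server_name from a host *name*, so this gives a
        // handshake with no SNI unless we add it explicitly below.
        String ip = InetAddress.getByName(host).getHostAddress();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(ip, port)) {
            SSLParameters params = socket.getSSLParameters();
            if (sendSni) {
                params.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            }
            socket.setSSLParameters(params);
            socket.startHandshake(); // chain validation happens here; a raw SSLSocket does no hostname check
            X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            return leaf.getSubjectX500Principal().getName();
        } catch (SSLHandshakeException e) {
            return "handshake failed: " + e.getMessage();
        }
    }

    /** Workaround for Java 8 builds on which a custom HostnameVerifier suppresses SNI in HttpsURLConnection:
     *  HttpsClient layers TLS over the connected socket via createSocket(Socket, String, int, boolean),
     *  so forcing server_name here puts it in the ClientHello regardless of the verifier in use. */
    static final class SniForcingSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;

        SniForcingSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

        @Override
        public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            SSLSocket ssl = (SSLSocket) delegate.createSocket(s, host, port, autoClose);
            SSLParameters params = ssl.getSSLParameters();
            params.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            ssl.setSSLParameters(params);
            return ssl;
        }

        // The remaining factory methods only delegate; they are not on the HttpsURLConnection path.
        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
        @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }
    }

    /** Apache HttpClient 4.4+: SSLConnectionSocketFactory layers TLS over the connected socket with the
     *  target host name, so SNI is sent. The deprecated org.apache.http.conn.ssl.SSLSocketFactory plus
     *  SchemeRegistry setup mentioned in the Keycloak issue is the path that skips it. */
    static CloseableHttpClient sniCapableApacheClient() throws NoSuchAlgorithmException {
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                SSLContext.getDefault(), SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "s3.demo.mydomain.com"; // placeholder host from the thread
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        System.out.println("without SNI: " + leafSubject(host, port, false));
        System.out.println("with SNI:    " + leafSubject(host, port, true));
        // Process-wide workaround for the default HttpsURLConnection path, then a HEAD like the one in the trace.
        HttpsURLConnection.setDefaultSSLSocketFactory(
                new SniForcingSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault()));
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://" + host + ":" + port + "/").openConnection();
        conn.setRequestMethod("HEAD");
        System.out.println("HttpsURLConnection with forced SNI: HTTP " + conn.getResponseCode());
    }
}
```

Run it as java SniCheck s3.demo.mydomain.com 443 against your own endpoint: if the "without SNI" line reports a handshake failure or a different subject while the "with SNI" line shows the expected Let's Encrypt-issued certificate, the failing client is not sending server_name. The Java 8 behaviour cen links to (a custom HostnameVerifier disabling SNI) was tracked as JDK-8144566 and is fixed in later 8u releases, so updating the runtime is the proper fix and the wrapper is for runtimes you cannot update. Whatever the driver, working around this error by disabling certificate validation would turn a visible trust failure into a silently unauthenticated connection, so it is not an acceptable shortcut.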