From Ignasi Barrera <n...@apache.org>
Subject Re: JClouds TLS SNI support?
Date Thu, 15 Sep 2016 10:27:12 GMT
Better open one issue with all the details you got. Thanks!

On 15 September 2016 at 12:20, cen <imbacen@gmail.com> wrote:
> Sure. Should I open the issue specifically about Apache client and another
> one for default Java client?
>
> The unexplained thing is why the default Java client isn't working with SNI
> by default, even though it should in theory (Java 8 sends SNI automatically
> and by default according to Oracle docs). The closest thing I found is this:
> http://stackoverflow.com/questions/30817934/extended-server-name-sni-extension-not-sent-with-jdk1-8-0-but-send-with-jdk1-7
> a possible OpenJDK bug.
>
> A quick dig into JClouds code seems to confirm that setHostnameVerifier() is
> used so this could be the case.
>
>
> On 15. 09. 2016 at 12:06, Ignasi Barrera wrote:
>
>> Thanks for the feedback and all the details cen!
>>
>> Would you mind opening an issue in our JIRA so we can track and fix
>> the Apache driver?
>>
>>
>>
>> On 15 September 2016 at 11:17, cen <imbacen@gmail.com> wrote:
>>>
>>> Hi
>>>
>>> Default driver and Apache driver failed me but OkHTTP worked.
>>>
>>> For Apache, I found a similar bug in Keycloak JIRA:
>>> https://issues.jboss.org/browse/KEYCLOAK-2439
>>>
>>> The interesting part is:
>>>
>>> "Client adapter uses a deprecated API when setting up HttpClient object in
>>> org.keycloak.adapters.HttpClientBuilder. As a result, a SNI patch which is
>>> part of HttpClient library since version 4.3.2, and which seems to delegate
>>> this part to Java SDK classes, where SNI is automatically set, isn't
>>> activated."
>>>
>>> It's a guess on my part but I assume JClouds instantiates the HttpClient in
>>> a way that SNI does not get activated.
>>>
>>> I dug more into the Apache driver, and the way SSLSocketFactory is used by
>>> JClouds is very similar to pre-patched Keycloak from that Jira issue
>>> (according to the pull requests). Might be worth looking into.
>>>
>>> Best regards, cen
>>>
>>>
>>> On 12. 09. 2016 at 21:04, Ignasi Barrera wrote:
>>>
>>> Hi!
>>>
>>> jclouds supports several HTTP drivers. By default it relies on the Java
>>> HttpURLConnection, but you can also configure it to use the Apache Http
>>> client or OkHttp [1]. Using those drivers is as simple as adding the
>>> corresponding Guice module when creating the context (have a look at the
>>> OkHttp driver readme for an example [2]), so feel free to use the one that
>>> is better for your use case.
>>>
>>> If you need more control on how the http client is configured, you can take
>>> the jclouds Docker api as an example. It configures the OkHttp to support
>>> TLS connections. You can have a look at its docker http module [3] and
>>> create a similar module that initializes the OkHttpClient as needed, and
>>> then pass it to the ContextBuilder when creating the jclouds context.
>>>
>>> HTH!
>>>
>>> I.
>>>
>>> [1] https://github.com/jclouds/jclouds/tree/master/drivers
>>> [2] https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/README.md
>>> [3] https://github.com/jclouds/jclouds/blob/master/apis/docker/src/main/java/org/jclouds/docker/config/DockerHttpApiModule.java
>>>
>>> On 12 Sept 2016 at 7:02 p.m., "cen" <imbacen@gmail.com> wrote:
>>>
>>> Hi
>>>
>>> We have a FakeS3 instance behind a reverse proxy which handles several
>>> subdomains over a single IP. We use a Let's Encrypt certificate to sign the
>>> subdomains. We have the latest Java 8 installed, which has the Let's Encrypt
>>> root in its truststore. However, JClouds fails to connect to our FakeS3
>>> instance over https (http works). We believe it is because TLS SNI is not
>>> supported in JClouds, since this is the most common problem we found other
>>> people having when googling around. I browsed around the org.jclouds.http
>>> package but I was unable to determine which HTTP client JClouds uses
>>> behind the scenes, or if it's a custom implementation. Could I get some
>>> feedback on whether my assumptions are correct and how hard it would be to
>>> fix this? This is the stacktrace:
>>>
>>>
>>> PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find valid certification path to requested target connecting to
>>> HEAD https://s3.demo.mydomain.com/productname HTTP/1.1
>>>      at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(
>>> BaseHttpCommandExecutorService.java:121)
>>>      at org.jclouds.rest.internal.InvokeHttpMethod.invoke(
>>> InvokeHttpMethod.java:90)
>>>      at org.jclouds.rest.internal.InvokeHttpMethod.apply(
>>> InvokeHttpMethod.java:73)
>>>      at org.jclouds.rest.internal.InvokeHttpMethod.apply(
>>> InvokeHttpMethod.java:44)
>>>      at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(
>>> DelegatesToInvocationFunction.java:156)
>>>      at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(
>>> DelegatesToInvocationFunction.java:123)
>>>      at com.sun.proxy.$Proxy146.bucketExists(Unknown Source)
>>>      at org.jclouds.s3.blobstore.S3BlobStore.containerExists(
>>> S3BlobStore.java:131)
>>>      at com.redacted.util.storage.S3Storage.saveBlob(S3Storage.java:42)
>>>      at com.redacted.util.storage.BlobStorageImpl.saveBlob(
>>> BlobStorageImpl.java:19)
>>>      at
>>> com.redacted.api.rest.v1.resources.ImagesResourceImpl.createTenant(
>>> ImagesResourceImpl.java:90)
>>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
>>> Proxy$_$$_WeldSubclass.createTenant$$super(Unknown Source)
>>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>>> NativeMethodAccessorImpl.java:62)
>>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>>> DelegatingMethodAccessorImpl.java:43)
>>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>>      at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocation
>>> Context.proceedInternal(TerminalAroundInvokeInvocationContext.java:49)
>>>      at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.
>>> proceed(AroundInvokeInvocationContext.java:77)
>>>      at com.redacted.api.rest.v1.interceptors.
>>> ValidatePermissionsInterceptor.checkOwnership(
>>> ValidatePermissionsInterceptor.java:63)
>>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>>> NativeMethodAccessorImpl.java:62)
>>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>>> DelegatingMethodAccessorImpl.java:43)
>>>      at java.lang.reflect.Method.
>>> invoke(Method.java:498)
>>>      at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$
>>> SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
>>>      at org.jboss.weld.interceptor.proxy.NonTerminalAroundInvokeInvocat
>>> ionContext.proceedInternal(NonTerminalAroundInvokeInvocat
>>> ionContext.java:64)
>>>      at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.
>>> proceed(AroundInvokeInvocationContext.java:77)
>>>      at com.redacted.api.rest.v1.interceptors.TransactionalInterceptor.
>>> manageTransaction(TransactionalInterceptor.java:34)
>>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>>> NativeMethodAccessorImpl.java:62)
>>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>>> DelegatingMethodAccessorImpl.java:43)
>>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>>      at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$
>>> SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
>>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.
>>> executeAroundInvoke(InterceptorMethodHandler.java:84)
>>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.
>>> executeInterception(InterceptorMethodHandler.java:72)
>>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.invoke(
>>> InterceptorMethodHandler.java:56)
>>>      at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecorato
>>> rStackMethodHandler.invoke(CombinedInterceptorAndDecorato
>>> rStackMethodHandler.java:79)
>>>      at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecorato
>>> rStackMethodHandler.invoke(CombinedInterceptorAndDecorato
>>> rStackMethodHandler.java:68)
>>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
>>> Proxy$_$$_WeldSubclass.createTenant(Unknown Source)
>>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
>>> Proxy$_$$_WeldClientProxy.createTenant(Unknown Source)
>>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>>> NativeMethodAccessorImpl.java:62)
>>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>>> DelegatingMethodAccessorImpl.java:43)
>>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>>      at org.glassfish.jersey.server.model.internal.
>>> ResourceMethodInvocationHandlerFactory$1.invoke(
>>> ResourceMethodInvocationHandlerFactory.java:81)
>>>      at org.glassfish.jersey.server.model.internal.
>>> AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDisp
>>> atcher.java:164)
>>>      at org.glassfish.jersey.server.model.internal.
>>>
>>> AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDisp
>>> atcher.java:181)
>>>      at org.glassfish.jersey.server.model.internal.
>>> JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(
>>> JavaResourceMethodDispatcherProvider.java:158)
>>>      at org.glassfish.jersey.server.model.internal.
>>> AbstractJavaResourceMethodDispatcher.dispatch(
>>> AbstractJavaResourceMethodDispatcher.java:101)
>>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>>> invoke(ResourceMethodInvoker.java:389)
>>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>>> apply(ResourceMethodInvoker.java:347)
>>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>>> apply(ResourceMethodInvoker.java:102)
>>>      at org.glassfish.jersey.server.ServerRuntime$2.run(
>>> ServerRuntime.java:305)
>>>      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
>>>      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
>>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
>>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
>>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
>>>      at org.glassfish.jersey.process.internal.RequestScope.
>>> runInScope(RequestScope.java:317)
>>>      at org.glassfish.jersey.server.ServerRuntime.process(
>>> ServerRuntime.java:288)
>>>      at org.glassfish.jersey.server.ApplicationHandler.handle(
>>> ApplicationHandler.java:1110)
>>>      at org.glassfish.jersey.servlet.WebComponent.service(
>>> WebComponent.java:401)
>>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>>> ServletContainer.java:386)
>>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>>> ServletContainer.java:335)
>>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>>> ServletContainer.java:222)
>>>      at org.eclipse.jetty.servlet.ServletHolder.handle(
>>> ServletHolder.java:835)
>>>      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.
>>> doFilter(ServletHandler.java:1685)
>>>      at com.thetransactioncompany.cors.CORSFilter.doFilter(
>>> CORSFilter.java:209)
>>>      at com.thetransactioncompany.cors.CORSFilter.doFilter(
>>> CORSFilter.java:244)
>>>      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.
>>> doFilter(ServletHandler.java:1668)
>>>      at org.eclipse.jetty.servlet.ServletHandler.doHandle(
>>> ServletHandler.java:581)
>>>      at org.eclipse.jetty.server.handler.ScopedHandler.handle(
>>> ScopedHandler.java:143)
>>>      at org.eclipse.jetty.security.SecurityHandler.handle(
>>> SecurityHandler.java:513)
>>>      at org.eclipse.jetty.server.session.SessionHandler.
>>> doHandle(SessionHandler.java:226)
>>>      at org.eclipse.jetty.server.handler.ContextHandler.
>>> doHandle(ContextHandler.java:1158)
>>>      at org.eclipse.jetty.servlet.ServletHandler.doScope(
>>> ServletHandler.java:511)
>>>      at org.eclipse.jetty.server.session.SessionHandler.
>>> doScope(SessionHandler.java:185)
>>>      at org.eclipse.jetty.server.handler.ContextHandler.
>>> doScope(ContextHandler.java:1090)
>>>      at org.eclipse.jetty.server.handler.ScopedHandler.handle(
>>> ScopedHandler.java:141)
>>>      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(
>>> HandlerWrapper.java:119)
>>>      at org.eclipse.jetty.server.Server.handle(Server.java:517)
>>>      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:308)
>>>      at org.eclipse.jetty.server.HttpConnection.onFillable(
>>> HttpConnection.java:242)
>>>      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(
>>> AbstractConnection.java:273)
>>>      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
>>>      at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(
>>> SelectChannelEndPoint.java:75)
>>>      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.
>>> produceAndRun(ExecuteProduceConsume.java:213)
>>>      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(
>>> ExecuteProduceConsume.java:147)
>>>      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(
>>> QueuedThreadPool.java:654)
>>>      at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(
>>> QueuedThreadPool.java:572)
>>>      at java.lang.Thread.run(Thread.java:745)
>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException:
>>> PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find valid certification path to requested target
>>>      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>>> Method)
>>>      at sun.reflect.NativeConstructorAccessorImpl.newInstance(
>>> NativeConstructorAccessorImpl.java:62)
>>>      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
>>> DelegatingConstructorAccessorImpl.java:45)
>>>      at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>      at sun.net.www.protocol.http.HttpURLConnection$10.run(
>>> HttpURLConnection.java:1890)
>>>      at sun.net.www.protocol.http.HttpURLConnection$10.run(
>>> HttpURLConnection.java:1885)
>>>      at java.security.AccessController.doPrivileged(Native Method)
>>>      at sun.net.www.protocol.http.HttpURLConnection.getChainedException(
>>> HttpURLConnection.java:1884)
>>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
>>> HttpURLConnection.java:1457)
>>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
>>> HttpURLConnection.java:1441)
>>>      at java.net.HttpURLConnection.getResponseCode(
>>> HttpURLConnection.java:480)
>>>      at
>>> sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(
>>> HttpsURLConnectionImpl.java:338)
>>>      at
>>> org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>>> JavaUrlHttpCommandExecutorService.java:105)
>>>      at
>>> org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>>> JavaUrlHttpCommandExecutorService.java:65)
>>>      at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(
>>> BaseHttpCommandExecutorService.java:99)
>>>      ... 89 more
>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException:
>>> PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find valid certification path to requested target
>>>      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>      at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>>      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>      at sun.security.ssl.ClientHandshaker.serverCertificate(
>>> ClientHandshaker.java:1509)
>>>      at sun.security.ssl.ClientHandshaker.processMessage(
>>> ClientHandshaker.java:216)
>>>      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>>>      at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>>>      at
>>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>>      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(
>>> SSLSocketImpl.java:1375)
>>>      at sun.security.ssl.SSLSocketImpl.startHandshake(
>>> SSLSocketImpl.java:1403)
>>>      at sun.security.ssl.SSLSocketImpl.startHandshake(
>>> SSLSocketImpl.java:1387)
>>>      at sun.net.www.protocol.https.HttpsClient.afterConnect(
>>> HttpsClient.java:559)
>>>      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnec
>>> tion.connect(AbstractDelegateHttpsURLConnection.java:185)
>>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
>>> HttpURLConnection.java:1513)
>>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
>>> HttpURLConnection.java:1441)
>>>      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(
>>> HttpsURLConnectionImpl.java:254)
>>>      at
>>> org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>>> JavaUrlHttpCommandExecutorService.java:97)
>>>      ... 91 more
>>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find valid certification path to requested target
>>>      at sun.security.validator.PKIXValidator.doBuild(
>>> PKIXValidator.java:387)
>>>      at sun.security.validator.PKIXValidator.engineValidate(
>>> PKIXValidator.java:292)
>>>      at sun.security.validator.Validator.validate(Validator.java:260)
>>>      at sun.security.ssl.X509TrustManagerImpl.validate(
>>> X509TrustManagerImpl.java:324)
>>>      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(
>>> X509TrustManagerImpl.java:229)
>>>      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(
>>> X509TrustManagerImpl.java:124)
>>>      at sun.security.ssl.ClientHandshaker.serverCertificate(
>>> ClientHandshaker.java:1491)
>>>      ... 104 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find valid certification path to requested target
>>>      at sun.security.provider.certpath.SunCertPathBuilder.
>>> build(SunCertPathBuilder.java:141)
>>>      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(
>>> SunCertPathBuilder.java:126)
>>>      at
>>> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>>      at sun.security.validator.PKIXValidator.doBuild(
>>> PKIXValidator.java:382)
>>>      ... 110 more
>>>
>>>
>
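The driver switch Ignasi describes (adding the OkHttp Guice module to the ContextBuilder), written out as an added example; this is not code from the thread or from the jclouds project. It assumes the `s3` API and `jclouds-okhttp` driver artifacts are on the classpath, and the endpoint, credentials and container name are placeholders taken from the thread, not real values.

```java
import com.google.common.collect.ImmutableSet;
import com.google.inject.Module;
import org.jclouds.ContextBuilder;
import org.jclouds.blobstore.BlobStoreContext;
import org.jclouds.http.okhttp.config.OkHttpCommandExecutorServiceModule;

/**
 * Builds a jclouds S3 context that uses the OkHttp driver instead of the
 * default HttpURLConnection one, then performs the same call that failed in
 * the stack trace above (containerExists -> HEAD bucket).
 *
 * Assumed Maven dependencies (not stated in the thread):
 *   org.apache.jclouds.api:s3 and org.apache.jclouds.driver:jclouds-okhttp
 */
public class OkHttpS3Check {

    /** Returns true if the container is reachable and exists over the OkHttp driver. */
    public static boolean containerExists(String endpoint, String identity,
                                          String credential, String container) {
        // The only change versus the default setup: register the OkHttp driver module.
        Iterable<Module> modules =
                ImmutableSet.<Module>of(new OkHttpCommandExecutorServiceModule());

        // BlobStoreContext is Closeable, so the connection pool is released on exit.
        try (BlobStoreContext ctx = ContextBuilder.newBuilder("s3")
                .endpoint(endpoint)
                .credentials(identity, credential)
                .modules(modules)
                .buildView(BlobStoreContext.class)) {
            return ctx.getBlobStore().containerExists(container);
        }
    }

    public static void main(String[] args) {
        // Placeholder values: the host comes from the thread's stack trace,
        // the credentials are obviously fake.
        String endpoint = "https://s3.demo.mydomain.com";
        boolean exists = containerExists(endpoint, "ACCESS_KEY_PLACEHOLDER",
                "SECRET_KEY_PLACEHOLDER", "productname");
        System.out.println("container exists: " + exists);
    }
}
```

If the handshake still fails with this driver, the problem is not SNI on the client side (OkHttp sets the extension from the request URL) but the trust store or the certificate the proxy presents; that is the distinction cen's report ("Default driver and Apache driver failed me but OkHTTP worked") relies on.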

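To check the thread's hypothesis directly, the following added diagnostic (not from the thread, not jclouds code) opens two TLS connections with the plain JDK, one with the SNI extension and one without, and reports which certificate the server presents in each case. It uses only `javax.net.ssl` classes; the default host is the redacted name from the stack trace and is a placeholder.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Compares the server certificate seen with and without SNI. A reverse proxy
 * that hosts several names on one IP typically returns a default certificate
 * when no server name is sent, which produces exactly the "PKIX path building
 * failed" error quoted in the thread.
 */
public class SniProbe {

    /**
     * Performs one handshake against host:port and returns either the leaf
     * certificate's subject and SANs, or the handshake failure message.
     */
    static String probe(String host, int port, boolean sendSni) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            if (sendSni) {
                params.setServerNames(Collections.singletonList(new SNIHostName(host)));
            } else {
                // An empty list tells the JDK not to send the server_name extension.
                params.setServerNames(Collections.emptyList());
            }
            // Keep hostname verification on; the JDK checks the cert's SANs against host,
            // so a default certificate is rejected rather than silently accepted.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();

            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            return "OK: subject=" + leaf.getSubjectX500Principal().getName()
                    + " SANs=" + leaf.getSubjectAlternativeNames();
        } catch (IOException | CertificateParsingException e) {
            // SSLHandshakeException (a subclass of IOException) carries the PKIX message.
            return "FAILED: " + e;
        }
    }

    public static void main(String[] args) {
        // Placeholder host taken from the thread's stack trace.
        String host = args.length > 0 ? args[0] : "s3.demo.mydomain.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        System.out.println("with SNI:    " + probe(host, port, true));
        System.out.println("without SNI: " + probe(host, port, false));
    }
}
```

Run it as `java SniProbe s3.demo.mydomain.com`. If the first line succeeds and the second fails with the same `unable to find valid certification path` text as the stack trace, the proxy serves a different certificate when SNI is absent, and a client that fails against it is not sending the extension; the Stack Overflow question linked in the thread describes one JDK 8 condition (a custom hostname verifier on HttpsURLConnection) under which that happens. If both lines fail, the client-side SNI theory is ruled out and the trust store or the certificate chain itself should be examined instead.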