jclouds-user mailing list archives
From cen <imba...@gmail.com>
Subject Re: JClouds TLS SNI support?
Date Thu, 15 Sep 2016 09:17:09 GMT
Hi

Default driver and Apache driver failed me but OkHTTP worked.

For Apache, I found a similar bug in Keycloak JIRA: 
https://issues.jboss.org/browse/KEYCLOAK-2439

The interesting part is:

"Client adapter uses a deprecated API when setting up HttpClient object 
in org.keycloak.adapters.HttpClientBuilder. As a result, a SNI patch 
<https://issues.apache.org/jira/browse/HTTPCLIENT-1119> which is part of 
HttpClient library since version 4.3.2 
<http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.5.x.txt>, 
and which seems to delegate this part to Java SDK classes, where SNI is 
automatically set, isn't activated."

It's a guess on my part but I assume JClouds instantiates the HttpClient 
in a way that SNI does not get activated.

I dug more into the Apache driver and the way SSLSocketFactory is used by 
JClouds is very similar to pre-patched Keycloak from that Jira issue 
(according to pull requests). Might be worth looking into.

Best regards, cen


On 12 Sep 2016 at 21:04, Ignasi Barrera wrote:
> Hi!
>
> jclouds supports several HTTP drivers. By default it relies on the java
> HttpUrlConection, but you can also configure it to use the Apache Http
> client or OkHttp [1]. Using those drivers is as simple as adding the
> corresponding Guice module when creating the context (have a look at the
> OkHttp driver readme for an example [2]) so feel free to use the one that
> is better for your use case.
>
> If you need more control on how the http client is configured, you can take
> the jclouds Docker api as an example. It configures the OkHttp to support
> TLS connections. You can have a look at its docker http module [3] and
> create a similar module that initializes the OkHtttpClient as needed, and
> then pass it to the ContextBuilder when creating the jclouds context.
>
> HTH!
>
> I.
>
> [1] https://github.com/jclouds/jclouds/tree/master/drivers
> [2] https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/README.md
> [3]
> https://github.com/jclouds/jclouds/blob/master/apis/docker/src/main/java/org/jclouds/docker/config/DockerHttpApiModule.java
>
> On 12 Sep 2016 at 7:02 p.m., "cen" <imbacen@gmail.com> wrote:
>
>> Hi
>>
>> We have a FakeS3 instance behind a reverse proxy which handles several
>> subdomains over a single IP. We use a Let's Encrypt certificate to sign the
>> subdomains. We have the latest Java 8 installed which has the Let's Encrypt
>> root in its truststore. However, JClouds fails to connect to our FakeS3
>> instance over https (http works). We believe it is because TLS SNI is not
>> supported in JClouds since this is the most common problem we found other
>> people having when googling around. I browsed around the org.jclouds.http
>> package but I was unable to determine what HTTP client JClouds uses
>> behind the scenes or if it's a custom implementation. Could I get some
>> feedback on whether my assumptions are correct and how hard it would be to fix
>> this? This is the stacktrace:
>>
>>
>> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target connecting to
>> HEAD https://s3.demo.mydomain.com/productname HTTP/1.1
>>      at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(
>> BaseHttpCommandExecutorService.java:121)
>>      at org.jclouds.rest.internal.InvokeHttpMethod.invoke(
>> InvokeHttpMethod.java:90)
>>      at org.jclouds.rest.internal.InvokeHttpMethod.apply(
>> InvokeHttpMethod.java:73)
>>      at org.jclouds.rest.internal.InvokeHttpMethod.apply(
>> InvokeHttpMethod.java:44)
>>      at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(
>> DelegatesToInvocationFunction.java:156)
>>      at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(
>> DelegatesToInvocationFunction.java:123)
>>      at com.sun.proxy.$Proxy146.bucketExists(Unknown Source)
>>      at org.jclouds.s3.blobstore.S3BlobStore.containerExists(
>> S3BlobStore.java:131)
>>      at com.redacted.util.storage.S3Storage.saveBlob(S3Storage.java:42)
>>      at com.redacted.util.storage.BlobStorageImpl.saveBlob(
>> BlobStorageImpl.java:19)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl.createTenant(
>> ImagesResourceImpl.java:90)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
>> Proxy$_$$_WeldSubclass.createTenant$$super(Unknown Source)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocation
>> Context.proceedInternal(TerminalAroundInvokeInvocationContext.java:49)
>>      at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.
>> proceed(AroundInvokeInvocationContext.java:77)
>>      at com.redacted.api.rest.v1.interceptors.
>> ValidatePermissionsInterceptor.checkOwnership(
>> ValidatePermissionsInterceptor.java:63)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$
>> SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
>>      at org.jboss.weld.interceptor.proxy.NonTerminalAroundInvokeInvocat
>> ionContext.proceedInternal(NonTerminalAroundInvokeInvocat
>> ionContext.java:64)
>>      at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.
>> proceed(AroundInvokeInvocationContext.java:77)
>>      at com.redacted.api.rest.v1.interceptors.TransactionalInterceptor.
>> manageTransaction(TransactionalInterceptor.java:34)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$
>> SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.
>> executeAroundInvoke(InterceptorMethodHandler.java:84)
>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.
>> executeInterception(InterceptorMethodHandler.java:72)
>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.invoke(
>> InterceptorMethodHandler.java:56)
>>      at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecorato
>> rStackMethodHandler.invoke(CombinedInterceptorAndDecorato
>> rStackMethodHandler.java:79)
>>      at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecorato
>> rStackMethodHandler.invoke(CombinedInterceptorAndDecorato
>> rStackMethodHandler.java:68)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
>> Proxy$_$$_WeldSubclass.createTenant(Unknown Source)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
>> Proxy$_$$_WeldClientProxy.createTenant(Unknown Source)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.glassfish.jersey.server.model.internal.
>> ResourceMethodInvocationHandlerFactory$1.invoke(
>> ResourceMethodInvocationHandlerFactory.java:81)
>>      at org.glassfish.jersey.server.model.internal.
>> AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDisp
>> atcher.java:164)
>>      at org.glassfish.jersey.server.model.internal.
>> AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDisp
>> atcher.java:181)
>>      at org.glassfish.jersey.server.model.internal.
>> JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(
>> JavaResourceMethodDispatcherProvider.java:158)
>>      at org.glassfish.jersey.server.model.internal.
>> AbstractJavaResourceMethodDispatcher.dispatch(
>> AbstractJavaResourceMethodDispatcher.java:101)
>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>> invoke(ResourceMethodInvoker.java:389)
>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>> apply(ResourceMethodInvoker.java:347)
>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>> apply(ResourceMethodInvoker.java:102)
>>      at org.glassfish.jersey.server.ServerRuntime$2.run(
>> ServerRuntime.java:305)
>>      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
>>      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
>>      at org.glassfish.jersey.process.internal.RequestScope.
>> runInScope(RequestScope.java:317)
>>      at org.glassfish.jersey.server.ServerRuntime.process(
>> ServerRuntime.java:288)
>>      at org.glassfish.jersey.server.ApplicationHandler.handle(
>> ApplicationHandler.java:1110)
>>      at org.glassfish.jersey.servlet.WebComponent.service(
>> WebComponent.java:401)
>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>> ServletContainer.java:386)
>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>> ServletContainer.java:335)
>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>> ServletContainer.java:222)
>>      at org.eclipse.jetty.servlet.ServletHolder.handle(
>> ServletHolder.java:835)
>>      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.
>> doFilter(ServletHandler.java:1685)
>>      at com.thetransactioncompany.cors.CORSFilter.doFilter(
>> CORSFilter.java:209)
>>      at com.thetransactioncompany.cors.CORSFilter.doFilter(
>> CORSFilter.java:244)
>>      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.
>> doFilter(ServletHandler.java:1668)
>>      at org.eclipse.jetty.servlet.ServletHandler.doHandle(
>> ServletHandler.java:581)
>>      at org.eclipse.jetty.server.handler.ScopedHandler.handle(
>> ScopedHandler.java:143)
>>      at org.eclipse.jetty.security.SecurityHandler.handle(
>> SecurityHandler.java:513)
>>      at org.eclipse.jetty.server.session.SessionHandler.
>> doHandle(SessionHandler.java:226)
>>      at org.eclipse.jetty.server.handler.ContextHandler.
>> doHandle(ContextHandler.java:1158)
>>      at org.eclipse.jetty.servlet.ServletHandler.doScope(
>> ServletHandler.java:511)
>>      at org.eclipse.jetty.server.session.SessionHandler.
>> doScope(SessionHandler.java:185)
>>      at org.eclipse.jetty.server.handler.ContextHandler.
>> doScope(ContextHandler.java:1090)
>>      at org.eclipse.jetty.server.handler.ScopedHandler.handle(
>> ScopedHandler.java:141)
>>      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(
>> HandlerWrapper.java:119)
>>      at org.eclipse.jetty.server.Server.handle(Server.java:517)
>>      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:308)
>>      at org.eclipse.jetty.server.HttpConnection.onFillable(
>> HttpConnection.java:242)
>>      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(
>> AbstractConnection.java:273)
>>      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
>>      at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(
>> SelectChannelEndPoint.java:75)
>>      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.
>> produceAndRun(ExecuteProduceConsume.java:213)
>>      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(
>> ExecuteProduceConsume.java:147)
>>      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(
>> QueuedThreadPool.java:654)
>>      at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(
>> QueuedThreadPool.java:572)
>>      at java.lang.Thread.run(Thread.java:745)
>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
>> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>> Method)
>>      at sun.reflect.NativeConstructorAccessorImpl.newInstance(
>> NativeConstructorAccessorImpl.java:62)
>>      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
>> DelegatingConstructorAccessorImpl.java:45)
>>      at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>      at sun.net.www.protocol.http.HttpURLConnection$10.run(
>> HttpURLConnection.java:1890)
>>      at sun.net.www.protocol.http.HttpURLConnection$10.run(
>> HttpURLConnection.java:1885)
>>      at java.security.AccessController.doPrivileged(Native Method)
>>      at sun.net.www.protocol.http.HttpURLConnection.getChainedException(
>> HttpURLConnection.java:1884)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
>> HttpURLConnection.java:1457)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
>> HttpURLConnection.java:1441)
>>      at java.net.HttpURLConnection.getResponseCode(
>> HttpURLConnection.java:480)
>>      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(
>> HttpsURLConnectionImpl.java:338)
>>      at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>> JavaUrlHttpCommandExecutorService.java:105)
>>      at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>> JavaUrlHttpCommandExecutorService.java:65)
>>      at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(
>> BaseHttpCommandExecutorService.java:99)
>>      ... 89 more
>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
>> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>      at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>      at sun.security.ssl.ClientHandshaker.serverCertificate(
>> ClientHandshaker.java:1509)
>>      at sun.security.ssl.ClientHandshaker.processMessage(
>> ClientHandshaker.java:216)
>>      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>>      at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>>      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(
>> SSLSocketImpl.java:1375)
>>      at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1403)
>>      at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1387)
>>      at sun.net.www.protocol.https.HttpsClient.afterConnect(
>> HttpsClient.java:559)
>>      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnec
>> tion.connect(AbstractDelegateHttpsURLConnection.java:185)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
>> HttpURLConnection.java:1513)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
>> HttpURLConnection.java:1441)
>>      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(
>> HttpsURLConnectionImpl.java:254)
>>      at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>> JavaUrlHttpCommandExecutorService.java:97)
>>      ... 91 more
>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.security.validator.PKIXValidator.doBuild(
>> PKIXValidator.java:387)
>>      at sun.security.validator.PKIXValidator.engineValidate(
>> PKIXValidator.java:292)
>>      at sun.security.validator.Validator.validate(Validator.java:260)
>>      at sun.security.ssl.X509TrustManagerImpl.validate(
>> X509TrustManagerImpl.java:324)
>>      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(
>> X509TrustManagerImpl.java:229)
>>      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(
>> X509TrustManagerImpl.java:124)
>>      at sun.security.ssl.ClientHandshaker.serverCertificate(
>> ClientHandshaker.java:1491)
>>      ... 104 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.security.provider.certpath.SunCertPathBuilder.
>> build(SunCertPathBuilder.java:141)
>>      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(
>> SunCertPathBuilder.java:126)
>>      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>      at sun.security.validator.PKIXValidator.doBuild(
>> PKIXValidator.java:382)
>>      ... 110 more
>>

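Added example, not code from this thread or from the jclouds project: a small Java class that first checks whether the endpoint presents a different certificate with and without the TLS SNI extension (JDK APIs only), and then builds the jclouds S3 blobstore view with the OkHttp driver module that Ignasi's reply recommends. The class name SniCheck, the endpoint/identity/credential placeholders and the default hostname are assumptions; it also assumes the org.apache.jclouds.api:s3 and org.apache.jclouds.driver:jclouds-okhttp artifacts are on the classpath.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import com.google.common.collect.ImmutableSet;
import org.jclouds.ContextBuilder;
import org.jclouds.blobstore.BlobStoreContext;
import org.jclouds.http.okhttp.config.OkHttpCommandExecutorServiceModule;

/** Hypothetical helper (not part of jclouds) for diagnosing SNI-dependent TLS endpoints. */
public final class SniCheck {

    /**
     * Opens a TLS connection to host:port and reports the subject of the leaf certificate
     * the server presented. With sendSni=false the ClientHello carries no SNI extension,
     * which is how a client without SNI support looks to a name-based reverse proxy.
     * Trust and hostname verification stay at JDK defaults, so a proxy default certificate
     * that does not chain to the truststore surfaces as the same PKIX error as in the thread.
     */
    static String describe(String host, int port, boolean sendSni) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // An empty server-name list tells the JDK not to send the SNI extension at all.
            params.setServerNames(sendSni
                    ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                    : Collections.<SNIServerName>emptyList());
            // Keep hostname verification on: this is a diagnostic, not a way to weaken trust.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            try {
                socket.startHandshake();
            } catch (SSLHandshakeException e) {
                return "handshake failed: " + e.getMessage();
            }
            X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            return "leaf certificate subject: " + leaf.getSubjectX500Principal().getName();
        }
    }

    /**
     * Builds the jclouds S3 blobstore view with the OkHttp driver instead of the default
     * HttpUrlConnection driver: the driver's Guice module is passed via ContextBuilder.modules().
     * endpoint, identity and credential are placeholders supplied by the caller.
     */
    static BlobStoreContext s3ContextWithOkHttp(String endpoint, String identity, String credential) {
        return ContextBuilder.newBuilder("s3")
                .endpoint(endpoint)
                .credentials(identity, credential)
                .modules(ImmutableSet.of(new OkHttpCommandExecutorServiceModule()))
                .buildView(BlobStoreContext.class);
    }

    public static void main(String[] args) throws IOException {
        // Hostname taken from the thread; pass your own endpoint on the command line.
        String host = args.length > 0 ? args[0] : "s3.demo.mydomain.com";
        System.out.println("with SNI:    " + describe(host, 443, true));
        System.out.println("without SNI: " + describe(host, 443, false));
    }
}
```

Reading the two lines: a valid certificate with SNI and a failure (or a different subject) without it means the proxy selects the certificate by server name, and the fix is a client that sends SNI, not a relaxed truststore or hostname verifier. If both lines fail with the PKIX error, the problem is the trust chain itself (for example an incomplete Let's Encrypt chain served by the proxy), and switching HTTP drivers will not help.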
