search

Ecwid / consul-api

Java client for Consul HTTP API
Apache License 2.0
417 stars 175 forks source link

2-way SSL from Spring to Consul fails. (Keystore is not being read) #121

Open rsmolin opened 7 years ago

rsmolin commented 7 years ago

I have same problem as described #67, for me -Djavax.net.ssl.keyStore property is still not being read. If I use SSLPoke.class with same parameters I can successfully connect to consul server.

Here is my code: 

public class Application {

    @RequestMapping("/")
    public String home() {
        return "Hello World";

    }

    public static void main(String[] args) {

        System.setProperty("javax.net.ssl.trustStore", "REDACTED");
        System.setProperty("javax.net.ssl.keyStore",  "REDACTED");
        System.setProperty("javax.net.ssl.keyStorePassword", "REDACTED");
        System.setProperty("javax.net.ssl.trustStorePassword", "REDACTED");
        SpringApplication.run(Application.class, args);
    }

}

2017-08-09 13:29:32.348  INFO 29913 --- [           main] f.a.AutowiredAnnotationBeanPostProcessor : JSR-330 'javax.inject.Inject' annotation found and supported for autowiring
2017-08-09 13:29:32.373  INFO 29913 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'configurationPropertiesRebinderAutoConfiguration' of type [org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration$$EnhancerBySpringCGLIB$$9497abe0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
trustStore is: <REDACTED>
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
<REDACTED>

trigger seeding of SecureRandom
done seeding SecureRandom

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _ | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v1.5.2.RELEASE)

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1485435420 bytes = { 92, 68, 118, 90, 129, 203, 17, 41, 191, 111, 133, 174, 241, 236, 116, 177, 213, 9, 144, 212, 151, 158, 222, 197, 126, 82, 77, 233 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
[write] MD5 and SHA1 hashes:  len = 209
0000: 01 00 00 CD 03 03 59 8A   F2 1C 5C 44 76 5A 81 CB  ......Y...\DvZ..
0010: 11 29 BF 6F 85 AE F1 EC   74 B1 D5 09 90 D4 97 9E  .).o....t.......
0020: DE C5 7E 52 4D E9 00 00   64 C0 24 C0 28 00 3D C0  ...RM...d.$.(.=.
0030: 26 C0 2A 00 6B 00 6A C0   0A C0 14 00 35 C0 05 C0  &.*.k.j.....5...
0040: 0F 00 39 00 38 C0 23 C0   27 00 3C C0 25 C0 29 00  ..9.8.#.'.<.%.).
0050: 67 00 40 C0 09 C0 13 00   2F C0 04 C0 0E 00 33 00  g.@...../.....3.
0060: 32 C0 2C C0 2B C0 30 00   9D C0 2E C0 32 00 9F 00  2.,.+.0.....2...
0070: A3 C0 2F 00 9C C0 2D C0   31 00 9E 00 A2 C0 08 C0  ../...-.1.......
0080: 12 00 0A C0 03 C0 0D 00   16 00 13 00 FF 01 00 00  ................
0090: 40 00 0A 00 16 00 14 00   17 00 18 00 19 00 09 00  @...............
00A0: 0A 00 0B 00 0C 00 0D 00   0E 00 16 00 0B 00 02 01  ................
00B0: 00 00 0D 00 1C 00 1A 06   03 06 01 05 03 05 01 04  ................
00C0: 03 04 01 04 02 03 03 03   01 03 02 02 03 02 01 02  ................
00D0: 02                                                 .
main, WRITE: TLSv1.2 Handshake, length = 209
[Raw write]: length = 214
0000: 16 03 03 00 D1 01 00 00   CD 03 03 59 8A F2 1C 5C  ...........Y...\
0010: 44 76 5A 81 CB 11 29 BF   6F 85 AE F1 EC 74 B1 D5  DvZ...).o....t..
0020: 09 90 D4 97 9E DE C5 7E   52 4D E9 00 00 64 C0 24  ........RM...d.$
0030: C0 28 00 3D C0 26 C0 2A   00 6B 00 6A C0 0A C0 14  .(.=.&.*.k.j....
0040: 00 35 C0 05 C0 0F 00 39   00 38 C0 23 C0 27 00 3C  .5.....9.8.#.'.<
0050: C0 25 C0 29 00 67 00 40   C0 09 C0 13 00 2F C0 04  .%.).g.@...../..
0060: C0 0E 00 33 00 32 C0 2C   C0 2B C0 30 00 9D C0 2E  ...3.2.,.+.0....
0070: C0 32 00 9F 00 A3 C0 2F   00 9C C0 2D C0 31 00 9E  .2...../...-.1..
0080: 00 A2 C0 08 C0 12 00 0A   C0 03 C0 0D 00 16 00 13  ................
0090: 00 FF 01 00 00 40 00 0A   00 16 00 14 00 17 00 18  .....@..........
00A0: 00 19 00 09 00 0A 00 0B   00 0C 00 0D 00 0E 00 16  ................
00B0: 00 0B 00 02 01 00 00 0D   00 1C 00 1A 06 03 06 01  ................
00C0: 05 03 05 01 04 03 04 01   04 02 03 03 03 01 03 02  ................
00D0: 02 03 02 01 02 02                                  ......
[Raw read]: length = 5
0000: 16 03 03 00 31                                     ....1
[Raw read]: length = 49
0000: 02 00 00 2D 03 03 22 91   92 0D 53 9B B1 25 68 85  ...-.."...S..%h.
0010: 33 CB 9A 60 C7 9D 87 DA   6D 40 6C E0 60 3F CE 93  3......m@l.?..
0020: 15 DF C2 25 B5 64 00 C0   14 00 00 05 FF 01 00 01  ...%.d..........
0030: 00                                                 .
main, READ: TLSv1.2 Handshake, length = 49
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 563122701 bytes = { 83, 155, 177, 37, 104, 133, 51, 203, 154, 96, 199, 157, 135, 218, 109, 64, 108, 224, 96, 63, 206, 147, 21, 223, 194, 37, 181, 100 }
Session ID:  {}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[read] MD5 and SHA1 hashes:  len = 49
0000: 02 00 00 2D 03 03 22 91   92 0D 53 9B B1 25 68 85  ...-.."...S..%h.
0010: 33 CB 9A 60 C7 9D 87 DA   6D 40 6C E0 60 3F CE 93  3......m@l.?..
0020: 15 DF C2 25 B5 64 00 C0   14 00 00 05 FF 01 00 01  ...%.d..........
0030: 00                                                 .
[Raw read]: length = 5
0000: 16 03 03 03 59                                     ....Y
[Raw read]: length = 857
REDACTED
main, READ: TLSv1.2 Handshake, length = 857
*** Certificate chain
chain [0] = [
REDACTED
]

]
***
Found trusted certificate:
[
REDACTED
]
*** CertificateRequest
Cert Types: RSA, ECDSA
Supported Signature Algorithms: SHA256withRSA, SHA256withECDSA, SHA384withRSA, SHA384withECDSA, SHA1withRSA, SHA1withECDSA
Cert Authorities:
[read] MD5 and SHA1 hashes:  len = 108
0000: 16 03 03 00 04                                     .....
[Raw read]: length = 4
0000: 0E 00 00 00                                        ....
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
[write] MD5 and SHA1 hashes:  len = 77
REDACTED
main, WRITE: TLSv1.2 Handshake, length = 77
[Raw write]: length = 82
REDACTED
SESSION KEYGEN:
PreMaster Secret:
REDACTED
CONNECTION KEYGEN:
Client Nonce:
REDACTED
Server Nonce:
REDACTED
Master Secret:
REDACTED
Client MAC write Secret:
REDACTED
Server MAC write Secret:
REDACTED
Client write key:
REDACTED
Server write key:
REDACTED
*** Finished
verify_data:  { 233, 249, 154, 229, 213, 66, 143, 69, 87, 27, 151, 7 }
***
[write] MD5 and SHA1 hashes:  len = 16
REDACTED 

Padded plaintext before ENCRYPTION:  len = 64
main, WRITE: TLSv1.2 Handshake, length = 64
main, waiting for close_notify or alert: state 1
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 2A                                              .*
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, bad_certificate
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
main, called closeSocket()
main, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
2017-08-09 13:29:33.037 ERROR 29913 --- [           main] o.s.c.c.c.ConsulPropertySourceLocator    : Fail fast is set and there was an error reading configuration from consul.
2017-08-09 13:29:33.038  WARN 29913 --- [           main] o.s.boot.SpringApplication               : Error handling failed (ApplicationEventMulticaster not initialized - call 'refresh' before multicasting events via the context: org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@37ff4054: startup date [Thu Jan 01 01:00:00 CET 1970]; parent: org.springframework.context.annotation.AnnotationConfigApplicationContext@770d3326)
2017-08-09 13:29:33.045 ERROR 29913 --- [           main] o.s.boot.SpringApplication               : Application startup failed

com.ecwid.consul.transport.TransportException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    at com.ecwid.consul.transport.AbstractHttpTransport.executeRequest(AbstractHttpTransport.java:96) ~[consul-api-1.2.3.jar:na]
    at com.ecwid.consul.transport.AbstractHttpTransport.makeGetRequest(AbstractHttpTransport.java:55) ~[consul-api-1.2.3.jar:na]
    at com.ecwid.consul.v1.ConsulRawClient.makeGetRequest(ConsulRawClient.java:81) ~[consul-api-1.2.3.jar:na]
    at com.ecwid.consul.v1.kv.KeyValueConsulClient.getKVValues(KeyValueConsulClient.java:150) ~[consul-api-1.2.3.jar:na]
    at com.ecwid.consul.v1.ConsulClient.getKVValues(ConsulClient.java:492) ~[consul-api-1.2.3.jar:na]
    at org.springframework.cloud.consul.config.ConsulPropertySource.init(ConsulPropertySource.java:66) ~[spring-cloud-consul-config-1.2.1.RELEASE.jar:1.2.1.RELEASE]
    at org.springframework.cloud.consul.config.ConsulPropertySourceLocator.create(ConsulPropertySourceLocator.java:157) ~[spring-cloud-consul-config-1.2.1.RELEASE.jar:1.2.1.RELEASE]
    at org.springframework.cloud.consul.config.ConsulPropertySourceLocator.locate(ConsulPropertySourceLocator.java:131) ~[spring-cloud-consul-config-1.2.1.RELEASE.jar:1.2.1.RELEASE]
    at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:93) ~[spring-cloud-context-1.2.3.RELEASE.jar:1.2.3.RELEASE]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:611) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:348) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:312) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1162) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1151) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
    at hello.Application.main(Application.java:52) [main/:na]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_141]
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2033) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1779) ~[na:1.8.0_141]
    at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124) ~[na:1.8.0_141]
    at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1130) ~[na:1.8.0_141]
    at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1216) ~[na:1.8.0_141]
    at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1128) ~[na:1.8.0_141]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348) ~[na:1.8.0_141]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[na:1.8.0_141]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[na:1.8.0_141]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:221) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:140) ~[httpclient-4.5.3.jar:4.5.3]
    at com.ecwid.consul.transport.AbstractHttpTransport.executeRequest(AbstractHttpTransport.java:80) ~[consul-api-1.2.3.jar:na]
    ... 14 common frames omitted

Process finished with exit code 1```
lfmunoz commented 3 years ago

I have same issue, anyone got a solution?