SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Web proxy to access internet error #228

Closed ovcrash closed 2 months ago

ovcrash commented 1 year ago

Describe the bug
We are using the AzureAD OIDC integration. This integration needs to access the well-known endpoint to get configuration information. We are behind a web proxy for internet connection. We have used this help to set the web proxy in the env file (https://github.com/SecurityRiskAdvisors/VECTR/issues/163). The problem we have is that we are using SSL inspection, and the certificate used is an internal certificate from our CA. We get an SSL error.

Expected behavior
Configure proxy settings in the Java options. Add the certificate to the trusted certs. Communication to the AzureAD OIDC should work.

Logs

2023-04-04 12:42:58,372 ERROR [com.sra.auth.web.service.IdentityProviderService] - Stack trace:
vectr-tomcat_1 | org.pac4j.core.exception.TechnicalException: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:190) ~[pac4j-oidc-5.7.0.jar:?]
vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:56) ~[pac4j-core-5.7.0.jar:?]
vectr-tomcat_1 | at org.pac4j.oidc.client.OidcClient.internalInit(OidcClient.java:48) ~[pac4j-oidc-5.7.0.jar:?]
vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:56) ~[pac4j-core-5.7.0.jar:?]
vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:33) ~[pac4j-core-5.7.0.jar:?]
vectr-tomcat_1 | at com.sra.auth.web.service.IdentityProviderService.tryInitClient(IdentityProviderService.java:318) ~[classes/:?]
vectr-tomcat_1 | at com.sra.auth.web.service.IdentityProviderService.validateClientConfiguration(IdentityProviderService.java:171) ~[classes/:?]
vectr-tomcat_1 | at com.sra.auth.web.service.IdentityProviderService.reloadProviderIntoPac4j(IdentityProviderService.java:155) ~[classes/:?]
vectr-tomcat_1 | at com.sra.auth.web.service.IdentityProviderService.reloadProviderConfiguration(IdentityProviderService.java:132) ~[classes/:?]
vectr-tomcat_1 | at com.sra.auth.web.api.v1.resources.IdentityProviderResource.reloadConfiguration(IdentityProviderResource.java:71) ~[classes/:?]
vectr-tomcat_1 | at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
vectr-tomcat_1 | at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
vectr-tomcat_1 | at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
vectr-tomcat_1 | at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
vectr-tomcat_1 | at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117) ~[spring-webmvc-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895) ~[spring-webmvc-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808) ~[spring-webmvc-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1071) ~[spring-webmvc-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:964) ~[spring-webmvc-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909) ~[spring-webmvc-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:528) ~[servlet-api.jar:4.0.FR]
vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:596) ~[servlet-api.jar:4.0.FR]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-websocket.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at com.sra.purpletools.servlet.filters.CharacterSetFilter.doFilter(CharacterSetFilter.java:15) ~[sra-purpletools-servlet.jar:?]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at com.sra.purpletools.servlet.filters.CacheControlFilter.doFilter(CacheControlFilter.java:42) ~[sra-purpletools-servlet.jar:?]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at com.sra.auth.web.filters.GenericRequestFilter.doFilterInternal(GenericRequestFilter.java:33) ~[classes/:?]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:337) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:122) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:116) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:109) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:149) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:221) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:126) ~[spring-boot-2.7.5.jar:2.7.5]
vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:64) ~[spring-boot-2.7.5.jar:2.7.5]
vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:101) ~[spring-boot-2.7.5.jar:2.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:119) ~[spring-boot-2.7.5.jar:2.7.5]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) ~[log4j-web-2.17.2.jar:2.17.2]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:389) ~[tomcat-coyote.jar:9.0.73]
vectr-tomcat_1 | at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-coyote.jar:9.0.73]
vectr-tomcat_1 | at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926) ~[tomcat-coyote.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2156) ~[tomcat-coyote.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-util.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-util.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.73]
vectr-tomcat_1 | at java.lang.Thread.run(Unknown Source) ~[?:?]
vectr-tomcat_1 | Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.handleEOF(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:257) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:187) ~[pac4j-oidc-5.7.0.jar:?]
vectr-tomcat_1 | ... 121 more
vectr-tomcat_1 | Caused by: java.io.EOFException: SSL peer shut down incorrectly
vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.read(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.readHeader(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLTransport.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:257) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:187) ~[pac4j-oidc-5.7.0.jar:?]
vectr-tomcat_1 | ... 121 more

Question
Which cacerts file does Tomcat use? Are there security settings to change to use TLS 1.2 and higher? Should any other settings be changed to correctly use a web proxy that does SSL inspection?
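The pasted trace can be read mechanically, and doing so shows which of the two questions above it actually answers. The script below is an added example for this thread, not VECTR project code: it strips the `vectr-tomcat_1 |` docker-compose prefix that ran the paste together onto one line, recovers the `Caused by:` chain, and classifies the innermost cause with a small signature table of its own. The first sample is an abridged, constructed copy of the issue's trace; the second is a constructed trace of the message the JDK prints when it is the side rejecting an untrusted chain, included so the two failure modes can be told apart.

```python
"""Triage a Java stack trace pasted from docker-compose output.

Added example for this thread, not VECTR project code. The container prefix
("vectr-tomcat_1 |") is the one seen in the thread; the signature table and
advice text are this example's own.
"""
import re

# Constructed sample: an abridged copy of the issue's trace in the run-together
# form it takes when pasted from docker-compose.
SAMPLE_LOG = (
    "2023-04-04 12:42:58,372 ERROR [com.sra.auth.web.service.IdentityProviderService] - Stack trace: "
    "vectr-tomcat_1 | org.pac4j.core.exception.TechnicalException: "
    "javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake "
    "vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:190) ~[pac4j-oidc-5.7.0.jar:?] "
    "vectr-tomcat_1 | Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake "
    "vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.handleEOF(Unknown Source) ~[?:?] "
    "vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) ~[?:?] "
    "vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6] "
    "vectr-tomcat_1 | ... 121 more "
    "vectr-tomcat_1 | Caused by: java.io.EOFException: SSL peer shut down incorrectly "
    "vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.read(Unknown Source) ~[?:?] "
    "vectr-tomcat_1 | ... 121 more"
)

# Constructed contrast sample: the JDK's message when it is the side rejecting
# the chain (for example an inspection CA it does not trust).
SAMPLE_LOG_UNTRUSTED = (
    "vectr-tomcat_1 | javax.net.ssl.SSLHandshakeException: PKIX path building failed: "
    "sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target "
    "vectr-tomcat_1 | at sun.security.ssl.Alert.createSSLException(Unknown Source) ~[?:?] "
    "vectr-tomcat_1 | Caused by: sun.security.validator.ValidatorException: PKIX path building failed: "
    "sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target "
    "vectr-tomcat_1 | at sun.security.validator.PKIXValidator.doBuild(Unknown Source) ~[?:?] "
    "vectr-tomcat_1 | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target "
    "vectr-tomcat_1 | at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[?:?]"
)

CONTAINER_PREFIX = re.compile(r"\s*vectr-tomcat_1 \|\s*")
# Optional "Caused by: ", a class ending in Exception/Error, optional ": message".
# "at ..." frames and "... N more" elisions do not match on purpose.
EXCEPTION_LINE = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error))(?:: (.*))?$")

SIGNATURES = [  # matched against the innermost cause first; first hit wins
    ("PKIX path building failed", "untrusted-chain"),
    ("unable to find valid certification path", "untrusted-chain"),
    ("SSL peer shut down incorrectly", "peer-closed"),
    ("Remote host terminated the handshake", "peer-closed"),
    ("Connection refused", "tcp-refused"),
]
ADVICE = {
    "untrusted-chain": "The JVM rejected the chain. Import the inspection CA into the truststore "
                       "this JVM reads: $JAVA_HOME/lib/security/cacerts unless -Djavax.net.ssl.trustStore is set.",
    "peer-closed": "The peer closed the connection mid-handshake; the JVM did not reject a certificate. "
                   "Confirm the request used the intended proxy (https.proxyHost/https.proxyPort JVM "
                   "properties for HttpsURLConnection) and check the proxy's log for this connection.",
    "tcp-refused": "Nothing accepted the TCP connection; check the proxy host and port.",
    "unknown": "No known signature matched; read the innermost cause by hand.",
}


def split_lines(log):
    """Undo the run-together paste: one entry per original console line."""
    return [part.strip() for part in CONTAINER_PREFIX.split(log) if part.strip()]


def exception_chain(log):
    """Return [(exception_class, message)] outermost first, frames skipped."""
    chain = []
    for line in split_lines(log):
        match = EXCEPTION_LINE.match(line)
        if match:
            chain.append((match.group(1), match.group(2) or ""))
    return chain


def classify(log):
    """Name the failure mode, walking from the innermost cause outwards."""
    for cls, msg in reversed(exception_chain(log)):
        for needle, verdict in SIGNATURES:
            if needle in f"{cls}: {msg}":
                return verdict
    return "unknown"


def triage(log):
    """Bundle chain, verdict and advice for a ticket or the console."""
    verdict = classify(log)
    return {"chain": exception_chain(log), "verdict": verdict, "advice": ADVICE[verdict]}


if __name__ == "__main__":
    for label, log in (("issue trace", SAMPLE_LOG), ("untrusted CA", SAMPLE_LOG_UNTRUSTED)):
        result = triage(log)
        print(f"== {label}: {result['verdict']}")
        for cls, msg in result["chain"]:
            print(f"   {cls}: {msg}")
        print(f"   {result['advice']}")
```

The distinction matters for the fix. A JVM that does not trust the inspecting proxy's CA fails with a PKIX path building error, and importing that CA into the truststore the JVM reads (`$JAVA_HOME/lib/security/cacerts` unless `-Djavax.net.ssl.trustStore` points elsewhere) resolves it. The issue's trace instead bottoms out in `java.io.EOFException: SSL peer shut down incorrectly`, which the JDK reports when the remote side closed the connection before the handshake finished, so a truststore import alone would not be expected to change it. The trace also shows the fetch going through the JDK's own `HttpsURLConnection` (called from `DefaultResourceRetriever`), and that client takes its proxy from the `https.proxyHost`/`https.proxyPort` JVM system properties, not from an `HTTPS_PROXY` environment variable; how the `.env` file maps onto those properties is the point the thread is still waiting on.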

ovcrash commented 1 year ago

Hi, I also think that the OIDC configuration/function doesn't use the https.proxy setting in the .env file. I can't confirm, but I suspect that also.

SRAPSpencer commented 1 year ago

I can confirm with the next release we're moving to Tomcat 10, which defaults to TLS 1.2+.

Let me check with the team on the rest of this and get back to you.

ovcrash commented 1 year ago

Is there a way to configure Tomcat 9.x to use TLS 1.2?

But I also think that is not the only problem, if that is a problem.

Maybe the OIDC part doesn't use the httpProxy settings. I suspect this very much, because when we hit the web proxy, it's clearly coming in transparent mode.

SRAPSpencer commented 1 year ago

The current release supports TLS 1.2 but does not force it. You may be able to disable older ciphers by modifying the container, but I would not recommend it. Keep in mind that modifying any of the configuration while the container is running would likely not take effect, and if the main process is restarted the container may believe it is unhealthy and recreate it, nullifying any configuration changes.

We anticipate the release being out this week; I'd advise waiting for it. Afterwards I should have an answer on the httpProxy setting and its implications.

ovcrash commented 1 year ago

> The current release supports TLS 1.2 but does not force it. You may be able to disable older ciphers by modifying the container, but I would not recommend it. Keep in mind that modifying any of the configuration while the container is running would likely not take effect, and if the main process is restarted the container may believe it is unhealthy and recreate it, nullifying any configuration changes.
>
> We anticipate the release being out this week; I'd advise waiting for it. Afterwards I should have an answer on the httpProxy setting and its implications.

Any pre-release i can try?

SRAPSpencer commented 1 year ago

We don't make pre-releases public but I will bump this thread when the release is out.

ovcrash commented 1 year ago

I have updated to the latest release and got the same error. I will try to get logs and put them here.

ovcrash commented 1 year ago

2023-04-20 19:12:46,242 ERROR [com.sra.vectr.auth.web.service.IdentityProviderService] - Stack trace:
vectr-tomcat_1 | org.pac4j.core.exception.TechnicalException: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:190) ~[pac4j-oidc-5.7.0.jar:?]
vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:56) ~[pac4j-core-5.7.0.jar:?]
vectr-tomcat_1 | at org.pac4j.oidc.client.OidcClient.internalInit(OidcClient.java:48) ~[pac4j-oidc-5.7.0.jar:?]
vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:56) ~[pac4j-core-5.7.0.jar:?]
vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:33) ~[pac4j-core-5.7.0.jar:?]
vectr-tomcat_1 | at com.sra.vectr.auth.web.service.IdentityProviderService.tryInitClient(IdentityProviderService.java:318) ~[classes/:?]
vectr-tomcat_1 | at com.sra.vectr.auth.web.service.IdentityProviderService.validateClientConfiguration(IdentityProviderService.java:171) ~[classes/:?]
vectr-tomcat_1 | at com.sra.vectr.auth.web.service.IdentityProviderService.reloadProviderIntoPac4j(IdentityProviderService.java:155) ~[classes/:?]
vectr-tomcat_1 | at com.sra.vectr.auth.web.service.IdentityProviderService.reloadProviderConfiguration(IdentityProviderService.java:132) ~[classes/:?]
vectr-tomcat_1 | at com.sra.vectr.auth.web.api.v1.resources.IdentityProviderResource.reloadConfiguration(IdentityProviderResource.java:71) ~[classes/:?]
vectr-tomcat_1 | at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
vectr-tomcat_1 | at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
vectr-tomcat_1 | at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
vectr-tomcat_1 | at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
vectr-tomcat_1 | at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:207) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:152) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:118) ~[spring-webmvc-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:884) ~[spring-webmvc-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:797) ~[spring-webmvc-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1081) ~[spring-webmvc-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:974) ~[spring-webmvc-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1011) ~[spring-webmvc-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:914) ~[spring-webmvc-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:563) ~[servlet-api.jar:6.0]
vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885) ~[spring-webmvc-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:631) ~[servlet-api.jar:6.0]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-websocket.jar:10.1.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at com.sra.vectr.libs.servlet.filters.CharacterSetFilter.doFilter(CharacterSetFilter.java:15) ~[servlet-filters.jar:?]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at com.sra.vectr.libs.servlet.filters.CacheControlFilter.doFilter(CacheControlFilter.java:42) ~[servlet-filters.jar:?]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at com.sra.vectr.auth.web.filters.GenericRequestFilter.doFilterInternal(GenericRequestFilter.java:33) ~[classes/:?]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.0.2.jar:6.0.2]
vectr-tomcat_1 | at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7]
vectr-tomcat_1 | at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.0.7.jar:6.0.7]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:124) ~[spring-boot-3.0.5.jar:3.0.5] vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:99) ~[spring-boot-3.0.5.jar:3.0.5] vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:117) ~[spring-boot-3.0.5.jar:3.0.5] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) ~[log4j-jakarta-web-2.19.0.jar:2.19.0] vectr-tomcat_1 | at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:166) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:676) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:894) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1664) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at 
org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1219) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeWriteCompletionHandler.completed(SecureNio2Channel.java:120) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeWriteCompletionHandler.completed(SecureNio2Channel.java:113) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at sun.nio.ch.Invoker.invokeUnchecked(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.nio.ch.Invoker.invokeDirect(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.nio.ch.UnixAsynchronousSocketChannelImpl.implWrite(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.nio.ch.AsynchronousSocketChannelImpl.write(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.nio.ch.AsynchronousSocketChannelImpl.write(Unknown Source) ~[?:?] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:300) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:221) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1641) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1219) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:103) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:96) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at sun.nio.ch.Invoker.invokeUnchecked(Unknown Source) ~[?:?] 
vectr-tomcat_1 | at sun.nio.ch.Invoker$2.run(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(Unknown Source) ~[?:?]
vectr-tomcat_1 | at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-util.jar:10.1.7]
vectr-tomcat_1 | at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-util.jar:10.1.7]
vectr-tomcat_1 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:10.1.7]
vectr-tomcat_1 | at java.lang.Thread.run(Unknown Source) ~[?:?]
vectr-tomcat_1 | Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.handleEOF(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:257) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:187) ~[pac4j-oidc-5.7.0.jar:?]
vectr-tomcat_1 | ... 136 more
vectr-tomcat_1 | Caused by: java.io.EOFException: SSL peer shut down incorrectly
vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.read(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.readHeader(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLTransport.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:257) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:187) ~[pac4j-oidc-5.7.0.jar:?]
vectr-tomcat_1 | ... 136 more

This seems to point to an SSL error. So I'm guessing that it points to a certificate error.

Is there a way to add a certificate authority into the store that Tomcat/Java uses to communicate with the AzureAD endpoint?

doodleincode commented 1 year ago

You'll need to add your CA (the entire chain if using intermediate certs) to the JVM's trust store in the vectr-tomcat container.

We do not support custom CA certs and do not have any plans on doing so. If you go down this route, you'll be on your own. Feel free to ask for help on our Discord channel. One thing to keep in mind however is that modifications to a container are temporary.
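Following the maintainer's suggestion, here is an added example (not VECTR project code) of importing an internal CA chain into the JVM trust store inside the vectr-tomcat container; the trust-store path, the default "changeit" password and the availability of keytool on PATH are assumptions about the image, and the sample PEM bundle is constructed for a dry run of the splitter.

```shell
#!/bin/sh
# Added example, not VECTR project code: import an internal CA chain into the
# JVM trust store inside the vectr-tomcat container so the OIDC discovery fetch
# through an SSL-inspecting proxy validates against the internal CA.
# Assumptions (adjust for your image): keytool is on PATH, the trust store is
# $JAVA_HOME/lib/security/cacerts with the default password "changeit", and the
# chain is a PEM bundle containing the root and every intermediate.

# Constructed sample bundle for a dry run of the splitter: two placeholder
# certificates with a junk header line and a blank line between them. Not real
# certificates.
SAMPLE_CHAIN='Bag Attributes: constructed placeholder, not a real certificate
-----BEGIN CERTIFICATE-----
MIICxxxxCONSTRUCTED-PLACEHOLDER-ROOT-CA-NOT-A-REAL-CERT
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIICxxxxCONSTRUCTED-PLACEHOLDER-INTERMEDIATE-NOT-A-REAL-CERT
-----END CERTIFICATE-----'

# split_pem_chain BUNDLE OUTDIR: writes each certificate in BUNDLE to
# OUTDIR/cert-N.pem and prints how many were written. keytool -importcert takes
# only the first certificate of a multi-certificate file, so split the bundle.
split_pem_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# import_chain BUNDLE TRUSTSTORE PASSWORD: imports every certificate under its
# own alias (a duplicate alias makes keytool fail, a skipped intermediate would
# leave the chain unverifiable), then prints how many of the aliases are present.
import_chain() {
  tmp=$(mktemp -d)
  count=$(split_pem_chain "$1" "$tmp") || return 1
  i=1
  while [ "$i" -le "$count" ]; do
    keytool -importcert -noprompt -trustcacerts -keystore "$2" -storepass "$3" \
      -alias "internal-ca-$i" -file "$tmp/cert-$i.pem" || return 1
    i=$((i + 1))
  done
  rm -rf "$tmp"
  keytool -list -keystore "$2" -storepass "$3" | grep -c 'internal-ca-'
}

# Usage inside the container (e.g. via docker compose exec vectr-tomcat sh):
#   import_chain /tmp/internal-ca-chain.pem "$JAVA_HOME/lib/security/cacerts" changeit
```

The JVM reads the trust store at startup, so restart Tomcat after the import. Since, as noted above, changes to the container do not persist, bake the import into a derived image or bind-mount the updated trust-store file to keep it across container recreation.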