apache / pekko-http

The Streaming-first HTTP server/module of Apache Pekko
https://pekko.apache.org/
Apache License 2.0

Invalid session value in Tls-Session-Info header #485

Closed randomkoder closed 1 day ago

randomkoder commented 5 months ago

Hi, I am using mutual TLS (TLS v1.3) authentication with client certificates for one of my pekko http server routes and encounter occasional failures when using the Tls-Session-Info header. For some client connections it returns an invalid session value - Session(1707843603849|SSL_NULL_WITH_NULL_NULL) instead of Session(1707843600698|TLS_AES_256_GCM_SHA384), so client certificate details cannot be extracted for use in my application.

Here is the simplified route that I am using for test purposes:


    import org.apache.pekko.http.scaladsl.model.{ContentTypes, HttpEntity}
    import org.apache.pekko.http.scaladsl.model.headers.`Tls-Session-Info`
    import org.apache.pekko.http.scaladsl.server.Directives._

    val route =
      // Extract the synthetic Tls-Session-Info header that the server attaches to each request
      headerValueByType(`Tls-Session-Info`) { tlsInfo =>
        path("tls") {
          get {
            println(s"TLS info -${tlsInfo.toString}")
            // getPeerCertificates throws SSLPeerUnverifiedException when the session has no
            // authenticated peer, which is the failure shown in the logs below
            complete(HttpEntity(ContentTypes.`text/html(UTF-8)`, s"Client certificate - ${tlsInfo.session.getPeerCertificates.head.toString}"))
          }
        }
      }

Log entry for successful connections (200 Status code)

18:13:54.582 [my-system-pekko.actor.default-dispatcher-13] DEBUG org.apache.pekko.io.TcpListener -- New connection accepted
TLS info -Tls-Session-Info: Session(1707844434606|TLS_AES_256_GCM_SHA384)

Log entry for failed connections (500 Status code)

18:16:26.729 [my-system-pekko.actor.default-dispatcher-13] DEBUG org.apache.pekko.io.TcpListener -- New connection accepted
TLS info -Tls-Session-Info: Session(1707844586732|SSL_NULL_WITH_NULL_NULL)
18:16:26.868 [my-system-pekko.actor.default-dispatcher-19] ERROR org.apache.pekko.actor.ActorSystemImpl -- Error during processing of request: 'peer not authenticated'. Completing with 500 Internal Server Error response. To change default exception handling behavior, provide a custom ExceptionHandler.
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:560)

The Pekko HTTP client is used as the client.

Versions of software used:

- pekko-http - 1.0.1
- pekko-actor-typed - 1.0.2
- pekko-stream - 1.0.2
- scala - 2.13.12
- openjdk - 11.0.22
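A defensive variant of the route above, added here as an example and not code from the issue or from the Pekko project: it treats a session whose cipher suite is SSL_NULL_WITH_NULL_NULL as "no authenticated peer", checks the certificate's validity period, and answers with an explicit status and message instead of letting `getPeerCertificates` surface as a 500. `peerCertificate`, `clientCertificate` and `MtlsRoute` are names chosen for this example; it assumes the Pekko HTTP 1.0.x Scala DSL and that the server setting that attaches the Tls-Session-Info header (`pekko.http.server.parsing.tls-session-info-header`, name assumed from the akka-http setting) is switched on.

```scala
import java.security.cert.X509Certificate
import javax.net.ssl.SSLSession
import scala.util.Try

import org.apache.pekko.http.scaladsl.model.StatusCodes
import org.apache.pekko.http.scaladsl.model.headers.`Tls-Session-Info`
import org.apache.pekko.http.scaladsl.server.Directives._
import org.apache.pekko.http.scaladsl.server.{Directive1, Route}

// Example object; not part of Pekko HTTP.
object MtlsRoute {

  // Cipher suite reported by an SSLSession that has not completed a handshake.
  // Such a session has no peer to ask for certificates, so we check for it up front.
  private val NullCipherSuite = "SSL_NULL_WITH_NULL_NULL"

  /** The peer's leaf X.509 certificate, or None when the session carries no
   *  authenticated peer. getPeerCertificates throws SSLPeerUnverifiedException
   *  in that case, so the call is wrapped in Try rather than left to propagate. */
  def peerCertificate(session: SSLSession): Option[X509Certificate] =
    if (session.getCipherSuite == NullCipherSuite) None
    else
      Try(session.getPeerCertificates).toOption
        .flatMap(_.headOption)
        .collect { case leaf: X509Certificate => leaf }

  /** Hypothetical directive: yields the client certificate, or ends the request
   *  with a clear 401 and a diagnostic body instead of an unhandled exception. */
  val clientCertificate: Directive1[X509Certificate] =
    headerValueByType(`Tls-Session-Info`).flatMap { info =>
      peerCertificate(info.session) match {
        case Some(cert) if Try(cert.checkValidity()).isSuccess =>
          provide(cert)
        case Some(cert) =>
          complete(StatusCodes.Unauthorized ->
            s"client certificate expired or not yet valid: ${cert.getSubjectX500Principal.getName}")
        case None =>
          // Operator-visible signal that the request reached the route without a TLS peer,
          // including the cipher suite so the placeholder session is recognisable in logs.
          complete(StatusCodes.Unauthorized ->
            s"no authenticated TLS peer (cipher suite ${info.session.getCipherSuite})")
      }
    }

  val route: Route =
    path("tls") {
      get {
        clientCertificate { cert =>
          complete(s"Client certificate - ${cert.getSubjectX500Principal.getName}")
        }
      }
    }
}
```

The point of the early `getCipherSuite` check is that the null-cipher session described in this issue is distinguishable before any exception is thrown, so the failure can be reported deliberately rather than discovered via a stack trace; the `Try` around `getPeerCertificates` still covers the ordinary case of a completed handshake without client authentication.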

pjfanning commented 5 months ago

This looks like https://github.com/akka/akka-http/issues/3920

Unfortunately, the fix was committed to akka-http after they made their license change. We may need to do a clean room change because we can't copy akka-http changes that are made to releases that are not Apache licensed.

pjfanning commented 5 months ago

@randomkoder Thanks for reporting this. Is there any chance that you could try using TLS v1.2 to see if things are more stable there? We will look at this issue but we may not be able to get a fix out for a few weeks.

randomkoder commented 5 months ago

Thanks for your quick response! I've tried with TLS v1.2 (explicitly enabling it both on client and server sides) and could not reproduce the issue.

pjfanning commented 1 day ago

We have a change in pekko-stream jar - v1.1.0-M1 - that should fix this.