aws / aws-sdk-java-v2

The official AWS SDK for Java - Version 2
Apache License 2.0

IotDataPlaneClient should use ATS endpoint when available #1533

Open zeapo opened 4 years ago

zeapo commented 4 years ago

When using the client with a recent JDK, and as Oracle has distrusted the Symantec CA, we get an error:

TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Expected Behavior

The IotDataPlane client should use the ATS endpoint when available as described in AWS's blog post https://aws.amazon.com/blogs/iot/aws-iot-core-ats-endpoints/

Current Behavior

The client uses (by default) the VeriSign endpoint, which leads to the aforementioned error.

Possible Solution

Use the ATS endpoint by default when available.

Steps to Reproduce (for bugs)

Creating the client this way:

IotDataPlaneClient.builder()
                  .region(Region.US_EAST_1)
                  .build();

will lead to the aforementioned error when calling a publish() action.

Your Environment

zoewangg commented 4 years ago

From the blog post, it seems the ATS endpoint needs to be created first, and we don't think the SDK should create it automatically under the hood, especially for those who do not want to use it.

Once you create the endpoint, you can pass it to the builder using

IotDataPlaneClient.builder()
                  .region(Region.US_EAST_1)
                  .endpointOverride(URI.create("ATS endpoint"))
                  .build();
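
The lookup-then-override flow described in the comment above, as an added example that is not part of this issue or of the SDK's own code. It uses the control-plane DescribeEndpoint API with endpointType "iot:Data-ATS" to fetch the account's ATS data endpoint for the region, then passes it to endpointOverride. Two practical points it shows: endpointAddress() returns a bare hostname, so the "https://" scheme has to be added before it is a valid URI; and the hostname is checked for the "-ats." segment before use so that a misconfigured lookup cannot silently fall back to the legacy VeriSign-anchored endpoint. The topic name and payload are made up for the example.

```java
import java.net.URI;

import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iot.IotClient;
import software.amazon.awssdk.services.iot.model.DescribeEndpointRequest;
import software.amazon.awssdk.services.iotdataplane.IotDataPlaneClient;
import software.amazon.awssdk.services.iotdataplane.model.PublishRequest;

public class AtsDataPlaneClient {

    /** Look up the account's Amazon Trust Services data endpoint for the given region. */
    static String describeAtsEndpoint(Region region) {
        try (IotClient iot = IotClient.builder().region(region).build()) {
            // "iot:Data-ATS" selects the ATS-anchored endpoint; "iot:Data" is the legacy
            // VeriSign-anchored one that newer JDKs reject.
            return iot.describeEndpoint(DescribeEndpointRequest.builder()
                            .endpointType("iot:Data-ATS")
                            .build())
                      .endpointAddress();
        }
    }

    /** Build a data-plane client pinned to the ATS endpoint instead of the SDK default. */
    static IotDataPlaneClient buildAtsDataPlaneClient(Region region) {
        String host = describeAtsEndpoint(region);

        // Sanity check: ATS data endpoints carry a "-ats." segment in the hostname
        // (e.g. <prefix>-ats.iot.us-east-1.amazonaws.com). Refuse anything else rather
        // than quietly connecting to the legacy endpoint.
        if (!host.contains("-ats.")) {
            throw new IllegalStateException("DescribeEndpoint did not return an ATS endpoint: " + host);
        }

        // endpointAddress() is a bare hostname; endpointOverride needs a full URI with scheme.
        return IotDataPlaneClient.builder()
                .region(region)
                .endpointOverride(URI.create("https://" + host))
                .build();
    }

    public static void main(String[] args) {
        Region region = Region.US_EAST_1;
        try (IotDataPlaneClient data = buildAtsDataPlaneClient(region)) {
            // Hypothetical topic and payload; both are placeholders for this example.
            data.publish(PublishRequest.builder()
                    .topic("example/topic")
                    .qos(0)
                    .payload(SdkBytes.fromUtf8String("{\"hello\":\"ats\"}"))
                    .build());
        }
    }
}
```

The DescribeEndpoint call needs the iot:DescribeEndpoint permission on the credentials in use, in addition to the iot:Publish permission the data-plane call needs; doing the lookup once at start-up and caching the resulting client avoids paying for a control-plane round trip on every publish.
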
zeapo commented 4 years ago

Hi,

Thanks for taking the time.

The blog post makes it seem like you have to create the endpoint beforehand, which seems weird, as the endpoints just exist (created by default by IoT Core, no interaction needed) whenever you change the region. The describe endpoint call just shows the endpoints available.

The authors also strongly recommend to use the ATS endpoint rather than the Verizon one:

We strongly recommend that all customers use the following instructions to get their new Amazon Trust Services endpoint and use it in mobile and browser apps that connect to AWS IoT Core. We also recommend that customers start migrating their device fleets to trust Amazon Trust Services root CAs and connect to Amazon Trust Services endpoints.

Wouldn't it make sense to make it the default in the SDK? Especially since any JVM version higher than 8u212 and 7u221 will raise the exception. The user ought to manually seek out an undocumented issue.

Moreover, the only way I've found this blog post is by first going through the integration tests in this sdk (https://github.com/aws/aws-sdk-java-v2/blob/8b68f90f5adca86a1ce62162f303639ac23c882c/services/iotdataplane/src/it/java/software/amazon/awssdk/services/iotdataplane/ServiceIntegrationTest.java#L76-L85) where the ATS endpoint is used and looking up why the ATS is required.

I understand that you do not want to change the default behaviour of the SDK. However, would it be possible to document this behaviour here https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/iotdataplane/IotDataPlaneClient.html ? This would make it clear that users should only rely on the ATS endpoint starting from Java clients (8u212 or above, 7u221 or above, 11.0.3 or above).

Thank you.

zoewangg commented 4 years ago

Thank you for the feedback and I agree this is a bit unclear and we could have better documentation. Will forward this issue to the docs team to improve the documentation.

Raniz85 commented 4 years ago

A method on the client builder to switch to the ATS endpoint would be better than having to manually override the endpoint.

Something like:

IotDataPlaneClient.builder()
        .region(Region.EU_WEST_1)
        .atsEndpoint()
        .build();