aws / aws-sdk-java

The official AWS SDK for Java 1.x. The AWS SDK for Java 2.x is available here: https://github.com/aws/aws-sdk-java-v2/
https://aws.amazon.com/sdkforjava
Apache License 2.0

AWS Java SDK does not respect custom JDK TrustStore #1294

Closed rcha closed 2 months ago

rcha commented 7 years ago

The SDK uses a custom HttpClientBuilder that does not respect the majority of system properties.

spfink commented 7 years ago

Which system properties are you trying to use?

shorea commented 7 years ago

This is a feature request to honor more system properties like javax.net.ssl.trustStore.

http://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/impl/client/HttpClientBuilder.html

apfritts commented 5 years ago

It would also be beneficial if we could provide a specific trust store just for the AWS SDK. In production, we remove root certificates from all servers and only trust a root certificate generated in-house.

shorea commented 5 years ago

@apfritts I believe you can do that via a custom socket factory. https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ApacheHttpClientConfig.html#withSslSocketFactory-org.apache.http.conn.socket.ConnectionSocketFactory-

```java
ClientConfiguration config = new ClientConfiguration();
config.getApacheHttpClientConfig().setSslSocketFactory(....);
```

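
A complete version of the custom socket factory approach described in the comment above, added here as an example rather than code from the SDK or from anyone in the thread. It loads a dedicated PKCS12 trust store (the path, password and the S3 client are placeholders/assumptions), builds an `SSLContext` that trusts only that store, and hands the resulting `SSLConnectionSocketFactory` to `ClientConfiguration`, so only this SDK's connections are affected and the JVM-wide `javax.net.ssl.trustStore` properties stay untouched. The Apache default hostname verifier is kept deliberately so that certificate validation is narrowed, not weakened:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.ssl.SSLContexts;

public class SdkTrustStoreExample {

    // Placeholder values for this example: the trust store must contain the CA(s)
    // that issue the AWS endpoint certificates, otherwise every handshake fails.
    static final String TRUST_STORE_PATH = "/etc/pki/aws-sdk-truststore.p12";
    static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    // Build a socket factory whose trust anchors come only from the given store.
    static SSLConnectionSocketFactory sdkSocketFactory(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12"); // use "JKS" for a .jks file
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }

        // null TrustStrategy: rely purely on the trust store, no custom acceptance logic.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(trustStore, null)
                .build();

        // Keep hostname verification; only the set of trusted roots is being replaced.
        return new SSLConnectionSocketFactory(
                sslContext, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    }

    // Attach the factory to the SDK's Apache HTTP client configuration.
    static ClientConfiguration sdkConfig(SSLConnectionSocketFactory factory) {
        ClientConfiguration config = new ClientConfiguration();
        config.getApacheHttpClientConfig().setSslSocketFactory(factory);
        return config;
    }

    public static void main(String[] args) throws Exception {
        ClientConfiguration config =
                sdkConfig(sdkSocketFactory(TRUST_STORE_PATH, TRUST_STORE_PASSWORD));

        // Any v1 client builder accepts the configuration; S3 is used as an illustration.
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withRegion(Regions.US_EAST_1)
                .withClientConfiguration(config)
                .build();

        // A trust store missing the AWS roots surfaces here as an SSLHandshakeException,
        // which is the expected, safe failure mode rather than a silent fallback.
        System.out.println("Buckets: " + s3.listBuckets().size());
    }
}
```

Because the factory is set per `ClientConfiguration`, it has to be passed to every client builder that should use the restricted store; clients built without it keep the JVM default trust manager.
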
toroc commented 4 years ago

@shorea are there any plans to support this feature to override the JDK truststore location? We are trying to use the Redshift JDBC driver with the AWS Java SDK in a containerized environment. We maintain a truststore in a persistent volume and need to have the driver pick up certificates from that truststore.

shorea commented 4 years ago

Hey no longer with the SDK team but I'm pretty sure the SDK now respects the Java system properties for custom trust stores. Can you give that a try and report your results?

-Djavax.net.ssl.trustStore -Djavax.net.ssl.trustStorePassword

apfritts commented 4 years ago

> @apfritts I believe you can do that via a custom socket factory. https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ApacheHttpClientConfig.html#withSslSocketFactory-org.apache.http.conn.socket.ConnectionSocketFactory-
>
> ```java
> ClientConfiguration config = new ClientConfiguration();
> config.getApacheHttpClientConfig().setSslSocketFactory(....);
> ```

@shorea yes! Sorry I didn't respond earlier but this works fabulously. Thanks!

chandrabipin commented 3 years ago

> @apfritts I believe you can do that via a custom socket factory. https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ApacheHttpClientConfig.html#withSslSocketFactory-org.apache.http.conn.socket.ConnectionSocketFactory-
>
> ```java
> ClientConfiguration config = new ClientConfiguration();
> config.getApacheHttpClientConfig().setSslSocketFactory(....);
> ```

> @shorea yes! Sorry I didn't respond earlier but this works fabulously. Thanks!

Can you provide more details on how we can set the truststore here...

wojtasskorcz commented 2 years ago

Joining @chandrabipin question to @apfritts. Also, question to the repo maintainers -- could you confirm if what @shorea said above is true?

> Hey no longer with the SDK team but I'm pretty sure the SDK now respects the Java system properties for custom trust stores. Can you give that a try and report your results?
>
> -Djavax.net.ssl.trustStore -Djavax.net.ssl.trustStorePassword

apfritts commented 2 years ago

@wojtasskorcz @chandrabipin

I’m no longer with Box so I can look up what I did and I don’t play in the Java world any more. Sorry!

debora-ito commented 2 months ago

Yes, Java SDK v1 honors the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword.

github-actions[bot] commented 2 months ago

This issue is now closed.

Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.