gravitee-io / issues

Gravitee.io - API Platform - Issues

SSL handshake failure for some urls #1119

Closed DaspawnW closed 6 years ago

DaspawnW commented 6 years ago

Expected Behavior

If I add a trustStore I would be able to access environments with self-signed certificates.

Current Behavior

I tried to connect to some internal services that use self-signed certificates and also tried to access https://ifconfig.co, which seems to be signed by Let's Encrypt. When I try to use it in the gateway an exception is thrown:

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459)
    at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:392)
    at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:359)
    at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:342)
    at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1010)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:224)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1354)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
    at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(DefaultChannelPipeline.java:917)
    at io.netty.channel.AbstractChannel$AbstractUnsafe$8.run(AbstractChannel.java:822)
    at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
    at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:463)
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:886)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:219)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:292)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1248)
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1159)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1194)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
    ... 18 common frames omitted

Steps to Reproduce (for bugs)

  1. Set up an environment as available with the docker-compose tutorial provided on gravitee url
  2. Add an API endpoint that points to https://ifconfig.co
  3. Publish the API
  4. Try to access the endpoint via the gateway; now you should see the exception

Context

I tried to find some solution for it, but currently I don't know how to handle the problem.

Your Environment

NicolasGeraud commented 6 years ago

Hi @DaspawnW

I've just configured an API following your steps and it works.

$ curl -vv http://localhost:8082/ifconfig
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8082 (#0)
> GET /ifconfig HTTP/1.1
> Host: localhost:8082
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Gravitee-Transaction-Id: 0838dbff-3923-460d-b8db-ff3923660d59
< Server: nginx
< Date: Fri, 02 Mar 2018 08:46:09 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 14
< Connection: keep-alive
< Strict-Transport-Security: max-age=15768000; includeSubdomains; preload
<
xxx.xxx.xxx.xxx
* Connection #0 to host localhost left intact

Do you have a proxy or something else between the gateway and the internet?

DaspawnW commented 6 years ago

Hi @NicolasGeraud,

I have the following architecture: one instance with management-ui, management-api, mongodb and elasticsearch, and in front of the UI and API I have an nginx proxy for SSL. One instance with the gateway, and in front of the gateway also an nginx proxy with SSL.

We use no proxy (thank god for that). Currently I am trying to build my own Docker image; I hope this can fix the issue for us.

[Update] My own Java 8 Docker image fixed the issue.

NicolasGeraud commented 6 years ago

@DaspawnW you mean that with our Docker image it doesn't work?

What is different between yours and ours?

DaspawnW commented 6 years ago

That's a good question, I don't know. I used them directly from Docker Hub.

NicolasGeraud commented 6 years ago

@DaspawnW can you give me the Java version of your Ubuntu?
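
An added diagnostic, not part of the original thread and not Gravitee code: a small Java 8 program that can be run with the JVM of each Docker image to compare what the two offer during the TLS handshake. The class name `TlsProbe` and the `classify` helper are hypothetical; the default host is the endpoint named in the issue. "Received fatal alert" means the remote side sent the alert, whereas a trust store problem fails locally with a certificate validation error.

```java
import java.security.cert.CertificateException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

// Added diagnostic, not Gravitee code. Run it with the JVM of each image and diff the output.
public class TlsProbe {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ifconfig.co"; // endpoint named in the issue
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        System.out.println("java.version=" + System.getProperty("java.version")
                + " vendor=" + System.getProperty("java.vendor"));
        // What this JVM will offer in its ClientHello by default.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters offered = ctx.getDefaultSSLParameters();
        System.out.println("protocols=" + Arrays.toString(offered.getProtocols()));
        System.out.println("cipherSuites(" + offered.getCipherSuites().length + "):");
        for (String suite : offered.getCipherSuites()) {
            System.out.println("  " + suite);
        }
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = sock.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // keep hostname verification on
            sock.setSSLParameters(p);
            sock.setSoTimeout(10_000);
            sock.startHandshake();
            System.out.println("OK negotiated=" + sock.getSession().getProtocol()
                    + " / " + sock.getSession().getCipherSuite());
        } catch (SSLException e) {
            System.out.println("FAILED: " + classify(e) + " -> " + e.getMessage());
        }
    }

    // Separates a local certificate/trust failure from an alert sent by the peer.
    static String classify(SSLException e) {
        for (Throwable t = e; t != null; t = t.getCause()) {
            if (t instanceof CertificateException) {
                return "local certificate validation failed (check trust store)";
            }
        }
        String msg = String.valueOf(e.getMessage());
        return msg.contains("Received fatal alert")
                ? "peer rejected the handshake (compare protocols/cipher suites above)"
                : "other TLS error";
    }
}
```

Compile with `javac TlsProbe.java` and run `java TlsProbe <host> <port>` in both the image that fails and the one that works; differences in the Java version, protocol list or cipher suite list point at what the remote server could not agree on.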

NicolasGeraud commented 6 years ago

Please try this: