lightbend / ssl-config

SSL configuration logic, extracted from Play's WS (for use in Akka et al).
https://lightbend.github.io/ssl-config/

SSLLooseConfig.acceptAnyCertificate doesn't seem to do anything #69

Open pkoryzna opened 6 years ago

pkoryzna commented 6 years ago

While using akka-http, I need to have an option to trust all the certificates when connecting via HTTPS. I follow the instructions on http://lightbend.github.io/ssl-config/LooseSSL.html#loose-options and https://doc.akka.io/docs/akka-http/10.0.10/scala/http/client-side/client-https-support.html#disabling-tls-security-features-at-your-own-risk, but had no success - the certificate still seems to be validated regardless of the setting. Opening a connection just keeps throwing a stack trace like the one below.

Why: I'm writing a plugin for a certain application which bundles its own JDK. The certificate authorities more often than not will not be under my control, and I cannot expect users to add certificates to cacerts or supply their own files.

javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:367)
    at akka.stream.impl.io.TLSActor.doInbound(TLSActor.scala:290)
    at akka.stream.impl.io.TLSActor.$anonfun$bidirectional$1(TLSActor.scala:225)
    at akka.stream.impl.Pump.pump(Transfer.scala:199)
    at akka.stream.impl.Pump.pump$(Transfer.scala:197)
    at akka.stream.impl.io.TLSActor.pump(TLSActor.scala:48)
    at akka.stream.impl.BatchingInputBuffer.enqueueInputElement(ActorProcessor.scala:90)
    at akka.stream.impl.BatchingInputBuffer$$anonfun$upstreamRunning$1.applyOrElse(ActorProcessor.scala:141)
    at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:34)
    at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
    at akka.stream.impl.FanIn$InputBunch$$anonfun$subreceive$1.applyOrElse(FanIn.scala:234)
    at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:34)
    at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
    at akka.stream.impl.SubReceive.apply(Transfer.scala:12)
    at scala.PartialFunction.applyOrElse(PartialFunction.scala:123)
    at scala.PartialFunction.applyOrElse$(PartialFunction.scala:122)
    at akka.stream.impl.SubReceive.applyOrElse(Transfer.scala:12)
    at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:171)
    at akka.actor.Actor.aroundReceive(Actor.scala:502)
    at akka.actor.Actor.aroundReceive$(Actor.scala:500)
    at akka.stream.impl.io.TLSActor.aroundReceive(TLSActor.scala:48)
    at akka.actor.ActorCell.receiveMessage(ActorCell.scala:526)
    at akka.actor.ActorCell.invoke(ActorCell.scala:495)
    at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:257)
    at akka.dispatch.Mailbox.run(Mailbox.scala:224)
    at akka.dispatch.Mailbox.exec(Mailbox.scala:234)
    at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
    at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
    at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
    at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:157)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
    at akka.stream.impl.io.TLSActor.runDelegatedTasks(TLSActor.scala:402)
    at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:371)
    ... 29 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1493)
    ... 37 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 43 more
juwalter commented 6 years ago

I wonder if this is actually an issue for ssl-config or the underlying akka-http dependency?

juwalter commented 6 years ago

@pkoryzna - can you please include a minimal example, ie pointing to some site with a self-signed certificate? I made one here: https://139.59.135.117/

pkoryzna commented 6 years ago

Minimal example here: https://gist.github.com/pkoryzna/f288d8471c7e1c8822b3594d043d7017

iRevive commented 6 years ago

Custom SSL context works for me. Example: https://gist.github.com/iRevive/4a3c7cb96374da5da80d4538f3da17cb And 'on demand' trustful ssl context: https://gist.github.com/iRevive/7d17144284a7a2227487635ec815860d
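
An added example, not taken from this thread, the linked gists, or the ssl-config project itself: the usual reason for wanting "accept any certificate" here is a server whose CA is not in the JDK's cacerts. The narrower fix, which keeps chain validation and hostname checking intact, is a custom SSLContext whose trust store contains only the private CA (or the self-signed leaf) shipped with the plugin. The resource path `/bundled-ca.pem` and the alias `bundled-ca` are placeholders; the `ConnectionContext.https` / `setDefaultClientHttpsContext` calls are the akka-http 10.0.x Scala DSL that the documentation linked in the first post describes, and are assumed here rather than verified against this thread.

```scala
import java.io.InputStream
import java.security.KeyStore
import java.security.cert.{CertificateFactory, X509Certificate}
import javax.net.ssl.{SSLContext, TrustManagerFactory}

import akka.actor.ActorSystem
import akka.http.scaladsl.{ConnectionContext, Http}

/** Builds an SSLContext that trusts exactly one bundled CA certificate
  * instead of disabling certificate validation altogether. */
object PinnedCaContext {

  /** Empty in-memory trust store holding only the certificate read from `pem`.
    * The server's own self-signed certificate also works as the trust anchor. */
  def trustStoreFrom(pem: InputStream, alias: String = "bundled-ca"): KeyStore = {
    val cf = CertificateFactory.getInstance("X.509")
    val cert = cf.generateCertificate(pem).asInstanceOf[X509Certificate]
    val ks = KeyStore.getInstance(KeyStore.getDefaultType)
    ks.load(null, null) // null stream => fresh, empty store
    ks.setCertificateEntry(alias, cert)
    ks
  }

  /** SSLContext backed by the default (PKIX) trust manager over `trustStore`.
    * Chain building and hostname verification still run; only the set of
    * accepted roots is replaced. */
  def sslContextFor(trustStore: KeyStore): SSLContext = {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
    tmf.init(trustStore)
    val ctx = SSLContext.getInstance("TLS")
    ctx.init(null, tmf.getTrustManagers, null) // no client key, default SecureRandom
    ctx
  }

  /** Install the pinned context as akka-http's default client HTTPS context.
    * "/bundled-ca.pem" is a placeholder classpath resource packaged with the plugin. */
  def install()(implicit system: ActorSystem): Unit = {
    val pem = getClass.getResourceAsStream("/bundled-ca.pem")
    require(pem != null, "bundled CA certificate resource is missing")
    try {
      val ctx = sslContextFor(trustStoreFrom(pem))
      Http().setDefaultClientHttpsContext(ConnectionContext.https(ctx))
    } finally pem.close()
  }
}
```

If the CA changes, the plugin ships a new `bundled-ca.pem`; nothing has to be added to the host JDK's cacerts, which was the constraint in the first post. ssl-config can express the same trust store declaratively through its `trustManager.stores` setting, which may be preferable when the rest of the TLS setup is already configured in HOCON.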

drewhk commented 5 years ago

I confirm, this setting does not work.

Gangareddy commented 4 years ago

java.lang.RuntimeException: Delegated task threw Exception/Error
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:385)
    at akka.stream.impl.io.TLSActor.doInbound(TLSActor.scala:295)
    at akka.stream.impl.io.TLSActor.$anonfun$bidirectional$1(TLSActor.scala:230)
    at akka.stream.impl.Pump.pump(Transfer.scala:202)
    at akka.stream.impl.Pump.pump$(Transfer.scala:200)
    at akka.stream.impl.io.TLSActor.pump(TLSActor.scala:50)
    at akka.stream.impl.BatchingInputBuffer.enqueueInputElement(ActorProcessor.scala:96)
    at akka.stream.impl.BatchingInputBuffer$$anonfun$upstreamRunning$1.applyOrElse(ActorProcessor.scala:147)
    at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:38)
    at akka.stream.impl.SubReceive.apply(Transfer.scala:18)
    at akka.stream.impl.FanIn$InputBunch$$anonfun$subreceive$1.applyOrElse(FanIn.scala:242)
    at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:38)
    at akka.stream.impl.SubReceive.apply(Transfer.scala:18)
    at akka.stream.impl.SubReceive.apply(Transfer.scala:14)
    at scala.PartialFunction.applyOrElse(PartialFunction.scala:127)
    at scala.PartialFunction.applyOrElse$(PartialFunction.scala:126)
    at akka.stream.impl.SubReceive.applyOrElse(Transfer.scala:14)
    at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:175)
    at akka.actor.Actor.aroundReceive(Actor.scala:539)
    at akka.actor.Actor.aroundReceive$(Actor.scala:537)
    at akka.stream.impl.io.TLSActor.aroundReceive(TLSActor.scala:50)
    at akka.actor.ActorCell.receiveMessage(ActorCell.scala:612)
    at akka.actor.ActorCell.invoke(ActorCell.scala:581)
    at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:268)
    at akka.dispatch.Mailbox.run(Mailbox.scala:229)
    at akka.dispatch.Mailbox.exec(Mailbox.scala:241)
    at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
    at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
    at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
    at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: java.lang.NullPointerException
    at sun.net.util.IPAddressUtil.textToNumericFormatV4(IPAddressUtil.java:49)
    at sun.net.util.IPAddressUtil.isIPv4LiteralAddress(IPAddressUtil.java:241)
    at sun.security.util.HostnameChecker.isIpAddress(HostnameChecker.java:124)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:92)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
    at akka.stream.impl.io.TLSActor.runDelegatedTasks(TLSActor.scala:423)
    at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:392)
    ... 29 more

This is the exception I got when I tried to use loose SSL settings in Akka.