micronaut-projects / micronaut-core

Micronaut Application Framework
http://micronaut.io
Apache License 2.0

Service SSL configuration is being ignored #1708

Closed carlosbarragan closed 5 years ago

carlosbarragan commented 5 years ago


Steps to Reproduce

  1. Configure a service as follows:
http:
  services:
     myservice:
        url: https://somehost.com
        ssl-configuration:  
          enable: true
          key-store:
            path: classpath:PATH_TO_CERTIFICATE.pfx
            type: PKCS12
            password: ${certificate.password}

Expected Behaviour

Configuration should be taken into account and therefore, it is possible to call the service with the specified certificate.

Actual Behaviour

SSL Handshake failure error occurred.

Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)

The configuration works if I configure the default client like this:

 http:
    services:
      my-service:
        url: https://somehost.com
      ssl-configuration:
        enable: true
    client:
      ssl:
        enable: true
        key-store:
          path: classpath:PATH_TO_CERTIFICATE.pfx
          type: PKCS12
          password: ${certificate.password}

I am able to call the service with the certificate and everything works fine.

Environment Information

Example Application

I don't have one since the certificate stuff is not public.

sdelamo commented 5 years ago

I believe the indentation in your issue report is incorrect:

[Screenshot: Screenshot_23_05_2019__13_36]

carlosbarragan commented 5 years ago

@sdelamo sorry, I fixed it.

carlosbarragan commented 5 years ago

@jameskleeh I updated my project to 1.1.3 and I can now verify that the configuration is being picked up; however, it seems that it is still ignored when making the client call. I still get a handshake error.

If I configure the default client with ssl it works.

Another thing I noticed is that the proper way to configure the service ssl is to use the ssl key instead of ssl-configuration like this:

http:
  services:
     myservice:
        url: https://somehost.com
        ssl:  
          enable: true

So, to sum up, the following configuration still does not work:

http:
  services:
     myservice:
        url: https://somehost.com
        ssl:  
          enable: true
          key-store:
            path: classpath:PATH_TO_CERTIFICATE.pfx
            type: PKCS12
            password: ${certificate.password}

carlosbarragan commented 5 years ago

So, it seems this bug is finally fixed in #2229

Is that right, @jameskleeh?

jameskleeh commented 5 years ago

@carlosbarragan That's right. Back when this was reported, the issue had multiple layers and I fixed the first one. I didn't see your comment in July. Had I seen it, the issue may have been fixed much sooner. In the future, file a new issue so it will be more visible.

carlosbarragan commented 5 years ago

@jameskleeh no problem, I just wanted to be sure the other issue is related to this.

Thanks!
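
Added example (not part of the thread and not Micronaut code): a small lint for the two configuration-shape problems raised above, a TLS block indented so that it becomes a sibling of the service, and `ssl-configuration` used where the thread says `ssl` is the key. It flattens the YAML into dotted property paths so you can see where each key actually lands before suspecting the client itself. The `http.services.` prefix follows the snippets as posted, the function names are hypothetical, and the parser handles only nested mappings with scalar values, not full YAML.

```python
# Constructed samples shaped like the configs quoted in the thread.
NESTED = """\
http:
  services:
     myservice:
        url: https://somehost.com
        ssl-configuration:
          enable: true
          key-store:
            path: classpath:PATH_TO_CERTIFICATE.pfx
"""
MISINDENTED = """\
http:
    services:
      my-service:
        url: https://somehost.com
      ssl-configuration:
        enable: true
"""
FIXED = NESTED.replace("ssl-configuration:", "ssl:")

def flatten(text):
    """Flatten a mappings-only YAML subset into {dotted.path: value}."""
    props, stack = {}, []  # stack: (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings that ended at or above this indent
        stack.append((indent, key))
        if value.strip():
            props[".".join(k for _, k in stack)] = value.strip()
    return props

def lint_service_tls(text, prefix="http.services."):
    """List TLS keys that do not resolve to <prefix><service>.ssl.*"""
    findings = []
    for path in filter(lambda p: p.startswith(prefix), flatten(text)):
        service, *rest = path[len(prefix):].split(".")
        if service in ("ssl", "ssl-configuration"):
            findings.append(f"{path}: TLS block parsed as a service name")
        elif rest and rest[0] == "ssl-configuration":
            findings.append(f"{path}: use key 'ssl', not 'ssl-configuration'")
    return findings

if __name__ == "__main__":
    print([lint_service_tls(c) or "no findings" for c in (NESTED, MISINDENTED, FIXED)])
```

A clean result only rules out the configuration shape; the thread reports that a correctly keyed per-service block still failed the handshake until the fix referenced as #2229.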