rbeckman-nextgen / test-mc

test-migration

HttpsURLConnection Timeout and allowUnsafeRenegotiation #1300

Open rbeckman-nextgen opened 4 years ago

rbeckman-nextgen commented 4 years ago

My company has been successfully using the HttpsURLConnection class in an external Java package which we've been referencing through a JavaScript Writer. We use the class to do secure POSTs and GETs.

We now have a case where we need to introduce a trusted certificate and a keystore to create a secure SSLSocketFactory. We add the trusted certificate to the CACERTS file of the server and reference the keystore file within the class as follows:

SSLSocketFactory sslSocketFactory = getFactory(new File(CERTIFICATE_PATH), CERTIFICATE_PASSWORD);

The SSLSocketFactory simply adds the keystore to the KeyManagerFactory and returns the appropriate SSLContext in the SSLSocketFactory.

Now for the problem: When executing the methods on the class that do a GET or POST outside of the Mirth environment, it works without error. When we package up the JAR and include it as a custom library within the Mirth environment, we receive a Socket timeout as a result of a call to the following method:

.getInputStream()

The code is identical to the class that runs outside of Mirth. When running the classes within Mirth, we will see that after the "Encrypted Handshake Message" is received, we get an "Encrypted Alert" message. This prevents the negotiation from succeeding and thus will prevent a successful GET or POST. When running the same class outside of Mirth, it works just fine (in fact, we execute the method on the same JAR file we include within Mirth).

One thing to note that is of interest: for this application to run correctly, we must set the following Java property:

systemProps.put("sun.security.ssl.allowUnsafeRenegotiation", "true");

From what I gather, Mirth might be either ignoring it or perhaps preventing it. We've been trying various scenarios with no success for a number of days now. I've even added this property to the standard Mirth startup with no success.

Another difference we can see is that we use the JavaScript Writer to call into the Java class. We haven't had any issues with it in the past. Perhaps there is something with that method that is preventing the handshake from completing successfully?

Any suggestions would be much appreciated. We've really come to a point where this is blocking our progress. Mirth is a fantastic product and we intend to continue using it for a number of solutions. Many thanks in advance.

Imported Issue. Original Details: Reporter: rutzelt Created: 2012-06-04T06:21:54.000-0700
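As an added example, not code from the issue, from Mirth or from the reporter's JAR, this is one way the getFactory helper and the HttpsURLConnection call described above can be written so that a failed handshake surfaces as a fast, logged failure instead of a long hang. It assumes a PKCS12 client keystore, the JVM's default cacerts as the trust store, and that the class name, URL and timeout values are placeholders.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper; mirrors the getFactory(File, password) call quoted in the issue. */
public final class ClientSslFactory {

    public static SSLSocketFactory getFactory(File keystoreFile, char[] password) throws Exception {
        // Assumption: the keystore is PKCS12; use "JKS" if that is the actual file type.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keystoreFile)) {
            keyStore.load(in, password);
        }
        // Client identity: the keystore's private key + certificate chain.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        // Server trust: null means the JVM default trust store (cacerts), where the issue says
        // the server certificate was imported.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** The renegotiation flag is read once at JVM startup; log this at connector start to confirm it took effect. */
    public static boolean unsafeRenegotiationEnabled() {
        return Boolean.parseBoolean(System.getProperty("sun.security.ssl.allowUnsafeRenegotiation"));
    }

    /** Bounded timeouts make a stalled handshake fail quickly with an exception instead of hanging getInputStream(). */
    public static int httpsGet(URL url, SSLSocketFactory factory, int timeoutMillis) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(factory);
        conn.setConnectTimeout(timeoutMillis);
        conn.setReadTimeout(timeoutMillis);
        conn.setRequestMethod("GET");
        int status = conn.getResponseCode(); // triggers the TLS handshake; throws on alert or timeout
        conn.disconnect();
        return status;
    }
}
```

Because the property is read during JVM startup, putting it in the JVM options file (rather than System.setProperty from channel code) is what actually changes the behaviour; unsafeRenegotiationEnabled() only reports what the running JVM saw.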
rbeckman-nextgen commented 4 years ago

FWIW, this system property can be set in mcserver.vmoptions.

By the time your Javascript runs, this property has already probably been read by the underlying code and later changes will be ignored.

Imported Comment. Original Details: Author: cschultz@chadis.com Created: 2018-12-12T17:28:11.000-0800