Closed MasterColor closed 6 years ago
I am not sure how you can help. I will tell you what I know in general about how SSL works in general, but I can't say for sure what the problem is.
Zuul, in most cases, will use the Apache HTTP Client when proxying requests (it's hard to say if this is true for you because you have only provided part of the stack trace). The Apache HTTP Client by default will check if the SSL certificate is trusted by the JVM. If it is not trusted by the JVM, an exception will be thrown. To solve this problem you can use a trusted cert, or import the certificate into the JVM of the machine Zuul is running on.
Based on this error, I believe it is worth checking the validity and correctness of the certificates. Thank you.
com.netflix.zuul.exception.ZuulException: Received fatal alert: bad_certificate
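The check the replies above point to (does the presented certificate chain to a CA the other side trusts, and is it inside its validity window), as an added example that is not part of the original thread. It uses throwaway CAs and certificates generated with openssl; every name, subject and path in it is constructed.

```bash
#!/usr/bin/env bash
# Added example. CA names, subjects and paths are constructed; nothing here
# comes from the reporter's environment.
set -u
WORK=$(mktemp -d)

# make_ca <name>: throwaway self-signed CA, standing in for one trust anchor
# in a truststore.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client <ca> <name>: client certificate signed by <ca>, standing in for
# the key entry a proxy presents during two-way SSL.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 2 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# check_client <anchor.pem> <client.pem>: prints TRUSTED, or REJECTED plus the
# first verification error openssl reports.
check_client() {
  verify_out=$(openssl verify -CAfile "$1" "$2" 2>&1)
  if printf '%s\n' "$verify_out" | grep -q ': OK$'; then
    echo "TRUSTED"
  else
    echo "REJECTED: $(printf '%s\n' "$verify_out" | grep -o 'error [0-9][0-9]* .*' | head -n 1)"
  fi
}

# expires_within <cert.pem> <seconds>: succeeds when notAfter falls inside the window.
expires_within() {
  ! openssl x509 -checkend "$2" -noout -in "$1" >/dev/null
}

make_ca backend-ca                  # the CA the backend's truststore contains
make_ca other-ca                    # a CA the backend does not trust
issue_client backend-ca zuul-ok
issue_client other-ca zuul-stray
echo "zuul-ok:    $(check_client "$WORK/backend-ca.pem" "$WORK/zuul-ok.pem")"
echo "zuul-stray: $(check_client "$WORK/backend-ca.pem" "$WORK/zuul-stray.pem")"
expires_within "$WORK/zuul-ok.pem" 0 && echo "zuul-ok: expired"
expires_within "$WORK/zuul-ok.pem" 864000 && echo "zuul-ok: expires within 10 days"
```

Against a real deployment, run `check_client` and `expires_within` on the PEM certificate exported from the client's keystore and the CA certificates exported from the server's truststore, for every key entry the client could present.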
Please reopen this if you still believe there is a problem.
Hi spring-cloud-netflix team,
I ran into a problem while I tried to make the communication between Zuul and the backend service Two-Way SSL HTTPS.
When we enable Two-Way SSL, we receive the following exceptions from Zuul randomly:
1.
[2018-04-21 15:59:26][WARN][http-nio-7100-exec-2][org.springframework.cloud.netflix.zuul.filters.post.SendErrorFilter][run][78]-Error during filtering
com.netflix.zuul.exception.ZuulException: Received fatal alert: bad_certificate
at org.springframework.cloud.netflix.zuul.util.ZuulRuntimeException.<init>(ZuulRuntimeException.java:33) ~[spring-cloud-netflix-core-1.4.3.RELEASE.jar:1.4.3.RELEASE]
...
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_101]
2.
[2018-04-21 15:59:26][WARN][http-nio-7100-exec-2][org.springframework.cloud.netflix.zuul.filters.post.SendErrorFilter][run][78]-Error during filtering
com.netflix.zuul.exception.ZuulException: Software caused connection abort: recv failed
at org.springframework.cloud.netflix.zuul.util.ZuulRuntimeException.<init>(ZuulRuntimeException.java:33) ~[spring-cloud-netflix-core-1.4.3.RELEASE.jar:1.4.3.RELEASE]
...
Caused by: java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method) ~[?:1.8.0_101]
And the following exception from the backend web container:
[DEBUG] 2018-04-21 14:41:00,939 [http-bio-7443-exec-4] - Handshake failed -org.apache.tomcat.util.net.JIoEndpoint
java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:291)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:304)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
I also tried Two-Way SSL with a browser and a Java application (with httpclient) as clients to the backend server, and it turned out OK, so we have to raise this question to your team.
Maybe you can provide me a demo or some suggestions about this.
Thanks a lot.