
AWS Java SDK does not respect custom JDK TrustStore

Open rcha opened this issue 7 years ago • 10 comments

The SDK uses a custom HttpClientBuilder that does not respect the majority of system properties.

rcha commented Sep 08 '17 19:09

Which system properties are you trying to use?

spfink commented Sep 14 '17 17:09

This is a feature request to honor more system properties like javax.net.ssl.trustStore.

http://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/impl/client/HttpClientBuilder.html

shorea commented Sep 25 '17 14:09

It would also be beneficial if we could provide a specific trust store just for the AWS SDK. In production, we remove root certificates from all servers and only trust a root certificate generated in-house.

apfritts commented Nov 01 '18 18:11

@apfritts I believe you can do that via a custom socket factory. https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ApacheHttpClientConfig.html#withSslSocketFactory-org.apache.http.conn.socket.ConnectionSocketFactory-

ClientConfiguration config = new ClientConfiguration();
config.getApacheHttpClientConfig().setSslSocketFactory(....);

shorea commented Nov 01 '18 19:11

@shorea are there any plans to support this feature to override the JDK truststore location? We are trying to use the Redshift JDBC driver with the AWS Java SDK in a containerized environment. We maintain a truststore in a persistent volume and need to have the driver pick up certificates from that truststore.

toroc commented Apr 23 '20 18:04

Hey, I'm no longer with the SDK team, but I'm pretty sure the SDK now respects the Java system properties for custom trust stores. Can you give that a try and report your results?

-Djavax.net.ssl.trustStore -Djavax.net.ssl.trustStorePassword

shorea commented Apr 23 '20 18:04

> @apfritts I believe you can do that via a custom socket factory. https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ApacheHttpClientConfig.html#withSslSocketFactory-org.apache.http.conn.socket.ConnectionSocketFactory-
>
> ClientConfiguration config = new ClientConfiguration();
> config.getApacheHttpClientConfig().setSslSocketFactory(....);

@shorea yes! Sorry I didn't respond earlier but this works fabulously. Thanks!

apfritts commented Jun 21 '20 03:06

> > @apfritts I believe you can do that via a custom socket factory. https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ApacheHttpClientConfig.html#withSslSocketFactory-org.apache.http.conn.socket.ConnectionSocketFactory-
> >
> > ClientConfiguration config = new ClientConfiguration();
> > config.getApacheHttpClientConfig().setSslSocketFactory(....);
>
> @shorea yes! Sorry I didn't respond earlier but this works fabulously. Thanks!

Can you provide more details on how we can set the truststore here...

chandrabipin commented Feb 25 '21 15:02
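The custom socket factory that shorea pointed at above, filled in as an added example for chandrabipin's question (this is not code from the issue or from the SDK project). It loads a dedicated truststore, builds an SSLContext that trusts only the roots in that store, wraps it in an Apache SSLConnectionSocketFactory and hands it to the v1 SDK through ClientConfiguration. The truststore path, its password, the `sdk.trustStore` / `sdk.trustStorePassword` property names and the use of S3 as the client are assumptions for illustration.

```java
import com.amazonaws.ClientConfiguration;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

/**
 * Added example, not part of the issue or the SDK: give the AWS SDK for Java v1
 * its own truststore instead of relying on the JVM-wide cacerts file or the
 * javax.net.ssl.trustStore system properties.
 */
public final class SdkTrustStore {

    private SdkTrustStore() {}

    /**
     * Loads a PKCS12 truststore (assumed format) and returns an SSLContext whose
     * trust managers know only the certificates in that store. The JDK default
     * cacerts file is not consulted, so a server chaining to a public CA is rejected.
     */
    static SSLContext sslContextFrom(String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: no client certificate; null SecureRandom: platform default
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Wraps the SSLContext in the socket factory the SDK's Apache client accepts. */
    static ClientConfiguration clientConfigurationWith(SSLContext ctx) {
        // Keep hostname verification on. With an in-house root that can sign any
        // name, checking the SAN against the endpoint is what stops a rogue leaf.
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                ctx, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        ClientConfiguration config = new ClientConfiguration();
        config.getApacheHttpClientConfig().setSslSocketFactory(socketFactory);
        return config;
    }

    public static void main(String[] args) throws Exception {
        // Assumed property names and default path; in the containerized setup from
        // the thread this would point at the truststore on the mounted volume.
        String path = System.getProperty("sdk.trustStore", "/etc/pki/aws-sdk-truststore.p12");
        char[] password = System.getProperty("sdk.trustStorePassword", "changeit").toCharArray();

        ClientConfiguration config = clientConfigurationWith(sslContextFrom(path, password));
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withClientConfiguration(config)
                .build();
        // Every TLS handshake this client makes is now validated against the
        // dedicated truststore only; an untrusted chain fails with an SSLHandshakeException.
        System.out.println(s3.listBuckets().size() + " buckets visible");
    }
}
```

Two caveats worth keeping in mind: this configures only the SDK's own Apache HTTP client, so a JDBC driver used alongside it (as in the Redshift case above) still has to be given its trust material through its own settings; and the store must contain the root that signs the AWS endpoints you talk to, or every call fails at the handshake, which is the intended fail-closed behaviour when a truststore is pinned this way.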

Joining @chandrabipin's question to @apfritts. Also, a question to the repo maintainers: could you confirm whether what @shorea said above is true?

> Hey, I'm no longer with the SDK team, but I'm pretty sure the SDK now respects the Java system properties for custom trust stores. Can you give that a try and report your results?
>
> -Djavax.net.ssl.trustStore -Djavax.net.ssl.trustStorePassword

wojtasskorcz commented Jan 17 '22 07:01

@wojtasskorcz @chandrabipin

I'm no longer with Box, so I can't look up what I did, and I don't play in the Java world any more. Sorry!

apfritts commented Feb 16 '22 06:02