
unable to use amazon sdk via corporate proxy with self-signed certificates

Open · adrian-herscu opened this issue 4 years ago · 1 comment

I need to run system tests for a service running on AWS, using a Cognito authentication token, via a corporate proxy which on every connection generates a new self-signed SSL certificate.

Since that proxy generates a new SSL certificate on every connection adding that certificate to the trusted certificate store is impractical.

Describe the bug

I am building:

AWSCognitoIdentityProviderClientBuilder
            .standard()
            .withCredentials(
                new AWSStaticCredentialsProvider(
                    new AnonymousAWSCredentials()))
            .withRegion(region)
            .build()

then calling initiateAuth.

Expected Behavior

Receive an InitiateAuthResult

Current Behavior

Throws:

com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1207)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1153)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:802)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530)
	at com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClient.doInvoke(AWSCognitoIdentityProviderClient.java:8410)
	at com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClient.anonymousInvoke(AWSCognitoIdentityProviderClient.java:8387)
	at com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClient.executeInitiateAuth(AWSCognitoIdentityProviderClient.java:5642)
	at com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClient.initiateAuth(AWSCognitoIdentityProviderClient.java:5611)
	at com.ge.acutecare.qa.tester.utils.rest.AwsCognitoSrpAuthenticator.authChallengeResultWithoutCaching(AwsCognitoSrpAuthenticator.java:351)
	at com.ge.acutecare.qa.tester.utils.rest.AwsCognitoSrpAuthenticator.lambda$authChallengeResult$0(AwsCognitoSrpAuthenticator.java:339)
	at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4876)
	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3528)
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2277)
	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2154)
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2044)
	... 31 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:370)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:313)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:479)
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:457)
	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:200)
	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1290)
	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1199)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.upgrade(DefaultHttpClientConnectionOperator.java:191)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:390)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76)
	at com.amazonaws.http.conn.$Proxy51.upgrade(Unknown Source)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:428)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
	at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1331)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1145)
	... 49 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at sun.security.validator.Validator.validate(Validator.java:271)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
	... 78 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
	... 84 more

Steps to Reproduce

  1. setup an SSL proxy with a self-signed certificate, which is not added to Java trust store.
  2. connect to Cognito via that proxy

Possible Solution

Somehow allow SSLContext to be specified globally or at least per connection, such as in JAX-RS:

ClientBuilder.newBuilder()
            .sslContext(TRUST_ALL_SSL_CONTEXT)
            .build();

Context

as described above

Your Environment

  • AWS Java SDK version used: 1.12.12
  • JDK version used: 1.8
  • Operating System and version: Windows 10

adrian-herscu · Jun 28 '21 12:06

Hi @adrian-herscu I'm sorry for the lack of response here.

This is an ask to add a new configuration to the client or the request, so I'm changing this to feature request.

If you are able to use the Java SDK 2.x, this is already supported by using one HTTP client configuration option available in the SdkHttpConfigurationOption class: TRUST_ALL_CERTIFICATES; setting it to true will disable SSL certificate verification. Please note that this is not a safe setting and should only be used for testing.

Since this is already supported in SDK 2.x, this will have little chance to be implemented in 1.x, I'm afraid.

Let me know if this helps.

debora-ito · Sep 01 '21 23:09
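The SDK 2.x configuration the reply refers to, as an added example that is not code from the issue or from the SDK project: the test-only TRUST_ALL_CERTIFICATES setting is shown beside a hardened alternative that trusts only the proxy's issuing CA via the Apache client's tlsTrustManagersProvider. The hardened variant assumes the proxy's certificates chain to a corporate CA that can be exported into a PKCS#12 trust store; the proxy URI, trust store path and password are placeholders.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;

import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.SdkHttpConfigurationOption;
import software.amazon.awssdk.http.TlsTrustManagersProvider;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.http.apache.ProxyConfiguration;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.utils.AttributeMap;

public class CognitoViaProxy {

    // Test-only variant from the reply: every server certificate is accepted, so a
    // TLS-intercepting party on the path goes undetected. Never ship this configuration.
    static SdkHttpClient trustAllClient(URI proxy) {
        return ApacheHttpClient.builder()
                .proxyConfiguration(ProxyConfiguration.builder().endpoint(proxy).build())
                .buildWithDefaults(AttributeMap.builder()
                        .put(SdkHttpConfigurationOption.TRUST_ALL_CERTIFICATES, Boolean.TRUE)
                        .build());
    }

    // Hardened variant (assumption: the proxy's leaf certificates chain to an exportable
    // corporate CA). Only that CA is trusted; the JVM default trust store stays untouched.
    static SdkHttpClient pinnedProxyCaClient(URI proxy, String trustStorePath, char[] password)
            throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        TlsTrustManagersProvider provider = tmf::getTrustManagers;
        return ApacheHttpClient.builder()
                .proxyConfiguration(ProxyConfiguration.builder().endpoint(proxy).build())
                .tlsTrustManagersProvider(provider)
                .build();
    }

    // Anonymous Cognito client (the 2.x counterpart of the 1.x builder in the issue),
    // wired to whichever HTTP client was chosen above.
    static CognitoIdentityProviderClient cognito(SdkHttpClient http, Region region) {
        return CognitoIdentityProviderClient.builder()
                .region(region)
                .credentialsProvider(AnonymousCredentialsProvider.create())
                .httpClient(http)
                .build();
    }
}
```

Keep the trust-all client confined to the test harness and make the pinned-CA client the default, so a misconfigured proxy fails the handshake exactly as the stack trace above shows rather than silently succeeding.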