ssl-config
SSLLooseConfig.acceptAnyCertificate doesn't seem to do anything
While using akka-http, I need to have an option to trust all the certificates when connecting via HTTPS. I followed the instructions on http://lightbend.github.io/ssl-config/LooseSSL.html#loose-options and https://doc.akka.io/docs/akka-http/10.0.10/scala/http/client-side/client-https-support.html#disabling-tls-security-features-at-your-own-risk, but had no success: the certificate still seems to be validated regardless of the setting. Opening a connection just keeps throwing a stack trace like the one below.
Why: I'm writing a plugin for a certain application which bundles its own JDK. The certificate authorities more often than not will not be under my control, and I cannot expect users to add certificates to cacerts or supply their own files.
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:367)
at akka.stream.impl.io.TLSActor.doInbound(TLSActor.scala:290)
at akka.stream.impl.io.TLSActor.$anonfun$bidirectional$1(TLSActor.scala:225)
at akka.stream.impl.Pump.pump(Transfer.scala:199)
at akka.stream.impl.Pump.pump$(Transfer.scala:197)
at akka.stream.impl.io.TLSActor.pump(TLSActor.scala:48)
at akka.stream.impl.BatchingInputBuffer.enqueueInputElement(ActorProcessor.scala:90)
at akka.stream.impl.BatchingInputBuffer$$anonfun$upstreamRunning$1.applyOrElse(ActorProcessor.scala:141)
at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:34)
at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
at akka.stream.impl.FanIn$InputBunch$$anonfun$subreceive$1.applyOrElse(FanIn.scala:234)
at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:34)
at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
at akka.stream.impl.SubReceive.apply(Transfer.scala:12)
at scala.PartialFunction.applyOrElse(PartialFunction.scala:123)
at scala.PartialFunction.applyOrElse$(PartialFunction.scala:122)
at akka.stream.impl.SubReceive.applyOrElse(Transfer.scala:12)
at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:171)
at akka.actor.Actor.aroundReceive(Actor.scala:502)
at akka.actor.Actor.aroundReceive$(Actor.scala:500)
at akka.stream.impl.io.TLSActor.aroundReceive(TLSActor.scala:48)
at akka.actor.ActorCell.receiveMessage(ActorCell.scala:526)
at akka.actor.ActorCell.invoke(ActorCell.scala:495)
at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:257)
at akka.dispatch.Mailbox.run(Mailbox.scala:224)
at akka.dispatch.Mailbox.exec(Mailbox.scala:234)
at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:157)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at akka.stream.impl.io.TLSActor.runDelegatedTasks(TLSActor.scala:402)
at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:371)
... 29 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1493)
... 37 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 43 more
I wonder if this is actually an issue for ssl-config or the underlying akka-http dependency?
@pkoryzna - can you please include a minimal example, i.e., pointing to some site with a self-signed certificate? I made one here: https://139.59.135.117/
Minimal example here: https://gist.github.com/pkoryzna/f288d8471c7e1c8822b3594d043d7017
Custom SSL context works for me. Example: https://gist.github.com/iRevive/4a3c7cb96374da5da80d4538f3da17cb And 'on demand' trustful SSL context: https://gist.github.com/iRevive/7d17144284a7a2227487635ec815860d
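The custom-SSLContext route mentioned above is the one that actually bypasses the JDK's cacerts lookup, so here is an added example of it, written for this thread and not taken from the linked gists or from akka-http or ssl-config. Instead of a trust manager that accepts anything (which is what `acceptAnyCertificate` is meant to do, and which removes server authentication entirely, so any on-path attacker can terminate the TLS connection), it pins the server's leaf certificate by SHA-256 fingerprint. That fits the plugin use case described in the issue: the plugin ships the fingerprint(s) of the servers it talks to and never depends on the bundled JDK's trust store. `PinnedTrustManager`, `pinnedHttpsContext` and `sha256Fingerprint` are names chosen here; the fingerprint value is a placeholder to be replaced with the real one obtained out of band. The akka-http calls (`ConnectionContext.https`, `Http().singleRequest`) are the 10.0.x API the issue links to.

```scala
import java.security.MessageDigest
import java.security.cert.{CertificateException, X509Certificate}
import javax.net.ssl.{SSLContext, X509TrustManager}

import akka.actor.ActorSystem
import akka.http.scaladsl.{ConnectionContext, Http, HttpsConnectionContext}
import akka.http.scaladsl.model.HttpRequest
import akka.stream.ActorMaterializer

object PinnedHttpsClient {

  /** Lower-case hex SHA-256 over the DER encoding of the certificate; matches
    * `openssl x509 -in cert.pem -outform DER | sha256sum`. */
  def sha256Fingerprint(cert: X509Certificate): String =
    MessageDigest.getInstance("SHA-256")
      .digest(cert.getEncoded)
      .map(b => f"$b%02x")
      .mkString

  /** Accepts a server chain only if the leaf certificate's fingerprint is pinned.
    * cacerts is never consulted, so the bundled JDK's trust store is irrelevant.
    * Replacing the body of checkServerTrusted with nothing is the "accept any
    * certificate" behaviour the issue asks for; that disables authentication. */
  final class PinnedTrustManager(pinned: Set[String]) extends X509TrustManager {
    override def checkServerTrusted(chain: Array[X509Certificate], authType: String): Unit = {
      if (chain == null || chain.isEmpty)
        throw new CertificateException("empty server certificate chain")
      val leaf = chain(0)
      leaf.checkValidity() // still reject expired or not-yet-valid certificates
      val fp = sha256Fingerprint(leaf)
      if (!pinned.contains(fp))
        throw new CertificateException(s"server certificate $fp is not pinned")
    }
    // Client-side only: this trust manager never authenticates client certificates.
    override def checkClientTrusted(chain: Array[X509Certificate], authType: String): Unit =
      throw new CertificateException("client certificates are not accepted here")
    override def getAcceptedIssuers: Array[X509Certificate] = Array.empty
  }

  /** HttpsConnectionContext backed by an SSLContext that uses only the pinned trust manager. */
  def pinnedHttpsContext(pinned: Set[String]): HttpsConnectionContext = {
    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(null, Array(new PinnedTrustManager(pinned)), null)
    ConnectionContext.https(sslContext)
  }

  def main(args: Array[String]): Unit = {
    implicit val system: ActorSystem = ActorSystem("pinned-client")
    implicit val mat: ActorMaterializer = ActorMaterializer()
    import system.dispatcher

    // Placeholder fingerprint (assumption for this example). Obtain the real one
    // out of band, e.g. `openssl s_client -connect host:443 </dev/null |
    // openssl x509 -outform DER | sha256sum`, and ship it with the plugin.
    val pins = Set("0000000000000000000000000000000000000000000000000000000000000000")
    val ctx = pinnedHttpsContext(pins)

    Http().singleRequest(HttpRequest(uri = "https://139.59.135.117/"), connectionContext = ctx)
      .map { resp =>
        resp.discardEntityBytes()
        println(s"status: ${resp.status}")
      }
      .recover { case e => println(s"handshake rejected: ${e.getMessage}") }
      .onComplete(_ => system.terminate())
  }
}
```

With the placeholder pin the request fails in `checkServerTrusted` with the fingerprint of the certificate the server actually presented, which is a convenient way to read it the first time; once the real value is pinned the handshake succeeds without any change to cacerts. The cost of pinning the leaf is that the pin set has to be updated whenever the server rotates its certificate, which is why production deployments usually pin an intermediate or a set of public-key hashes instead.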
I confirm, this setting does not work.
java.lang.RuntimeException: Delegated task threw Exception/Error
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:385)
at akka.stream.impl.io.TLSActor.doInbound(TLSActor.scala:295)
at akka.stream.impl.io.TLSActor.$anonfun$bidirectional$1(TLSActor.scala:230)
at akka.stream.impl.Pump.pump(Transfer.scala:202)
at akka.stream.impl.Pump.pump$(Transfer.scala:200)
at akka.stream.impl.io.TLSActor.pump(TLSActor.scala:50)
at akka.stream.impl.BatchingInputBuffer.enqueueInputElement(ActorProcessor.scala:96)
at akka.stream.impl.BatchingInputBuffer$$anonfun$upstreamRunning$1.applyOrElse(ActorProcessor.scala:147)
at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:38)
at akka.stream.impl.SubReceive.apply(Transfer.scala:18)
at akka.stream.impl.FanIn$InputBunch$$anonfun$subreceive$1.applyOrElse(FanIn.scala:242)
at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:38)
at akka.stream.impl.SubReceive.apply(Transfer.scala:18)
at akka.stream.impl.SubReceive.apply(Transfer.scala:14)
at scala.PartialFunction.applyOrElse(PartialFunction.scala:127)
at scala.PartialFunction.applyOrElse$(PartialFunction.scala:126)
at akka.stream.impl.SubReceive.applyOrElse(Transfer.scala:14)
at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:175)
at akka.actor.Actor.aroundReceive(Actor.scala:539)
at akka.actor.Actor.aroundReceive$(Actor.scala:537)
at akka.stream.impl.io.TLSActor.aroundReceive(TLSActor.scala:50)
at akka.actor.ActorCell.receiveMessage(ActorCell.scala:612)
at akka.actor.ActorCell.invoke(ActorCell.scala:581)
at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:268)
at akka.dispatch.Mailbox.run(Mailbox.scala:229)
at akka.dispatch.Mailbox.exec(Mailbox.scala:241)
at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: java.lang.NullPointerException
at sun.net.util.IPAddressUtil.textToNumericFormatV4(IPAddressUtil.java:49)
at sun.net.util.IPAddressUtil.isIPv4LiteralAddress(IPAddressUtil.java:241)
at sun.security.util.HostnameChecker.isIpAddress(HostnameChecker.java:124)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:92)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at akka.stream.impl.io.TLSActor.runDelegatedTasks(TLSActor.scala:423)
at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:392)
... 29 more
This is the exception I got when I tried to use loose SSL settings in Akka.