
Insecure skip verification property

Open serrodcal opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe.

It is not a problem, but searching the documentation, it seems like there is no specific property to skip CA verification using HTTPS. It should be fine to have something like this.

Describe the solution you'd like

I'd like to have a parameter like -Dotel.tls.insecure=true (false by default) just to allow insecure traffic or for debugging purposes.

Describe alternatives you've considered

N/A

Additional context

N/A

serrodcal avatar Feb 09 '24 12:02 serrodcal

@serrodcal Thanks, can you help us understand specifically which exporters and which HTTP senders you'd like to target with this?

breedx-splk avatar Feb 09 '24 21:02 breedx-splk

Defining new environment variables has to be driven through the spec. You might think that we could piggyback off the OTEL_EXPORTER_OTLP_INSECURE env var defined here, but the spec clearly states that we should use the scheme (i.e. http vs. https) to infer.

It is possible to programmatically configure your own SSLContext which should be able to accomplish the behavior you want.

jack-berg avatar Feb 09 '24 23:02 jack-berg

Hi, @breedx-splk and @jack-berg. Thanks for the information you provided. I'm using OpenTelemetry for Java through the implementation of WSO2 Micro-Integrator. I was looking into the documentation but I didn't find anything related. Thanks @jack-berg for the link you provided.

Regarding SSLContext, I'm not sure if I can configure my own SSLContext because the implementation is provided by WSO2. I've just opened a ticket to WSO2 about this.

My question was related to a specific property because I was trying to force the behaviour through a JVM parameter.

serrodcal avatar Feb 13 '24 12:02 serrodcal

Hi, one question more, is there any way of enabling debug mode in SSLContext? I'm getting the following error:

        ERROR {OkHttpGrpcExporter} - Failed to export spans. The request could not be executed. Full error message: Received fatal alert: bad_certificate

but I cannot enable debug mode to be able to get further information about the error.

serrodcal avatar Feb 15 '24 09:02 serrodcal

> Hi, one question more, is there any way of enabling debug mode in SSLContext?

I'm not sure. May be worth reading the javadoc to see if there is any way to enable more verbose logging. You can also run with a debugger and set a break point.

> My question was related to a specific property because I was trying to force the behaviour through a JVM parameter.

Unfortunately there is no environment variable or system property you can set to force that today. I'm not familiar with WSO2, but reading the docs here, it seems to be possible to provide an OpenTelemetrySdk instance which has been programmatically configured. It may be cumbersome, but you should be able to manually configure an OpenTelemetrySdk with the configuration you want.

jack-berg avatar Feb 16 '24 00:02 jack-berg

Yes, that's the point, it is cumbersome.

Thanks a lot for your help. I'll close this ticket.

serrodcal avatar Feb 16 '24 08:02 serrodcal

Hi @jack-berg,

> Unfortunately there is no environment variable or system property you can set to force that today

Given that there's no env variable / system property currently to set OTEL_EXPORTER_OTLP_INSECURE, as you said, if we wish to provide this property to the OpenTelemetry SDK, how can we do that?

Below is the snippet of how WSO2 MI builds the tracer using OpenTelemetry SDK. Is there any way to provide this through OtlpGrpcSpanExporter.builder().addHeader() (if so, what would be the headerKey)? Or do you have any other way to do this?

        OtlpGrpcSpanExporterBuilder otlpGrpcSpanExporterBuilder = OtlpGrpcSpanExporter.builder()
                .setEndpoint(endPointURL)
                .setCompression("gzip")
                .addHeader(headerKey, headerValue);

        Resource serviceNameResource = Resource.create(Attributes.of(ResourceAttributes.SERVICE_NAME,
                TelemetryConstants.SERVICE_NAME));

        sdkTracerProvider = SdkTracerProvider.builder()
                .addSpanProcessor(BatchSpanProcessor.builder(otlpGrpcSpanExporterBuilder.build()).build())
                .setResource(Resource.getDefault().merge(serviceNameResource))
                .build();

        openTelemetry = OpenTelemetrySdk.builder()
                .setTracerProvider(sdkTracerProvider)
                .setPropagators(ContextPropagators.create(W3CTraceContextPropagator.getInstance()))
                .build();

Furthermore, is there any plan to add support for honoring such environment variables in upcoming releases? IMHO, these are defined parameters in the OpenTelemetry spec, so there should be a way to directly provide these to the OpenTelemetry SDK. We have observed that certain attributes are not honored by the Java OpenTelemetry SDK (e.g. OTEL_RESOURCE_ATTRIBUTES, which was fixed in a later version), although Python/Go SDKs honor the attributes.

senthuran16 avatar Feb 16 '24 09:02 senthuran16
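
Added example, not part of the thread and not OpenTelemetry or WSO2 code: one way to apply the programmatically configured SSLContext suggested earlier in the thread, so that the exporter from the snippet above trusts a private collector CA instead of skipping verification. The class and method names, the alias prefix and the CA file path are assumptions, and it assumes an opentelemetry-exporter-otlp version whose builder offers setSslContext.

```java
import io.opentelemetry.exporter.otlp.trace.OtlpGrpcSpanExporter;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name; not part of OpenTelemetry or WSO2 MI.
public final class PrivateCaOtlpExporter {
    // Trust manager that accepts only chains rooted in the CA certificates of one PEM file.
    static X509TrustManager trustOnly(String caPemPath) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty store: the JDK default roots are not trusted
        int count = 0;
        try (InputStream in = Files.newInputStream(Paths.get(caPemPath))) {
            for (Certificate ca : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                trustStore.setCertificateEntry("collector-ca-" + count++, ca);
            }
        }
        if (count == 0) { // fail at startup rather than on the first export
            throw new IllegalArgumentException("no certificates found in " + caPemPath);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Same builder calls as the snippet above, plus the custom SSLContext.
    static OtlpGrpcSpanExporter build(String endpoint, String caPemPath) throws Exception {
        X509TrustManager trustManager = trustOnly(caPemPath);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] {trustManager}, null); // no client certificate
        return OtlpGrpcSpanExporter.builder()
                .setEndpoint(endpoint) // TLS applies only with an https:// endpoint
                .setCompression("gzip")
                .setSslContext(sslContext, trustManager)
                .build();
    }
}
```

addHeader only adds request metadata, which is sent after the TLS handshake has completed, so no header key can change certificate verification. A collector that requires a client certificate would additionally need key managers passed as the first argument of sslContext.init.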

I found a property to view the SSL handshake. If it helps, the property is -Djavax.net.debug=ssl:all. Now I have something to go on.

serrodcal avatar Feb 16 '24 11:02 serrodcal