
Https error in AWS Lambda

Open PanAeon opened this issue 7 years ago • 7 comments

scalaj-http version: 2.3.0
Scala version: 2.11

When I try to make a vanilla HTTPS request in AWS Lambda (Java 8 runtime), I get the following error:

invalid key or spec in GCM mode: java.lang.RuntimeException
java.lang.RuntimeException: invalid key or spec in GCM mode
at sun.security.ssl.CipherBox.createExplicitNonce(CipherBox.java:1033)
at sun.security.ssl.OutputRecord.encrypt(OutputRecord.java:248)
at sun.security.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:869)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:857)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:727)
at sun.security.ssl.SSLSocketImpl.sendAlert(SSLSocketImpl.java:2079)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1953)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916)
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1899)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1420)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at scalaj.http.StringBodyConnectFunc.apply(Http.scala:500)
at scalaj.http.StringBodyConnectFunc.apply(Http.scala:497)
at scalaj.http.HttpRequest.scalaj$http$HttpRequest$$doConnection(Http.scala:355)
at scalaj.http.HttpRequest.exec(Http.scala:335)
at scalaj.http.HttpRequest.asString(Http.scala:455)
at java.util.ArrayList.forEach(ArrayList.java:1249)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
Caused by: java.security.InvalidKeyException: No installed provider supports this key: javax.crypto.spec.SecretKeySpec
at javax.crypto.Cipher.chooseProvider(Cipher.java:893)
at javax.crypto.Cipher.init(Cipher.java:1396)
at sun.security.ssl.CipherBox.createExplicitNonce(CipherBox.java:1029)
... 28 more

PanAeon, Oct 17 '17 10:10

This is most likely a problem with the JRE's installed crypto keys. Have you checked to see if the JRE you are running has the "strong crypto" extension jars installed?

dbuschman7, Oct 17 '17 15:10

I'm running the code in AWS Lambda, and I'm almost completely sure they don't have the strong crypto extension jars installed. But since other clients, including the default JVM client, work fine with HTTPS, I suggest making "strong crypto" an opt-out feature. Lambda is a hosted environment, and it's not known when they will implement JRE security extensions, if at all.

PanAeon, Oct 18 '17 11:10

Hi, do you have a code example which reproduces outside of the Lambda environment?


hoffrocket, Oct 18 '17 15:10

No, I don't have one at the moment.

PanAeon, Oct 18 '17 15:10

@PanAeon I think you are missing the real issue here.

I believe that it is not a problem with scalaj-http but a problem with the remote site you are trying to connect to, its crypto requirements and the JVM you are running in. If the remote HTTPS site requires a "strong protocol" like TLS 1.2, then your JVM will need to have strong crypto added to the JRE in order for any client to make an HTTPS connection to it. No client will be able to connect to that site without the JRE "strong" cipher support to handle this.

Find out what the SSL/TLS requirements are for the remote site you are trying to connect to.

dbuschman7, Oct 19 '17 15:10
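
A runtime check for the questions raised in the comments above (is the JRE limited to weak key sizes, and can it initialise AES-GCM at all), written as an added example that is not code from this thread or from scalaj-http. The object name `JceCheck` and its methods are hypothetical; it uses only standard JDK APIs.

```scala
import java.security.Security
import javax.crypto.Cipher
import javax.crypto.spec.{GCMParameterSpec, SecretKeySpec}
import javax.net.ssl.SSLContext
import scala.util.{Failure, Success, Try}

// Hypothetical diagnostic object (not part of scalaj-http): call JceCheck.report()
// from the Lambda handler and read the result in the function's log output.
object JceCheck {

  // Same call that fails in the stack trace: Cipher.init with a SecretKeySpec in GCM mode.
  def gcmInit(keyBits: Int): Try[String] = Try {
    val key = new SecretKeySpec(new Array[Byte](keyBits / 8), "AES") // all-zero test key
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, new Array[Byte](12)))
    cipher.getProvider.getName
  }

  def report(): String = {
    val sb = new StringBuilder
    sb ++= s"java.version=${System.getProperty("java.version")}\n"
    // 128 means limited-strength policy files are in effect; Int.MaxValue means unlimited.
    sb ++= s"max AES key bits=${Cipher.getMaxAllowedKeyLength("AES")}\n"
    sb ++= s"providers=${Security.getProviders.map(_.getName).mkString(", ")}\n"
    for (bits <- Seq(128, 256)) gcmInit(bits) match {
      case Success(p) => sb ++= s"AES-$bits GCM init ok (provider $p)\n"
      case Failure(e) => sb ++= s"AES-$bits GCM init FAILED: $e\n"
    }
    // What the default JSSE client (used by HttpsURLConnection) will offer in its ClientHello.
    val params = SSLContext.getDefault.getDefaultSSLParameters
    sb ++= s"client protocols=${params.getProtocols.mkString(", ")}\n"
    val gcmSuites = params.getCipherSuites.filter(_.contains("_GCM_"))
    sb ++= s"GCM suites offered=${gcmSuites.mkString(", ")}\n"
    sb.toString
  }

  def main(args: Array[String]): Unit = print(report())
}
```

If the 128-bit GCM init fails as well as the 256-bit one, the failure is not explained by key-size policy alone and the provider list is the next thing to compare against a working JVM.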

@PanAeon I ran into the same problem a day ago. I switched from scalaj-http to akka-http. It works perfectly. Code is here.

One problem is the jar file after sbt> assembly is kinda big (mine was 20mb) and I have to increase the Lambda function size. I'm still looking for a workaround with scalaj-http since I prefer no dependencies.

quybeans, Feb 04 '18 06:02

I was not able to duplicate this issue. What region are you running your lambda functions in? I'm running the lambda function which calls an https endpoint from this repo in us-east-1 without issues: https://github.com/hoffrocket/scalaj-http-lambda-test

hoffrocket, Mar 06 '18 16:03