
Eureka Client over SSL with NoopHostnameVerifier

Open rodrigorodrigues opened this issue 5 years ago • 8 comments

Hi folks,

I'm trying to override the default SSL configuration for the Eureka Client using NoopHostnameVerifier, but for some reason it is still trying to verify the hostname. Could anyone help me with that, please?

I followed the code example from https://github.com/spring-cloud/spring-cloud-netflix/issues/1711#issuecomment-282340580

import java.io.InputStream;
import java.security.KeyStore;

import com.netflix.discovery.DiscoveryClient;
import com.netflix.discovery.EurekaClientConfig;
import com.netflix.discovery.converters.wrappers.CodecWrappers;
import com.netflix.discovery.provider.DiscoveryJerseyProvider;
import com.netflix.discovery.shared.transport.jersey.EurekaJerseyClientImpl;
import com.netflix.discovery.shared.transport.jersey.SSLSocketFactoryAdapter;
import com.netflix.http4.MonitoredConnectionManager;
import com.sun.jersey.api.client.config.ClientConfig;
import com.sun.jersey.api.client.config.DefaultClientConfig;
import com.sun.jersey.client.apache4.config.ApacheHttpClient4Config;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.ssl.SSLContexts;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.io.FileSystemResource;

@Profile("prod")
@Configuration
class SslNoopHostnameVerifierConfiguration {

    @Value("${service.security.trustStorePath:/etc/ssl/truststore.jks}")
    private String trustStorePath;

    @Value("${service.security.trustStorePassword:changeit}")
    private String trustStorePassword;

    @Value("${service.security.trustStoreType:JKS}")
    private String trustStoreType;

    @Value("${server.port:8443}")
    private Integer serverPort;

    @Autowired
    EurekaClientConfig config;

    // Supplies the Jersey transport used by the registry client (DiscoveryClient);
    // this bean does not touch the server-side peer replication client.
    @Bean
    public DiscoveryClient.DiscoveryClientOptionalArgs getTrustStoredEurekaClient()
        throws Exception {
        // Load the dedicated trust store; the stream is closed once the store is read.
        final KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        try (InputStream in = new FileSystemResource(trustStorePath).getInputStream()) {
            trustStore.load(in, trustStorePassword.toCharArray());
        }

        // SSLContext backed by the trust store (self-signed certs accepted);
        // NoopHostnameVerifier turns off hostname matching entirely.
        SSLConnectionSocketFactory systemSocketFactory = new SSLConnectionSocketFactory(
            SSLContexts
                .custom()
                .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
                .build(),
            new NoopHostnameVerifier());

        // Register the socket factory for https on the configured port (legacy SchemeRegistry API).
        SchemeRegistry sslSchemeRegistry = new SchemeRegistry();
        Scheme schema = new Scheme("https", serverPort, new SSLSocketFactoryAdapter(systemSocketFactory));
        sslSchemeRegistry.register(schema);
        String name = "Custom-Discovery-Client";
        MonitoredConnectionManager connectionManager = new MonitoredConnectionManager(name, sslSchemeRegistry);
        ClientConfig clientConfig = new DefaultClientConfig();
        clientConfig.getProperties().put(ApacheHttpClient4Config.PROPERTY_CONNECTION_MANAGER, connectionManager);

        // Codec provider matching the encoder/decoder names from EurekaClientConfig.
        DiscoveryJerseyProvider discoveryJerseyProvider = new DiscoveryJerseyProvider(
            CodecWrappers.getEncoder(config.getEncoderName()),
            CodecWrappers.resolveDecoder(config.getDecoderName(), config.getClientDataAccept()));

        clientConfig.getSingletons().add(discoveryJerseyProvider);

        // Hand the customised Jersey client to DiscoveryClient through its optional args.
        DiscoveryClient.DiscoveryClientOptionalArgs clientOptionalArgs = new DiscoveryClient.DiscoveryClientOptionalArgs();
        clientOptionalArgs.setEurekaJerseyClient(new EurekaJerseyClientImpl(
            config.getEurekaServerConnectTimeoutSeconds() * 1000,
            config.getEurekaServerReadTimeoutSeconds() * 1000,
            config.getEurekaConnectionIdleTimeoutSeconds() * 1000,
            clientConfig));
        return clientOptionalArgs;
    }

}

Exception

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <localhost> doesn't match any of the subject alternative names: [www.spendingbetter.com, spendingbetter.com]
	at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:187) ~[jersey-apache-client4-1.19.1.jar:1.19.1]
	at com.netflix.eureka.cluster.DynamicGZIPContentEncodingFilter.handle(DynamicGZIPContentEncodingFilter.java:48) ~[eureka-core-1.9.8.jar:1.9.8]
	at com.netflix.discovery.EurekaIdentityHeaderFilter.handle(EurekaIdentityHeaderFilter.java:27) ~[eureka-client-1.9.8.jar:1.9.8]
	at com.sun.jersey.api.client.Client.handle(Client.java:652) ~[jersey-client-1.19.1.jar:1.19.1]
	at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682) ~[jersey-client-1.19.1.jar:1.19.1]
	at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) ~[jersey-client-1.19.1.jar:1.19.1]
	at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:570) ~[jersey-client-1.19.1.jar:1.19.1]
	at com.netflix.eureka.transport.JerseyReplicationClient.submitBatchUpdates(JerseyReplicationClient.java:116) ~[eureka-core-1.9.8.jar:1.9.8]
	at com.netflix.eureka.cluster.ReplicationTaskProcessor.process(ReplicationTaskProcessor.java:80) ~[eureka-core-1.9.8.jar:1.9.8]
	at com.netflix.eureka.util.batcher.TaskExecutors$BatchWorkerRunnable.run(TaskExecutors.java:193) [eureka-core-1.9.8.jar:1.9.8]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_212]

Versions: Spring Boot 2.1.2.RELEASE, Spring Cloud Greenwich.RC2

rodrigorodrigues, Jul 29 '19 21:07

AFAIS this isn't a service discovery issue but a peer replication/update issue. And if I'm not mistaken there is no way to bypass SSL verification between peers during replication.

TYsewyn, Jul 30 '19 17:07

There's an open PR for customizing the Jersey client for peer replication.

spencergibb, Jul 30 '19 17:07

@spencergibb can you link the open PR you're referring to?

bberto, Jan 23 '20 16:01

https://github.com/Netflix/eureka/pull/1212

spencergibb, Jan 23 '20 16:01

Thanks. I think it was then merged with #3572. However, I think it doesn't relate to this issue, which is about the SSL configuration of the Jersey client used for peer replication.

The only workaround I found is declaring a bean that extends PeerEurekaNodes and overrides createPeerEurekaNode(). In this way I can create my own JerseyReplicationClient with a client obtained from EurekaJerseyClientBuilder.withCustomSSL().

bberto, Jan 23 '20 17:01
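The workaround described in the comment above, written out as an added example; this is not code from the issue or from the spring-cloud-netflix or Eureka projects. It declares a PeerEurekaNodes bean whose createPeerEurekaNode() builds the replication client from an EurekaJerseyClientBuilder fed with an SSLContext from the dedicated trust store. Assumptions: the auto-configured peerEurekaNodes bean in EurekaServerAutoConfiguration is @ConditionalOnMissingBean, so a user-declared bean of that type replaces it; the property service.security.peerHostnameVerification is hypothetical; EurekaJerseyClientBuilder.withHostnameVerifier() is assumed to exist beside withCustomSSL(); the PeerEurekaNodes, PeerEurekaNode and JerseyReplicationClient constructor signatures are those of eureka-core 1.9.x as seen in the stack trace. Hostname verification stays on by default, and the SSLContext accepts only certificates chaining to the trust store (no TrustSelfSignedStrategy), because once NoopHostnameVerifier is switched on that store is the only check left on the peer.

```java
import java.io.InputStream;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import com.netflix.appinfo.ApplicationInfoManager;
import com.netflix.discovery.EurekaClientConfig;
import com.netflix.discovery.EurekaIdentityHeaderFilter;
import com.netflix.discovery.shared.transport.jersey.EurekaJerseyClient;
import com.netflix.discovery.shared.transport.jersey.EurekaJerseyClientImpl.EurekaJerseyClientBuilder;
import com.netflix.eureka.EurekaServerConfig;
import com.netflix.eureka.EurekaServerIdentity;
import com.netflix.eureka.cluster.PeerEurekaNode;
import com.netflix.eureka.cluster.PeerEurekaNodes;
import com.netflix.eureka.registry.PeerAwareInstanceRegistry;
import com.netflix.eureka.resources.ServerCodecs;
import com.netflix.eureka.transport.JerseyReplicationClient;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.ssl.SSLContexts;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;

// Replaces the auto-configured PeerEurekaNodes (assumed @ConditionalOnMissingBean) so that
// peer replication uses a Jersey client built with our own SSLContext and hostname verifier.
@Configuration
class PeerReplicationSslConfiguration {

    @Value("${service.security.trustStorePath:/etc/ssl/truststore.jks}")
    private String trustStorePath;

    @Value("${service.security.trustStorePassword:changeit}")
    private String trustStorePassword;

    @Value("${service.security.trustStoreType:JKS}")
    private String trustStoreType;

    // Hypothetical property: hostname verification stays on unless explicitly disabled.
    @Value("${service.security.peerHostnameVerification:true}")
    private boolean verifyPeerHostnames;

    @Bean
    public PeerEurekaNodes peerEurekaNodes(PeerAwareInstanceRegistry registry,
                                           EurekaServerConfig eurekaServerConfig,
                                           EurekaClientConfig eurekaClientConfig,
                                           ServerCodecs codecs,
                                           ApplicationInfoManager infoManager) throws Exception {
        final SSLContext sslContext = buildPeerSslContext();
        // With NoopHostnameVerifier the trust store becomes the only check on the peer.
        final HostnameVerifier verifier = verifyPeerHostnames
                ? new DefaultHostnameVerifier()
                : NoopHostnameVerifier.INSTANCE;

        return new PeerEurekaNodes(registry, eurekaServerConfig, eurekaClientConfig, codecs, infoManager) {
            @Override
            protected PeerEurekaNode createPeerEurekaNode(String peerEurekaNodeUrl) {
                String targetHost = hostFromUrl(peerEurekaNodeUrl);
                if (targetHost == null) {
                    targetHost = "host";
                }
                // Same timeouts and pool sizes the stock replication client reads from
                // EurekaServerConfig, plus the custom SSL material.
                EurekaJerseyClient jerseyClient = new EurekaJerseyClientBuilder()
                        .withClientName("Discovery-PeerNodeClient-" + targetHost)
                        .withUserAgent("Java-EurekaClient-Replication")
                        .withEncoderWrapper(codecs.getFullJsonCodec())
                        .withDecoderWrapper(codecs.getFullJsonCodec())
                        .withConnectionTimeout(eurekaServerConfig.getPeerNodeConnectTimeoutMs())
                        .withReadTimeout(eurekaServerConfig.getPeerNodeReadTimeoutMs())
                        .withMaxConnectionsPerHost(eurekaServerConfig.getPeerNodeTotalConnectionsPerHost())
                        .withMaxTotalConnections(eurekaServerConfig.getPeerNodeTotalConnections())
                        .withConnectionIdleTimeout(eurekaServerConfig.getPeerNodeConnectionIdleTimeoutSeconds())
                        .withCustomSSL(sslContext)
                        .withHostnameVerifier(verifier) // assumed builder method, see lead-in
                        .build();
                // Replication requests carry the server identity header, as with the stock client.
                jerseyClient.getClient().addFilter(
                        new EurekaIdentityHeaderFilter(new EurekaServerIdentity(localIp())));
                return new PeerEurekaNode(registry, targetHost, peerEurekaNodeUrl,
                        new JerseyReplicationClient(jerseyClient, peerEurekaNodeUrl), eurekaServerConfig);
            }
        };
    }

    private SSLContext buildPeerSslContext() throws Exception {
        KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        try (InputStream in = new FileSystemResource(trustStorePath).getInputStream()) {
            trustStore.load(in, trustStorePassword.toCharArray());
        }
        // No TrustSelfSignedStrategy: only certificates chaining to this store are accepted.
        return SSLContexts.custom().loadTrustMaterial(trustStore, null).build();
    }

    private static String localIp() {
        try {
            return InetAddress.getLocalHost().getHostAddress();
        } catch (UnknownHostException e) {
            return null; // the stock client also passes a null ip when lookup fails
        }
    }
}
```

Overriding the bean this way also replaces Spring Cloud's RefreshablePeerEurekaNodes, so peer URLs are no longer re-read on EnvironmentChangeEvent; if that refresh matters, extend RefreshablePeerEurekaNodes instead and keep the same createPeerEurekaNode() override.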

We could add an extension point to allow a custom Producer<JerseyReplicationClient>

spencergibb, Apr 09 '20 01:04

Hi @spencergibb, if I can help somehow it would be great; I just need to know more details.

rodrigorodrigues, Apr 09 '20 03:04

If this constructor https://github.com/spring-cloud/spring-cloud-netflix/blob/master/spring-cloud-netflix-eureka-server/src/main/java/org/springframework/cloud/netflix/eureka/server/EurekaServerAutoConfiguration.java#L291 had an optional JerseyReplicationClient, we could use it rather than constructing our own.

spencergibb, Apr 09 '20 03:04