akka-http: SSL disableHostnameVerification issue


Arnaud Gourlay

Jan 5, 2016, 7:32:49 AM1/5/16
to Akka User List
Hi dear Akka team,

I am currently facing an issue concerning the configuration of SSL when trying to disable hostname verification.

Using akka-http 2.0.1 and running on Java 8 with the following config:

akka {
  event-handlers = ["akka.event.Logging$DefaultLogger"]
  loglevel = "INFO"
  log-dead-letters-during-shutdown = false
  log-dead-letters = false

  log-config-on-start = "on" // used to check that the config is loaded
  ssl-config {
    loose {
      disableHostnameVerification = true
    }
  }
}


When doing a GET request to a host having a bad certificate, I get the following stack trace:

javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1421)
      at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
      at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
      at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
      at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
      at akka.stream.impl.io.SslTlsCipherActor.akka$stream$impl$io$SslTlsCipherActor$$doUnwrap(SslTlsCipherActor.scala:381)
      at akka.stream.impl.io.SslTlsCipherActor.akka$stream$impl$io$SslTlsCipherActor$$doInbound(SslTlsCipherActor.scala:304)
      at akka.stream.impl.io.SslTlsCipherActor$$anonfun$1.apply$mcV$sp(SslTlsCipherActor.scala:240)
      at akka.stream.impl.Pump$class.pump(Transfer.scala:199)
      at akka.stream.impl.io.SslTlsCipherActor.pump(SslTlsCipherActor.scala:45)
      at akka.stream.impl.BatchingInputBuffer.enqueueInputElement(ActorProcessor.scala:90)
      at akka.stream.impl.BatchingInputBuffer$$anonfun$upstreamRunning$1.applyOrElse(ActorProcessor.scala:141)
      at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36)
      at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
      at akka.stream.impl.FanIn$InputBunch$$anonfun$subreceive$1.applyOrElse(FanIn.scala:234)
      at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36)
      at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
      at akka.stream.impl.SubReceive.apply(Transfer.scala:12)
      at scala.PartialFunction$class.applyOrElse(PartialFunction.scala:123)
      at akka.stream.impl.SubReceive.applyOrElse(Transfer.scala:12)
      at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:170)
      at akka.actor.Actor$class.aroundReceive(Actor.scala:467)
      at akka.stream.impl.io.SslTlsCipherActor.aroundReceive(SslTlsCipherActor.scala:45)
      at akka.actor.ActorCell.receiveMessage(ActorCell.scala:516)
      at akka.actor.ActorCell.invoke(ActorCell.scala:487)
      at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:238)
      at akka.dispatch.Mailbox.run(Mailbox.scala:220)
      at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:397)
      at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
      at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
      at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
      at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
      at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
      at sun.security.ssl.Handshaker$1.run(Handshaker.java:909)
      at sun.security.ssl.Handshaker$1.run(Handshaker.java:906)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1359)
      at akka.stream.impl.io.SslTlsCipherActor.runDelegatedTasks(SslTlsCipherActor.scala:416)
      at akka.stream.impl.io.SslTlsCipherActor.akka$stream$impl$io$SslTlsCipherActor$$doUnwrap(SslTlsCipherActor.scala:385)
      ... 26 more
      Caused by: java.security.cert.CertificateException: No name matching {REPLACED-URL} found
      at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208)
      at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
      at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
      at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1465)
      ... 34 more


I believe this change was introduced by https://github.com/akka/akka/pull/19219/files but I do not understand why disableHostnameVerification is not handled by akka-http in my case.

It looks like I am missing something, could someone help me out?

Thanks!

Arnaud
Konrad Malawski

Jan 5, 2016, 8:36:27 AM1/5/16
to akka...@googlegroups.com, Arnaud Gourlay
Hi Arnaud, 
Thanks for reporting.

Obligatory disclaimer: disabling hostname verification is a very bad idea, please don't.

I looked into it and it's a mix of issues actually... ssl-config should be improved, but that's not what's causing your error actually.

Since you're on JDK8, hostname verification is built-in and enabled by default.
`ssl-config` aims to enable this on JDK6 where this is not even available.
It does not disable the JDK's check as well – so that's what tripped you up.

In the stacktrace you see it's the JDK itself, not the typesafe ssl-config hostname verification blowing up:
      Caused by: java.security.cert.CertificateException: No name matching {REPLACED-URL} found
      at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208)
      at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
      at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
      at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)

I'll look into how we should best handle it in tandem with ssl-config.
For the time being, to disable the JDK built-in you'll have to use the usual trick:

which you'd apply to Akka client code like this:

import javax.net.ssl.SSLContext
import akka.http.scaladsl.{ Http, HttpsContext } // import paths as of akka-http 2.0

val ssl = SSLContext.getInstance("SSL")
// configure here: ssl.init(keyManagers, trustManagers, null) must run before the context is used
val context = HttpsContext(ssl)
Http().superPool(httpsContext = Some(context)) // needs an implicit ActorSystem and Materializer in scope
In the meantime, we're working on smoothing out the SSL/TLS experience and I'll look into that specifically too.

-- 
Cheers,
Konrad 'ktoso’ Malawski
Akka @ Typesafe
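As an added illustration (not code from this thread, from Akka or from ssl-config), the Scala below mirrors what the JDK's HostnameChecker in the trace above is doing: it lists the dNSName SAN entries of a certificate and tests the requested host against them, so you can see which names the certificate actually carries before reaching for any "disable" knob. The names in main are constructed samples; the matcher applies the conservative whole-label wildcard rule, whereas the JDK's own matcher is somewhat more permissive about wildcard placement and additionally falls back to the subject CN when the certificate has no dNSName SAN.

```scala
import java.security.cert.X509Certificate
import scala.collection.JavaConverters._

object CertNameCheck {
  // dNSName entries (GeneralName type 2) of the SubjectAlternativeName extension.
  // These are the names the JDK's HostnameChecker.matchDNS walks for HTTPS.
  def sanDnsNames(cert: X509Certificate): Seq[String] =
    Option(cert.getSubjectAlternativeNames).toSeq
      .flatMap(_.asScala)
      .collect { case entry if entry.get(0) == 2 => entry.get(1).asInstanceOf[String] }

  // One SAN entry against the requested host: case-insensitive, and a '*' is only
  // accepted as the whole leftmost label, matching exactly one label, never a bare TLD.
  def dnsNameMatches(pattern: String, host: String): Boolean = {
    val p = pattern.toLowerCase
    val h = host.toLowerCase
    if (!p.contains('*')) p == h
    else {
      val pLabels = p.split('.')
      val hLabels = h.split('.')
      pLabels.length >= 3 && pLabels.head == "*" &&
        pLabels.length == hLabels.length &&
        pLabels.tail.sameElements(hLabels.tail)
    }
  }

  // True when at least one SAN dNSName covers the host; a false here is what surfaces
  // as "No name matching <host> found" in the handshake failure.
  def hostMatchesCert(host: String, cert: X509Certificate): Boolean =
    sanDnsNames(cert).exists(dnsNameMatches(_, host))

  def main(args: Array[String]): Unit = {
    // Constructed sample SAN list standing in for a real certificate's entries.
    val sans = Seq("api.example.test", "*.internal.example.test")
    for (host <- Seq("api.example.test", "db.internal.example.test", "other.example.test"))
      println(s"$host -> ${sans.exists(dnsNameMatches(_, host))}")
  }
}
```

Run hostMatchesCert against the certificate the server actually presents (for example the leaf from SSLSession.getPeerCertificates) to confirm whether the failure is a missing SAN entry, which is fixed on the certificate, not in the client.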

Arnaud Gourlay

Jan 5, 2016, 10:52:39 AM1/5/16
to Akka User List, arnaud....@gmail.com
Hi Konrad,

Thanks for the quick reply and the obligatory disclaimer :)

I previously tried this Stackoverflow link, but I could not manually feed an HttpsContext, as akka-http is actually used behind the scenes by one of the libraries in my project.

That means that this very library will have to expose the SSL config in its interface and forward it to the underlying client instance.

I now understand the purpose of `ssl-config` and indeed it would be great if it could be used to tweak the SSL knobs while being agnostic to the JDK's version.

Thanks for the hard work.

Cheers,

Arnaud