Sure. Should I open the issue specifically about Apache client and another one for default Java client?

The unexplained thing is why the default Java client isn't working with SNI by default, even though it should in theory (Java 8 sends SNI automatically and by default, according to Oracle docs). The closest thing I found is this: http://stackoverflow.com/questions/30817934/extended-server-name-sni-extension-not-sent-with-jdk1-8-0-but-send-with-jdk1-7 (a possible OpenJDK bug).

A quick dig into JClouds code seems to confirm that setHostnameVerifier() is used so this could be the case.


On 15. 09. 2016 at 12:06, Ignasi Barrera wrote:
Thanks for the feedback and all the details cen!

Would you mind opening an issue in our JIRA so we can track and fix
the Apache driver?



On 15 September 2016 at 11:17, cen <imba...@gmail.com> wrote:
Hi

Default driver and Apache driver failed me but OkHTTP worked.

For Apache, I found a similar bug in Keycloak JIRA:
https://issues.jboss.org/browse/KEYCLOAK-2439

The interesting part is:

"Client adapter uses a deprecated API when setting up HttpClient object in
org.keycloak.adapters.HttpClientBuilder. As a result, a SNI patch which is
part of HttpClient library since version 4.3.2, and which seems to delegate
this part to Java SDK classes, where SNI is automatically set, isn't
activated."

It's a guess on my part but I assume JClouds instantiates the HttpClient in
a way that SNI does not get activated.

I dug more into the Apache driver, and the way SSLSocketFactory is used by
JClouds is very similar to pre-patched Keycloak from that JIRA issue
(according to the pull requests). Might be worth looking into.

Best regards, cen


On 12. 09. 2016 at 21:04, Ignasi Barrera wrote:

Hi!

jclouds supports several HTTP drivers. By default it relies on the Java
HttpURLConnection, but you can also configure it to use the Apache HTTP
client or OkHttp [1]. Using those drivers is as simple as adding the
corresponding Guice module when creating the context (have a look at the
OkHttp driver README for an example [2]), so feel free to use the one that
is better for your use case.

If you need more control over how the HTTP client is configured, you can take
the jclouds Docker API as an example. It configures OkHttp to support
TLS connections. You can have a look at its Docker HTTP module [3] and
create a similar module that initializes the OkHttpClient as needed, and
then pass it to the ContextBuilder when creating the jclouds context.

HTH!

I.

[1] https://github.com/jclouds/jclouds/tree/master/drivers
[2] https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/README.md
[3] https://github.com/jclouds/jclouds/blob/master/apis/docker/src/main/java/org/jclouds/docker/config/DockerHttpApiModule.java

On 12 Sept. 2016 at 7:02 p.m., "cen" <imba...@gmail.com> wrote:

Hi

We have a FakeS3 instance behind a reverse proxy which handles several
subdomains over a single IP. We use a Let's Encrypt certificate to sign the
subdomains. We have the latest Java 8 installed, which has the Let's Encrypt
root in its truststore. However, JClouds fails to connect to our FakeS3
instance over https (http works). We believe it is because TLS SNI is not
supported in JClouds, since this is the most common problem we found other
people having when googling around. I browsed around the org.jclouds.http
package but I was unable to determine what HTTP client JClouds uses
behind the scenes or if it's a custom implementation. Could I get some
feedback on whether my assumptions are correct and how hard it would be to fix
this? This is the stack trace:


PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target connecting to HEAD https://s3.demo.mydomain.com/productname HTTP/1.1
     at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:121)
     at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:90)
     at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:73)
     at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:44)
     at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(DelegatesToInvocationFunction.java:156)
     at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(DelegatesToInvocationFunction.java:123)
     at com.sun.proxy.$Proxy146.bucketExists(Unknown Source)
     at org.jclouds.s3.blobstore.S3BlobStore.containerExists(S3BlobStore.java:131)
     at com.redacted.util.storage.S3Storage.saveBlob(S3Storage.java:42)
     at com.redacted.util.storage.BlobStorageImpl.saveBlob(BlobStorageImpl.java:19)
     at com.redacted.api.rest.v1.resources.ImagesResourceImpl.createTenant(ImagesResourceImpl.java:90)
     at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldSubclass.createTenant$$super(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(TerminalAroundInvokeInvocationContext.java:49)
     at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:77)
     at com.redacted.api.rest.v1.interceptors.ValidatePermissionsInterceptor.checkOwnership(ValidatePermissionsInterceptor.java:63)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
     at org.jboss.weld.interceptor.proxy.NonTerminalAroundInvokeInvocationContext.proceedInternal(NonTerminalAroundInvokeInvocationContext.java:64)
     at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:77)
     at com.redacted.api.rest.v1.interceptors.TransactionalInterceptor.manageTransaction(TransactionalInterceptor.java:34)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
     at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.executeAroundInvoke(InterceptorMethodHandler.java:84)
     at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.executeInterception(InterceptorMethodHandler.java:72)
     at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.invoke(InterceptorMethodHandler.java:56)
     at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecoratorStackMethodHandler.invoke(CombinedInterceptorAndDecoratorStackMethodHandler.java:79)
     at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecoratorStackMethodHandler.invoke(CombinedInterceptorAndDecoratorStackMethodHandler.java:68)
     at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldSubclass.createTenant(Unknown Source)
     at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldClientProxy.createTenant(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81)
     at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:164)
     at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:181)
     at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:158)
     at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:101)
     at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389)
     at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347)
     at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102)
     at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:305)
     at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
     at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
     at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
     at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
     at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
     at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317)
     at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:288)
     at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1110)
     at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:401)
     at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:386)
     at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:335)
     at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:222)
     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:835)
     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1685)
     at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:209)
     at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:244)
     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668)
     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581)
     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:513)
     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1158)
     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511)
     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1090)
     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119)
     at org.eclipse.jetty.server.Server.handle(Server.java:517)
     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:308)
     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:242)
     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
     at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75)
     at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213)
     at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147)
     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654)
     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572)
     at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
     at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1890)
     at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1885)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1884)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1457)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
     at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(JavaUrlHttpCommandExecutorService.java:105)
     at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(JavaUrlHttpCommandExecutorService.java:65)
     at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:99)
     ... 89 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
     at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(JavaUrlHttpCommandExecutorService.java:97)
     ... 91 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
     at sun.security.validator.Validator.validate(Validator.java:260)
     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
     ... 104 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
     ... 110 more


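The check this thread keeps circling around, as an added example that is neither jclouds code nor anything the posters wrote: a small Java 8 probe that handshakes with the reverse proxy twice, once sending SNI and once with the extension deliberately suppressed, and reports which leaf certificate the server actually presented and whether the JVM's default truststore accepted it. A proxy that multiplexes several names on one IP hands out its default certificate when SNI is absent, which is exactly what surfaces as "PKIX path building failed" above. The hostname is taken from the stack trace in the thread and port 443 is assumed; pass your own host as the first argument.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class SniProbe {
    /** Wraps the JVM's default X509TrustManager and remembers the chain the server sent, even when validation then fails. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presented = new X509Certificate[0];
        RecordingTrustManager() throws Exception {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null selects the default cacerts truststore
            delegate = (X509TrustManager) tmf.getTrustManagers()[0];
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            presented = chain;                 // record first, then validate exactly as the JVM would
            delegate.checkServerTrusted(chain, authType);
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** One-line verdict for a handshake to host:443 with SNI sent (true) or suppressed (false). */
    static String probe(String host, boolean sendSni) throws Exception {
        RecordingTrustManager tm = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS"); // fresh context per probe: no session resumption between runs
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            SSLParameters params = socket.getSSLParameters();
            // Java 8 fills in the hostname as SNI when the socket is created from a name; an empty list sends no server_name at all.
            params.setServerNames(sendSni
                    ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                    : Collections.<SNIServerName>emptyList());
            params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 hostname check, as HttpsURLConnection does
            socket.setSSLParameters(params);
            socket.startHandshake();
            return "trusted; leaf=" + tm.presented[0].getSubjectX500Principal();
        } catch (SSLHandshakeException e) {
            String leaf = tm.presented.length > 0 ? tm.presented[0].getSubjectX500Principal().toString() : "(none recorded)";
            return "FAILED: " + e.getMessage() + "; server presented leaf=" + leaf;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "s3.demo.mydomain.com"; // host from the thread's stack trace
        System.out.println("with SNI    : " + probe(host, true));
        System.out.println("without SNI : " + probe(host, false));
    }
}
```

If the first line reports trusted and the second reports a failure with a leaf certificate for some other name, the proxy needs SNI and the failing client (or driver) is not sending it; if both lines fail identically, the problem is the truststore or the chain the proxy serves, not SNI.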
