Hi Arnaud, 
Thanks for reporting.

Obligatory disclaimer: disabling hostname verification is a very bad idea, 
please don't.

I looked into it and it's a mix of issues actually... ssl-config should be 
improved, but that's not what's causing your error actually.

Since you're on JDK8, hostname verification is built-in and enabled by default.
`ssl-config` aims to enable this on JDK6 where this is not even available.
It does not disable the JDK's check as well – so that's what tripped you up.

In the stack trace you see it's the JDK itself, not the Typesafe ssl-config 
hostname verification blowing up:
      Caused by: java.security.cert.CertificateException: No name matching {REPLACED-URL} found
      at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208)
      at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
      at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
      at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)

I'll look into how we should best handle it in tandem with ssl-config.
For the time being, to disable the JDK built-in you'll have to use the usual 
trick:
http://stackoverflow.com/questions/6031258/java-ssl-how-to-disable-hostname-verification

which you'd apply to Akka client code like this:

import javax.net.ssl.SSLContext
import akka.http.scaladsl.{ Http, HttpsContext }

val ssl = SSLContext.getInstance("SSL")
// configure here... (init the context with your own TrustManager, as in the link above)
val context = HttpsContext(ssl)
Http().superPool(httpsContext = Some(context))

In the meantime, we're working on smoothing out the SSL/TLS experience and 
I'll look into that specifically too.

-- 
Cheers,
Konrad 'ktoso' Malawski
Akka @ Typesafe
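As an added example (not code from this thread, from Akka or from ssl-config), the Scala below shows the two points above from the defender's side: how to tell whether the JDK's built-in check is armed on a given SSLEngine (on JDK 7/8 it runs only when the engine's SSLParameters carry the "HTTPS" endpoint identification algorithm), and an approximation of the name matching that HostnameChecker.matchDNS applies, so you can check offline whether a certificate's SAN names cover the host you connect to before looking at the library. The object and function names and the sample names are constructed here; the matching is a simplification of the JDK rules (complete-label wildcards only, no IP-address handling).

```scala
import java.security.cert.X509Certificate
import javax.net.ssl.{ SSLContext, SSLEngine }
import scala.collection.JavaConverters._

// Added example; not code from the thread, Akka or ssl-config.
object HostnameCheck {

  // JDK 7/8 only run HostnameChecker when the engine's SSLParameters carry the
  // "HTTPS" endpoint identification algorithm; otherwise checkIdentity is skipped.
  def jdkEndpointIdentificationEnabled(engine: SSLEngine): Boolean =
    Option(engine.getSSLParameters.getEndpointIdentificationAlgorithm)
      .exists(_.equalsIgnoreCase("HTTPS"))

  // dNSName entries (GeneralName tag 2) of the SubjectAlternativeName extension.
  // The JDK falls back to the Subject CN only when no dNSName entry is present.
  def dnsNames(cert: X509Certificate): Seq[String] =
    Option(cert.getSubjectAlternativeNames)
      .map(_.asScala.toSeq)
      .getOrElse(Seq.empty)
      .collect { case entry if entry.get(0) == 2 => entry.get(1).asInstanceOf[String] }

  // One certificate name against one host (simplified RFC 2818/6125 rules):
  // case-insensitive; a wildcard is honoured only as the complete leftmost
  // label and never spans a dot, so "*.example.com" does not cover "a.b.example.com".
  def matches(certName: String, host: String): Boolean = {
    val pattern = certName.toLowerCase
    val h = host.toLowerCase
    if (!pattern.startsWith("*.")) pattern == h
    else {
      val suffix = pattern.drop(1)            // "*.example.com" -> ".example.com"
      val label = h.dropRight(suffix.length)  // what the wildcard would stand for
      h.endsWith(suffix) && label.nonEmpty && !label.contains('.')
    }
  }

  def covers(certNames: Seq[String], host: String): Boolean =
    certNames.exists(matches(_, host))

  // Same wording as the JDK's CertificateException when nothing matches.
  def explain(certNames: Seq[String], host: String): String =
    certNames.find(matches(_, host)) match {
      case Some(name) => s"$host: matched by certificate name $name"
      case None       => s"$host: No name matching $host found (certificate names: ${certNames.mkString(", ")})"
    }

  def main(args: Array[String]): Unit = {
    // Constructed sample: names as they might appear in a certificate's SAN extension.
    val certNames = Seq("api.example.com", "*.internal.example.com")
    Seq("api.example.com", "API.example.com", "db.internal.example.com",
        "a.b.internal.example.com", "internal.example.com", "example.com")
      .foreach(host => println(explain(certNames, host)))

    // No network I/O: creating an engine does not connect. A fresh engine has no
    // endpoint identification algorithm; setting "HTTPS" is what arms the JDK check.
    val engine = SSLContext.getDefault.createSSLEngine("api.example.com", 443)
    println(s"fresh engine runs the JDK hostname check: ${jdkEndpointIdentificationEnabled(engine)}")
    val params = engine.getSSLParameters
    params.setEndpointIdentificationAlgorithm("HTTPS")
    engine.setSSLParameters(params)
    println(s"after setting the HTTPS algorithm: ${jdkEndpointIdentificationEnabled(engine)}")
  }
}
```

If `jdkEndpointIdentificationEnabled` returns true for the engine your client uses, a mismatch between `dnsNames(cert)` and the host name you dial will surface exactly as the `No name matching ... found` exception in the trace above, regardless of what `ssl-config.loose.disableHostnameVerification` says; the usual fix is a certificate whose SAN covers the host, or dialing the name the certificate was issued for.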

On 5 January 2016 at 13:32:53, Arnaud Gourlay ([email protected]) wrote:

Hi dear Akka team,

I am currently facing an issue concerning the configuration of SSL when trying 
to disable hostname verification.

Using akka-http 2.0.1 and running on Java 8 with the following config:

akka {
  event-handlers = ["akka.event.Logging$DefaultLogger"]
  loglevel = "INFO"
  log-dead-letters-during-shutdown = false
  log-dead-letters = false

  log-config-on-start = "on" // used to check that the config is loaded
  ssl-config{
    loose {
      disableHostnameVerification = true
    }
  }
}


when doing a GET request to a host having a bad certificate I get the 
following stack trace:

javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1421)
      at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
      at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
      at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
      at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
      at akka.stream.impl.io.SslTlsCipherActor.akka$stream$impl$io$SslTlsCipherActor$$doUnwrap(SslTlsCipherActor.scala:381)
      at akka.stream.impl.io.SslTlsCipherActor.akka$stream$impl$io$SslTlsCipherActor$$doInbound(SslTlsCipherActor.scala:304)
      at akka.stream.impl.io.SslTlsCipherActor$$anonfun$1.apply$mcV$sp(SslTlsCipherActor.scala:240)
      at akka.stream.impl.Pump$class.pump(Transfer.scala:199)
      at akka.stream.impl.io.SslTlsCipherActor.pump(SslTlsCipherActor.scala:45)
      at akka.stream.impl.BatchingInputBuffer.enqueueInputElement(ActorProcessor.scala:90)
      at akka.stream.impl.BatchingInputBuffer$$anonfun$upstreamRunning$1.applyOrElse(ActorProcessor.scala:141)
      at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36)
      at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
      at akka.stream.impl.FanIn$InputBunch$$anonfun$subreceive$1.applyOrElse(FanIn.scala:234)
      at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36)
      at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
      at akka.stream.impl.SubReceive.apply(Transfer.scala:12)
      at scala.PartialFunction$class.applyOrElse(PartialFunction.scala:123)
      at akka.stream.impl.SubReceive.applyOrElse(Transfer.scala:12)
      at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:170)
      at akka.actor.Actor$class.aroundReceive(Actor.scala:467)
      at akka.stream.impl.io.SslTlsCipherActor.aroundReceive(SslTlsCipherActor.scala:45)
      at akka.actor.ActorCell.receiveMessage(ActorCell.scala:516)
      at akka.actor.ActorCell.invoke(ActorCell.scala:487)
      at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:238)
      at akka.dispatch.Mailbox.run(Mailbox.scala:220)
      at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:397)
      at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
      at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
      at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
      at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
      at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
      at sun.security.ssl.Handshaker$1.run(Handshaker.java:909)
      at sun.security.ssl.Handshaker$1.run(Handshaker.java:906)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1359)
      at akka.stream.impl.io.SslTlsCipherActor.runDelegatedTasks(SslTlsCipherActor.scala:416)
      at akka.stream.impl.io.SslTlsCipherActor.akka$stream$impl$io$SslTlsCipherActor$$doUnwrap(SslTlsCipherActor.scala:385)
      ... 26 more
      Caused by: java.security.cert.CertificateException: No name matching {REPLACED-URL} found
      at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208)
      at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
      at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
      at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1465)
      ... 34 more


I believe this change was introduced by 
https://github.com/akka/akka/pull/19219/files but I do not understand why 
disableHostnameVerification is not handled by akka-http in my case.

It looks like I am missing something, could someone help me out?

Thanks!

Arnaud

--
>>>>>>>>>> Read the docs: http://akka.io/docs/
>>>>>>>>>> Check the FAQ: 
>>>>>>>>>> http://doc.akka.io/docs/akka/current/additional/faq.html
>>>>>>>>>> Search the archives: https://groups.google.com/group/akka-user
---
You received this message because you are subscribed to the Google Groups "Akka 
User List" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/akka-user.
For more options, visit https://groups.google.com/d/optout.
