Hi Konrad,

Thanks for the quick reply and the obligatory disclaimer :)

I previously tried this Stack Overflow link, but I could not manually feed an 
HttpsContext, as akka-http is actually used behind the scenes by one of the 
libraries in my project.

That means that this very library will have to expose the SSL config in 
its interface and forward it to the underlying client instance.

I now understand the purpose of `ssl-config` and indeed it would be great 
if it could be used to tweak the SSL knobs while being agnostic to the 
JDK's version.

Thanks for the hard work.

Cheers,

Arnaud

On Tuesday, January 5, 2016 at 2:36:27 PM UTC+1, Konrad Malawski wrote:
>
> Hi Arnaud, 
> Thanks for reporting.
>
> Obligatory disclaimer: disabling hostname verification is a very bad idea, 
> please don't.
>
> I looked into it and it's a mix of issues actually... ssl-config should be 
> improved, but that's not what's causing your error actually.
>
> Since you're on JDK8, hostname verification is built-in and enabled by 
> default.
> `ssl-config` aims to enable this on JDK6 where this is not even available.
> It does not disable the JDK's check as well – so that's what tripped you 
> up.
>
> In the stacktrace you see it's the JDK itself, not the typesafe ssl-config 
> hostname verification blowing up:
>
>       Caused by: java.security.cert.CertificateException: No name matching {REPLACED-URL} found
>       at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208)
>       at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
>       at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>       at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>
>
> I'll look into how we should best handle it in tandem with ssl-config.
> For the time being, to disable the JDK built-in you'll have to use the 
> usual trick:
>
> http://stackoverflow.com/questions/6031258/java-ssl-how-to-disable-hostname-verification
>
> which you'd apply to Akka client code like this:
>
> import javax.net.ssl.SSLContext
> import akka.http.scaladsl.{ Http, HttpsContext }
>
> val ssl = SSLContext.getInstance("SSL")
> // configure here...
> private val context = HttpsContext(ssl)
> Http().superPool(httpsContext = Some(context))
>
> In the mean time, we're working on smoothing out the SSL/TLS experience 
> and I'll look into that specifically too.
>
> -- 
> Cheers,
> Konrad 'ktoso' Malawski
> Akka <http://akka.io> @ Typesafe <http://typesafe.com>
>
> On 5 January 2016 at 13:32:53, Arnaud Gourlay ([email protected]) wrote:
>
> Hi dear Akka team, 
>
> I am currently facing an issue concerning the configuration of SSL when 
> trying to disable hostname verification.
>
> Using akka-http 2.0.1 and running on java 8 with the following config
>
> akka {
>   event-handlers = ["akka.event.Logging$DefaultLogger"]
>   loglevel = "INFO"
>   log-dead-letters-during-shutdown = false
>   log-dead-letters = false
>
>   log-config-on-start = "on" // used to check that the config is loaded
>   ssl-config{
>     loose {
>       disableHostnameVerification = true
>     }
>   }
> }
>
>
>
> when doing a GET request to a host having a bad certificate I get the 
> following stack-trace
>
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>       at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1421)
>       at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>       at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
>       at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>       at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>       at akka.stream.impl.io.SslTlsCipherActor.akka$stream$impl$io$SslTlsCipherActor$$doUnwrap(SslTlsCipherActor.scala:381)
>       at akka.stream.impl.io.SslTlsCipherActor.akka$stream$impl$io$SslTlsCipherActor$$doInbound(SslTlsCipherActor.scala:304)
>       at akka.stream.impl.io.SslTlsCipherActor$$anonfun$1.apply$mcV$sp(SslTlsCipherActor.scala:240)
>       at akka.stream.impl.Pump$class.pump(Transfer.scala:199)
>       at akka.stream.impl.io.SslTlsCipherActor.pump(SslTlsCipherActor.scala:45)
>       at akka.stream.impl.BatchingInputBuffer.enqueueInputElement(ActorProcessor.scala:90)
>       at akka.stream.impl.BatchingInputBuffer$$anonfun$upstreamRunning$1.applyOrElse(ActorProcessor.scala:141)
>       at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36)
>       at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
>       at akka.stream.impl.FanIn$InputBunch$$anonfun$subreceive$1.applyOrElse(FanIn.scala:234)
>       at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36)
>       at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
>       at akka.stream.impl.SubReceive.apply(Transfer.scala:12)
>       at scala.PartialFunction$class.applyOrElse(PartialFunction.scala:123)
>       at akka.stream.impl.SubReceive.applyOrElse(Transfer.scala:12)
>       at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:170)
>       at akka.actor.Actor$class.aroundReceive(Actor.scala:467)
>       at akka.stream.impl.io.SslTlsCipherActor.aroundReceive(SslTlsCipherActor.scala:45)
>       at akka.actor.ActorCell.receiveMessage(ActorCell.scala:516)
>       at akka.actor.ActorCell.invoke(ActorCell.scala:487)
>       at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:238)
>       at akka.dispatch.Mailbox.run(Mailbox.scala:220)
>       at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:397)
>       at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
>       at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
>       at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
>       at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
>       Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>       at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
>       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
>       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
>       at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
>       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:909)
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:906)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1359)
>       at akka.stream.impl.io.SslTlsCipherActor.runDelegatedTasks(SslTlsCipherActor.scala:416)
>       at akka.stream.impl.io.SslTlsCipherActor.akka$stream$impl$io$SslTlsCipherActor$$doUnwrap(SslTlsCipherActor.scala:385)
>       ... 26 more
>       Caused by: java.security.cert.CertificateException: No name matching {REPLACED-URL} found
>       at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208)
>       at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
>       at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>       at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>       at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
>       at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
>       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1465)
>       ... 34 more
>
>
> I believe this change was introduced by 
> https://github.com/akka/akka/pull/19219/files but I do not understand 
> why disableHostnameVerification is not handled by akka-http in my case.
>
> It looks like I am missing something, could someone help me out?
>
> Thanks!
>
> Arnaud
>
>
>
>
>
> --
> >>>>>>>>>> Read the docs: http://akka.io/docs/
> >>>>>>>>>> Check the FAQ: 
> http://doc.akka.io/docs/akka/current/additional/faq.html
> >>>>>>>>>> Search the archives: https://groups.google.com/group/akka-user
> ---
> You received this message because you are subscribed to the Google Groups 
> "Akka User List" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/akka-user.
> For more options, visit https://groups.google.com/d/optout.
>
>
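
The `No name matching ... found` failure discussed in this thread comes from the JDK comparing the requested host against the DNS names in the server certificate. As an added example (not code from the thread, akka-http, ssl-config or the JDK), the Scala sketch below applies a simplified RFC 6125-style rule to a constructed SAN list, which helps diagnose which name the certificate or the client URL should carry. The object and function names are hypothetical, and the rule is stricter than the JDK's own `HostnameChecker`.

```scala
// Added example: simplified RFC 6125-style DNS name matching (assumption: a
// wildcard is only honoured as the complete left-most label). Not the JDK's code.
object HostnameMatchExample {

  /** True when `pattern` (a dNSName entry from the certificate) covers `host`. */
  def matchesDnsName(host: String, pattern: String): Boolean = {
    val h = host.toLowerCase.stripSuffix(".").split('.').toList
    val p = pattern.toLowerCase.stripSuffix(".").split('.').toList
    (h, p) match {
      case (_ :: hRest, "*" :: pRest) =>
        // The wildcard stands for exactly one label and never for a bare TLD.
        pRest.size >= 2 && hRest == pRest
      case _ =>
        // Exact, case-insensitive match; reject names with empty labels.
        h == p && !p.contains("")
    }
  }

  /** Certificate names covering `host`; empty is the "No name matching" case. */
  def matchingNames(host: String, sans: Seq[String]): Seq[String] =
    sans.filter(matchesDnsName(host, _))

  def main(args: Array[String]): Unit = {
    // Constructed SAN list of a hypothetical server certificate.
    val sans = Seq("www.example.com", "*.api.example.com")
    // Constructed hosts a client might request. An IP literal never matches a
    // dNSName entry; it would need an iPAddress entry in the certificate.
    val hosts = Seq("www.example.com", "V1.API.example.com", "example.com",
      "a.b.api.example.com", "203.0.113.10")
    for (host <- hosts) {
      val hits = matchingNames(host, sans)
      val verdict =
        if (hits.nonEmpty) s"OK via ${hits.mkString(", ")}"
        else s"No name matching $host found"
      println(f"$host%-22s $verdict")
    }
  }
}
```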
