mp-rest-client ignores SSL configuration #4692

Closed
olotenko opened this issue Jan 18, 2021 · 1 comment · Fixed by #4724
@olotenko

bc67ee3#r46079691

When configuring MP REST Client:

book-service/mp-rest/url: https://127.0.0.1:8480
book-service/mp-rest/trustStore: classpath:keystore.p12
book-service/mp-rest/trustStoreType: PKCS12
book-service/mp-rest/trustStorePassword: password
book-service/mp-rest/hostnameVerifier: org.org.AcceptAnyHostname
book-service/mp-rest/providers:
   - org.glassfish.jersey.netty.connector.NettyConnectorProvider

The TLS configuration is totally ignored. This is caused by the fact that the routine that applies the configuration is in RestClientBuilderImpl.

This seems to be the correct way, and correct order:

diff --git a/ext/microprofile/mp-rest-client/src/main/java/org/glassfish/jersey/microprofile/restclient/RestClientBuilderImpl.java b/ext/microprofile/mp-rest-client/src/main/java/org/glassfish/jers
ey/microprofile/restclient/RestClientBuilderImpl.java
index 16abf1fae..c1e1e58d1 100644
--- a/ext/microprofile/mp-rest-client/src/main/java/org/glassfish/jersey/microprofile/restclient/RestClientBuilderImpl.java
+++ b/ext/microprofile/mp-rest-client/src/main/java/org/glassfish/jersey/microprofile/restclient/RestClientBuilderImpl.java
@@ -160,37 +160,52 @@ class RestClientBuilderImpl implements RestClientBuilder {
         //sort all AsyncInvocationInterceptorFactory by priority
         asyncInterceptorFactories.sort(Comparator.comparingInt(AsyncInvocationInterceptorFactoryPriorityWrapper::getPriority));
 
+        if (connector != null) {
+            ClientConfig config = new ClientConfig();
+            config.loadFrom(getConfiguration());
+            config.connectorProvider(connector);
+            clientBuilder = clientBuilder.withConfig(config); // apply config...
+        }
+       // override ClientConfig with values that have been set explicitly
         clientBuilder.executorService(new ExecutorServiceWrapper(executorService.get()));

         if (null != sslContext) {
             clientBuilder.sslContext(sslContext);
         }
 
         if (null != sslHostnameVerifier) {
             clientBuilder.hostnameVerifier(sslHostnameVerifier);
         }
 
         if (null != sslTrustStore) {
             clientBuilder.trustStore(sslTrustStore);
         }
 
         if (null != sslKeyStore) {
             clientBuilder.keyStore(sslKeyStore, sslKeyStorePassword);
         }
 
-        Client client;
-        if (connector == null) {
-            client = clientBuilder.build();
-        } else {
-            ClientConfig config = new ClientConfig();
-            config.loadFrom(getConfiguration());
-            config.connectorProvider(connector);
-            client = ClientBuilder.newClient(config);
-        }
+        Client client = clientBuilder.build();
 
         if (client instanceof Initializable) {
             ((Initializable) client).preInitialize();
         }
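
Review bot: the new `if (connector != null)` block at the top of the hunk only fixes the problem because it runs before the `sslContext`, `hostnameVerifier`, `trustStore` and `keyStore` setters, and the comment meant to explain that (`// override ClientConfig with values that have been set explicitly`) is indented one column short and does not say that the order matters. Suggest aligning it and wording it as a constraint: `withConfig(config)` has to precede the explicit setters, otherwise they are lost again, as they were in the removed `ClientBuilder.newClient(config)` branch, which never used `clientBuilder`. The patch as shown touches only `RestClientBuilderImpl.java`; a regression test that builds a client with both a connector provider and a trust store or hostname verifier would keep this ordering from regressing.
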
@jiaxiaguang

    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:331)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:1010)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1079)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1388)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1416)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1400)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:352)
    at org.glassfish.jersey.client.internal.HttpUrlConnector.handleException(HttpUrlConnector.java:544)
    at org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:374)
    at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:266)
    ... 45 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1670)
    ... 61 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:445)
    ... 67 more

After I upgraded the Jersey version from 2.32 to 2.34, the program ran for a period of time and reported the above error. Do you know why?
