This repository has been archived by the owner on May 7, 2020. It is now read-only.

Proxy fails to open https/ssl streams #4918

Open
HentschelT opened this issue Jan 14, 2018 · 5 comments

@HentschelT

When creating a Video widget with an encrypted data stream (https), the proxy fails to open the connection, and the log shows:

2018-01-14 00:36:25.841 [DEBUG] [.s.u.c.i.servlet.WebAppServlet:114  ] - Servlet request received!
2018-01-14 00:36:25.843 [DEBUG] [.s.u.c.i.servlet.WebAppServlet:139  ] - reading sitemap demo widgetId null async false poll false
2018-01-14 00:36:26.060 [DEBUG] [.s.u.i.proxy.AsyncProxyServlet:71   ] - 1226592353 rewriting: http://localhost:8080/proxy?sitemap=demo.sitemap&widgetId=00 -> https://webcam1.lpl.org/axis-cgi/mjpg/video.cgi
2018-01-14 00:36:26.064 [DEBUG] [.s.u.i.proxy.AsyncProxyServlet:539  ] - 1226592353 proxying to upstream:
GET /proxy?sitemap=demo.sitemap&widgetId=00 HTTP/1.1
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Referer: http://localhost:8080/classicui/app
Host: localhost:8080
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,de;q=0.8

HttpRequest[GET /axis-cgi/mjpg/video.cgi HTTP/1.1]@6433d5eb

2018-01-14 00:36:27.042 [DEBUG] [.s.u.i.proxy.AsyncProxyServlet:627  ] - 1226592353 proxying failedjavax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:744)
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:114)
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:70)
	at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:90)
	at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:115)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)
	at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:251)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)
	at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
	at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
	at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:593)
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:114)
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:70)

2018-01-14 00:36:27.045 [DEBUG] [.s.u.i.proxy.AsyncProxyServlet:240  ] - 1226592353 proxying complete
2018-01-14 00:36:28.565 [DEBUG] [.s.u.c.i.servlet.WebAppServlet:114  ] - Servlet request received!

The video widget is defined as:
Video encoding="mjpeg" url="https://webcam1.lpl.org/axis-cgi/mjpg/video.cgi"

Cheers,
-Th

@lolodomo
Contributor

I can reproduce, but I am just asking myself if it is normal or not?
This is a question of certificate, I think.
But I agree that this URL is working in Firefox.
Maybe the solution would be to disable the SSL handshake in our Jetty proxy server?

@lolodomo
Contributor

It may be a question of the TLS version or cipher used. I am not expert enough in SSL to analyze that.

@lolodomo
Contributor

For information, if I update the Basic UI code to disable the proxy and use the video URL directly, the video is correctly rendered.

@kaikreuzer
Contributor

> Maybe the solution would be to disable the SSL handshake in our Jetty proxy server ?

We should imho turn off the certificate validation (while of course supporting TLS encrypted communication between ESH and the webcam).

The main use case is to have IP cams in the local network, which most likely won't have a valid certificate anyhow. Failing to verify the certificate should thus not crash the runtime.

We could think about logging a warning, if the validation fails, although that might clutter the logs. Maybe better to introduce an optional "strict mode" in the proxy configuration.

@lolodomo Would you want to have a look?

@lolodomo
Contributor

I already tried but without success.
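
Added example (not part of the issue thread or the project's code): a triage helper that separates a TLS alert sent by the peer, as in the log above, from a certificate check that failed locally in the JVM. The message patterns assume Oracle/OpenJDK 8 JSSE wording, and all function and constant names are hypothetical.

```python
import re

# Message shapes as emitted by the Oracle/OpenJDK 8 JSSE provider (assumption).
RECEIVED_ALERT = re.compile(r"Received fatal alert: (\w+)")
LOCAL_CHECKS = [
    ("trust", re.compile(r"PKIX path (?:building|validation) failed")),
    ("hostname", re.compile(r"No (?:subject alternative|name matching)")),
]
# Alerts a server sends when it objects to a certificate the client presented.
CERT_ALERTS = {"bad_certificate", "unknown_ca", "certificate_unknown",
               "certificate_expired", "certificate_revoked"}
NEGOTIATION_ALERTS = {"handshake_failure", "protocol_version",
                      "insufficient_security"}
HINTS = {
    ("peer", "negotiation"): "server refused what the client offered; compare "
        "TLS versions, cipher suites, SNI and any client-certificate requirement",
    ("peer", "client-cert"): "server rejected the certificate the client sent",
    ("peer", "other"): "server aborted the handshake; look up the alert name",
    ("local", "trust"): "client could not build a chain to a trusted CA",
    ("local", "hostname"): "certificate does not match the requested host",
}

def triage(log_text):
    """Classify a TLS failure in log_text as (origin, category, alert)."""
    for category, pattern in LOCAL_CHECKS:
        if pattern.search(log_text):
            return ("local", category, None)
    match = RECEIVED_ALERT.search(log_text)
    if not match:
        return None
    alert = match.group(1)
    if alert in NEGOTIATION_ALERTS:
        return ("peer", "negotiation", alert)
    if alert in CERT_ALERTS:
        return ("peer", "client-cert", alert)
    return ("peer", "other", alert)

def explain(log_text):
    """Return the hint for the classified failure, or None if none was found."""
    result = triage(log_text)
    return None if result is None else HINTS[result[:2]]

# Two lines taken from the log in this issue.
PAGE_LOG = """proxying failedjavax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure"""
# Constructed line: what a failed local certificate check looks like instead.
CONSTRUCTED_LOG = ("javax.net.ssl.SSLHandshakeException: sun.security.validator."
                   "ValidatorException: PKIX path building failed")
if __name__ == "__main__":
    for name, text in (("issue log", PAGE_LOG), ("constructed", CONSTRUCTED_LOG)):
        print(name, triage(text), "->", explain(text))
```
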
