SSL handshake failure for some URLs #1119

Closed
DaspawnW opened this Issue Mar 2, 2018 · 6 comments

DaspawnW commented Mar 2, 2018

Expected Behavior

If I add a trustStore, I would be able to access environments with self-signed certificates.

Current Behavior

I tried to connect to some internal services that use self-signed certificates and also tried to access https://ifconfig.co, which seems to be signed by Let's Encrypt.
When I try to use it in the gateway an exception is thrown:

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459)
	at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:392)
	at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:359)
	at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:342)
	at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1010)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:224)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1354)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
	at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(DefaultChannelPipeline.java:917)
	at io.netty.channel.AbstractChannel$AbstractUnsafe$8.run(AbstractChannel.java:822)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:463)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:886)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:219)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
	at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
	at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:292)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1248)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1159)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1194)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
	... 18 common frames omitted

Steps to Reproduce (for bugs)

  1. Set up an environment as described in the docker-compose tutorial provided on the Gravitee URL
  2. Add an api endpoint that points to https://ifconfig.co
  3. Publish the api
  4. Try to access the endpoint via gateway, now you should see the exception

Context

I tried to find some solution for it, but currently I don't know how to handle the problem.

  • tried to add my own cacerts keystore via -Djavax.net.ssl.trustStore=/opt/graviteeio-gateway/config/cacerts -Djavax.net.ssl.trustStorePassword=changeit
  • tried to enable other protocols -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1
  • tried to add Java Cryptography Extension to JAVA_HOME/jre/lib/security
  • tried to set configuration for gateway:
# Gateway HTTP server
http:
#  port: 8082
#  host: 0.0.0.0
#  idleTimeout: 0
#  tcpKeepAlive: true
#  compressionSupported: false
#  instances: 0
#  secured: false
#  alpn: false
  ssl:
#    clientAuth: false
#    keystore:
#      path: ${gravitee.home}/security/keystore.jks
#      password: secret
    truststore:
      path: /opt/graviteeio-gateway/config/cacerts
      password: changeit

Your Environment

  • graviteeio/gateway:1.14.1
  • Ubuntu 16.04
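The three things the report tries (an explicit trust store, the enabled protocol list, and the JCE unlimited-strength policy) can each be checked from inside the JVM itself before touching the gateway configuration. The probe below is an added example written for this page; it is not code from the issue or from the Gravitee project, and the class name `TlsProbe`, its argument layout and the `ifconfig.co` target used in the usage line are assumptions. It prints what the JVM is able to offer, then attempts a handshake and reports either the negotiated protocol and cipher suite or the alert it received.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * TlsProbe (hypothetical diagnostic, not part of Gravitee):
 * report what this JVM can negotiate and attempt a TLS handshake.
 *
 * Usage: java TlsProbe <host> [port] [truststore.jks] [password]
 */
public class TlsProbe {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TlsProbe <host> [port] [truststore] [password]");
            System.exit(2);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // 1. JCE policy. With the restricted policy the JVM caps AES at 128 bits and
        //    does not enable AES-256 suites; a server that only offers those sends
        //    handshake_failure because there is no common cipher suite.
        int aesMax = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("AES max key length: " + aesMax
                + (aesMax >= 256 ? " (unlimited policy active)" : " (restricted policy)"));

        // 2. Trust store. Either load the one given on the command line explicitly,
        //    or fall back to the JVM default (javax.net.ssl.trustStore or lib/security/cacerts).
        SSLContext ctx;
        if (args.length > 2) {
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            char[] pw = args.length > 3 ? args[3].toCharArray() : null;
            try (FileInputStream in = new FileInputStream(args[2])) {
                ts.load(in, pw);
            }
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            System.out.println("Trust store: " + args[2] + " (" + ts.size() + " entries)");
        } else {
            ctx = SSLContext.getDefault();
            System.out.println("Trust store: JVM default");
        }

        // 3. Enabled versus supported. A suite or protocol the server requires may be
        //    supported by the JVM but not enabled by default.
        SSLSocketFactory factory = ctx.getSocketFactory();
        System.out.println("Enabled protocols: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("Enabled cipher suites:   " + factory.getDefaultCipherSuites().length);
        System.out.println("Supported cipher suites: " + factory.getSupportedCipherSuites().length);

        // 4. Handshake. Hostname verification is switched on explicitly so that a
        //    certificate for the wrong name fails here rather than being silently accepted.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("Negotiated: " + socket.getSession().getProtocol()
                    + " / " + socket.getSession().getCipherSuite());
            System.out.println("Peer: " + socket.getSession().getPeerPrincipal());
        } catch (SSLException e) {
            // "Received fatal alert: handshake_failure" means the server rejected our
            // ClientHello (no common suite/protocol or missing SNI); a
            // "PKIX path building failed" message means the trust store is the problem.
            System.out.println("Handshake failed: " + e);
            System.exit(1);
        }
    }
}
```

Run it with the same JVM and flags the gateway uses, for example `java -Djavax.net.debug=ssl:handshake TlsProbe ifconfig.co 443 /opt/graviteeio-gateway/config/cacerts changeit`; the `javax.net.debug` output shows the exact cipher suites and extensions sent in the ClientHello, which is what a `handshake_failure` alert is reacting to. If the probe succeeds in one JVM and fails in another, the difference is in the JVM (version, JCE policy, or its cacerts) rather than in the gateway configuration, which is the kind of check that distinguishes a trust-store problem from a cipher-suite mismatch.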
NicolasGeraud (Member) commented Mar 2, 2018

Hi @DaspawnW

I've just configured an api following your steps and it works.

$ curl -vv http://localhost:8082/ifconfig
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8082 (#0)
> GET /ifconfig HTTP/1.1
> Host: localhost:8082
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Gravitee-Transaction-Id: 0838dbff-3923-460d-b8db-ff3923660d59
< Server: nginx
< Date: Fri, 02 Mar 2018 08:46:09 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 14
< Connection: keep-alive
< Strict-Transport-Security: max-age=15768000; includeSubdomains; preload
<
xxx.xxx.xxx.xxx
* Connection #0 to host localhost left intact

Do you have a proxy or something else between the gateway and the internet?

DaspawnW commented Mar 2, 2018

Hi @NicolasGeraud,

I have the following architecture:
One instance with management-ui, management-api, MongoDB and Elasticsearch; in front of the UI and API I have an nginx proxy for SSL...
One instance with the gateway; in front of the gateway there is also an nginx proxy with SSL...

We use no proxy (thank god for that)...
Currently I am trying to build my own Docker image; I hope this can fix the issue for us.

[Update]
My own Java 8 Docker image fixed the issue.

@DaspawnW DaspawnW closed this Mar 2, 2018

NicolasGeraud (Member) commented Mar 2, 2018

@DaspawnW you mean that with our Docker image it doesn't work?

What is different between yours and ours?

DaspawnW commented Mar 2, 2018

That's a good question. I don't know; I used them directly from Docker Hub.

NicolasGeraud (Member) commented Mar 2, 2018

@DaspawnW can you give me the Java version of your Ubuntu?

NicolasGeraud (Member) commented Mar 2, 2018

Please try this:

@NicolasGeraud NicolasGeraud added this to the 1.14.2 milestone Mar 2, 2018

@NicolasGeraud NicolasGeraud reopened this Mar 2, 2018

NicolasGeraud added a commit to gravitee-io/gravitee-gateway that referenced this issue Mar 2, 2018

@NicolasGeraud NicolasGeraud self-assigned this Mar 2, 2018

aelamrani added a commit to gravitee-io/gravitee-gateway that referenced this issue Mar 5, 2018
