HTTPS Sender

[iori-yja]

Which problem is this PR solving?

• Allow to send to collector via https, even when the collector's https sidecar is self-signed, key-continuity-based backend: HTTPS sender #595
• Related: Allow secure communication between components jaeger#458

Short description of the changes

Added those below:

• Optional Certificate Pinning
• Optional Certificate verification disabling (used only with pinning)
• Integration test over HTTPS

[jpkrohling]

Looks like it failed the checkstyle:

[ant:checkstyle] [ERROR] /home/travis/build/jaegertracing/jaeger-client-java/jaeger-crossdock/src/main/java/io/jaegertracing/crossdock/JerseyServer.java:147: Line is longer than 120 characters (found 140). [LineLength]

https://travis-ci.org/jaegertracing/jaeger-client-java/jobs/503139012#L2534

[iori-yja]

Oh, that was too stupid. I believe it's fixed now.
Also, crossdock check is still broken. It turns out that the cause is Bad Gateway on call to jaeger-collector from its https-proxy, but it seems weird...

[yurishkuro]

Also, crossdock check is still broken. It turns out that the cause is Bad Gateway on call to jaeger-collector from its https-proxy, but it seems weird...

if you found this in the build logs, could you copy them here? Many PRs have been seeing crossdock failures recently, I suspect a common cause.

[iori-yja]

I've added an nginx proxy in the docker-compose.yml. This service's log shows no route to host(pasted below).
For debug purpose, I added host-port mapping (14443:14443) as in the current diff and saw Bad Gateway response from localhost:14443 with my browser (chromium, curl) on the host machine.

% docker-compose -f jaeger-crossdock/docker-compose.yml -f jaeger-crossdock/jaeger-docker-compose.yml logs jaeger-collector-https-proxy
Attaching to jaeger-crossdock_jaeger-collector-https-proxy_1
jaeger-collector-https-proxy_1  | 2019/03/10 11:55:40 [error] 6#6: *1 connect() failed (113: No route to host) while connecting to upstream, client: 192.168.64.8, server: jaeger-collector-https-proxy, request: "POST /api/traces?format=jaeger.thrift HTTP/1.1", upstream: "http://192.168.64.9:14268/api/traces?format=jaeger.thrift", host: "jaeger-collector-https-proxy:14443"
jaeger-collector-https-proxy_1  | 192.168.64.8 - - [10/Mar/2019:11:55:40 +0000] "POST /api/traces?format=jaeger.thrift HTTP/1.1" 502 157 "-" "okhttp/3.9.0" "-"

I don't think the network problem is caused by reporter misconfiguration (as I changed it) because it succeeded to establish a session to the proxy, and also I don't think collector's issue because plain http version (java-http) is able to report to it.

This failure happens very likely but merely it succeeds, if I remember correctly (I couldn't reproduce now).

[iori-yja]

I tried once again which was successful this time (no change).

% make crossdock-clean && make
(snip)
2019/03/10 15:57:22 HTTP: HEAD http://test_driver:8080/
HTTP: Service test_driver:8080 is up

All services are up after 15.10839437s!

Executing Matrix...

...................................................................................................................................

131/131 passed (0/131 skipped)

Tests passed!

% git diff
% docker-compose -f jaeger-crossdock/docker-compose.yml -f jaeger-crossdock/jaeger-docker-compose.yml logs jaeger-collector-https-proxy
Attaching to jaeger-crossdock_jaeger-collector-https-proxy_1
jaeger-collector-https-proxy_1  | 192.168.80.8 - - [10/Mar/2019:15:57:25 +0000] "POST /api/traces?format=jaeger.thrift HTTP/1.1" 202 0 "-" "okhttp/3.9.0" "-"

[codecov]

Codecov Report

Merging #602 into master will increase coverage by 0.12%.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##             master     #602      +/-   ##
============================================
+ Coverage     89.53%   89.66%   +0.12%     
- Complexity      542      563      +21     
============================================
  Files            68       69       +1     
  Lines          1949     2070     +121     
  Branches        251      263      +12     
============================================
+ Hits           1745     1856     +111     
- Misses          129      133       +4     
- Partials         75       81       +6     

Impacted Files	Coverage Δ	Complexity Δ
.../src/main/java/io/jaegertracing/Configuration.java	93.33% <100.00%> (-2.18%)	44.00 <0.00> (ø)
...egertracing/internal/reporters/RemoteReporter.java	85.05% <100.00%> (+2.49%)	7.00 <0.00> (ø)
...rtracing/internal/reporters/CompositeReporter.java	71.42% <0.00%> (-28.58%)	6.00% <0.00%> (-1.00%)
...gertracing/internal/reporters/LoggingReporter.java	81.81% <0.00%> (-9.10%)	4.00% <0.00%> (-1.00%)
...a/io/jaegertracing/internal/utils/RateLimiter.java	94.73% <0.00%> (-5.27%)	5.00% <0.00%> (ø%)
...ernal/baggage/RemoteBaggageRestrictionManager.java	94.91% <0.00%> (-5.09%)	11.00% <0.00%> (+1.00%)	⬇️
...n/java/io/jaegertracing/internal/JaegerTracer.java	88.96% <0.00%> (-0.05%)	26.00% <0.00%> (ø%)
...aegertracing/internal/propagation/BinaryCodec.java	100.00% <0.00%> (ø)	17.00% <0.00%> (?%)
...ain/java/io/jaegertracing/internal/JaegerSpan.java	93.51% <0.00%> (+0.06%)	48.00% <0.00%> (+1.00%)
... and 3 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bb0fa21...4e0a704. Read the comment docs.

[yurishkuro]

Not thrilled with the name. Is it typical to pass certs via env vars? We've recently added many TLS options to Jaeger backend, and the certs are always passed via files.

[iori-yja]

I had three reasons to pass this via environment variable over file.

1. It should be good to be consistent with other reporter configurations most of them can be done via fromEnv() otherwise manipulated with Internal*.
2. This must be SHA256 Hash of Certificate or Public Key (https://square.github.io/okhttp/3.x/okhttp/okhttp3/CertificatePinner.html) so this is kept short.
3. In Lambda, one of the motivations for this, managing environment variables is easier than doing so for file. Environment variables are shown and settable plainly in the console, while files are to be uploaded directly or indirectly (S3) to the console as zipped format.

[yurishkuro]

I feel like this is adding way too much code to the client.

[yurishkuro]

it would be better to support TLS in the collector directly, rather than use nginx, since we already added similar functionality to gRPC:

      --collector.grpc.tls                              Enable TLS
      --collector.grpc.tls.cert string                  Path to TLS certificate file
      --collector.grpc.tls.key string                   Path to TLS key file
      --collector.http-port int                         The HTTP port for the collector service (default 14268)

[iori-yja]

This is nice to have for jaeger, and I may add the option to jaeger soon, but this proxy is for client test for now. I will replace this after --collector.http.tls options are merged.

[yurishkuro]

comment would be useful, what is being queried on port 14269?

[iori-yja]

added.

[yurishkuro]

• should this also include jaeger-collector-https-proxy ?
• I would move these into a make var, to DRY

[yurishkuro]

are these being generated by jaeger-crossdock/https-proxy/gen.sh every time?

[iori-yja]

No, this is root certificate which is used to generate proxy's certificate by gen.sh. Hard-coding is ugly by the way, but sometimes test project includes.

The Public key pin is coded here:
https://github.com/jaegertracing/jaeger-client-java/pull/602/files#diff-9d280e9b01ffb0fc60647fe5d2a8286cR74

[jpkrohling]

Could you please document somewhere how you generated these files?

[iori-yja]

OK, I will.

[yurishkuro]

don't we have that elsewhere?

[iori-yja]

That was my mistake not to remove debug code. I will delete.

[yurishkuro]

method comment?

[iori-yja]

Not intended but should be.

[jpkrohling]

What's the expiration date for this one?

[iori-yja]

Noted in gen.sh

(#602 (comment))

[jpkrohling]

Could you please document somewhere how you generated these files?

[jpkrohling]

The indentation here seems a bit off

[jpkrohling]

I know this is only for testing, but could we have a production-grade configuration here? Like, a secure set of ciphers and options like ssl_prefer_server_ciphers on. This way, we'd be testing with production settings, making sure that all involved components are up to modern standards.

For reference, this is what I used to have on a few servers of mine, which was "current" a couple of years ago:

server {
	listen [::]:443 ssl http2;
	listen 443 ssl http2;
	server_name acme.example.com;
	ssl_certificate /etc/pki/tls/certs/acme.example.com.bundle.cert;
	ssl_certificate_key /etc/pki/tls/private/acme.example.com.key;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # probably needs an update to include TLSv1.3?
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
	add_header Strict-Transport-Security max-age=31536000;
	root /usr/share/nginx/html/acme.example.com;
}

[jpkrohling]

This deserves a log message, even if at debug level (but possibly at info or even warn, as this is called only once)

[iori-yja]

I afraid it isn't, because it is very similar to https://github.com/jaegertracing/jaeger-client-java/pull/602/files/a0607f48cd7370959b8f937a208fdc517a03b82f#diff-3330f8a6420c943a90a1b22b0abd0815R56. But it might be OK to fail earlier than build itself.

[jpkrohling]

Not sure I understood what you mean. The code you linked throw an exception, the code here is swallowing one. Instead of swallowing, we should log it at some level (info in my opinion).

[iori-yja]

The try above the catch is needed because of URI to be constructed by the endpoint which is supplied by the configuration. If the endpoint is invalid, building HttpSender at few lines later would fail. But I agree with that it shouldn't swallow all kind of Exception, so I changed it to catch only URISyntaxException and throw it earlier.

[jpkrohling]

If there's anything wrong, it would be very hard to figure out what is wrong. I see the following possible error conditions:

• Empty chain (bad configuration from the user's part)
• No matches between the hostname and the subject CNs from the chain
• The check failed

It would be good to have an exception thrown with the appropriate message, even if it's a bit more code.

[iori-yja]

CertificateException is thrown when the certificate couldn't be verified by the TrustManager. If another (like default) manager might succeed the verification even after this manager failed, and if it eventually turned to be successful, the connection must be sane.

To follow this (strange?) interface, I throw CertificateException whenever this manager fails to verify the connection.

But probably other exception could be thrown to fail in case of "The check failed" but CN matches including server's chain was empty.

[iori-yja]

But probably other exception could be thrown to fail in case of "The check failed" but CN matches including server's chain was empty.

This is good for trust-on-first-use use-case to print actual pins of the server, because calculating the pin by openssl command is a little bothering.

[jpkrohling]

+1 for having different exceptions for the check failed case

[pavolloffay]

@iori-yja is this ready from your side? @jpkrohling could you please check if your review has been fixed?

[jpkrohling]

This PR is missing some tests, but the actual code looks sane to me.

Tests I'd like to see:

• By default, HTTPS URL should not accept self-signed certs
• HTTPS URL succeeds when the server sends a self-signed cert and acceptSelfSigned() is used
• HTTP + acceptSelfSigned() is noop (or has no bad consequences)

[iori-yja]

Sorry, forgot to check; I will catch up this week

Edit: will add some tests

[iori-yja]

HTTPS URL succeeds when the server sends a self-signed cert and acceptSelfSigned() is used

java-https does this in crossdock tests.

By default, HTTPS URL should not accept self-signed certs

This is the difficult part. How can I set "must-fail" test in crossdock?

HTTP + acceptSelfSigned() is noop (or has no bad consequences)

setTLSCertificatePinning() test does this check, but the name may be misleading. I've changed it to sendPlainHttpWithCertificatePinning().