HTTPS Sender

jaeger-core/src/main/java/io/jaegertracing/Configuration.java

@@ -152,6 +152,12 @@ public class Configuration {
    */
   public static final String JAEGER_TRACEID_128BIT = JAEGER_PREFIX + "TRACEID_128BIT";
 
+  /**
+   *  TLS certificates (in comma-separated BASE64 SHA256 Hash) for certificates pinning,
+   *  used in case of HTTPS communication to the endpoint.
+   */
+  public static final String JAEGER_TLS_CERTIFICATE_PINNING = JAEGER_PREFIX + "TLS_CERTIFICATE_PINNING";
+
   /**
    * The supported trace context propagation formats.
    */
@@ -614,6 +620,11 @@ public static class SenderConfiguration {
      */
     private String authPassword;
 
+    /**
+     * The comma-separated certificate list for the endpoint which is self-signed, for example
+     */
+    private String[] serverCertificateHashes;
+
     public SenderConfiguration() {
     }
 
@@ -647,6 +658,13 @@ public SenderConfiguration withAuthPassword(String password) {
       return this;
     }
 
+    public SenderConfiguration withCertificatePinning(String certs) {
+      if (certs != null) {
+        this.serverCertificateHashes = certs.split(",");
+      }
+      return this;
+    }
+
     /**
      * Returns a sender if one was given when creating the configuration, or attempts to create a sender based on the
      * configuration's state.
@@ -671,13 +689,15 @@ public static SenderConfiguration fromEnv() {
       String authToken = getProperty(JAEGER_AUTH_TOKEN);
       String authUsername = getProperty(JAEGER_USER);
       String authPassword = getProperty(JAEGER_PASSWORD);
+      String certHashes = getProperty(JAEGER_TLS_CERTIFICATE_PINNING);
 
       return new SenderConfiguration()
               .withAgentHost(agentHost)
               .withAgentPort(agentPort)
               .withEndpoint(collectorEndpoint)
               .withAuthToken(authToken)
               .withAuthUsername(authUsername)
+              .withCertificatePinning(certHashes)
               .withAuthPassword(authPassword);
     }
   }

jaeger-crossdock/docker-compose.yml

@@ -8,10 +8,11 @@ services:
             - go
             - java-udp
             - java-http
+            - java-https
             - python
             - nodejs
         environment:
-            - WAIT_FOR=test_driver,go,java-udp,java-http,python,nodejs
+            - WAIT_FOR=test_driver,go,java-udp,java-http,java-https,python,nodejs
             - WAIT_FOR_TIMEOUT=60s
 
             - CALL_TIMEOUT=60s
@@ -27,7 +28,7 @@ services:
             - BEHAVIOR_TRACE=client,s1name,sampled,s2name,s2transport,s3name,s3transport
 
             - AXIS_TESTDRIVER=test_driver
-            - AXIS_SERVICES=java-udp,java-http
+            - AXIS_SERVICES=java-udp,java-http,java-https
 
             - BEHAVIOR_ENDTOEND=testdriver,services
 
@@ -64,11 +65,35 @@ services:
         environment:
             - SENDER=http
 
+    java-https:
+        build: .
+        ports:
+            - "8080-8082"
+        environment:
+            - SENDER=https
+            - COLLECTOR_HOST_PIN="sha256/n6Ovey/sJws9vKJpESmWyQf9Oocak9J51mmPKGm4S0E="
+        depends_on:
+            - jaeger-collector
+
+    jaeger-collector-https-proxy:
+        image: nginx
+        ports:
+            - "14443:14443"
+        volumes:
+            - ./https-proxy/build/proxy.conf:/etc/nginx/conf.d/proxy.conf
+            - ./https-proxy/build/proxy.crt:/etc/nginx/proxy.crt
+            - ./https-proxy/build/proxy.key:/etc/nginx/proxy.key
+        restart: on-failure
+        depends_on:
+            - jaeger-collector
+        command: ["nginx", "-g", "daemon off;"]
+
     test_driver:
         image: jaegertracing/test-driver
         depends_on:
             - jaeger-query
             - jaeger-collector
             - jaeger-agent
+            - jaeger-collector-https-proxy
         ports:
             - "8080"

jaeger-crossdock/https-proxy/authority.crt

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbTCCARSgAwIBAgIJAJXCC2VdhrxqMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMM
+B1RFU1QgQ0EwHhcNMTkwMzA3MTQzODIwWhcNMjkwMzA3MTQzODIwWjASMRAwDgYD
+VQQDDAdURVNUIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAhYnw9zYU0G3
+VZ48nNlT5jAs096pX0zeHM/yxiJe+DS5Yj0EJXM/0A1Of2zqxbyJpaEIFcqTmTTy
+TXCE7I6B6aNTMFEwHQYDVR0OBBYEFLXSxii6ZFvw427zs7ct/B+eHv2QMB8GA1Ud
+IwQYMBaAFLXSxii6ZFvw427zs7ct/B+eHv2QMA8GA1UdEwEB/wQFMAMBAf8wCgYI
+KoZIzj0EAwIDRwAwRAIgBrX7CX8zNoRLAZ48jGcqI8RuNlpkj0S+UShIQjwez3AC
+IGuqhnGb9JZSiZmIQaYdSE6T/sQaX7iDnwEgKGMI8OB7
+-----END CERTIFICATE-----

jaeger-crossdock/https-proxy/authority.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAA24MB8sxrLG1an0nG1DCH6J32iqrtborxFOjdqWNCmoAoGCCqGSM49
+AwEHoUQDQgAEAhYnw9zYU0G3VZ48nNlT5jAs096pX0zeHM/yxiJe+DS5Yj0EJXM/
+0A1Of2zqxbyJpaEIFcqTmTTyTXCE7I6B6Q==
+-----END EC PRIVATE KEY-----

jaeger-crossdock/https-proxy/gen.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [[ $# -ne 2 ]]; then
+    echo usage: $0 '<proxy-name> <forward-target>'
+    exit 1
+fi
+
+SERVER=$1
+FORWARD=$2
+TARGET=build/proxy
+
+# generate secrets
+cd $(dirname $0)
+mkdir -p ./build
+openssl ecparam -genkey -name prime256v1 -out ${TARGET}.key
+openssl req -new -sha256 -key ${TARGET}.key -out ${TARGET}.csr -subj \
+    "/CN=${SERVER}/"
+openssl x509 -req -sha256 -days 1 -CA authority.crt -CAkey authority.key -CAcreateserial -in ${TARGET}.csr -out ${TARGET}.crt
+chmod 644 ${TARGET}.key
+
+# generate nginx settings
+SERVER=${SERVER} FORWARD=${FORWARD} envsubst < "proxy.template.conf" > build/proxy.conf

jaeger-crossdock/https-proxy/proxy.template.conf

@@ -0,0 +1,11 @@
+server {
+    listen 14443 ssl;
+    server_name ${SERVER};
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_certificate /etc/nginx/proxy.crt;
+    ssl_certificate_key /etc/nginx/proxy.key;
+    location / {
+        proxy_pass http://${FORWARD};
+    }
+}

jaeger-crossdock/rules.mk

@@ -5,10 +5,10 @@ JAEGER_COMPOSE_URL=https://raw.githubusercontent.com/jaegertracing/jaeger/master
 XDOCK_JAEGER_YAML=$(PROJECT)/jaeger-docker-compose.yml
 
 .PHONY: crossdock
-crossdock: gradle-compile crossdock-download-jaeger
-	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) kill java-udp java-http
-	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) rm -f java-udp java-http
-	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) build java-udp java-http
+crossdock: gradle-compile crossdock-proxy-secret-gen crossdock-download-jaeger
+	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) kill java-udp java-http java-https
+	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) rm -f java-udp java-http java-https
+	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) build java-udp java-http java-https
 	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) run crossdock
 
 .PHONY: crossdock-fresh
@@ -30,3 +30,7 @@ crossdock-clean:
 .PHONY: crossdock-download-jaeger
 crossdock-download-jaeger:
 	curl -o $(XDOCK_JAEGER_YAML) $(JAEGER_COMPOSE_URL)
+
+.PHONY: crossdock-proxy-secret-gen
+crossdock-proxy-secret-gen:
+	$(PROJECT)/https-proxy/gen.sh jaeger-collector-https-proxy jaeger-collector:14268

jaeger-crossdock/src/main/java/io/jaegertracing/crossdock/JerseyServer.java

@@ -53,6 +53,7 @@ public class JerseyServer {
   private static final String SAMPLING_HOST_PORT = "SAMPLING_HOST_PORT";
   private static final String AGENT_HOST = "AGENT_HOST";
   private static final String COLLECTOR_HOST_PORT = "COLLECTOR_HOST_PORT";
+  private static final String COLLECTOR_HOST_PIN = "COLLECTOR_HOST_PIN";
 
   // TODO should not be static, should be final
   public static Client client;
@@ -125,6 +126,8 @@ public static void main(String[] args) throws Exception {
             new EndToEndBehaviorResource(new EndToEndBehavior(getEvn(SAMPLING_HOST_PORT, "jaeger-agent:5778"),
                 "crossdock-" + serviceName,
                 senderFromEnv(getEvn(COLLECTOR_HOST_PORT, "jaeger-collector:14268"),
+                    getEvn(COLLECTOR_HOST_PORT, "jaeger-collector-https-proxy:14443"),
+                    getEvn(COLLECTOR_HOST_PIN, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="),
                     getEvn(AGENT_HOST, "jaeger-agent")))),
             new HealthResource()));
 
@@ -141,17 +144,23 @@ private static String getEvn(String envName, String defaultValue) {
     return env;
   }
 
-  private static Sender senderFromEnv(String collectorHostPort, String agentHost) {
+  private static Sender senderFromEnv(String collectorHostPort,
+      String collectorHttpsHostPort, String collectorHttpsPin, String agentHost) {
     String senderEnvVar = System.getenv(Constants.ENV_PROP_SENDER_TYPE);
     if ("http".equalsIgnoreCase(senderEnvVar)) {
       return new HttpSender.Builder(String.format("http://%s/api/traces", collectorHostPort))
           .build();
+    } else if ("https".equalsIgnoreCase(senderEnvVar)) {
+      return new HttpSender.Builder(String.format("https://%s/api/traces", collectorHttpsHostPort))
+          .withCertificatePinning(new String[] {collectorHttpsPin})
+          .disableCertVerification()
+          .build();
     } else if ("udp".equalsIgnoreCase(senderEnvVar) || senderEnvVar == null || senderEnvVar.isEmpty()) {
       return new UdpSender(agentHost, 0, 0);
     }
 
     throw new IllegalStateException("Env variable " + Constants.ENV_PROP_SENDER_TYPE
-        + ", is not valid, choose 'udp' or 'http'");
+        + ", is not valid, choose 'udp', 'http' or 'https'");
   }
 
   private static String serviceNameFromEnv() {

jaeger-thrift/src/main/java/io/jaegertracing/thrift/internal/senders/HttpSender.java

@@ -19,8 +19,16 @@
 import io.jaegertracing.thriftjava.Process;
 import io.jaegertracing.thriftjava.Span;
 import java.io.IOException;
+import java.net.URI;
 import java.util.List;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.X509TrustManager;
+import javax.net.ssl.TrustManager;
 import lombok.ToString;
+import okhttp3.CertificatePinner;
 import okhttp3.Credentials;
 import okhttp3.HttpUrl;
 import okhttp3.Interceptor;
@@ -46,6 +54,7 @@ protected HttpSender(Builder builder) {
     if (collectorUrl == null) {
       throw new IllegalArgumentException("Could not parse url.");
     }
+
     this.httpClient = builder.clientBuilder.build();
     this.requestBuilder = new Request.Builder().url(collectorUrl);
   }
@@ -88,6 +97,9 @@ public void send(Process process, List<Span> spans) throws SenderException {
 
   public static class Builder {
     private final String endpoint;
+    private CertificatePinner.Builder certificatePinnerBuilder = new CertificatePinner.Builder();
+    private boolean pinning;
+    private boolean disableVerification = false;
     private int maxPacketSize = ONE_MB_IN_BYTES;
     private Interceptor authInterceptor;
     private OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder();
@@ -119,13 +131,61 @@ public Builder withAuth(String authToken) {
       return this;
     }
 
+    public Builder withCertificatePinning(String sha256certs[] /* comma separated */) {
+      String hostname;
+      try {
+        final URI uri = new URI(endpoint);
+        if ("https".equals(uri.getScheme())) {
+            hostname = uri.getHost();
+            this.pinning = true;
+            for (String cert: sha256certs) {
+              certificatePinnerBuilder.add(hostname, String.format("sha256/%s", cert));
+            }
+        }
+      } finally {
+        return this;
+      }
+    }
+
+    public Builder disableCertVerification() {
+      /* This dangerous operation will only take effect if pinning is used. */
+      this.disableVerification = true;
+      return this;
+    }
+
     public HttpSender build() {
       if (authInterceptor != null) {
         clientBuilder.addInterceptor(authInterceptor);
       }
+      if (pinning) {
+        clientBuilder.certificatePinner(certificatePinnerBuilder.build());
+      }
+      if (disableVerification) {
+        disableCertVerification(clientBuilder);
+      }
       return new HttpSender(this);
     }
 
+    private void disableCertVerification(OkHttpClient.Builder clientBuilder) {
+      try {
+        final TrustManager[] unsafeNoopVerificator = new TrustManager[] {
+            new X509TrustManager() {
+                @Override public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {}
+                @Override public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {}
+                @Override public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+                  return new X509Certificate[0];
+                }
+            }
+        };
+        final SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(null, unsafeNoopVerificator, null);
+        clientBuilder.sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) unsafeNoopVerificator[0]);
+
+      } catch (Exception e) {
+          throw new RuntimeException(e);
+      }
+    }
+
     private Interceptor getAuthInterceptor(final String headerValue) {
       return new Interceptor() {
         @Override

jaeger-thrift/src/main/java/io/jaegertracing/thrift/internal/senders/ThriftSenderFactory.java

@@ -26,6 +26,10 @@ public Sender getSender(Configuration.SenderConfiguration conf) {
         httpSenderBuilder.withAuth(conf.getAuthToken());
       }
 
+      if (null != conf.getServerCertificateHashes() && 0 != conf.getServerCertificateHashes().length) {
+        httpSenderBuilder.withCertificatePinning(conf.getServerCertificateHashes());
+      }
+
       log.debug("Using the HTTP Sender to send spans directly to the endpoint.");
       return httpSenderBuilder.build();
     }

jaeger-thrift/src/test/java/io/jaegertracing/thrift/internal/senders/HttpSenderTest.java

@@ -52,6 +52,7 @@ public void reset() {
     System.clearProperty(Configuration.JAEGER_AUTH_TOKEN);
     System.clearProperty(Configuration.JAEGER_USER);
     System.clearProperty(Configuration.JAEGER_PASSWORD);
+    System.clearProperty(Configuration.JAEGER_TLS_CERTIFICATE_PINNING);
   }
 
   @Override