New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
quarkus.tls.trust-all does not seem to be a build time property #23680
Comments
CC @radcortez |
@manofthepeace I could use some more information. I did find a couple of usages where the config is being read directly. Can you confirm that this was using the REST Client? A reproducer is also welcomed. Thanks! |
Hi @radcortez sorry indeed the information in the OP was limited. I was referring to the rest-client-reactive. Just to be clear. I was happy that it did work, since we did not have to rebuild for somebody to test with a self signed cert, nor we did add to provide a build with that insecure settings hardcoded to true. Would probably be nice to have different config that are runtime for the places where it can work. Added a reproducer here To reproduce;
For some reason I dont understand why in the reproducer I do not see the following;
and I cannot make it work native.. But I can say it does work with our real app which does not call itself like the reproducer. |
In #18777, the configuration moved to be loaded dynamically. @michalszynkiewicz any thoughts? |
Are there any difficulties in having it a runtime property? |
Not at all. Currently, this is inconsistent in REST Clients and the Config documentation, plus the other extensions that use the fixed config at runtime (Keycloack, Kubernetes, Mail Client, OIDC, and Spring Cloud Config). Are we ok to change the configuration behavior for these extensions? |
I don't know... @sberyozkin @cescoffier @geoand ^ |
This is why we are improving TLS config. That work was out on standby due to the duplicated context work. See #17038 |
Ok, lets do the work as part of #17038 |
BTW, ALL TLS related attributes should be runtime and not build-time. There are some nasty details here (often named security) that need runtime adjustment. |
Famous last word since almost a year 🤣 |
Does it still make sense to set |
trust-all and any TLS related properties should be runtime properties. |
Describe the bug
I was trying to do a https call using a self signed cert on my laptop and as expected, I got the
Failed to create SSL connection
error. This is without settingquarkus.tls.trust-all
so it is false by default.Then I just tried running the app the following way;
QUARKUS_TLS_TRUST_ALL=true java -jar target/quarkus-app/quarkus-run.jar
I got the following warning;
But it still worked, in the end the tls call worked so the property ended up true, and working. So it proves the property does work runtime and not only build time. I did test native as well with the same result.
Expected behavior
I expected not being able to change that property at runtime
Actual behavior
Property can be changed at runtime, and is working.
How to Reproduce?
Reproducer: N/A
Steps to reproduce:
Output of
uname -a
orver
Darwin Kernel Version 20.6.0
Output of
java -version
openjdk version "17.0.2" 2022-01-18
GraalVM version (if different from Java)
21.3.1
Quarkus version or git rev
2.7.1
Build tool (ie. output of
mvnw --version
orgradlew --version
)Apache Maven 3.8.4
Additional information
No response
The text was updated successfully, but these errors were encountered: