Does the WebClient not respect the default JVM SSLContext? #640
Comments
@ealexhaywood Can you try setting |
That didn't work :( it still sends credential-less requests. I'm fine with using an SSL context builder, but it would have been nice to somehow just use the default context provided by the JVM similar to the Apache HttpClient's |
Did you at least enable the SSL?
|
Right, that was kind of my point. I didn't think I would have to set an SSL context since the JDK's native web clients And that did not work unfortunately. |
@rstoyanchev What do you think? ^^^ Should there be some SSL configuration enabled by default for WebClient? |
We could indeed enable security by default on the It looks like this won't solve this particular issue; looking at Netty's codebase, it doesn't seem Netty is looking at |
I meant to post back a while back to show how I configured the HttpClient:

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import io.netty.handler.ssl.SslContextBuilder;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.util.ResourceUtils;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;

// LOGGER (an SLF4J logger) and baseUrl are fields of the surrounding class in the original post
HttpClient httpClient = HttpClient.create().secure(spec -> {
    try {
        // Read the same javax.net.ssl.* properties the JDK's default SSLContext would use
        String keyStoreLocation = System.getProperty("javax.net.ssl.keyStore");
        String keyStorePassword = System.getProperty("javax.net.ssl.keyStorePassword");
        String trustStoreLocation = System.getProperty("javax.net.ssl.trustStore");
        String trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(new FileInputStream(ResourceUtils.getFile(keyStoreLocation)), keyStorePassword.toCharArray());
        // Set up key manager factory to use our key store
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
        // truststore
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(new FileInputStream(ResourceUtils.getFile(trustStoreLocation)), trustStorePassword.toCharArray());
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        spec.sslContext(SslContextBuilder.forClient()
                .keyManager(keyManagerFactory)
                .trustManager(trustManagerFactory)
                .build());
    } catch (Exception e) {
        // If anything above fails, the client is built without this context
        LOGGER.warn("Unable to set SSL Context", e);
    }
});
WebClient webClient = WebClient.builder()
        .baseUrl(baseUrl)
        .clientConnector(new ReactorClientHttpConnector(httpClient))
        .build();
```

Like I said, not a big deal at all. Just would be nice to have :) |
@ealexhaywood Why do you need to do this by yourself? You can delegate that to Netty. I did the following:
|
@violetagg Did you pass those arguments as a In our environment there is a strong preference to use environment variables for configuration instead of arguments. |
@ealexhaywood JVM options |
Right, which is different from setting the |
I have tried by providing the solution and am getting the below error for https://localhost:8080
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common
And I used http://locahost:8080 and am getting the below,
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record |
Sorry my bad. I have set |
Seems like a good solution, but what should I provide in 'path' for the keystore, if my app is a Spring Boot app and it's packed in a jar (or if )? How do I reference my keystore with the relevant path? It seems classpath:client.jks doesn't work, because TrustStoreManager acts like But it worked in @ealexhaywood's manual setup solution, as he uses ResourceUtils.getFile |
I tried that, and the trustStore gets loaded, however the keyStore does not |
|
Hi guys, I know it's a bit late but this is the simplest solution: -Djavax.net.ssl.keyStore=/keystore.jks
Just 2 important things to notice:
You don't need to do any manual SSLContext config anymore. I removed them all and it's working perfectly fine! I hope it helps |
Expected behavior
When I pass keystore/truststore arguments, such as
-Djavax.net.ssl.keyStore=$(KEYSTORE) -Djavax.net.ssl.keyStorePassword=$(PASSWORD) -Djavax.net.ssl.trustStore=$(TRUSTSTORE) -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD) -Djavax.net.ssl.trustStoreType=$(TRUSTSTORE_TYPE)
in the _JAVA_OPTIONS environment variable to the JVM, I expected the WebClient to use the default Java SSLContext.

Actual behavior
It does not use the default SSLContext set by the JVM, resulting in handshake_failures.

Steps to reproduce
Pass a similar _JAVA_OPTIONS variable and try to make a request to a trusted server configured for 2-way TLS. Here's how I am using the web client:

Reactor Netty version
0.8.4.RELEASE

JVM version (e.g. java -version)
openjdk version "11" 2018-09-25
OpenJDK Runtime Environment 18.9 (build 11+28)
OpenJDK 64-Bit Server VM 18.9 (build 11+28, mixed mode)

OS version (e.g. uname -a)
JVM ran in an official openJDK docker container -- openjdk:11-jre-slim