
Comments (8)

ptaoussanis avatar ptaoussanis commented on May 25, 2024 1

@hoxu I actually took a quick stab at this myself, could you please try [http-kit "2.8.0-SNAPSHOT"] (now on Clojars), and let me know if that resolves your issue?

Thanks!

from http-kit.

ptaoussanis avatar ptaoussanis commented on May 25, 2024 1

> But if it was, I guess one could test that the request throws SSLHandshakeException with a message "unable to find valid certification path to requested target".

That's a good idea, I've added such a test and released v2.8.0-RC1 👍

Cheers!


ptaoussanis avatar ptaoussanis commented on May 25, 2024

@hoxu Thanks for the clear report Heikki, that's very helpful!

This is definitely an unintended breakage. PR welcome (from you or anyone else interested) that includes a fix and test/s for IP requests 👍


hoxu avatar hoxu commented on May 25, 2024

That was quick!

2.8.0-SNAPSHOT seems to fix the project/code I'm working on, great!

The repro code now also returns a different exception:

```
$ clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.8.0-SNAPSHOT"}}}' -M repro.clj
Downloading: http-kit/http-kit/2.8.0-SNAPSHOT/maven-metadata.xml from clojars
Downloading: http-kit/http-kit/2.8.0-SNAPSHOT/http-kit-2.8.0-20240222.135109-5.pom from clojars
Downloading: http-kit/http-kit/2.8.0-SNAPSHOT/http-kit-2.8.0-20240222.135109-5.jar from clojars
{:opts {:method :get, :url https://216.58.209.196}, :error #error {
 :cause unable to find valid certification path to requested target
 :via
 [{:type javax.net.ssl.SSLHandshakeException
   :message PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   :at [sun.security.ssl.Alert createSSLException Alert.java 130]}
  {:type sun.security.validator.ValidatorException
   :message PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   :at [sun.security.validator.PKIXValidator doBuild PKIXValidator.java 388]}
  {:type sun.security.provider.certpath.SunCertPathBuilderException
   :message unable to find valid certification path to requested target
   :at [sun.security.provider.certpath.SunCertPathBuilder build SunCertPathBuilder.java 148]}]
 :trace
 [[sun.security.provider.certpath.SunCertPathBuilder build SunCertPathBuilder.java 148]
  [sun.security.provider.certpath.SunCertPathBuilder engineBuild SunCertPathBuilder.java 129]
  [java.security.cert.CertPathBuilder build CertPathBuilder.java 297]
  [sun.security.validator.PKIXValidator doBuild PKIXValidator.java 383]
  [sun.security.validator.PKIXValidator engineValidate PKIXValidator.java 271]
  [sun.security.validator.Validator validate Validator.java 256]
  [sun.security.ssl.X509TrustManagerImpl checkTrusted X509TrustManagerImpl.java 284]
  [sun.security.ssl.X509TrustManagerImpl checkServerTrusted X509TrustManagerImpl.java 144]
  [sun.security.ssl.CertificateMessage$T13CertificateConsumer checkServerCerts CertificateMessage.java 1296]
  [sun.security.ssl.CertificateMessage$T13CertificateConsumer onConsumeCertificate CertificateMessage.java 1195]
  [sun.security.ssl.CertificateMessage$T13CertificateConsumer consume CertificateMessage.java 1138]
  [sun.security.ssl.SSLHandshake consume SSLHandshake.java 393]
  [sun.security.ssl.HandshakeContext dispatch HandshakeContext.java 476]
  [sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction run SSLEngineImpl.java 1273]
  [sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction run SSLEngineImpl.java 1260]
  [java.security.AccessController doPrivileged AccessController.java 714]
  [sun.security.ssl.SSLEngineImpl$DelegatedTask run SSLEngineImpl.java 1205]
  [org.httpkit.client.HttpsRequest doHandshake HttpsRequest.java 91]
  [org.httpkit.client.HttpClient doRead HttpClient.java 218]
  [org.httpkit.client.HttpClient run HttpClient.java 519]
  [java.lang.Thread run Thread.java 1583]]}}
```


ptaoussanis avatar ptaoussanis commented on May 25, 2024

> 2.8.0-SNAPSHOT seems to fix the project/code I'm working on, great!

Thanks for the confirmation 👍

I'm planning to release v2.8.0-RC1 before the end of this month, which will include the above fix.

> The repro code now also returns a different exception

Just to confirm: my understanding is that the new exception is the correct/expected behaviour. I.e. when connecting to an IP-based host over SSL, the certificate would need to specify that IP address.

Such certificates don't seem to be common, but there seems to be one from CloudFlare at https://1.1.1.1 which I've used in the tests.

Does that agree with your understanding? If so, please feel free to close!

Cheers :-)


hoxu avatar hoxu commented on May 25, 2024

> Just to confirm: my understanding is that the new exception is the correct/expected behaviour. I.e. when connecting to an IP-based host over SSL, the certificate would need to specify that IP address.

Seems correct.

I'm just a bit confused about the behavior of https://1.1.1.1 with 2.7.0 - let me demonstrate:

https://216.58.209.196 (self-signed certificate)

```
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.6.0"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://216.58.209.196\"))"
# 200
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.7.0"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://216.58.209.196\"))"
# javax.net.ssl.SSLHandshakeException "Hostname or IP address is undefined."
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.8.0-SNAPSHOT"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://216.58.209.196\"))"
# javax.net.ssl.SSLHandshakeException "unable to find valid certification path to requested target"
```

https://1.1.1.1

```
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.6.0"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://1.1.1.1\"))"
# 200
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.7.0"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://1.1.1.1\"))"
# 200
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.8.0-SNAPSHOT"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://1.1.1.1\"))"
# 200
```

I would have expected the 2.7.0 case to throw the "Hostname or IP address is undefined." exception.

Does the new test case actually test the problem with 2.7.0 that was fixed?

```
(is (contains? @(hkc/get "https://1.1.1.1") :status)))
```


ptaoussanis avatar ptaoussanis commented on May 25, 2024

> I would have expected the 2.7.0 case to throw the "Hostname or IP address is undefined." exception.

That was my expectation too - good catch, thanks. My best guess for why 2.7 isn't throwing here is that 1.1.1.1 and its certificate are configured to actually accept "1.1.1.1" as a valid SNI hostname. That's probably unusual, but indeed does seem to be possible.

I can't currently find an example of a publicly available certificate that behaves like your privately signed one. Ideas welcome if you know of any, otherwise it might be that if we want to test this properly, we'll have to use a custom certificate which'd be a bit more effort to set up.

PR welcome if you or anyone else feels like looking into that.

Otherwise I'm inclined to proceed with the planned release of 2.8.0-RC1 in the meantime, and someone can hopefully provide a working regression test in the future.

But do please let me know if you have another preference or idea. Cheers :-)

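The two comments above turn on how a TLS client decides that a server certificate is valid for the host it dialled, and why an IP-literal URL is a special case. The rules below are the general ones from RFC 6125 / RFC 5280 (name matching) and RFC 6066 section 3 (SNI carries DNS hostnames only, so no server_name extension is sent for an IP literal); an IP-literal request validates when the certificate carries an iPAddress subjectAltName for that address, which is how a cert served on an address such as 1.1.1.1 can be accepted. This is an added example written for this page, not http-kit's code and not a description of the JDK's internal checker; it works on the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and every certificate in it is constructed (the address 10.0.0.5 is a made-up private IP standing in for the reporter's self-signed case).

```python
# Added example (not http-kit's code): server-certificate name matching for
# DNS hosts versus IP literals, plus the SNI decision, on the dict shape that
# Python's ssl.SSLSocket.getpeercert() returns so it can run offline.
import ipaddress
from typing import Any, Dict, Optional


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals (a bracketed IPv6 literal is accepted too)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def sni_name_for(host: str) -> Optional[str]:
    """RFC 6066 section 3: the SNI HostName carries DNS names only, so a
    client dialling an IP literal sends no server_name extension at all."""
    return None if is_ip_literal(host) else host


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, a single wildcard only
    in the leftmost label, and never a wildcard covering a whole suffix."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: Dict[str, Any], host: str) -> bool:
    """Decide whether `cert` is valid for `host`.

    - An IP-literal host matches only an iPAddress subjectAltName entry; the
      subject CN is never consulted for IPs.
    - A DNS host matches dNSName SANs; the CN is a legacy fallback used only
      when the certificate carries no dNSName SAN at all.
    """
    sans = cert.get("subjectAltName", ())
    if is_ip_literal(host):
        wanted = ipaddress.ip_address(host.strip("[]"))
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        return any(_dns_match(p, host) for p in dns_names)
    for rdn in cert.get("subject", ()):           # CN fallback, DNS hosts only
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, host)
    return False


# Constructed sample certificates in getpeercert() dict shape; not real certs.
CERT_WITH_IP_SAN = {                       # a resolver-style cert listing its IP
    "subject": ((("commonName", "one.one.one.one"),),),
    "subjectAltName": (("DNS", "one.one.one.one"), ("IP Address", "1.1.1.1")),
}
CERT_DNS_ONLY = {                          # typical web cert: dNSName SANs only
    "subject": ((("commonName", "www.google.com"),),),
    "subjectAltName": (("DNS", "www.google.com"),),
}
CERT_CN_IP_NO_SAN = {                      # self-signed, IP only in the CN
    "subject": ((("commonName", "10.0.0.5"),),),   # 10.0.0.5 is a made-up address
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.test"),),),
    "subjectAltName": (("DNS", "*.example.test"),),
}


if __name__ == "__main__":
    for cert, host in [(CERT_WITH_IP_SAN, "1.1.1.1"),
                       (CERT_DNS_ONLY, "216.58.209.196"),
                       (CERT_DNS_ONLY, "www.google.com"),
                       (CERT_CN_IP_NO_SAN, "10.0.0.5"),
                       (CERT_WILDCARD, "api.example.test")]:
        print(f"{host:>18}  sni={str(sni_name_for(host)):>18}  "
              f"matches={cert_matches_host(cert, host)}")
```

Run it and the table shows the three situations in the thread side by side: the IP-SAN certificate is accepted for `1.1.1.1` with no SNI sent, a DNS-only certificate is rejected for `216.58.209.196` even though it is fine for `www.google.com`, and a certificate that carries the IP only in its CN is rejected for that IP, which is why a private deployment of that kind has to trust the certificate explicitly (as the reporter does via a custom SSLEngine) rather than rely on name matching.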

hoxu avatar hoxu commented on May 25, 2024

Unfortunately I don't have any ideas for a public IP that would make a good test case, either. The https://216.58.209.196/ I used is just a random IP for www.google.com, and I have no idea if those IPs are persistent enough for hard-coding into tests.

But if it was, I guess one could test that the request throws SSLHandshakeException with a message "unable to find valid certification path to requested target".

(FWIW, our actual use case is a private IP address with a self-signed certificate with the IP in CN, and we provide a certificate and a key via sslengine - and this case is fixed with 2.8.0-SNAPSHOT.)

Anyway, I'm happy with the fix and from my point of view this can be closed, but I'll leave that up to you.

Thanks for the quick fix and explanations! 🎖️

