Comments (8)
@hoxu I actually took a quick stab at this myself, could you please try [http-kit "2.8.0-SNAPSHOT"] (now on Clojars), and let me know if that resolves your issue?
Thanks!
from http-kit.
> But if it was, I guess one could test that the request throws SSLHandshakeException with a message "unable to find valid certification path to requested target".
That's a good idea, I've added such a test and released v2.8.0-RC1 👍
Cheers!
@hoxu Thanks for the clear report Heikki, that's very helpful!
This is definitely an unintended breakage. PR welcome (from you or anyone else interested) that includes a fix and test/s for IP requests 👍
That was quick! 2.8.0-SNAPSHOT seems to fix the project/code I'm working on, great!
The repro code now also returns a different exception:
```
$ clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.8.0-SNAPSHOT"}}}' -M repro.clj
Downloading: http-kit/http-kit/2.8.0-SNAPSHOT/maven-metadata.xml from clojars
Downloading: http-kit/http-kit/2.8.0-SNAPSHOT/http-kit-2.8.0-20240222.135109-5.pom from clojars
Downloading: http-kit/http-kit/2.8.0-SNAPSHOT/http-kit-2.8.0-20240222.135109-5.jar from clojars
{:opts {:method :get, :url https://216.58.209.196}, :error #error {
:cause unable to find valid certification path to requested target
:via
[{:type javax.net.ssl.SSLHandshakeException
:message PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
:at [sun.security.ssl.Alert createSSLException Alert.java 130]}
{:type sun.security.validator.ValidatorException
:message PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
:at [sun.security.validator.PKIXValidator doBuild PKIXValidator.java 388]}
{:type sun.security.provider.certpath.SunCertPathBuilderException
:message unable to find valid certification path to requested target
:at [sun.security.provider.certpath.SunCertPathBuilder build SunCertPathBuilder.java 148]}]
:trace
[[sun.security.provider.certpath.SunCertPathBuilder build SunCertPathBuilder.java 148]
[sun.security.provider.certpath.SunCertPathBuilder engineBuild SunCertPathBuilder.java 129]
[java.security.cert.CertPathBuilder build CertPathBuilder.java 297]
[sun.security.validator.PKIXValidator doBuild PKIXValidator.java 383]
[sun.security.validator.PKIXValidator engineValidate PKIXValidator.java 271]
[sun.security.validator.Validator validate Validator.java 256]
[sun.security.ssl.X509TrustManagerImpl checkTrusted X509TrustManagerImpl.java 284]
[sun.security.ssl.X509TrustManagerImpl checkServerTrusted X509TrustManagerImpl.java 144]
[sun.security.ssl.CertificateMessage$T13CertificateConsumer checkServerCerts CertificateMessage.java 1296]
[sun.security.ssl.CertificateMessage$T13CertificateConsumer onConsumeCertificate CertificateMessage.java 1195]
[sun.security.ssl.CertificateMessage$T13CertificateConsumer consume CertificateMessage.java 1138]
[sun.security.ssl.SSLHandshake consume SSLHandshake.java 393]
[sun.security.ssl.HandshakeContext dispatch HandshakeContext.java 476]
[sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction run SSLEngineImpl.java 1273]
[sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction run SSLEngineImpl.java 1260]
[java.security.AccessController doPrivileged AccessController.java 714]
[sun.security.ssl.SSLEngineImpl$DelegatedTask run SSLEngineImpl.java 1205]
[org.httpkit.client.HttpsRequest doHandshake HttpsRequest.java 91]
[org.httpkit.client.HttpClient doRead HttpClient.java 218]
[org.httpkit.client.HttpClient run HttpClient.java 519]
[java.lang.Thread run Thread.java 1583]]}}
```
> 2.8.0-SNAPSHOT seems to fix the project/code I'm working on, great!
Thanks for the confirmation 👍
I'm planning to release v2.8.0-RC1 before the end of this month, which will include the above fix.
> The repro code now also returns a different exception
Just to confirm: my understanding is that the new exception is the correct/expected behaviour. I.e. when connecting to an IP-based host over SSL, the certificate would need to specify that IP address.
Such certificates don't seem to be common, but there seems to be one from CloudFlare at https://1.1.1.1 which I've used in the tests.
Does that agree with your understanding? If so, please feel free to close!
Cheers :-)
> Just to confirm: my understanding is that the new exception is the correct/expected behaviour. I.e. when connecting to an IP-based host over SSL, the certificate would need to specify that IP address.
Seems correct.
I'm just a bit confused about the behavior of https://1.1.1.1 with 2.7.0 - let me demonstrate:
https://216.58.209.196 (self-signed certificate):

```
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.6.0"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://216.58.209.196\"))"
# 200
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.7.0"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://216.58.209.196\"))"
# javax.net.ssl.SSLHandshakeException "Hostname or IP address is undefined."
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.8.0-SNAPSHOT"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://216.58.209.196\"))"
# javax.net.ssl.SSLHandshakeException "unable to find valid certification path to requested target"
```

https://1.1.1.1:

```
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.6.0"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://1.1.1.1\"))"
# 200
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.7.0"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://1.1.1.1\"))"
# 200
clojure -Sdeps '{:deps {http-kit/http-kit {:mvn/version "2.8.0-SNAPSHOT"}}}' -M -e "(do (require '[org.httpkit.client]) @(org.httpkit.client/get \"https://1.1.1.1\"))"
# 200
```
I would have expected the 2.7.0 case to throw the "Hostname or IP address is undefined." exception.
Does the new test case actually test the problem with 2.7.0 that was fixed?
http-kit/test/org/httpkit/client_test.clj, line 328 in 9605b90
> I would have expected the 2.7.0 case to throw the "Hostname or IP address is undefined." exception.
That was my expectation too - good catch, thanks. My best guess for why 2.7 isn't throwing here is that 1.1.1.1 and its certificate are configured to actually accept "1.1.1.1" as a valid SNI hostname. That's probably unusual, but indeed does seem to be possible.
I can't currently find an example of a publicly available certificate that behaves like your privately signed one. Ideas welcome if you know of any, otherwise it might be that if we want to test this properly, we'll have to use a custom certificate which'd be a bit more effort to set up.
PR welcome if you or anyone else feels like looking into that.
Otherwise I'm inclined to proceed with the planned release of 2.8.0-RC1 in the meantime, and someone can hopefully provide a working regression test in the future.
But do please let me know if you have another preference or idea. Cheers :-)
Unfortunately I don't have any ideas for a public IP that would make a good test case, either. The https://216.58.209.196/ I used is just a random IP for www.google.com, and I have no idea if those IPs are persistent enough for hard-coding into tests.
But if it was, I guess one could test that the request throws SSLHandshakeException with a message "unable to find valid certification path to requested target".
(FWIW, our actual use case is a private IP address with a self-signed certificate with the IP in CN, and we provide a certificate and a key via sslengine - and this case is fixed with 2.8.0-SNAPSHOT.)
Anyway, I'm happy with the fix and from my point of view this can be closed, but I'll leave that up to you.
Thanks for the quick fix and explanations! 🎖️
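The use case in the last comment (a private IP, a self-signed certificate, a custom engine handed to the client through the `:sslengine` request option) can be handled without switching certificate verification off. The following is an added example, not code from the http-kit project or from either commenter: it pins the server's own PEM certificate as the only trusted root and keeps Java's endpoint identification enabled, so the peer address is still matched against the certificate's IP SAN rather than silently accepted. The certificate path, IP address and port are placeholders, and the client key material hoxu mentions is left out for brevity.

```clojure
(ns example.pinned-ip-tls
  (:require [org.httpkit.client :as http])
  (:import [java.io FileInputStream]
           [java.security KeyStore]
           [java.security.cert CertificateFactory]
           [javax.net.ssl SSLContext SSLEngine TrustManagerFactory]))

(defn trust-store-for
  "In-memory KeyStore holding only the server's own (self-signed) certificate,
   so nothing from the JVM's default cacerts is trusted for this connection."
  ^KeyStore [^String pem-path]
  (let [cf   (CertificateFactory/getInstance "X.509")
        cert (with-open [in (FileInputStream. pem-path)]
               (.generateCertificate cf in))
        ks   (KeyStore/getInstance (KeyStore/getDefaultType))]
    (.load ks nil nil)                           ; initialise an empty store
    (.setCertificateEntry ks "pinned-server" cert)
    ks))

(defn pinned-ssl-engine
  "Client SSLEngine that trusts only the pinned certificate. Creating the
   engine with the peer host/port and enabling the HTTPS endpoint
   identification algorithm keeps the identity check in place: for an IP
   literal the JDK matches against iPAddress SANs, not against the CN."
  ^SSLEngine [^String pem-path ^String host port]
  (let [tmf    (doto (TrustManagerFactory/getInstance
                       (TrustManagerFactory/getDefaultAlgorithm))
                 (.init (trust-store-for pem-path)))
        ctx    (doto (SSLContext/getInstance "TLS")
                 (.init nil (.getTrustManagers tmf) nil))
        eng    (.createSSLEngine ctx host (int port))
        params (doto (.getSSLParameters eng)
                 (.setEndpointIdentificationAlgorithm "HTTPS"))]
    (doto eng
      (.setSSLParameters params)
      (.setUseClientMode true))))

(comment
  ;; Placeholder values: the real certificate path and private IP go here.
  @(http/get "https://10.0.0.5/health"
             {:sslengine (pinned-ssl-engine "server.pem" "10.0.0.5" 443)}))
```

With a certificate that carries the IP only in its CN (as in hoxu's setup), this engine fails the handshake on the identity check; reissuing the certificate with an iPAddress SAN is the fix, not weakening the trust manager.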