
Quarkus - websocket client, with quarkus.tls.trust-all=true, does not connect to invalid cert on wss #39925

Closed
tecbea opened this issue Apr 6, 2024 · 12 comments
Labels
area/undertow-websockets area/websockets kind/bug Something isn't working triage/wontfix This will not be worked on

Comments

@tecbea

tecbea commented Apr 6, 2024

Describe the bug

Hi,
using Quarkus 3.8.3, when making a wss client, it gives an assert:

"java.io.IOException: java.util.concurrent.ExecutionException: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

My code:

log.log(Level.INFO, "--------> try connect : " + websocketUri);

// obtain the container-provided WebSocket client and tune its timeouts (values are in seconds here)
WebSocketContainer wsContainer = ContainerProvider.getWebSocketContainer();
wsContainer.setAsyncSendTimeout(asyncSendTimeout * 1000);
wsContainer.setDefaultMaxSessionIdleTimeout(maxIddleTimeout * 1000);
// connect this endpoint instance to the wss:// URI; the TLS handshake fails here
wsContainer.connectToServer(this, config, URI.create(websocketUri));

I have in properties:
quarkus.tls.trust-all=true

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

6.5.0-26-generic #26~22.04.1-Ubuntu

Output of java -version

OpenJDK 64-Bit Server VM GraalVM CE 21.0.2+13.1 (build 21.0.2+13-jvmci-23.1-b30, mixed mode, sharing)

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

mvn 3.8.8

Additional information

No response

@tecbea tecbea added the kind/bug Something isn't working label Apr 6, 2024
@geoand
Contributor

geoand commented Apr 8, 2024

Can you please attach a sample application that behaves as you describe?

Thanks

@geoand geoand added the triage/needs-reproducer We are waiting for a reproducer. label Apr 8, 2024
@tecbea
Author

tecbea commented Apr 9, 2024

Yes, of course.
Example at
https://github.com/tecbea/testquarkus

After 10s the client will try to connect to the wss server in the project.

It will fail:
2024-04-09 21:24:45,230 SEVERE [DlDaemonMain] (executor-thread-1) java.io.IOException: java.util.concurrent.ExecutionException: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

You can see in the application properties:

quarkus.tls.trust-all=true

Question: is this the right way to bypass self-signed certificates?

@geoand geoand removed the triage/needs-reproducer We are waiting for a reproducer. label Apr 10, 2024
@geoand
Contributor

geoand commented Apr 10, 2024

Indeed this WebSocket client does not respect the trust-all property.

We do plan to create a new WebSocket from the ground up at some point in the near future and handling this property will be one thing that will be done there.

@tecbea
Author

tecbea commented Apr 10, 2024

What can I do till then?
Any suggestion to bypass without configuration?

@geoand
Contributor

geoand commented Apr 11, 2024

I have not worked with this old WebSocket stuff so I don't know honestly.

Perhaps @mkouba does

@tecbea
Author

tecbea commented Apr 11, 2024

@mkouba any suggestion please?

@mkouba
Contributor

mkouba commented Apr 12, 2024

> @mkouba any suggestion please?

Unfortunately, I have no idea.

@sberyozkin does it ring a bell?

@tecbea
Author

tecbea commented Apr 12, 2024

Hi, and thanks for the reply.
Sorry guys, but how is this a new version, and it's described as old stuff?
Shouldn't the websockets framework on Quarkus be used?
Best

@SidiBecker

Hi! I'm facing the same situation. Any fix/workaround?

@mkouba
Contributor

mkouba commented Jun 18, 2024

> Hi! I'm facing the same situation. Any fix/workaround?

You might try to use the client API from the quarkus-websockets-next. Unfortunately, the client API is not documented yet. However, the ADR document contains a lot of useful info.

@rokkolesa

I created a workaround for this, utilizing the io.undertow.websockets.WebsocketClientSslProvider.
You can basically define the SSLContext there for every endpoint; you can implement your custom logic.

The below example shows how you can enable the trust-all functionality for a specific websocket client class.
I also created a new property to enable or disable this functionality.
Feel free to implement your own logic here.

package com.acme;

import java.net.URI;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

import javax.net.ssl.SSLContext;

import jakarta.websocket.ClientEndpointConfig;
import jakarta.websocket.Endpoint;

import org.eclipse.microprofile.config.ConfigProvider;

import io.netty.channel.EventLoopGroup;
import io.undertow.websockets.WebsocketClientSslProvider;
import io.vertx.core.net.impl.TrustAllTrustManager;

public class TrustAllWebsocketSslProvider
        implements WebsocketClientSslProvider
{
    // Placeholder for your websocket client class; replace MyWebsocketClient with the real one.
    // The endpoint class is matched so that the trust-all context is handed only to this client.
    private static final Class<?> CLIENT_CLASS = MyWebsocketClient.class;

    private static final SSLContext trustAllSslContext;

    private final boolean websocketTrustAll;

    static
    {
        try
        {
            // a context whose trust manager accepts every server certificate, i.e. no chain validation at all
            trustAllSslContext = SSLContext.getInstance("SSL");
            trustAllSslContext.init(
                    null,
                    new TrustAllTrustManager[]
                    { TrustAllTrustManager.INSTANCE },
                    new SecureRandom()
            );

        }
        catch (NoSuchAlgorithmException | KeyManagementException e)
        {
            throw new RuntimeException(e);
        }

    }

    public TrustAllWebsocketSslProvider()
    {
        // optionally create your own property to disable this trust-all functionality
        websocketTrustAll = ConfigProvider.getConfig()
                .getOptionalValue("websocket-trust-all", Boolean.class)
                .orElse(false);
    }

    @Override
    public SSLContext getSsl(EventLoopGroup worker, Class<?> annotatedEndpoint, URI uri)
    {
        if (websocketTrustAll && annotatedEndpoint == CLIENT_CLASS)
        {
            return trustAllSslContext;
        }
        // null means "no custom context": the client falls back to its default TLS handling
        return null;
    }

    @Override
    public SSLContext getSsl(EventLoopGroup worker, Object annotatedEndpointInstance, URI uri)
    {
        if (websocketTrustAll && CLIENT_CLASS.isInstance(annotatedEndpointInstance))
        {
            return trustAllSslContext;
        }
        return null;
    }

    @Override
    public SSLContext getSsl(EventLoopGroup worker, Endpoint endpoint, ClientEndpointConfig cec, URI uri)
    {
        // this only works if the websocket client class is an instance of Endpoint
        if (websocketTrustAll && CLIENT_CLASS.isInstance(endpoint))
        {
            return trustAllSslContext;
        }
        return null;
    }
}

To make this work, you must create a file called io.undertow.websockets.WebsocketClientSslProvider in the src/main/resources/META-INF/services with the content of the fully-qualified name of your implementation.
In this case this would be com.acme.TrustAllWebsocketSslProvider.


Hope this helps!

@cescoffier
Member

There are 2 approaches (actually, 3 :-))

  1. You want to stay with the Undertow WebSocket client, and yes, it does not use quarkus.tls.trust-all. You can apply the change from @rokkolesa
  2. (Follow up from 1) If you don't want to implement your own SSL context, you can declare a configuration in the TLS registry and use the API to get an SSL Context (See https://quarkus.io/guides/tls-registry-reference#the-registry-api to get the TLS configuration, it has a getSSLContext method).
  3. Use the WebSocket Next client (which is now documented in https://quarkus.io/guides/websockets-next-reference#client-api) which can be configured with the TLS registry and so will handle trust-all.
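An added example, not from this thread or the Quarkus project, that combines option 2 with the provider mechanism from @rokkolesa's comment: the Undertow client takes its SSLContext from a named TLS registry entry backed by a pinned trust store instead of a trust-all manager, so the self-signed server certificate is accepted without disabling chain validation for everything else. The registry entry name ws-client, the PEM path and the createSSLContext() method name are assumptions.

```java
package com.acme;

import java.net.URI;
import java.util.Optional;
import javax.net.ssl.SSLContext;
import jakarta.enterprise.inject.spi.CDI;
import jakarta.websocket.ClientEndpointConfig;
import jakarta.websocket.Endpoint;
import io.netty.channel.EventLoopGroup;
import io.quarkus.tls.TlsConfiguration;
import io.quarkus.tls.TlsConfigurationRegistry;
import io.undertow.websockets.WebsocketClientSslProvider;

// Registered via META-INF/services/io.undertow.websockets.WebsocketClientSslProvider,
// exactly like the trust-all provider above; only the source of the SSLContext differs.
public class RegistryWebsocketSslProvider implements WebsocketClientSslProvider {
    // Name of the TLS registry entry (assumed). Configure it with a pinned trust store, e.g.
    //   quarkus.tls.ws-client.trust-store.pem.certs=certs/server-ca.pem   (assumed path)
    // so only that CA is accepted, instead of quarkus.tls.trust-all=true.
    private static final String TLS_CONFIG_NAME = "ws-client";

    private SSLContext fromRegistry(URI uri) {
        if (!"wss".equalsIgnoreCase(uri.getScheme())) {
            return null; // plain ws:// needs no TLS context
        }
        // ServiceLoader, not CDI, instantiates this class, so look the registry bean up by hand.
        TlsConfigurationRegistry registry = CDI.current().select(TlsConfigurationRegistry.class).get();
        Optional<TlsConfiguration> config = registry.get(TLS_CONFIG_NAME);
        if (config.isEmpty()) {
            return null; // no such entry: leave the client to its default behaviour
        }
        try {
            return config.get().createSSLContext(); // assumed TlsConfiguration method name
        } catch (Exception e) {
            throw new IllegalStateException("Cannot build SSLContext from TLS config " + TLS_CONFIG_NAME, e);
        }
    }

    @Override
    public SSLContext getSsl(EventLoopGroup worker, Class<?> annotatedEndpoint, URI uri) {
        return fromRegistry(uri);
    }
    @Override
    public SSLContext getSsl(EventLoopGroup worker, Object annotatedEndpointInstance, URI uri) {
        return fromRegistry(uri);
    }
    @Override
    public SSLContext getSsl(EventLoopGroup worker, Endpoint endpoint, ClientEndpointConfig cec, URI uri) {
        return fromRegistry(uri);
    }
}
```

Because the trust store lists only the server's CA (or the self-signed certificate itself), any other certificate still fails PKIX path building, which is the failure mode a trust-all setting silently hides.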

@cescoffier cescoffier closed this as not planned Won't fix, can't repro, duplicate, stale Oct 23, 2024
@cescoffier cescoffier added the triage/wontfix This will not be worked on label Oct 23, 2024