Quarkus - websocket client, with quarkus.tls.trust-all=true, does not connect to invalid cert on wss #39925
Comments
Can you please attach a sample application that behaves as you describe? Thanks
Yes, of course. After 10s the client will try to connect to the wss server on the project, and it will fail. You can see in the application properties: quarkus.tls.trust-all=true. Question: is this the good way to bypass sel certificates?
Indeed this WebSocket client does not respect the trust-all property. We do plan to create a new WebSocket from the ground up at some point in the near future and handling this property will be one thing that will be done there.
What can I do till then?
I have not worked with this old WebSocket stuff so I don't know honestly. Perhaps @mkouba does
@mkouba any suggestion pls?
Unfortunately, I have no idea. @sberyozkin does it ring a bell?
Hi, and thanks for the reply
Hi! I'm facing the same situation. Any fix/workaround?
You might try to use the client API from the quarkus-websockets-next. Unfortunately, the client API is not documented yet. However, the ADR document contains a lot of useful info.
I created a workaround for this, utilizing the The below example shows how you can enable the

```java
package com.acme;

import java.net.URI;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.net.ssl.SSLContext;
import jakarta.websocket.ClientEndpointConfig;
import jakarta.websocket.Endpoint;
import org.eclipse.microprofile.config.ConfigProvider;
import io.netty.channel.EventLoopGroup;
import io.undertow.websockets.WebsocketClientSslProvider;
import io.vertx.core.net.impl.TrustAllTrustManager;

public class TrustAllWebsocketSslProvider
    implements WebsocketClientSslProvider
{
    private static final SSLContext trustAllSslContext;
    private final boolean websocketTrustAll;

    static
    {
        try
        {
            trustAllSslContext = SSLContext.getInstance("SSL");
            trustAllSslContext.init(
                null,
                new TrustAllTrustManager[]
                { TrustAllTrustManager.INSTANCE },
                new SecureRandom()
            );
        }
        catch (NoSuchAlgorithmException | KeyManagementException e)
        {
            throw new RuntimeException(e);
        }
    }

    public TrustAllWebsocketSslProvider()
    {
        // optionally create your own property to disable this trust-all functionality
        websocketTrustAll = ConfigProvider.getConfig()
            .getOptionalValue("websocket-trust-all", Boolean.class)
            .orElse(false);
    }

    @Override
    public SSLContext getSsl(EventLoopGroup worker, Class<?> annotatedEndpoint, URI uri)
    {
        if (websocketTrustAll && annotatedEndpoint == <websocket client class>.class)
        {
            return trustAllSslContext;
        }
        return null;
    }

    @Override
    public SSLContext getSsl(EventLoopGroup worker, Object annotatedEndpointInstance, URI uri)
    {
        if (websocketTrustAll && annotatedEndpointInstance instanceof <websocket client class>)
        {
            return trustAllSslContext;
        }
        return null;
    }

    @Override
    public SSLContext getSsl(EventLoopGroup worker, Endpoint endpoint, ClientEndpointConfig cec, URI uri)
    {
        // this only works, if the websocket client class is an instance of Endpoint
        if (websocketTrustAll && endpoint instanceof <websocket client class>)
        {
            return trustAllSslContext;
        }
        return null;
    }
}
```

To make this work, you must create a file called Hope this helps!
There are 2 approaches (actually, 3 :-))
Describe the bug
Hi,
Using Quarkus 3.8.3, when making a wss client, it gives an assert:
"java.io.IOException: java.util.concurrent.ExecutionException: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
My code:
log.log(Level.INFO, "--------> try connect : "+websocketUri);
I have in properties
quarkus.tls.trust-all=true
Expected behavior
No response
Actual behavior
No response
How to Reproduce?
No response
Output of uname -a or ver
6.5.0-26-generic #26~22.04.1-Ubuntu
Output of java -version
OpenJDK 64-Bit Server VM GraalVM CE 21.0.2+13.1 (build 21.0.2+13-jvmci-23.1-b30, mixed mode, sharing)
Quarkus version or git rev
No response
Build tool (ie. output of mvnw --version or gradlew --version)
mvn 3.8.8
Additional information
No response