Posted to user@guacamole.apache.org by Yang Yang <yy...@icloud.com.INVALID> on 2019/07/23 13:12:45 UTC

Disable SSL certificate verification with OpenID Connect Authentication

Hello,

I’m testing OpenID Connect Authentication with HTTPS on, and got the problem below. Could you tell me how to disable SSL certificate verification? Is there an “ssl_verify” flag that I can turn off?

17:11:56.117 [http-nio-8080-exec-2] DEBUG org.jose4j.http.Get - HTTP GET of https://119.3.69.8:8443/auth/realms/Supra/protocol/openid-connect/certs
17:11:56.125 [http-nio-8080-exec-2] INFO  o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present) while obtaining or using keys from JWKS endpoint at https://MY-OIDC-SERVER-URI/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci...34IfpdFF8g
17:11:56.128 [http-nio-8080-exec-2] DEBUG o.a.g.a.o.t.TokenValidationService - Invalid JWT received.
org.jose4j.jwt.consumer.InvalidJwtException: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present) while obtaining or using keys from JWKS endpoint at https://MY-OIDC-SERVER-URI/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci…34IfpdFF8g

Thanks,
Yang

Re: Disable SSL certificate verification with OpenID Connect Authentication

Posted by Yang Yang <yy...@icloud.com.INVALID>.
Hi Nick,

I am testing with self-signed certificates in an internal network, with IP addresses only. Compared with updating the SAN in the server certificate, which is extra work, skipping the certificate validation is preferred. Of course, it is for testing use only.

I followed Ryan’s guide to skip signature verification, and it works for me.

Thanks,
Yang

> On Jul 23, 2019, at 23:36, Nick Couchman <vn...@apache.org> wrote:
> 
> On Tue, Jul 23, 2019 at 9:13 AM Yang Yang <yy8402@icloud.com.invalid> wrote:
> Hello,
> 
> I’m testing OpenID Connect Authentication with HTTPS on, and got the problem below. Could you tell me how to disable SSL certificate verification? Is there an “ssl_verify” flag that I can turn off?
> 
> 17:11:56.117 [http-nio-8080-exec-2] DEBUG org.jose4j.http.Get - HTTP GET of https://119.3.69.8:8443/auth/realms/Supra/protocol/openid-connect/certs
> 17:11:56.125 [http-nio-8080-exec-2] INFO  o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present) while obtaining or using keys from JWKS endpoint at https://MY-OIDC-SERVER-URI/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci...34IfpdFF8g
> 17:11:56.128 [http-nio-8080-exec-2] DEBUG o.a.g.a.o.t.TokenValidationService - Invalid JWT received.
> org.jose4j.jwt.consumer.InvalidJwtException: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present) while obtaining or using keys from JWKS endpoint at https://MY-OIDC-SERVER-URI/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci…34IfpdFF8g
> 
> 
> No, there is no such flag to disable verification, and I doubt you would want it.  The error you're getting isn't because the certificate isn't trusted, it's because it doesn't have all of the information expected - namely, Subject Alternative Names.
> 
> You can make sure that your OID server certificate is added to the Java cacerts keystore, and see if that helps, but I suspect that you need to resolve the issue with the response missing the SAN attribute.
> 
> -Nick


Re: Disable SSL certificate verification with OpenID Connect Authentication

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Jul 23, 2019 at 9:13 AM Yang Yang <yy...@icloud.com.invalid> wrote:

> Hello,
>
> I’m testing OpenID Connect Authentication with HTTPS on, and got the
> problem below. Could you tell me how to disable SSL certificate
> verification? Is there an “ssl_verify” flag that I can turn off?
>
> 17:11:56.117 [http-nio-8080-exec-2] DEBUG org.jose4j.http.Get - HTTP GET
> of https://119.3.69.8:8443/auth/realms/Supra/protocol/openid-connect/certs
> 17:11:56.125 [http-nio-8080-exec-2] INFO
>  o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable
> to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException:
> Unable to find a suitable verification key for JWS w/ header
> {"alg":"RS256","typ" : "JWT","kid" :
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected
> exception (javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: No subject alternative names
> present) while obtaining or using keys from JWKS endpoint at
> https://MY-OIDC-SERVER-URI/openid-connect/certs):
> JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" :
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci...34IfpdFF8g
> 17:11:56.128 [http-nio-8080-exec-2] DEBUG
> o.a.g.a.o.t.TokenValidationService - Invalid JWT received.
> org.jose4j.jwt.consumer.InvalidJwtException: Unable to process JOSE object
> (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable
> verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" :
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected
> exception (javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: No subject alternative names
> present) while obtaining or using keys from JWKS endpoint at
> https://MY-OIDC-SERVER-URI/openid-connect/certs):
> JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" :
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci…34IfpdFF8g
>
>
No, there is no such flag to disable verification, and I doubt you would
want it.  The error you're getting isn't because the certificate isn't
trusted, it's because it doesn't have all of the information expected -
namely, Subject Alternative Names.

You can make sure that your OID server certificate is added to the Java
cacerts keystore, and see if that helps, but I suspect that you need to
resolve the issue with the response missing the SAN attribute.

-Nick

Re: Disable SSL certificate verification with OpenID Connect Authentication

Posted by Yang Yang <yy...@icloud.com.INVALID>.
Thank you very much for the information, Ryan! It worked for me.

Thanks,
Yang

> On Jul 23, 2019, at 21:40, Ryan Underwood <ry...@greymarketlabs.com> wrote:
> 
> For testing and non-production use (or production at your own peril), you can add ".setSkipSignatureVerification()" to your JWTConsumerBuilder in the o.a.g.a.o.t.TokenValidationService of the OpenID extension. That worked for me but may not solve your exact problem. 
> 
> -Ryan
> 
> -----Original Message-----
> From: Yang Yang <yy...@icloud.com.INVALID> 
> Sent: Tuesday, July 23, 2019 9:13 AM
> To: user@guacamole.apache.org
> Subject: Disable SSL certificate verification with OpenID Connect Authentication
> 
> Hello,
> 
> I’m testing OpenID Connect Authentication with HTTPS on, and got the problem below. Could you tell me how to disable SSL certificate verification? Is there an “ssl_verify” flag that I can turn off?
> 
> 17:11:56.117 [http-nio-8080-exec-2] DEBUG org.jose4j.http.Get - HTTP GET of https://119.3.69.8:8443/auth/realms/Supra/protocol/openid-connect/certs
> 17:11:56.125 [http-nio-8080-exec-2] INFO  o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present) while obtaining or using keys from JWKS endpoint at https://MY-OIDC-SERVER-URI/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci...34IfpdFF8g
> 17:11:56.128 [http-nio-8080-exec-2] DEBUG o.a.g.a.o.t.TokenValidationService - Invalid JWT received.
> org.jose4j.jwt.consumer.InvalidJwtException: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present) while obtaining or using keys from JWKS endpoint at https://MY-OIDC-SERVER-URI/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci…34IfpdFF8g
> 
> Thanks,
> Yang
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
> For additional commands, e-mail: user-help@guacamole.apache.org




RE: Disable SSL certificate verification with OpenID Connect Authentication

Posted by Ryan Underwood <ry...@greymarketlabs.com>.
For testing and non-production use (or production at your own peril), you can add ".setSkipSignatureVerification()" to your JWTConsumerBuilder in the o.a.g.a.o.t.TokenValidationService of the OpenID extension. That worked for me but may not solve your exact problem. 

-Ryan

-----Original Message-----
From: Yang Yang <yy...@icloud.com.INVALID> 
Sent: Tuesday, July 23, 2019 9:13 AM
To: user@guacamole.apache.org
Subject: Disable SSL certificate verification with OpenID Connect Authentication

Hello,

I’m testing OpenID Connect Authentication with HTTPS on, and got the problem below. Could you tell me how to disable SSL certificate verification? Is there an “ssl_verify” flag that I can turn off?

17:11:56.117 [http-nio-8080-exec-2] DEBUG org.jose4j.http.Get - HTTP GET of https://119.3.69.8:8443/auth/realms/Supra/protocol/openid-connect/certs
17:11:56.125 [http-nio-8080-exec-2] INFO  o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present) while obtaining or using keys from JWKS endpoint at https://MY-OIDC-SERVER-URI/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci...34IfpdFF8g
17:11:56.128 [http-nio-8080-exec-2] DEBUG o.a.g.a.o.t.TokenValidationService - Invalid JWT received.
org.jose4j.jwt.consumer.InvalidJwtException: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present) while obtaining or using keys from JWKS endpoint at https://MY-OIDC-SERVER-URI/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci…34IfpdFF8g

Thanks,
Yang

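The two approaches in this thread side by side, as an added Java example that is neither the Guacamole OpenID extension's own code nor taken from any post above. Nick's diagnosis is the key point: when the JWKS URL names an IP literal, Java's hostname checker matches it only against IP-type subjectAltName entries and never falls back to the CN, so a certificate with no SAN fails with exactly the "No subject alternative names present" message in the log. The hardened consumer below therefore assumes the IdP certificate was reissued with an IP SAN (for example openssl's `subjectAltName=IP:119.3.69.8`) and trusts that one certificate for the JWKS fetch via jose4j's real `Get.setTrustedCertificates`, keeping signature verification intact; the second consumer is Ryan's `setSkipSignatureVerification()` workaround, shown for contrast. The certificate path, issuer and client id are assumed placeholders; the JWKS URL is the one from the log.

```java
// Added example, not code from the thread or from Apache Guacamole.
// Assumes: the self-signed IdP certificate is stored at IDP_CERT_PATH
// (hypothetical path) and carries an IP-type SAN for 119.3.69.8.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.jose4j.http.Get;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.HttpsJwksVerificationKeyResolver;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

public class OidcTokenValidationExample {

    // JWKS URL taken from the log in the thread; the rest are assumed placeholders.
    static final String JWKS_URI =
            "https://119.3.69.8:8443/auth/realms/Supra/protocol/openid-connect/certs";
    static final String ISSUER = "https://119.3.69.8:8443/auth/realms/Supra";   // assumed
    static final String CLIENT_ID = "guacamole";                                 // assumed
    static final String IDP_CERT_PATH = "/etc/guacamole/oidc-server.pem";        // hypothetical

    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    /** Hardened: trust only the pinned IdP certificate for the JWKS fetch,
     *  and keep JWS signature verification plus issuer/audience/expiry checks. */
    static JwtConsumer hardenedConsumer() throws Exception {
        Get get = new Get();
        // Replaces the JVM cacerts trust for this connection with one known certificate.
        // Host matching still runs, so that certificate still needs an IP SAN for 119.3.69.8.
        get.setTrustedCertificates(loadCert(IDP_CERT_PATH));

        HttpsJwks jwks = new HttpsJwks(JWKS_URI);
        jwks.setSimpleHttpGet(get);

        return new JwtConsumerBuilder()
                .setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(jwks))
                // Only accept the algorithm the IdP actually uses (RS256 in the log header).
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.WHITELIST,
                        AlgorithmIdentifiers.RSA_USING_SHA256))
                .setExpectedIssuer(ISSUER)
                .setExpectedAudience(CLIENT_ID)
                .setRequireExpirationTime()
                .setRequireSubject()
                .build();
    }

    /** The thread's workaround, for contrast: the JWKS endpoint is never contacted,
     *  so the signature is never checked and any token whose claims merely look
     *  plausible is accepted. Never run this against a production login. */
    static JwtConsumer skipSignatureConsumer() {
        return new JwtConsumerBuilder()
                .setSkipSignatureVerification()
                .setExpectedIssuer(ISSUER)
                .setExpectedAudience(CLIENT_ID)
                .setRequireExpirationTime()
                .build();
    }

    public static void main(String[] args) throws Exception {
        String idToken = args[0]; // the compact-serialised ID token to validate
        try {
            JwtClaims claims = hardenedConsumer().processToClaims(idToken);
            System.out.println("Accepted token for subject " + claims.getSubject());
        } catch (InvalidJwtException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Run with the ID token as the first argument. A token signed by the IdP is accepted by `hardenedConsumer()` only after the JWKS is fetched over a connection that trusts the pinned certificate, which is the same outcome as Nick's cacerts suggestion without widening trust for the whole JVM; the same token, or a forged one, would also pass `skipSignatureConsumer()`, which is why that builder setting belongs only in a throwaway test deployment.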