Posted to users@camel.apache.org by Marko Ritter <ri...@interlix.de> on 2020/10/13 19:58:01 UTC

Sending request via a HTTPS Proxy not working

Hi guys,

I am having trouble using an HTTPS proxy server with Camel.
HTTP is working quite nicely. As soon as I switch to proxyAuthScheme=https.

The proxy is using a valid Let's Encrypt SSL cert on port 3128.


Request:

.toD("https://target.domain.com"
				+ "?httpMethod=POST"
				+ "&proxyHost=proxy.mydomain.de"
				+ "&proxyPort=3128"
				+ "&proxyAuthUsername="+ System.getenv("PROXY_UserName")
				+ "&proxyAuthPassword="+ System.getenv("PROXY_Password")
				+ "&proxyAuthMethod=Basic"
				+ "&proxyAuthScheme=https"
			 )

Error Message:

---------------------------------------------------------------------------------------------------------------------------------------   
21:42:28 web.1   |  javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
21:42:28 web.1   |      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645) ~[na:na]        
21:42:28 web.1   |      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) ~[na:na]
21:42:28 web.1   |      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411) ~[na:na]
...


What can I do?
Is this a bug?

Best regards
-Marko

Re: Sending request via a HTTPS Proxy not working

Posted by Zoran Regvart <zo...@regvart.com>.
Hi Marko,
that exception is usually caused by not having a trust anchor (a
trusted CA certificate) or an intermediate certificate that forms the
chain present in the trust store. You can troubleshoot this by adding
`-Djavax.net.debug=all` system property[1]. In those debug logs you
can see what trust anchors are used and what certificate was presented
by the server.

Note that it is very common for HTTP proxies, especially ones from
Antivirus vendors, to intercept (MITM) TLS connections (via
CONNECT[2]) and substitute an ad-hoc certificate so they can inspect
the payload.

zoran

[1] https://docs.oracle.com/en/java/javase/15/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-31B7E142-B874-46E9-8DD0-4E18EC0EB2CF
[2] https://en.wikipedia.org/wiki/HTTP_tunnel


-- 
Zoran Regvart