You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by Graham Leggett <mi...@sharp.fm.INVALID> on 2022/06/11 09:24:50 UTC
HttpClient + system properties + client certificates - how?
Hi all,
I am trying to pick apart why jackrabbit is ignoring system parameters when using SSL.
According to the javadocs for https://www.javadoc.io/doc/org.apache.httpcomponents/httpclient/4.4/org/apache/http/impl/client/HttpClientBuilder.html "System properties will be taken into account when configuring the default implementations when useSystemProperties() method is called prior to calling build().”
The code in jackrabbit looks like this:
https://github.com/apache/jackrabbit/blob/ed3124e5fe223dada33ce6ddf53bc666063c3f2f/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2dav/RepositoryServiceImpl.java#L365
// request config
RequestConfig requestConfig = RequestConfig.custom().
setConnectTimeout(connectionOptions.getConnectionTimeoutMs()).
setConnectionRequestTimeout(connectionOptions.getRequestTimeoutMs()).
setSocketTimeout(connectionOptions.getSocketTimeoutMs()).build();
hcb.setDefaultRequestConfig(requestConfig);
if (Boolean.getBoolean("jackrabbit.client.useSystemProperties") || connectionOptions.isUseSystemPropertes()) {
log.debug("Using system properties for establishing connection!");
// support Java system proxy? (JCR-3211)
hcb.useSystemProperties();
}
In theory, the above should cause (when properly config’ed) system properties to be used.
We then do this:
// TLS settings (via connection manager)
final SSLContext sslContext;
try {
if (connectionOptions.isAllowSelfSignedCertificates()) {
log.warn("Nonsecure TLS setting: Accepting self-signed certificates!");
sslContext = SSLContextBuilder.create().loadTrustMaterial(new TrustSelfSignedStrategy()).build();
hcb.setSSLContext(sslContext);
Am I right in understanding that the above will override the system properties and create an SSL context that contains no key material from system properties?
} else {
sslContext = SSLContextBuilder.create().build();
Am I also correct in understanding that SSLContextBuilder.create().build() above will create a context with no key material, ignoring the system properties?
}
} catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) {
throw new RepositoryException(e);
}
final SSLConnectionSocketFactory sslSocketFactory;
if (connectionOptions.isDisableHostnameVerification()) {
log.warn("Nonsecure TLS setting: Host name verification of TLS certificates disabled!");
// we can optionally disable hostname verification.
sslSocketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
} else {
sslSocketFactory = new SSLConnectionSocketFactory(sslContext);
}
Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
.register("http", PlainConnectionSocketFactory.getSocketFactory())
.register("https", sslSocketFactory)
.build();
I am trying to work out what changes I need to be above code to make this support system properties by default, and then apply changes to the system defaults where coded to do so.
Regards,
Graham
—
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
Re: HttpClient + system properties + client certificates - how?
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Sat, 2022-06-11 at 11:24 +0200, Graham Leggett wrote:
> Hi all,
>
> I am trying to pick apart why jackrabbit is ignoring system
> parameters when using SSL.
>
> According to the javadocs for
> https://www.javadoc.io/doc/org.apache.httpcomponents/httpclient/4.4/org/apache/http/impl/client/HttpClientBuilder.html
> "System properties will be taken into account when configuring the
> default implementations when useSystemProperties() method is called
> prior to calling build().”
>
> The code in jackrabbit looks like this:
>
> https://github.com/apache/jackrabbit/blob/ed3124e5fe223dada33ce6ddf53bc666063c3f2f/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2dav/RepositoryServiceImpl.java#L365
>
> // request config
> RequestConfig requestConfig = RequestConfig.custom().
>
> setConnectTimeout(connectionOptions.getConnectionTimeoutMs()).
>
> setConnectionRequestTimeout(connectionOptions.getRequestTimeoutMs()).
>
> setSocketTimeout(connectionOptions.getSocketTimeoutMs()).build();
> hcb.setDefaultRequestConfig(requestConfig);
> if
> (Boolean.getBoolean("jackrabbit.client.useSystemProperties") ||
> connectionOptions.isUseSystemPropertes()) {
> log.debug("Using system properties for establishing
> connection!");
> // support Java system proxy? (JCR-3211)
> hcb.useSystemProperties();
> }
>
> In theory, the above should cause (when properly config’ed) system
> properties to be used.
>
> We then do this:
>
> // TLS settings (via connection manager)
> final SSLContext sslContext;
> try {
> if (connectionOptions.isAllowSelfSignedCertificates()) {
> log.warn("Nonsecure TLS setting: Accepting self-
> signed certificates!");
> sslContext =
> SSLContextBuilder.create().loadTrustMaterial(new
> TrustSelfSignedStrategy()).build();
> hcb.setSSLContext(sslContext);
>
> Am I right in understanding that the above will override the system
> properties and create an SSL context that contains no key material
> from system properties?
No, you are not. HttpClient will trust certificates with a single self-
signed certificate in the cert chain but all other certificates (with
two or more signators in the cert chain) will still be verified by the
default trust manager.
>
> } else {
> sslContext = SSLContextBuilder.create().build();
>
> Am I also correct in understanding that
> SSLContextBuilder.create().build() above will create a context with
> no key material, ignoring the system properties?
>
You are correct. However, trust material shipped with the JRE will be
loaded by default (this is not by design, this is how Oracle JSSE
provider behaves). That is, standard CAs will be trusted by default.
> }
> } catch (KeyManagementException | NoSuchAlgorithmException |
> KeyStoreException e) {
> throw new RepositoryException(e);
> }
> final SSLConnectionSocketFactory sslSocketFactory;
> if (connectionOptions.isDisableHostnameVerification()) {
> log.warn("Nonsecure TLS setting: Host name verification
> of TLS certificates disabled!");
> // we can optionally disable hostname verification.
> sslSocketFactory = new
> SSLConnectionSocketFactory(sslContext,
> NoopHostnameVerifier.INSTANCE);
> } else {
> sslSocketFactory = new
> SSLConnectionSocketFactory(sslContext);
> }
>
> Registry<ConnectionSocketFactory> socketFactoryRegistry =
> RegistryBuilder.<ConnectionSocketFactory>create()
> .register("http",
> PlainConnectionSocketFactory.getSocketFactory())
> .register("https", sslSocketFactory)
> .build();
>
> I am trying to work out what changes I need to be above code to make
> this support system properties by default, and then apply changes to
> the system defaults where coded to do so.
>
> Regards,
> Graham
> —
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
> For additional commands, e-mail: dev-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org