Posted to notifications@pekko.apache.org by "randomkoder (via GitHub)" <gi...@apache.org> on 2024/02/14 13:24:56 UTC
[I] Invalid session value in Tls-Session-Info header [incubator-pekko-http]
randomkoder opened a new issue, #485:
URL: https://github.com/apache/incubator-pekko-http/issues/485
Hi,
I am using mutual TLS (TLS v1.3) authentication with client certificates for one of my pekko http server routes and encounter occasional failures when using the Tls-Session-Info header.
For some client connections it returns an invalid session value - Session(1707843603849|**SSL_NULL_WITH_NULL_NULL**) instead of Session(1707843600698|TLS_AES_256_GCM_SHA384), so client certificate details cannot be extracted for use in my application.
Here is the simplified route that I am using for test purposes:
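```
import org.apache.pekko.http.scaladsl.model.{ ContentTypes, HttpEntity }
import org.apache.pekko.http.scaladsl.model.headers.`Tls-Session-Info`
import org.apache.pekko.http.scaladsl.server.Directives._

val route =
  headerValueByType[`Tls-Session-Info`](`Tls-Session-Info`) { tlsInfo =>
    path("tls") {
      get {
        println(s"TLS info -${tlsInfo.toString}")
        // getPeerCertificates throws SSLPeerUnverifiedException when the session has no authenticated peer
        complete(HttpEntity(ContentTypes.`text/html(UTF-8)`, s"Client certificate - ${tlsInfo.session.getPeerCertificates.head.toString}"))
      }
    }
  }
```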
Log entry for successful connections (200 Status code)
```
18:13:54.582 [my-system-pekko.actor.default-dispatcher-13] DEBUG org.apache.pekko.io.TcpListener -- New connection accepted
TLS info -Tls-Session-Info: Session(1707844434606|TLS_AES_256_GCM_SHA384)
```
Log entry for failed connections (500 Status code)
```
18:16:26.729 [my-system-pekko.actor.default-dispatcher-13] DEBUG org.apache.pekko.io.TcpListener -- New connection accepted
TLS info -Tls-Session-Info: Session(1707844586732|SSL_NULL_WITH_NULL_NULL)
18:16:26.868 [my-system-pekko.actor.default-dispatcher-19] ERROR org.apache.pekko.actor.ActorSystemImpl -- Error during processing of request: 'peer not authenticated'. Completing with 500 Internal Server Error response. To change default exception handling behavior, provide a custom ExceptionHandler.
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:560)
```
Pekko HTTP client is used as the client.
Versions of software used:
pekko-http - 1.0.1
pekko-actor-typed - 1.0.2
pekko-stream - 1.0.2
scala - 2.13.12
openjdk - 11.0.22
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@pekko.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@pekko.apache.org
For additional commands, e-mail: notifications-help@pekko.apache.org
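A fail-closed way to read the client certificate from the header in the situation reported above, given here as an added example (not code from the reporter or from the Pekko HTTP project). `ClientCertSupport`, `peerCertificate` and `clientCertificate` are hypothetical names, and answering with 403 is an assumed policy choice; the sketch does not repair the session value, it only replaces the unhandled exception with an explicit rejection.

```scala
import java.security.cert.X509Certificate
import javax.net.ssl.{ SSLPeerUnverifiedException, SSLSession }

import org.apache.pekko.http.scaladsl.model.StatusCodes
import org.apache.pekko.http.scaladsl.model.headers.`Tls-Session-Info`
import org.apache.pekko.http.scaladsl.server.Directive1
import org.apache.pekko.http.scaladsl.server.Directives._

object ClientCertSupport {
  // Cipher suite JSSE reports for a session whose handshake has not completed.
  private val NullSuite = "SSL_NULL_WITH_NULL_NULL"

  // Hypothetical helper: the leaf client certificate, or the reason none is available.
  def peerCertificate(session: SSLSession): Either[String, X509Certificate] =
    if (session.getCipherSuite == NullSuite)
      Left("TLS session is not established (SSL_NULL_WITH_NULL_NULL)")
    else {
      try {
        session.getPeerCertificates.headOption
          .collect { case c: X509Certificate => c }
          .toRight("peer presented no X.509 certificate")
      } catch {
        case e: SSLPeerUnverifiedException => Left(e.getMessage)
      }
    }

  // Hypothetical directive: extracts the certificate or ends the request with 403
  // (assumed policy), so a missing identity is never treated as an anonymous caller.
  val clientCertificate: Directive1[X509Certificate] =
    optionalHeaderValueByType(`Tls-Session-Info`).flatMap[Tuple1[X509Certificate]] {
      case None => complete(StatusCodes.Forbidden, "no TLS session information")
      case Some(info) =>
        peerCertificate(info.session) match {
          case Right(cert) => provide(cert)
          case Left(reason) =>
            complete(StatusCodes.Forbidden, s"client certificate unavailable: $reason")
        }
    }

  val route =
    path("tls") {
      get {
        clientCertificate { cert =>
          complete(s"Client certificate subject - ${cert.getSubjectX500Principal.getName}")
        }
      }
    }
}
```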
Re: [I] Invalid session value in Tls-Session-Info header [incubator-pekko-http]
Posted by "randomkoder (via GitHub)" <gi...@apache.org>.
randomkoder commented on issue #485:
URL: https://github.com/apache/incubator-pekko-http/issues/485#issuecomment-1943825177
Thanks for your quick response! I've tried with TLS v1.2 (explicitly enabling it both on client and server sides) and could not reproduce the issue.
Re: [I] Invalid session value in Tls-Session-Info header [incubator-pekko-http]
Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on issue #485:
URL: https://github.com/apache/incubator-pekko-http/issues/485#issuecomment-1943798085
@randomkoder Thanks for reporting this. Is there any chance that you could try using TLS v1.2 to see if things are more stable there? We will look at this issue but we may not be able to get a fix out for a few weeks.
Re: [I] Invalid session value in Tls-Session-Info header [incubator-pekko-http]
Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on issue #485:
URL: https://github.com/apache/incubator-pekko-http/issues/485#issuecomment-1943777431
This looks like https://github.com/akka/akka-http/issues/3920
Unfortunately, the fix was committed to akka-http after they made their license change. We may need to do a clean room change because we can't copy akka-http changes that are made to releases that are not Apache licensed.