Comments (10)
Ah, yes now your issue makes more sense. Thank you for providing additional context. I think the library can be improved to cover this kind of use case. The benefit will be that you don't need to care what the order of trustmaterial should be because it should resolve that for you. And next to that i would prefer it to be compatible with previous releases, so I will fix it and publish a new version of it this week.
from sslcontext-kickstart.
Hi @ivenhov
Thank you for submitting this issue. This behaviour is indeed happening since the bugfix introduced from this issue: #181
The issue you have found is fixable, however in your example you are using withUnsafeTrustMaterial
alongside with the withDefaultTrustMaterial
. At runtime all certificate will be ignored/not validated because you are using the withUnsafeTrustMaterial
, so it does not make sense to also use withDefaultTrustMaterial
as all trusted certificates from this option will be ignored. If you prefer to use the withUnsafeTrustMaterial
you can disregard the withDefaultTrustMaterial
option and it will work. But maybe I am missing some context to understand your usecase. Can you explain why you would need to use the unsafeTrustmaterial with other trust options?
from sslcontext-kickstart.
Hi Hakky54
Thanks for prompt reply.
Using just withUnsafeTrustMaterial
indeed fixes the problem since CombinableX509TrustManager
is no longer used.
As for the reasons why I used both withDefaultTrustMaterial
and withUnsafeTrustMaterial
it was simply because in my original code I had a check like below
SSLFactory.Builder builder = SSLFactory.builder().withDefaultTrustMaterial();
if (trustAll)
builder.withUnsafeTrustMaterial();
if (pathGiven)
builder.withTrustMaterial(....);
SSLFactory factory = builder.build();
SSLContext sslContext = factory.getSslContext();
SSLContext.setDefault(sslContext);
In addition I was adding withTrustMaterial
with filepath if specified
So I was simply avoiding if/else there and being lazy at the same time.
Also I was assuming since it is a builder its ok to call those with...() in any order and it's composable.
Thanks again for pointing that to me and providing workaround.
from sslcontext-kickstart.
I made a release today, the fix is available at version 7.4.5. Please let me know if this resolves your issue and if you have other issues! 😄
from sslcontext-kickstart.
Hi
I reverted my code changes and tested with 7.4.5 and it works as expected. Thanks for you quick response.
I have one question regarding the changes for this patch, link
Specifically for the TrustManagerUtils
if (trustManagers.size() == 1) {
baseTrustManager = trustManagers.get(0);
} else {
baseTrustManager = trustManagers.stream()
.map(TrustManagerUtils::unwrapIfPossible)
.flatMap(Collection::stream)
.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)
.collect(Collectors.collectingAndThen(Collectors.toList(), CompositeX509ExtendedTrustManager::new));
}
If there is only one trust manager given it seems it will assume it will have acceptedIssuers > 0 which may not always be the case. In other words filtering is not performed.
I don't know if tests are covering that case.
Apologies if not relevant at all or I'm just talking nonsense.
Cheers
from sslcontext-kickstart.
Great to hear that it is now working with your original code.
Your remarks regarding the code snippet you have shared are valid indeed. The code in the body of the if statement and even the else statement can be improved. The if branch can have maybe a single trustmanager containing no accepted issuers and if that's the case it will throw a runtime exception during the SSL handshake. So it will be better to throw a custom exception to warn the user beforehand instead of the exception during the SSL handshake which will occur at a much later stage
The else branch can have multiple trustmanagers but after filtering if there is only one trustmanager it should be assigned to the base trustmanager and should not be wrapped by the composite trustmanager. And the other case is that after filtering if there is no trustmanager at all and if that's the case we should throw an exception.
Very well discovered Daniel! Would you like to contribute by creating a pull request?
from sslcontext-kickstart.
HI
Sorry for late reply
I gave it a go but unfortunately it breaks several tests which rely on the existing behaviour.
For example it is common in the test to accept a trust manager with no accepted issuers.
implementing 'else' branch handling as you described also breaks several tests.
from sslcontext-kickstart.
I am wondering which tests will fail. Can you create a pull request, so I can also take a look at your changes.
from sslcontext-kickstart.
@ivenhov Do you need any help with it?
from sslcontext-kickstart.
Created here #204
Hopefully i've done it right. I'm not sure if there is automatic way to link pull request with Github issue?
from sslcontext-kickstart.
Related Issues (20)
- Disable "Acceptable client certificate CA names" on MTLS client connect.
- Hostname verifier doesn't work with JDK Http Client HOT 4
- No available authentication scheme HOT 8
- Add Support For `withoutProtocols` + `withoutCiphers` HOT 3
- Question about Classic Configuration Migration HOT 18
- When using pem utils v8.2.0 dependency in android, Duplicate class error in org.bouncycastle HOT 3
- Loading the keystore takes a very long time in some rare cases HOT 9
- JDK9+ jdeps error HOT 6
- Implementing Dynamic SSL Pinning Using Base64 Encoded Server Certificate? HOT 6
- PKIX path building failed (client-side) when using certificates from Let's Encyrpt HOT 9
- aarch64 macOS runner support HOT 6
- FTPs - None of the TrustManagers trust this certificate chain HOT 3
- Loading of System-Certificates takes long or forever when USB-Token Software is installed. HOT 8
- Trust Anchor not found on Android HOT 10
- Remove too verbose logs when loading system certificates HOT 7
- LoggingX509ExtendedTrustManager should log CertificateException HOT 3
- Add abiilty to load JDK cacerts file HOT 6
- Is SSLFactory thread safe? HOT 2
- Remove `bouncycastle` deps for `sslcontext-kickstart-for-pem` HOT 3
- Support PKCS12 keystore created by openssl as truststore HOT 20
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sslcontext-kickstart.