
OpenIG can not connect to TLSv1.2 (TLSv1.1) secured resources


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 3.1.0, 4.0.0
    • Fix Version/s: 3.1.1
    • Component/s: CHF

      Description

      When OpenIG tries to talk to a TLSv1.2-secured backend server, it bails out with

      Server Error

      Caused by:

      javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
      	at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
      	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
      	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
      	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
      	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:108)
      	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
      	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
      	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
      	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
      	at org.forgerock.openig.http.HttpClient.execute(HttpClient.java:432)
      	at org.forgerock.openig.http.HttpClient.execute(HttpClient.java:404)
      	at org.forgerock.openig.handler.ClientHandler.handle(ClientHandler.java:61)
      	at org.forgerock.openig.handler.DispatchHandler.handle(DispatchHandler.java:88)
      	at org.forgerock.openig.handler.router.Route.doHandle(Route.java:210)
      	at org.forgerock.openig.handler.router.Route.handle(Route.java:191)
      	at org.forgerock.openig.handler.router.RouterHandler.handle(RouterHandler.java:251)
      	at org.forgerock.openig.audit.decoration.AuditHandler.handle(AuditHandler.java:46)
      	at org.forgerock.openig.decoration.capture.CaptureHandler.handle(CaptureHandler.java:60)
      	at org.forgerock.openig.servlet.GatewayServlet.service(GatewayServlet.java:279)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:800)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
      	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
      	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
      	at org.eclipse.jetty.server.Server.handle(Server.java:497)
      	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
      	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:245)
      	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
      	at java.lang.Thread.run(Thread.java:745)
      

      The exception message from Apache HTTP client is not really helpful; only a network trace showed the real issue.

      The root cause is that the OpenIG HttpClient hard-codes the secure protocol to 'TLS':

      ...
      SSLContext context = SSLContext.getInstance("TLS");
      ...
      

      Instead of hard-coding the value, it should be configurable via the HttpClient heaplet (http://docs.forgerock.org/en/openig/3.1.0/reference/index.html#HttpClient), e.g. a property 'secure-protocol'.

      Values may correspond to the ones defined in http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext (http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext).
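The following is an added illustration of the fix the ticket asks for, not OpenIG's own code: the SSLContext protocol name comes from a configuration value instead of the hard-coded "TLS", the value is checked against an allowlist (a policy chosen for this example, so that an SSLv3 context cannot be configured by mistake), and a helper shows which protocol versions the resulting client would actually offer. The config key name 'secure-protocol' is the one the ticket proposes, not a real OpenIG property. Running main() on a given JVM makes the difference visible: on older JVMs a "TLS" context offers only TLSv1 by default to the client side, so a backend that accepts only TLSv1.2 never completes the handshake, and there is no peer certificate left for the hostname verifier to check.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public final class ConfigurableSslContext {

    // Default kept identical to the current behaviour so existing configs do not change.
    static final String DEFAULT_PROTOCOL = "TLS";

    // Allowlist for this example: names from the JSSE "SSLContext" standard names table,
    // restricted to the TLS family. SSL/SSLv3 contexts are deliberately not accepted.
    static final Set<String> ALLOWED = Collections.unmodifiableSet(new HashSet<>(
            Arrays.asList("TLS", "TLSv1", "TLSv1.1", "TLSv1.2")));

    // 'secureProtocol' would be read from the hypothetical 'secure-protocol' heaplet property.
    public static SSLContext build(String secureProtocol)
            throws NoSuchAlgorithmException, KeyManagementException {
        String protocol = (secureProtocol == null || secureProtocol.trim().isEmpty())
                ? DEFAULT_PROTOCOL : secureProtocol.trim();
        if (!ALLOWED.contains(protocol)) {
            throw new IllegalArgumentException(
                    "secure-protocol '" + protocol + "' is not one of " + ALLOWED);
        }
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // platform default key and trust managers, as before
        return ctx;
    }

    // Protocol versions a client built from this context will offer in its ClientHello.
    public static String[] clientProtocols(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"TLS", "TLSv1.2"}) {
            System.out.println(name + " -> " + Arrays.toString(clientProtocols(build(name))));
        }
    }
}
```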

              People

              Assignee:
              markdr Mark de Reeper
              Reporter:
              bthalmayr Bernhard Thalmayr
              Votes:
              1
              Watchers:
              3