http4 and x509HostnameVerifier

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

http4 and x509HostnameVerifier

rannandale
Hi guys

I'm trying to speak to a staging environment that uses self-signed certs. This means that when I try connect I get:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
As I run my camel app in a container  on openshift (more or less kubernetes) it's not trivial (I base this on feel, not facts) to add the cert to my container. I'd like to use something like the org.apache.http.conn.ssl.NoopHostnameVerifier() so that in staging I can just ignore the cert. But it doesn't look like it's actually using that method.

Implementation looks as follows:
main.bind("NoopForSelfsignedCerts", new org.apache.http.conn.ssl.NoopHostnameVerifier());

and the https bit:

.recipientList().simple("https4://" + System.getenv("someHost") + "/someURI/$simple{in.header.someId}?bridgeEndpoint=true&throwExceptionOnFailure=false&x509HostnameVerifier= NoopForSelfsignedCerts ");

It still gives the same error

Any thoughts/ suggestions?

Thanks
Riaan
Reply | Threaded
Open this post in threaded view
|

Re: http4 and x509HostnameVerifier

Zoran Regvart-2
Hi Riaan,
I would take a different approach: to provide the additional trust
anchor certificates in a Java keystore file, privided by a ConfigMap,
and on startup check if the additional keystore file exists and either
use that instead of the system keystore file or merge the two and
configure Camel with the resulting keystore.

zoran

On Wed, Aug 7, 2019 at 11:29 AM Riaan Annandale <[hidden email]> wrote:

>
> Hi guys
>
> I'm trying to speak to a staging environment that uses self-signed certs. This means that when I try connect I get:
> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> As I run my camel app in a container  on openshift (more or less kubernetes) it's not trivial (I base this on feel, not facts) to add the cert to my container. I'd like to use something like the org.apache.http.conn.ssl.NoopHostnameVerifier() so that in staging I can just ignore the cert. But it doesn't look like it's actually using that method.
>
> Implementation looks as follows:
> main.bind("NoopForSelfsignedCerts", new org.apache.http.conn.ssl.NoopHostnameVerifier());
>
> and the https bit:
>
> .recipientList().simple("https4://" + System.getenv("someHost") + "/someURI/$simple{in.header.someId}?bridgeEndpoint=true&throwExceptionOnFailure=false&x509HostnameVerifier= NoopForSelfsignedCerts ");
>
> It still gives the same error
>
> Any thoughts/ suggestions?
>
> Thanks
> Riaan



--
Zoran Regvart
Reply | Threaded
Open this post in threaded view
|

RE: http4 and x509HostnameVerifier

rannandale
Hi Zoran

Your advice was perfect. I imported the offending certificate and then started my camel instance with -Djavax.net.ssl.trustStore=src/main/resources/SSLCerts/cacerts

Problem solved 😊

Thank you!

-----Original Message-----
From: Zoran Regvart <[hidden email]>
Sent: Wednesday, 07 August 2019 13:38
To: [hidden email]
Subject: Re: http4 and x509HostnameVerifier

Hi Riaan,
I would take a different approach: to provide the additional trust anchor certificates in a Java keystore file, privided by a ConfigMap, and on startup check if the additional keystore file exists and either use that instead of the system keystore file or merge the two and configure Camel with the resulting keystore.

zoran

On Wed, Aug 7, 2019 at 11:29 AM Riaan Annandale <[hidden email]> wrote:

>
> Hi guys
>
> I'm trying to speak to a staging environment that uses self-signed certs. This means that when I try connect I get:
> PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target As I run my camel app in a container  on openshift (more or less kubernetes) it's not trivial (I base this on feel, not facts) to add the cert to my container. I'd like to use something like the org.apache.http.conn.ssl.NoopHostnameVerifier() so that in staging I can just ignore the cert. But it doesn't look like it's actually using that method.
>
> Implementation looks as follows:
> main.bind("NoopForSelfsignedCerts", new
> org.apache.http.conn.ssl.NoopHostnameVerifier());
>
> and the https bit:
>
> .recipientList().simple("https4://" + System.getenv("someHost") +
> "/someURI/$simple{in.header.someId}?bridgeEndpoint=true&throwException
> OnFailure=false&x509HostnameVerifier= NoopForSelfsignedCerts ");
>
> It still gives the same error
>
> Any thoughts/ suggestions?
>
> Thanks
> Riaan



--
Zoran Regvart