In my project using grpc and java,I am using OpenSSL to make a secure connection between Client and server.
I am able to bring the grpc server up successfully.
The documentation here mentions that the client code for a secure channel is this
ManagedChannel channel = ManagedChannelBuilder.forAddress("myservice.example.com", 443)
.build();
GreeterGrpc.GreeterStub stub = GreeterGrpc.newStub(channel);
I am using the code at client as follows but the below exception is being thrown.
mChannel = ManagedChannelBuilder.forAddress(GrpcConstants.LOCAL_GRPC_CLIENT_IP, GrpcConstants.LOCAL_GRPC_CLIENT_PORT).build();
mEmployerServicesBlockingStub = EmployerServicesGrpc.newBlockingStub(mChannel);
mInviteContactsBlockingStub = InviteContactsGrpc.newBlockingStub(mChannel);
Exception:
Network channel closed
at io.grpc.Status.asRuntimeException(Status.java:431)
at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:157)
at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:106)
I tried with the following code also:
mChannel = NettyChannelBuilder.forAddress(GrpcConstants.LOCAL_GRPC_CLIENT_IP, GrpcConstants.LOCAL_GRPC_CLIENT_PORT).sslContext(GrpcSslContexts.forClient().trustManager(file).build()).build();
mEmployerServicesBlockingStub = EmployerServicesGrpc.newBlockingStub(mChannel);
mInviteContactsBlockingStub = InviteContactsGrpc.newBlockingStub(mChannel);
This is also giving the same exception as above. I just gave a null file reference here.
Please let me know which approach should be used for a GoDaddy certificate.
If it is the first approach, what am I missing.
If it is the second approach, which file am I supposed to use for "roots.pem".
Updated.
It looks like the exception is cut off a bit at the top. There may also be a causal exception ("Caused by:") that could be helpful. In either case, this may be similar to another issue, where gRPC "misses" the original error and is now just detecting later failures.
Both approaches to Channel creation should work. If you are using a reverse proxy, I would assume the problem is either the server not supporting AES GCM or ALPN (with HTTP/2). You can use https://www.ssllabs.com/ssltest/ to check for support. For example, Google supports both. If you are contacting a gRPC server directly, I would expect an issue initializing tcnative.
It is probably worth-while to create a GitHub issue to help us in tracking down the true cause.
Related
I've set up a websocket connection using Java-WebSocket with a working two-way TLS connection. However, to make Client Authentication possible I'd like to be able to get the information attached to the Client Certificate. This will contain some information about the client connecting so it would be useful to have.
I've looked through all the data in debug mode for the connection and the data it contains, but cannot find any reference to the certificate. Most questions online seem to be about the standard javax websocket, but the one I'm using is made by TooTallNate (https://github.com/TooTallNate/Java-WebSocket)
I would like to be able to get a certificate from an established session. Is this possible?
Apparently in the new version the possibility of getting the SSLEngine from a session has been made possible. This should be present starting from version 1.4.1, which is currently a SNAPSHOT.
For anyone else stumbling across this question, this is a solution that works as of the 1.4.1-SNAPSHOT build used. This code should function in any of the server events. In my case I placed this in the onOpen event, which I'm guessing is where you'd want it to be as well. I haven't fully tested this with a non-SSL server but since there is a check in place it SHOULD be fine. Please test beforehand, however.
Certificate[] certificates = null;
if(webSocket.hasSSLSupport()) {
try {
certificates = webSocket.getSSLSession().getPeerCertificates();
} catch (SSLPeerUnverifiedException e) {
logger.error("Could not read SSL Certificates");
e.printStackTrace();
}
}
I've dowloaded and run the provided quickstat from github. It working well on a normal network but gives NPE if behind a proxy.
WARNING: An exception was thrown by com.microsoft.rest.v2.http.NettyClient$AcquisitionListener.operationComplete()
java.lang.NullPointerException
at com.microsoft.rest.v2.http.NettyClient$AcquisitionListener.emitError(NettyClient.java:426)
When I updated to v11 (11.0.1) a new error appears instead of NPE, but not working at all.
WARN NettyClient - Error emitted before channel is created. Message: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server
I've googled a lot and tried to set the default proxy in the operational context but no success.
OperationContext.setDefaultProxy(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyIP, proxyPort)));
Could you give me an updated (corrected) quickstart which works behind a proxy? Or give me some clue how, what to set and where?
As I known, according to the Oracle document Java Networking and Proxies, the simple way to access outside the proxy is to set http[s].proxyHost and http[s].proxyPort via System.setProperty in Java to make all programs on the JVM work behind a proxy. It works in my answer using older Azure Storage SDK for the other SO thread Get Image from Azure Blob using Proxy In Java.
So I have this situation: I try to download an image from somedomain.com using HTTPS. The domain is probably misconfigured, but unfortunately I can't change that. What exactly is happening:
When I browse to https://somedomain.com/animage.jpg I get a valid certificate issued for somedomain.com, which is perfect. But when I call the same site using it's IP address, say https://123.123.123.123 - I get a (also valid) certificate for *.hostingcompany.com - the certificate of the hosting company.
Now, I try to download the contents of the file using Java's HttpsUrlConnection, nothing special:
var urlConnection = new URL(imageUrl).openConnection();
((HttpURLConnection) urlConnection).getResponseCode();
(I want to first check the response code, but it's not important here.)
This code runs inside a Spring Boot App and is run on request. It works fine for the first request since booting the app. Each subsequent request fails with java.security.cert.CertificateException: No subject alternative DNS name matching somedomain.com found. It's because on each subsequent request the SSL Handshake is sent to the IP, not hostname, and get's the hosting company's certificate.
I was trying to find different settings for the SSL classes, but to no avail. I know there is a workaround where I could supply my own HostnameVerifier which could just return true, but that won't be secure, so I don't want to do that.
Did anyone encounter such problem? Maybe I'm searching in the wrong places? Maybe it's something with DNSes? I will appreciate any help.
Turns out it is a bug in Java 11.01. It is fixed since 11.02. After switching to 11.03. the behaviour I described above is gone. Each request gets a proper certificate.
Here are the details of the bug: https://bugs.openjdk.java.net/browse/JDK-8211806
I am using Netty as backend in a Java-based Usenet client. The library is working fine, however, in some circumstances I can't connect to a remote server via SSL, because of exactly this error:
Java: Why does SSL handshake give 'Could not generate DH keypair' exception?
Unfortunately, it seems that for whatever reason this Java error still has not been fixed yet. And since the remote server is not under my control, I need a workaround here. One such "solution", according to the link above, is to avoid DH during SSL handshake at all (not very pretty, but maybe better than nothing).
However, I am no SSL expert, so I am not really sure how I can implement that within Netty; or better: within my solution that is based on Netty. By now I am creating connections as this:
// configure the Netty client
ClientBootstrap bootstrap = new ClientBootstrap(clSockChannelFactory);
// configure the pipeline factory
bootstrap.setPipelineFactory(channelPipelineFactory);
bootstrap.setOption("tcpNoDelay", true);
bootstrap.setOption("keepAlive", true);
bootstrap.setOption("child.receiveBufferSizePredictorFactory",
new AdaptiveReceiveBufferSizePredictorFactory());
// start the connection attempt
InetSocketAddress isa = new InetSocketAddress(serverAddress, port);
ChannelFuture future = bootstrap.connect(isa);
...
channel = future.getChannel();
...
Ok, that's fine, but where can I disable cipher suites before I connect the SSL socket, as desribed in the thread above?
Thanks in advance for all your help!
Kind regards, Matthias
PS: By the way, any ideas why this problem has not been addressed in Java yet?
I'm not familiar with Netty, but I would suggest following the approach in the secure chat example.
I'm not sure what default SSL/TLS keys/trust settings you have, but if you don't have a custom SSLContext, try SSLContext.getDefault().
Then, create an SSLEngine using SSLContext.createSSLEngine(). On this SSLEngine, you should be able to enable the cipher suites you want. Assuming you're using the Oracle JRE (or OpenJDK), you'll find the list of cipher suites in the Sun Provider documentation.
After this (this is the Netty-specific part), set an SslHandler using something like this (see Netty example):
pipeline.addLast("ssl", new SslHandler(engine));
I just wanted to try out the java client for pubsubhubbub from google code (https://code.google.com/p/pubsubhubbub-java/downloads/list). So I downloaded the code, signed up at SuperFeedr and tried to connect to their hub. In fact I modified the test class the is provided with the subscriber client.
sb.subscribe("http://superfeedr.com/hubbub",
"https://some.blog", hostname, null, null);
hostname is the name of the server I created by using the class Web . Server is reachable from the web.
But I all get is this exception in the GetThread class:
org.apache.http.auth.MalformedChallengeException: Authentication challenge is empty
Does anybody have a hint?
Cheers,
Andi
PS: Up to now it's quite tedious to get PuSH working, e.g. at SuperFeedr they tell you what to do (http://superfeedr.com/documentation#pubsubhubbub_implementation) but not how? I tried to implement what's necessary for push my self (HttpClient, PostMethod with parameters,etc.) but nothing works....