Sentry-java: How to trust self-signed certificate to use with on-premise?

Created on 8 Sep 2020  路  7Comments  路  Source: getsentry/sentry-java

_Platform:_

  • [x] Android -> minSdkVersion = 24, targetSdkVersion = 29, compileSdkVersion = 29, buildToolsVersion = "29.0.3"
  • [x] Java -> sourceCompatibility JavaVersion.VERSION_1_8, targetCompatibility JavaVersion.VERSION_1_8
  • [x] Kotlin -> 1.3.50, jvmTarget = "1.8"

_IDE:_

  • [x] Android Studio -> 4.0.1

_Build system:_

  • [x] Gradle -> 6.1.1

_Android Gradle Plugin:_

  • [x] Yes -> 3.5.2

_Sentry Android Gradle Plugin:_

  • [x] Yes -> 1.7.34

_Proguard/R8:_

  • [x] Enabled

_sentry-android installed with:_

  • [x] JCenter

The version of sentry-android:2.3.1

I have the following issue:

Sentry v9.2.0 deployed on on-premise. On-premises uses self-signed SSL certificate. I would like to know how to HttpsURLConnection.setDefaultSSLSocketFactory(sslContext: SSLContext) so that I can use my own SSLContext which is coded to trust the self-signed SSL certificate CA files. Is it possible to do so, or sentry-android lib modification has to be done? Also, options.isBypassSecurity = true does not work. Either true or false yield error as below:

E/Sentry: Event submission failed: b722e309b75c4ce3b83cda5a5a965b43
java.lang.IllegalStateException: Sending the event failed.
at io.sentry.core.transport.AsyncConnection$EventSender.flush(AsyncConnection.java:310)
at io.sentry.core.transport.AsyncConnection$EventSender.run(AsyncConnection.java:262)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:458)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:764)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:229)
at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:192)
at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:149)
at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:112)
at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:184)
at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:126)
at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:95)
at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:281)
at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:224)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:461)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:127)
at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.connect(DelegatingHttpsURLConnection.java:89)
at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:26)
at io.sentry.core.transport.HttpTransport.createConnection(HttpTransport.java:271)
at io.sentry.core.transport.HttpTransport.send(HttpTransport.java:162)
at io.sentry.core.transport.AsyncConnection$EventSender.flush(AsyncConnection.java:291)
at io.sentry.core.transport.AsyncConnection$EventSender.run(AsyncConnection.java:262)聽
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:458)聽
at java.util.concurrent.FutureTask.run(FutureTask.java:266)聽
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)聽
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)聽
at java.lang.Thread.run(Thread.java:764)聽
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:646)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:495)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:418)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:339)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:208)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:404)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:192)聽
at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:149)聽
at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:112)聽
at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:184)聽
at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:126)聽
at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:95)聽
at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:281)聽
at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:224)聽
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:461)聽
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:127)聽
at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.connect(DelegatingHttpsURLConnection.java:89)聽
at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:26)聽
at io.sentry.core.transport.HttpTransport.createConnection(HttpTransport.java:271)聽
at io.sentry.core.transport.HttpTransport.send(HttpTransport.java:162)聽
at io.sentry.core.transport.AsyncConnection$EventSender.flush(AsyncConnection.java:291)聽
at io.sentry.core.transport.AsyncConnection$EventSender.run(AsyncConnection.java:262)聽
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:458)聽
at java.util.concurrent.FutureTask.run(FutureTask.java:266)聽
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)聽
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)聽
at java.lang.Thread.run(Thread.java:764)聽
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Android enhancement help wanted

All 7 comments

hey @ninekaw9 thanks for raising this.

true, we'd need to add a callback so you could load your own certificate, this also has downsides (for example key rotation on the server), I'd advise you to read a bit of this:

edit: sentry-python has a ca_certs option.

https://developer.android.com/training/articles/security-ssl#CommonProblems

the options isBypassSecurity was meant for Java backend services.

Not sure what would be the priority of this, I'll check it internally, we also accept PRs, so if you feel contributing to the project, we'd love to mentor and review the PR, thanks.

@ninekaw9 just for clarification, which self-signed SSL certificate are you working with? eg Android trust letsencrypt since v2.3.6

@marandaneto they are 3 certificate files.
1.root ca
2.ca that issued by root ca
3.ca issued by ca getsentry/sentry-android#2 for domain *.uatcloud.abc like this

@marandaneto @bruno-garcia hi, I managed to modify the code to support self-signed certificate. this took long because my team had trouble setting sentry up, now they managed it. but I cannot push my branch and commit.

image

image

@ninekaw9 awesome, could you open a PR? happy to review

hi @marandaneto I just managed to open a PR https://github.com/getsentry/sentry-java/pull/943

Was this page helpful?
0 / 5 - 0 ratings