Spring-cloud-netflix: Eureka Client over SSL with NoopHostnameVerifier
Hi folks,
I'm trying to overwrite default SSL configuration for Eureka Client using NoopHostnameVerifier but for some reason still trying to verify the hostname, anyone could help me on that please?
Followed code example from https://github.com/spring-cloud/spring-cloud-netflix/issues/1711#issuecomment-282340580
@Profile("prod")
@Configuration
class SslNoopHostnameVerifierConfiguration {
@Value("${service.security.trustStorePath:/etc/ssl/truststore.jks}")
private String trustStorePath;
@Value("${service.security.trustStorePassword:changeit}")
private String trustStorePassword;
@Value("${service.security.trustStoreType:JKS}")
private String trustStoreType;
@Value("${server.port:8443}")
private Integer serverPort;
@Autowired
EurekaClientConfig config;
@Bean
public DiscoveryClient.DiscoveryClientOptionalArgs getTrustStoredEurekaClient()
throws Exception {
final KeyStore trustStore = KeyStore.getInstance(trustStoreType);
trustStore.load(new FileSystemResource(trustStorePath).getInputStream(), trustStorePassword.toCharArray());
SSLConnectionSocketFactory systemSocketFactory = new SSLConnectionSocketFactory(
SSLContexts
.custom()
.loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
.build(),
new NoopHostnameVerifier());
SchemeRegistry sslSchemeRegistry = new SchemeRegistry();
Scheme schema = new Scheme("https", serverPort, new SSLSocketFactoryAdapter(systemSocketFactory));
sslSchemeRegistry.register(schema);
String name = "Custom-Discovery-Client";
MonitoredConnectionManager connectionManager = new MonitoredConnectionManager(name, sslSchemeRegistry);
ClientConfig clientConfig = new DefaultClientConfig();
clientConfig.getProperties().put(ApacheHttpClient4Config.PROPERTY_CONNECTION_MANAGER, connectionManager);
DiscoveryJerseyProvider discoveryJerseyProvider = new DiscoveryJerseyProvider(
CodecWrappers.getEncoder(config.getEncoderName()),
CodecWrappers.resolveDecoder(config.getDecoderName(), config.getClientDataAccept()));
clientConfig.getSingletons().add(discoveryJerseyProvider);
DiscoveryClient.DiscoveryClientOptionalArgs clientOptionalArgs = new DiscoveryClient.DiscoveryClientOptionalArgs();
clientOptionalArgs.setEurekaJerseyClient(new EurekaJerseyClientImpl(
config.getEurekaServerConnectTimeoutSeconds() * 1000,
config.getEurekaServerReadTimeoutSeconds() * 1000,
config.getEurekaConnectionIdleTimeoutSeconds() * 1000,
clientConfig));
return clientOptionalArgs;
}
}
Exception
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <localhost> doesn't match any of the subject alternative names: [www.spendingbetter.com, spendingbetter.com]
at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:187) ~[jersey-apache-client4-1.19.1.jar:1.19.1]
at com.netflix.eureka.cluster.DynamicGZIPContentEncodingFilter.handle(DynamicGZIPContentEncodingFilter.java:48) ~[eureka-core-1.9.8.jar:1.9.8]
at com.netflix.discovery.EurekaIdentityHeaderFilter.handle(EurekaIdentityHeaderFilter.java:27) ~[eureka-client-1.9.8.jar:1.9.8]
at com.sun.jersey.api.client.Client.handle(Client.java:652) ~[jersey-client-1.19.1.jar:1.19.1]
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682) ~[jersey-client-1.19.1.jar:1.19.1]
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) ~[jersey-client-1.19.1.jar:1.19.1]
at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:570) ~[jersey-client-1.19.1.jar:1.19.1]
at com.netflix.eureka.transport.JerseyReplicationClient.submitBatchUpdates(JerseyReplicationClient.java:116) ~[eureka-core-1.9.8.jar:1.9.8]
at com.netflix.eureka.cluster.ReplicationTaskProcessor.process(ReplicationTaskProcessor.java:80) ~[eureka-core-1.9.8.jar:1.9.8]
at com.netflix.eureka.util.batcher.TaskExecutors$BatchWorkerRunnable.run(TaskExecutors.java:193) [eureka-core-1.9.8.jar:1.9.8]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_212]
Version
Spring Boot: 2.1.2.RELEASE
Spring Cloud: Greenwich.RC2
rodrigorodrigues
All 8 comments
AFAIS this isn't a service discovery issue but a peer replication/update issue.
And if I'm not mistaken there is no way to bypass SSL verification between peers during replication.
TYsewyn
on 30 Jul 2019
There's an open pr for customizing the jersey client for peer replication
spencergibb
on 30 Jul 2019
@spencergibb can you link the open pr you're referring to?
bberto
on 23 Jan 2020
spencergibb
on 23 Jan 2020
Thanks. I think was then merged with #3572. However I think it doesn't relates to this issue, regarding SSL configuration on jersey client for peer replication.
The only workaround I found is declaring a bean that extends PeerEurekaNodes overriding createPeerEurekaNode(). In this way I can create my own JerseyReplicationClient with a client obtained from EurekaJerseyClientBuilder.withCustomSSL()
bberto
on 23 Jan 2020
We could add an extension point to allow a custom Producer<JerseyReplicationClient>
spencergibb
on 9 Apr 2020
Hi @spencergibb if I can help somehow it would be great, just need to know more details.
rodrigorodrigues
on 9 Apr 2020
If this constructor https://github.com/spring-cloud/spring-cloud-netflix/blob/master/spring-cloud-netflix-eureka-server/src/main/java/org/springframework/cloud/netflix/eureka/server/EurekaServerAutoConfiguration.java#L291 had an optional JerseyReplicationClient we could use it rather than construct our own.
spencergibb
on 9 Apr 2020
Related issues
fahimfarookme
路
3Comments
raseshdesaiexp
路
4Comments
Alvise88
路
3Comments
hotblac
路
3Comments
importsource
路
4Comments
Most helpful comment
There's an open pr for customizing the jersey client for peer replication