If I create a trust store and keystore for HTTPS inbound endpoints, my other HTTPS outbound endpoints start throwing exceptions.
An example is, if I create an HTTPS inbound endpoint connector like below,
    <https:connector name="MuleHTTPS" cookieSpec="netscape"
        validateConnections="true" sendBufferSize="0" receiveBufferSize="0"
        receiveBacklog="0" clientSoTimeout="${APP.TIMEOUT}" serverSoTimeout="${APP.TIMEOUT}"
        socketSoLinger="0" doc:name="MuleHTTPS">
        <https:tls-key-store path="${HONDA.HTTPS.KEYSTORE}"
            keyPassword="${HTTPS.KEYSTORE.PASSWORD}" storePassword="${HTTPS.KEYSTORE.PASSWORD}"/>
        <https:tls-server path="${HONDA.HTTPS.KEYSTORE}" explicitOnly="true" storePassword="${HTTPS.KEYSTORE.PASSWORD}"/>
    </https:connector>
the SQS inbound starts throwing a "peer not authenticated" error. The config is
    <sqs:config name="ReceiverAmazonSQS" accessKey="${AMAZON.ACCESS.KEY}"
        secretKey="${AMAZON.SECRET.KEY}" queueName="${AMAZON.QUEUE.NAME}"
        doc:name="SenderAmazonSQS" queueUrl="${AMAZON.QUEUE.URL}">
    </sqs:config>
    <sqs:receive-messages config-ref="ReceiverAmazonSQS"
        doc:name="Receive Messages"/>
What am I missing?
If there is only one HTTPS connector defined in a Mule application, by default all the HTTPS endpoints that do not have a connector defined use that same connector (unless you define one more HTTPS connector and specify it on the endpoint). This is the case with any transport in Mule.
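An added example, not from the question or the answer above, of what the answer describes: a second HTTPS connector dedicated to outbound traffic, referenced explicitly from the outbound endpoint with connector-ref, so that the outbound call no longer falls back to the inbound connector and its TLS settings. The element and attribute names follow the Mule 3 HTTPS transport; the connector name OutboundHTTPS, the host, path and property placeholders are assumptions.

```xml
<!-- Inbound connector: presents the application's own certificate, as in the question. -->
<https:connector name="MuleHTTPS" doc:name="MuleHTTPS">
    <https:tls-key-store path="${HTTPS.KEYSTORE}"
        keyPassword="${HTTPS.KEYSTORE.PASSWORD}" storePassword="${HTTPS.KEYSTORE.PASSWORD}"/>
    <https:tls-server path="${HTTPS.KEYSTORE}" explicitOnly="true"
        storePassword="${HTTPS.KEYSTORE.PASSWORD}"/>
</https:connector>

<!-- Second connector, used only for outbound calls (assumed name and trust store).
     Its trust store holds the CA of the remote service, not the application's own key. -->
<https:connector name="OutboundHTTPS" doc:name="OutboundHTTPS">
    <https:tls-server path="${OUTBOUND.TRUSTSTORE}" explicitOnly="true"
        storePassword="${OUTBOUND.TRUSTSTORE.PASSWORD}"/>
</https:connector>

<flow name="inboundFlow">
    <!-- Explicit connector-ref: this endpoint uses the inbound connector. -->
    <https:inbound-endpoint connector-ref="MuleHTTPS" host="0.0.0.0" port="8443"
        path="api" doc:name="HTTPS"/>

    <!-- Explicit connector-ref: without it, this endpoint would silently share MuleHTTPS
         when that is the only HTTPS connector in the application. -->
    <https:outbound-endpoint connector-ref="OutboundHTTPS" host="partner.example.com"
        port="443" path="service" method="POST" doc:name="HTTPS"/>
</flow>
```

Once more than one HTTPS connector exists, Mule requires each endpoint to name its connector, which is why every endpoint above carries a connector-ref.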
In my Spring Boot application I changed the default management server port in order to expose it on a different port through HTTP. My main app works on HTTPS with an SSL key and I don't want to expose it there.
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:local-ssl.p12
server.ssl.key-store-password=<password>
server.ssl.key-alias=local_ssl
server.port=8443
management.server.ssl.enabled=false
management.server.port=8081
management.endpoints.web.exposure.include=health,info,prometheus
However, when I try to access http://localhost:8081/actuator/prometheus, I receive the following picture from Postman. How can I access my endpoints through the new port?
When configured to use a custom port, the management server can also be configured with its own SSL using the various management.ssl.* properties. For example, this allows a management server to be available via HTTP while the main application uses HTTPS:
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:store.jks
server.ssl.key-password=secret
management.port=8080
management.ssl.enabled=false
Alternatively, both the main server and the management server can use SSL but with different key stores:
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:main.jks
server.ssl.key-password=secret
management.port=8080
management.ssl.enabled=true
management.ssl.key-store=classpath:management.jks
management.ssl.key-password=secret
For reference, look here:
https://docs.spring.io/spring-boot/docs/1.5.4.RELEASE/reference/html/production-ready-monitoring.html
Problem statement:
I want to establish a connection to the outside internet through a proxy server. I am using Zuul as a gateway, configured with system parameters like the https.proxyHost/https.proxyPort variables set to appropriate values, but Zuul is creating a TLS-terminating connection to the proxy server.
How do I configure Zuul to create a pass-through connection, so that the request becomes opaque to the proxy server and nobody is able to tamper with it?
Any help would be appreciated.
Cheers
Anant
I have a server that I wish to connect to via SSL, and then listen for data. I have a Camel route set up (via Spring) with a Netty4 endpoint as follows:
    <camel:endpoint id="sslEndpoint" uri="netty4:tcp://{{server.host}}:{{server.port}}">
        <camel:property key="clientMode" value="true" />
        <camel:property key="needClientAuth" value="true" />
        <camel:property key="sync" value="false" />
        <camel:property key="ssl" value="true" />
        <camel:property key="keyStoreResource" value="file:{{server.keystore}}" />
        <camel:property key="trustStoreResource" value="file:{{server.truststore}}" />
        <camel:property key="passphrase" value="{{server.passphrase}}" />
    </camel:endpoint>
The route is configured in Java with this endpoint as the from part of the route:
    public class MyRoute extends RouteBuilder {
        @Override
        public void configure() {
            // Consume from the Netty4 endpoint defined in Spring and log each message.
            from("ref:sslEndpoint")
                .to("log:MyLog?level=DEBUG");
        }
    }
By default a from endpoint will create a NettyConsumer, which acts as a server, hence specifying clientMode=true on the endpoint. This is honoured when using a plain TCP connection (it does indeed connect as a client and receive data sent to it from the server). However, when using SSL it doesn't start the SSL handshake, meaning the server doesn't send out any data.
I have rooted through the Camel Netty4 code, and the key issue is in DefaultServerInitializerFactory where a new SSL Connection is configured - the SSLEngine has a hard-coded setUseClientMode(false). Sticking a breakpoint here and changing the call to true does indeed cause Netty to connect to the server, initiate the SSL handshake, and start consuming received data.
So my question is twofold:
How can I best resolve this issue and make the SSL Client initiate a handshake? Have I just missed something obvious?
Is this a bug in Camel/Netty4, as it would appear to me that the SSL connection should honour the clientMode property of the endpoint?
I would like to write an SSL MITM proxy using Jetty. I've gone through some examples and it seems that I can use org.eclipse.jetty.server.handler.ConnectHandler for HTTPS CONNECT tunneling.
Is there any way that I can set my own certificate and decrypt content using ConnectHandler?
On the client side I have Apache HTTP client on JDK 5u22. On the server side I have Tomcat on JDK 6u27.
With this setup, if I try SSL client authentication (2-way SSL) then it causes "javax.net.ssl.SSLHandshakeException: Insecure renegotiation is not allowed" on the server and the handshake fails. It succeeds if I set the system properties sun.security.ssl.allowUnsafeRenegotiation=true and sun.security.ssl.allowLegacyHelloMessages=true on the server.
As per the link http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html this is because JRE 6u27 has the RFC 5746 implementation and JRE 5u26 and below don't have it, so the two are incompatible. Unfortunately 5u22 is the latest freely available Java 5 version. So I want to know if it is possible to have SSL client authentication without SSL renegotiation.
Regards,
Litty Preeth
As per the Red Hat site https://access.redhat.com/kb/docs/DOC-20491#Renegotiations_disabled_in_Apache_Tomcat :
Tomcat may ask the client to renegotiate in certain configurations using client certificate authentication, for example, configurations where:
A client certificate is not required on the initial connection, such as when:
1. The clientAuth attribute of the HTTPS connector using JSSE is set to false, or the SSLVerifyClient attribute of the HTTPS connector using OpenSSL is set to none.
AND
2. A web application specifies the CLIENT-CERT authentication method in the login-config section of the application's web.xml file.
So to avoid renegotiation in Tomcat, just make the whole site secure and not just a part of it by setting clientAuth="true" for SSL.
Hope this helps someone.
Regards,
Litty
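An added example, not part of the answer above, showing the two settings the quoted Red Hat text refers to side by side: the Tomcat JSSE connector in server.xml and the CLIENT-CERT login-config in the application's web.xml. Attribute names are those of the Tomcat 6/7 JSSE connector; the keystore file names, passwords, URL pattern and role name are placeholders.

```xml
<!-- conf/server.xml
     With clientAuth="false" (or "want") the initial handshake completes without a client
     certificate, and a CLIENT-CERT protected web application then forces a renegotiation,
     which the patched JRE 6 server rejects for an RFC 5746-unaware client.
     With clientAuth="true" the certificate is required on the initial handshake for the
     whole site, so no renegotiation is ever requested. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="conf/server-keystore.jks" keystorePass="changeit"
           truststoreFile="conf/client-ca-truststore.jks" truststorePass="changeit"/>

<!-- WEB-INF/web.xml
     The CLIENT-CERT login-config that, combined with clientAuth="false", triggers the
     renegotiation. With clientAuth="true" Tomcat simply maps the certificate already
     presented during the initial handshake to the authenticated principal. -->
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure area</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>client</role-name>
    </auth-constraint>
</security-constraint>
```

The trade-off is that with clientAuth="true" every request to the connector, not only those under /secure/*, must present a certificate issued by a CA in truststoreFile; clients without one are refused at the TLS layer rather than reaching an unprotected part of the site.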