ApacheHttpClient: how to disable SSL validation - ssl-certificate

I'm using feign.httpclient.ApacheHttpClient for feign:
final Builder feignBuilder = Feign.builder();
feignBuilder.client(new ApacheHttpClient())
...
and get an Exception:
java feign.RetryableException: Certificate for ... doesn't match any
of the subject alternative names: [...] executing GET
How to disable SSL validation for the ApacheHttpClient?
I've tried VM arguments as described in the https://stackoverflow.com/a/69925472/6863550, https://stackoverflow.com/a/53534658/6863550;
-Dfeign.httpclient.disable-ssl-validation=true
-Dfeign.httpclient.disableSslValidation=true
but it doesn't work for me.

Related

urllib3.exceptions.ProxySchemeUnknown: Not supported proxy scheme None

Recently my application started getting an error related to proxies
> in __init__
> raise ProxySchemeUnknown(proxy.scheme) urllib3.exceptions.ProxySchemeUnknown: Not supported proxy scheme None
I did not make any changes to the code or performed any updates to python3.8, which is what im using.
here is the function im using to fetch proxies from an api that pulls them from the DB
def get_proxy(self):
try:
req = self.session.post(url=self.script_function_url, headers=self.script_function_header, json={"action": "proxy"}, verify=False, timeout=20).json()
self.proxy = {"https": req['ipAddress']+":"+req['port']}
except Exception as e:
print(f'Proxy error: {e}')
exit()
any help would be greatly appreciated i am completely new to python.
I don't know what exact line is causing the error in your code and if you have a proxy yourselve, but I know that you need to specify a scheme to do API calls behind a proxy.
So in windows you would do:
set http_proxy=http://xxx.xxx.xxx.xxx:xxxx
set https_proxy=http://xxx.xxx.xxx.xxx:xxxx
Key point here is to add the http:// in front.

Setting user credentials on aws instance using jclouds

I am trying to create an aws instance using jclouds 1.9.0 and then run a script on it (via ssh). I am following the example locate here but I am getting authentication failed errors when the client (java program) tries to connect at the instance. The AWS console show that instance is up and running.
The example tries to create a LoginCrendentials object
String user = System.getProperty("user.name");
String privateKey = Files.toString(new File(System.getProperty("user.home") + "/.ssh/id_rsa"), UTF_8);
return LoginCredentials.builder().user(user).privateKey(privateKey).build();
which is latter used from the ssh client
responses = compute.runScriptOnNodesMatching(
inGroup(groupName), // predicate used to select nodes
exec(command), // what you actually intend to run
overrideLoginCredentials(login) // use my local user & ssh key
.runAsRoot(false) // don't attempt to run as root (sudo)
.wrapInInitScript(false));
Some Login information are injected to the instance with following commands
Statement bootInstructions = AdminAccess.standard();
templateBuilder.options(runScript(bootInstructions));
Since I am on Windows machine the creation of LoginCrendentials 'fails' and thus I alter its code to
String user = "ec2-user";
String privateKey = "-----BEGIN RSA PRIVATE KEY-----.....-----END RSA PRIVATE KEY-----";
return LoginCredentials.builder().user(user).privateKey(privateKey).build();
I also to define the credentials while building the template as described in "EC2: In Depth" guide but with no luck.
An alternative is to build instance and inject the keypair as follows, but this implies that I need to have the ssh key stored in my AWS console, which is not currently the case and also breaks the functionality of running a script (via ssh) since I can not infer the NodeMetadata from a RunningInstance object.
RunInstancesOptions options = RunInstancesOptions.Builder.asType("t2.micro").withKeyName(keypair).withSecurityGroup(securityGroup).withUserData(script.getBytes());
Any suggestions??
Note: While I am currently testing this on aws, I want to keep the code as decoupled from the provider as possible.
Update 26/10/2015
Based on #Ignasi Barrera answer, I changed my implementation by adding .init(new MyAdminAccessConfiguration()) while creating the bootInstructions
Statement bootInstructions = AdminAccess.standard().init(new MyAdminAccessConfiguration());
templateBuilder.options(runScript(bootInstructions));
Where MyAdminAccessConfiguration is my own implementation of the AdminAccessConfiguration interface as #Ignasi Barrera described it.
I think the issue relies on the fact that the jclouds code runs on a Windows machine and jclouds makes some Unix assumptions by default.
There are two different things here: first, the AdminAccess.standard() is used to configure a user in the deployed node once it boots, and later the LoginCredentials object passed to the run script method is used to authenticate against the user that has been created with the previous statement.
The issue here is that the AdminAccess.standard() reads the "current user" information and assumes a Unix System. That user information is provided by this Default class, and in your case I'm pretty sure it will fallback to the catch block and return an auto-generated SSH key pair. That means, the AdminAccess.standard() is creating a user in the node with an auto-generated (random) SSH key, but the LoginCredentials you are building don't match those keys, thus the authentication failure.
Since the AdminAccess entity is immutable, the better and cleaner approach to fix this is to create your own implementation of the AdminAccessConfiguration interface. You can just copy the entire Default class and change the Unix specific bits to accommodate the SSH setup in your Windows machine. Once you have the implementation class, you can inject it by creating a Guice module and passing it to the list of modules provided when creating the jclouds context. Something like:
// Create the custom module to inject your implementation
Module windowsAdminAccess = new AbstractModule() {
#Override protected void configure() {
bind(AdminAccessConfiguration.class).to(YourCustomWindowsImpl.class).in(Scopes.SINGLETON);
}
};
// Provide the module in the module list when creating the context
ComputeServiceContext context = ContextBuilder.newBuilder("aws-ec2")
.credentials("api-key", "api-secret")
.modules(ImmutableSet.<Module> of(windowsAdminAccess, new SshjSshClientModule()))
.buildView(ComputeServiceContext.class);

BouncyCastle - how to generate PKCS10 csr in version 1.52

I downloaded bc*.jar files(bcprov, bcpkix, bcmail, bcpg) and put them into my project. But Eclipse cannot parse org.bouncycastle.asn1.*. The documentation apparently lists asn1 related functions.
My code:
X500Principal subject = new X500Principal("C=NO");
ContentSigner signGen = new JcaContentSignerBuilder("SHA1withRSA").build(pk);
PKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(subject, pub);
PKCS10CertificationRequest csr = builder.build(signGen);
Error: The type org.bouncycastle.asn1.x500.X500Name cannot be resolved. It is indirectly referenced from required .class files
Is this a correct way to generate csr?
Appreciate!
The exception is throws because some of your classes has a dependency on org.bouncycastle.asn1.x500.X500Name, and this class is not in the classpath. In your case for example PKCS10CertificationRequestBuilder use internally org.bouncycastle.asn1.x500.X500Name so probably the problem is there.
The thing is that PKCS10CertificationRequestBuilder is on bcpkix.jar and org.bouncycastle.asn1.x500.X500Name is on bcprov.jar, so simply add bcprov.jar to your classpath.
Anyways if you want to generate a certificate signing request using java maybe it's easy using directly keytool which is a tool distributed with JVM, and it's located on $JAVA_HOME/bin/keytool. There are a lot of information on internet about how to generate a csr using keytool you can search or if you prefer to show one you can take a look here
Hope this helps,

include configs from ${HOME}/.app/someconfig.conf

I need to include some properties file into my typesafe config, like
include ${user.HOME}"/.app/db-test.conf"
however parser complains:
com.typesafe.config.ConfigException$Parse: dev/application.conf: 47: include keyword is not followed by a quoted string, but by: '${'user.HOME'}'
com.typesafe.config.ConfigException$Parse: dev/application.conf: 47: include keyword is not followed by a quoted string, but by: '${'user.HOME'}'
at com.typesafe.config.impl.Parser$ParseContext.parseError(Parser.java:329)
at com.typesafe.config.impl.Parser$ParseContext.parseError(Parser.java:325)
at com.typesafe.config.impl.Parser$ParseContext.parseInclude(Parser.java:574)
at com.typesafe.config.impl.Parser$ParseContext.parseObject(Parser.java:624)
at com.typesafe.config.impl.Parser$ParseContext.parseValue(Parser.java:408)
at com.typesafe.config.impl.Parser$ParseContext.parseObject(Parser.java:657)
at com.typesafe.config.impl.Parser$ParseContext.parse(Parser.java:832)
at com.typesafe.config.impl.Parser.parse(Parser.java:34)
How can I use system properties/environment variables in include statements?
Can you do this manually in the code that loads your config?
Config baseConfig = ConfigFactory.load();
// Probably want error checking here.
Config testConfig = ConfigFactory.parseFile(
new File(System.getenv("HOME") + "/.app/db-test.conf"));
// You may need to change your resolution order, depending on what you're doing in your
// default config.
testConfig.resolve();
Config finalConfig = baseConfig.withFallback(testConfig);
This is not currently possible out of the box (see https://github.com/typesafehub/config/issues/122 ).
However, you could write a custom ConfigIncluder if you are configuring an app with code you can modify, perhaps. See http://typesafehub.github.io/config/latest/api/com/typesafe/config/ConfigIncluder.html
You can also add a URL scheme to Java using standard Java mechanisms (see Creating custom URI scheme using URI class )
and then use include url("myscheme:whatever")

Setting SSLContext to jdbc connection

I want to create and configure SSLContext object and then make mysql.jdbc.Driver use it for establishing secure connection. Is there an approach for it better then custom jdbc.Driver?
You can create a custom com.mysql.jdbc.SocketFactory class that creates SSLSockets using an SSLSocketFactory coming from this SSLContext. Then, you can pass that class name to the MySQL JDBC connector using the socketFactory property (see table in the documentation).
This needs to have a constructor with no parameters, but its Socket connect(String host, Properties props) method should get the JDBC properties via its props parameter (if you need).
Note that you should not only check the validity of your certificate, but also check that the host name matches. If you're using Java 7, this can be done like this before returning the SSLSocket you've just created:
SSLParameters sslParams = new SSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
sslSocket.setSSLParameters(sslParams);
(The host name matching rules for HTTPS should be sufficiently sensible for most protocols, including MySQL.)