We Keep Coding

What about my Swift-NIO-SSL handshake is failing?

I am trying to figure out what about my TLS handshake is failing. I am not exactly sure what this error code means. Can someone provide more context here?
2000-00-00T00:00:00-0000 error [[GRPC-LOGG]] : error=handshakeFailed(NIOSSL.BoringSSLError.sslError([Error: 268436496 error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE at /Users/username/Library/Developer/Xcode/DerivedData/ios-dc-bocetydygnmhxsdxqxaivnvasghk/SourcePackages/checkouts/swift-nio-ssl/Sources/CNIOBoringSSL/ssl/tls_record.cc:592])) grpc.conn.addr_local=10.220.93.246 grpc.conn.addr_remote=23.98.156.101 grpc_connection_id=C1C6376D-9F74-48AF-9D7A-D903BB68D716/0 [GRPC] grpc client error
I did take a look at the tls_record.cc file; which is reporting SSL3_AL_FATAL.
The tls_record.cc can be seen below.
tls_record.cc
f (alert_level == SSL3_AL_FATAL) {
OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr);
ERR_add_error_dataf("SSL alert number %d", alert_descr);
*out_alert = 0; // No alert to send back to the peer.
return ssl_open_record_error;
}
I am using gRPC-Swift to make this call.
var clientConnection: ClientConnection.Builder
var tlsConfig = TLSConfiguration.makeClientConfiguration()
tlsConfig.certificateVerification = .noHostnameVerification
tlsConfig.trustRoots = .certificates([nioCert!])
let clientConfig = GRPCTLSConfiguration.makeClientConfigurationBackedByNIOSSL(configuration: tlsConfig, hostnameOverride: sniName)
clientConnection = ClientConnection.usingTLS(with: clientConfig, on: eventLoopGroup)
.withTLSCustomVerificationCallback({ ... })
clientConnection.connect(host: hostName, port: port)
When running curl -v https://hostname:port/foo command, this is what I get back from the server:
* Trying 12.43.425.642:443...
* Connected to q003.ed14.ws.samplecloud.dogi (12.43.425.642) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to q003.ed14.ws.samplecloud.dogi:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to q003.ed14.ws.samplecloud.dogi:443
I have added a ClientError Logger to the gRPC connection and this is what I am getting:
[!! GRPC-CLIENT-ERROR]: handshakeFailed(NIOSSL.BoringSSLError.sslError([Error: 268435581 error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED at /Users/username/Library/Developer/Xcode/DerivedData/ios-dc-bocetydygnmhxsdxqxaivnvasghk/SourcePackages/checkouts/swift-nio-ssl/Sources/CNIOBoringSSL/ssl/handshake.cc:393])) file:[<unknown>] line:[0]]
The error in the log above points back to the tls_record:
if (alert_level == SSL3_AL_FATAL) {
OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr); // << this line
ERR_add_error_dataf("SSL alert number %d", alert_descr);
*out_alert = 0; // No alert to send back to the peer.
return ssl_open_record_error;
}
I think there is an issue with how I am attaching my certificates. When I view the network traffic, I do not see any client certificate showing up in the TLS handshake:
Client Certificates: -
Server Certificates: 3
It seems as though I was attaching my certificates to swift-grpc's server part of the framework and not the client, this is how you attach them for the client-side:
tlsConfig.certificateChain = [.certificate(nioCert!)]
let privateKeyNIO = try? NIOSSLPrivateKey.init(bytes: privateKeyByteAry, format: .der)
tlsConfig.privateKey = NIOSSLPrivateKeySource.privateKey(privateKeyNIO!)
Note that I am still getting the same error as reported above.
Update:
I have confirmed that the client certificates are not showing up in the request. I am not sure why this is the case; I am clearly attaching a client cert.
tlsConfig.certificateChain = [NIOSSLCertificateSource.certificate(nioCert!)]
let privateKeyNIO = try? NIOSSLPrivateKey.init(bytes: privateKeyByteAry, format: .der)
tlsConfig.privateKey = NIOSSLPrivateKeySource.privateKey(privateKeyNIO!)

how to terminate ssl at ingress-gateway in istio?

I am trying to experiment ssl connection in istio ingress gateway.
From here istio ssl gateway without termination, i assume that istio ingress gateway by default should terminate ssl.
I have installed istio with demo profile, via istioctl.
I have also installed my service svc1.
Apart from these, below are what my resources are with routng logic:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: vs-gateway
namespace: myns
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: vs
namespace: myns
spec:
hosts:
- "*"
gateways:
- vs-gateway
http:
- match:
- uri:
prefix: "/svc1/"
rewrite:
uri: "/"
route:
- destination:
host: svc1
port:
number: 80
I found the Gateway url via this.
For experiment i had also enabled http on ingress gateway. That way curl http://172.17.0.2:<http_node_port> works with 200 response. Later i removed http from ingress gateway and kept only https (as https is my primary goal to be recieved by ingress gateway)
And then trying curl with https on gateway url. I get 503.
$ curl -ivk https://172.17.0.2:<https_node_port>/svc1/user
* Trying 172.17.0.2...
* TCP_NODELAY set
* Connected to 172.17.0.2 (172.17.0.2) port 30278 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=CA; O=Abc; CN=example.com
* start date: Dec 31 08:22:32 2019 GMT
* expire date: Jan 30 08:22:32 2020 GMT
* issuer: C=US; ST=CA; O=Abc; CN=example.com
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55c961626580)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET /svc1/user HTTP/2
> Host: 172.17.0.2:30278
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 503
HTTP/2 503
< content-length: 95
content-length: 95
< content-type: text/plain
content-type: text/plain
< date: Thu, 02 Jan 2020 08:13:49 GMT
date: Thu, 02 Jan 2020 08:13:49 GMT
< server: istio-envoy
server: istio-envoy
<
* Connection #0 to host 172.17.0.2 left intact
upstream connect error or disconnect/reset before headers. reset reason: connection termination
I also enabled sidecar istio proxy debuggin on svc pod sidecar. I got below logs
[Envoy (Epoch 0)] [2020-01-02 06:53:19.392][28][debug][filter] [external/envoy/source/extensions/filters/listener/original_dst/original_dst.cc:18] original_dst: New connection accepted
[Envoy (Epoch 0)] [2020-01-02 06:53:19.392][28][debug][filter] [external/envoy/source/extensions/filters/listener/tls_inspector/tls_inspector.cc:72] tls inspector: new connection accepted
[Envoy (Epoch 0)] [2020-01-02 06:53:19.392][28][debug][filter] [src/envoy/tcp/mixer/filter.cc:30] Called tcp filter: Filter
[Envoy (Epoch 0)] [2020-01-02 06:53:19.392][28][debug][filter] [src/envoy/tcp/mixer/filter.cc:40] Called tcp filter: initializeReadFilterCallbacks
[Envoy (Epoch 0)] [2020-01-02 06:53:19.392][28][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:204] [C88] new tcp proxy session
[Envoy (Epoch 0)] [2020-01-02 06:53:19.392][28][debug][filter] [src/envoy/tcp/mixer/filter.cc:133] [C88] Called tcp filter onNewConnection: remote 10.244.0.5:34148, local 10.244.0.16:3000
[Envoy (Epoch 0)] [2020-01-02 06:53:19.392][28][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:347] [C88] Creating connection to cluster inbound|80|serviceport|svc1.myns.svc.cluster.local
[Envoy (Epoch 0)] [2020-01-02 06:53:19.392][28][debug][pool] [external/envoy/source/common/tcp/conn_pool.cc:83] creating a new connection
[Envoy (Epoch 0)] [2020-01-02 06:53:19.392][28][debug][pool] [external/envoy/source/common/tcp/conn_pool.cc:364] [C89] connecting
[Envoy (Epoch 0)] [2020-01-02 06:53:19.392][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:711] [C89] connecting to 127.0.0.1:3000
[Envoy (Epoch 0)] [2020-01-02 06:53:19.393][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:720] [C89] connection in progress
[Envoy (Epoch 0)] [2020-01-02 06:53:19.393][28][debug][pool] [external/envoy/source/common/tcp/conn_pool.cc:109] queueing request due to no available connections
[Envoy (Epoch 0)] [2020-01-02 06:53:19.393][28][debug][conn_handler] [external/envoy/source/server/connection_handler_impl.cc:333] [C88] new connection
[Envoy (Epoch 0)] [2020-01-02 06:53:19.393][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:559] [C89] connected
[Envoy (Epoch 0)] [2020-01-02 06:53:19.393][28][debug][pool] [external/envoy/source/common/tcp/conn_pool.cc:285] [C89] assigning connection
[Envoy (Epoch 0)] [2020-01-02 06:53:19.393][28][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:541] TCP:onUpstreamEvent(), requestedServerName:
[Envoy (Epoch 0)] [2020-01-02 06:53:19.393][28][debug][filter] [src/envoy/tcp/mixer/filter.cc:143] Called tcp filter completeCheck: OK
[Envoy (Epoch 0)] [2020-01-02 06:53:19.395][28][debug][filter] [src/istio/control/client_context_base.cc:139] Report attributes: attributes {
key: "connection.event"
value {
string_value: "open"
}
}
attributes {
key: "connection.id"
value {
string_value: "38a9b348-1730-4e0b-9664-fbbaeedd9215-88"
}
[Envoy (Epoch 0)] [2020-01-02 06:53:19.395][28][debug][filter] [src/envoy/tcp/mixer/filter.cc:100] [C88] Called tcp filter onRead bytes: 664
[Envoy (Epoch 0)] [2020-01-02 06:53:19.396][28][debug][filter] [src/envoy/tcp/mixer/filter.cc:123] [C88] Called tcp filter onWrite bytes: 28
[Envoy (Epoch 0)] [2020-01-02 06:53:19.398][28][debug][filter] [src/envoy/tcp/mixer/filter.cc:123] [C88] Called tcp filter onWrite bytes: 0
[Envoy (Epoch 0)] [2020-01-02 06:53:19.398][28][debug][filter] [src/envoy/tcp/mixer/filter.cc:100] [C88] Called tcp filter onRead bytes: 34
[Envoy (Epoch 0)] [2020-01-02 06:53:19.398][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:527] [C88] remote close
[Envoy (Epoch 0)] [2020-01-02 06:53:19.398][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:193] [C88] closing socket: 0
[Envoy (Epoch 0)] [2020-01-02 06:53:19.398][28][debug][filter] [src/envoy/tcp/mixer/filter.cc:174] [C88] Called tcp filter onEvent: 0 upstream 127.0.0.1:3000
[Envoy (Epoch 0)] [2020-01-02 06:53:19.398][28][debug][filter] [src/istio/control/client_context_base.cc:139] Report attributes: attributes {
key: "connection.duration"
value {
duration_value {
nanos: 6151000
}
}
}
attributes {
key: "connection.event"
value {
string_value: "close"
}
}
at
[Envoy (Epoch 0)] [2020-01-02 06:53:19.398][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:104] [C89] closing data_to_write=34 type=0
[Envoy (Epoch 0)] [2020-01-02 06:53:19.398][28][debug][conn_handler] [external/envoy/source/server/connection_handler_impl.cc:88] [C88] adding to cleanup list
[Envoy (Epoch 0)] [2020-01-02 06:53:19.398][28][debug][filter] [src/envoy/tcp/mixer/filter.cc:35] Called tcp filter : ~Filter
[Envoy (Epoch 0)] [2020-01-02 06:53:19.399][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:589] [C89] write flush complete
[Envoy (Epoch 0)] [2020-01-02 06:53:19.399][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:193] [C89] closing socket: 1
[Envoy (Epoch 0)] [2020-01-02 06:53:19.399][28][debug][pool] [external/envoy/source/common/tcp/conn_pool.cc:124] [C89] client disconnected
[Envoy (Epoch 0)] [2020-01-02 06:53:19.399][28][debug][pool] [external/envoy/source/common/tcp/conn_pool.cc:238] [C89] connection destroyed
With the logs, it seems like ingress gateway is forwarding ssl request to svc. (please correct here if i am wrong)
So in the end, can anyone please help me out getting ssl terminated at ingress gateway, and forward plain http request to svc?

Based on this github issue and this istio documentation
Named service ports: Service ports must be named. The port name key/value pairs must have the following syntax: name: [-]. See Protocol Selection for more details.
Based on mockserver service
ports:
- name: serviceport
I would recommend to change it to http/https like mentioned there and confirmed by community member who had same issue on github.
Manual protocol selection
Protocols can be specified manually by naming the Service port name: [-]. The following protocols are supported:
grpc
grpc
web
http
http2
https
mongo
mysql*
redis*
tcp
tls
udp
*These protocols are disabled by default to avoid accidentally enabling experimental features. To enable them, configure the corresponding Pilot environment variables.

syslog-ng unable to send logs via tls - handshake error

Unable to send logs to a syslog-ng docker container using TLS (6514)
Logs are being transmitted successfully not using TLS on port 601.
305ef6ab4973 syslog-ng[1]: Syslog connection accepted; fd='14', client='AF_INET(172.17.0.3:35362)', local='AF_INET(0.0.0.0:6514)'
305ef6ab4973 syslog-ng[1]: SSL error while reading stream; tls_error='SSL routines:tls_process_client_certificate:peer did not return a certificate', location='/etc/syslog-ng/syslog-ng.conf:35:9'
305ef6ab4973 syslog-ng[1]: I/O error occurred while reading; fd='14', error='Connection reset by peer (104)'
305ef6ab4973 syslog-ng[1]: Syslog connection closed; fd='14', client='AF_INET(172.17.0.3:35362)', local='AF_INET(0.0.0.0:6514)'
environment setup: Debian 9 VM, docker, latest syslog-ng.
syslog-ng version
root#305ef6ab4973:/etc/syslog-ng# syslog-ng --version
syslog-ng 3 (3.21.1)
Config version: 3.21
Installer-Version: 3.21.1
Revision: 3.21.1-1
Compile-Date: May 3 2019 09:11:19
Module-Directory: /usr/lib/syslog-ng/3.21
Module-Path: /usr/lib/syslog-ng/3.21
Include-Path: /usr/share/syslog-ng/include
Available-Modules: cryptofuncs,kvformat,tfgetent,add-contextual-data,afsql,afuser,xml,riemann,json-plugin,geoip-plugin,redis,pacctformat,afamqp,pseudofile,hook-commands,examples,stardate,geoip2-plugin,tags-parser,system-source,graphite,date,kafka,snmptrapd-parser,confgen,afprog,basicfuncs,afsmtp,http,linux-kmsg-format,map-value-pairs,appmodel,disk-buffer,affile,afsocket,afstomp,afmongodb,csvparser,mod-java,syslogformat,cef,mod-python,sdjournal,dbparser
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on
generated syslog msgs with loggen on port 601 non-tls
root#e41017b55dfa:loggen --stream 172.17.0.2 601
count=1816, rate = 915.72 msg/sec
count=2274, rate = 914.78 msg/sec
count=2732, rate = 914.93 msg/sec
logs are written in the log file for 601 conn
sudo tail -n 10 syslog-ng/logs/syslog-ng/tcp_601.log
Jul 21 10:35:11 ip-172-17-0-3 prg00000[1234]: seq: 0000004294, thread: 0000, runid: 1563705308, stamp: 2019-07-21T10:35:11 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD
Jul 21 10:35:11 ip-172-17-0-3 prg00000[1234]: seq: 0000004295, thread: 0000, runid: 1563705308, stamp: 2019-07-21T10:35:11 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD
Jul 21 10:35:11 ip-172-17-0-3 prg00000[1234]: seq: 0000004296, thread: 0000, runid: 1563705308, stamp: 2019-07-21T10:35:11 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD
syslog messages log (601 conn)
Jul 21 10:39:14 305ef6ab4973 syslog-ng[1]: Syslog connection accepted; fd='18', client='AF_INET(****)', local='AF_INET(0.0.0.0:601)'
Jul 21 10:39:44 305ef6ab4973 syslog-ng[1]: Syslog connection closed; fd='18', client='AF_INET(****)', local='AF_INET(0.0.0.0:601)'
When I'm using TLS, I'm receiving the following error
client-side:
root#e41017b55dfa:#loggen --use-ssl 172.17.0.2 6514
error [loggen_helper.c:open_ssl_connection:247] SSL connect failed
139771316958976:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert number 40
error [ssl_plugin.c:active_thread_func:313] can not connect to 172.17.0.2:6514 (0x5566c837e800)
Total runtime = 0.500195, count = 0
server-side:
305ef6ab4973 syslog-ng[1]: Syslog connection accepted; fd='14', client='AF_INET(172.17.0.3:35362)', local='AF_INET(0.0.0.0:6514)'
305ef6ab4973 syslog-ng[1]: SSL error while reading stream; tls_error='SSL routines:tls_process_client_certificate:peer did not return a certificate', location='/etc/syslog-ng/syslog-ng.conf:35:9'
305ef6ab4973 syslog-ng[1]: I/O error occurred while reading; fd='14', error='Connection reset by peer (104)'
305ef6ab4973 syslog-ng[1]: Syslog connection closed; fd='14', client='AF_INET(172.17.0.3:35362)', local='AF_INET(0.0.0.0:6514)'
conn test using openssl
root#e41017b55dfa:/etc/syslog-ng# openssl s_client -connect 172.17.0.2:6514
CONNECTED(00000003)
depth=1 C = IL, ST = ***, L = ***, O = ***, OU = IT, CN = *** Syslog CA, emailAddress = ***#***.com
verify return:1
depth=0 C = IL, ST = ***, L = ***, O = ***, OU = IT, CN = 172.17.0.2
verify return:1
140233519988800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert number 40
---
Certificate chain
0 s:/C=IL/ST=***/L=***/O=***/OU=IT/CN=172.17.0.2
i:/C=IL/ST=***/L=***/O=***/OU=IT/CN=*** Syslog CA/emailAddress=***#***.com
1 s:/C=IL/ST=***/L=***/O=***/OU=IT/CN=*** Syslog CA/emailAddress=***#***.com
i:/C=IL/ST=***/L=***/O=***/OU=IT/CN=*** Syslog CA/emailAddress=***#***.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID7TCCAtWgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCSUwx
ETAPBgNVBAgMCFRlbCBBdml2MREwDwYDVQQHDAhUZWwgQXZpdjEOMAwGA1UECgwF
QXJtaXMxCzAJBgNVBAsMAklUMRgwFgYDVQQDDA9Bcm1pcyBTeXNsb2cgQ0ExJTAj
BgkqhkiG9w0BCQEWFm9tcmkudHNhYmFyaUBhcm1pcy5jb20wHhcNMTkwNzE4MTAx
MzQ3WhcNMjAwNzE3MTAxMzQ3WjBlMQswCQYDVQQGEwJJTDERMA8GA1UECAwIVGVs
IEF2aXYxETAPBgNVBAcMCFRlbCBBdml2MQ4wDAYDVQQKDAVBcm1pczELMAkGA1UE
CwwCSVQxEzARBgNVBAMMCjE3Mi4xNy4wLjIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDSVTVKoNlgPk1q9MgbPF1ndDIhTFsXp62XPdNNWyP79GGunPlM
o+oqJJJh+SDP/0BUivyvYdH4gFdZ40RZ138CQz1L+i9sBK4alizRIqxWT379lnYd
nieMYP25uBQPw8TothegtHA30+PFg/qEVd/3bQQVFJ/z0Q6GsOkw/Qc4kS+hhP6B
dny2ul8yyS4oNeM4rMo/1/F8NKsdOlt/4St2aVo5kuuyosOdKaaXzzqeVI7QdqaJ
kuMwC5sGATDZ2qwr9TEgBVzZs5sFixOaA0vTb7FqVOfcBq1Crrf9qnNTzQXzjjjH
3eQ4tZXbVOTopxwR7zgqO/nR/3IAvVnirsjNAgMBAAGjezB5MAkGA1UdEwQCMAAw
LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
A1UdDgQWBBSMTVONnqW+gof7SKD0V6uPZLoOdDAfBgNVHSMEGDAWgBTaK4jNVP3+
1V4wUSM+Gx7iYSjFKTANBgkqhkiG9w0BAQsFAAOCAQEAQqOJbvHcjG6pYbmtwexJ
C56a1qE0C9fjIlHY+EKuE1e/jTfIu1opggwTbov5BS9MHDK0As4JkwAn/36dbGKt
SS3K/JXvnM8Ag5tv09zVgSKwYNRpuVTi52shn4ELIktVCUc2H7XW1W9r1GsjkXCV
WhtJRP9lVJi77gxICTC5x39feA/p3BkRUIRwWPY2J8quJ37FTNBGMeX8lVAW4ipR
UbG3DQgj2r/HonjmZ5kWH8Bd46RZhpE7Nt4UGRutCnyi9jo3R7PDQW1D0rhRSByO
w/uTToHfaj7ZjGb9CXeV7LRuf6z5px881puqUsWYSeEh0Tm3AnTVNOzzvKE2Pp3*****
-----END CERTIFICATE-----
subject=/C=IL/ST=***/L=***/O=***/OU=IT/CN=172.17.0.2
issuer=/C=IL/ST=***/L=***/O=***/OU=IT/CN=*** Syslog CA/emailAddress=***#***.com
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2487 bytes and written 281 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 02FB22BADE731CF64439D69D1F1991F3FF3BD7C4E44AF531308DD021659B1220B8BEBE94C9934659734AB10D4AF25999
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1563704954
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
root#e41017b55dfa:/etc/syslog-ng#
syslog-ng client config
#version: 3.18
#include "scl.conf"
source s_local {
internal();
};
source s_network {
default-network-drivers( ); };
destination test2_d {
network("172.17.0.2" port(6514)
transport("tls")
tls( ca-dir("/etc/syslog-ng/ca.d")
key-file("/etc/syslog-ng/cert.d/clientkey.pem")
cert-file("/etc/syslog-ng/cert.d/clientcert.pem") )
); };
log { source(s_local); destination(test2_d); };
destination d_local {
file("/var/log/messages");
file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
};
log {
source(s_local);
source(s_network);
destination(d_local);
};
syslog-ng server config
#version: 3.18
#include "scl.conf"
source s_local {
internal();
};
source test1_s {
network(
transport("tcp")
port(601)
flags(syslog-protocol)
);
};
destination test1_d { file("/var/log/syslog-ng/tcp_601.log" dir_group(root) group(root) create_dirs(yes) dir_perm(0777) perm(0666) owner(root) dir_owner(root)); };
log { source("test1_s"); destination("test1_d"); };
source test2_s {
network(
ip(0.0.0.0) port(6514)
transport("tls")
tls( key-file("/etc/syslog-ng/cert.d/serverkey.pem")
cert-file("/etc/syslog-ng/cert.d/servercert.pem")
ca-dir("/etc/syslog-ng/ca.d"))
); };
destination test2_d { file("/var/log/syslog-ng/tls_6514.log" dir_group(root) group(root) create_dirs(yes) dir_perm(0777) perm(0666) owner(root) dir_owner(root)); };
log { source("test2_s"); destination("test2_d"); };
destination d_local {
file("/var/log/messages");
file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
};
log {
source(s_local);
destination(d_local);
};

You've tested your configuration using loggen --use-ssl and openssl s_client without specifying a client certificate (loggen does not support client certs, openssl s_client does).
The error message on the server side is about the missing client cert: peer did not return a certificate.
If you prefer not to use mutual authentication, you can make it optional by adding the peer-verify(optional-trusted) TLS option to the server config:
source test2_s {
network(
port(6514)
transport("tls")
tls( key-file("/etc/syslog-ng/cert.d/serverkey.pem")
cert-file("/etc/syslog-ng/cert.d/servercert.pem")
ca-dir("/etc/syslog-ng/ca.d")
peer-verify(optional-trusted)
)
);
};
syslog-ng Admin Guide - TLS options

Openssl Client doesn't send certificate

I try since many days to implement a TCPs communication between a Linux server and Windows/Linux client
The communication works but certificates exchanges doesn't, server is waiting for a client certificate which is never sent.
Client and server as booth running with OpenSSL 1.0.2n
Certificate is installed on Windows Store (.pfx)
Server Code :
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile, char* CAFile)
{
// set the local certificate from CertFile
if (SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0)
{ ERR_print_errors_fp(stderr);abort(); }
// set the private key from KeyFile (may be the same as CertFile)
if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0)
{ ERR_print_errors_fp(stderr); abort(); }
// verify private key
if (!SSL_CTX_check_private_key(ctx))
{ printf(stderr, "Private key does not match the public certificate\n"); abort(); }
SSL_CTX_set_ecdh_auto(ctx, 1);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
SSL_CTX_set_verify_depth(ctx,4);
if (SSL_CTX_load_verify_locations(ctx, CAFile, NULL) != 1)
{ printf("SSL_CTX_load_verify_locations failed\n"); ERR_print_errors_fp(stderr); }
}
void Servlet(SSL* ssl) /* Serve the connection -- threadable */
{ char buf[1024];
char reply[1024];
int sd, bytes;
const char* HTMLecho="<html><body><pre>%s</pre></body></html>\n\n";
if ( SSL_accept(ssl) == FAIL ) /* do SSL-protocol accept */
ERR_print_errors_fp(stderr);
else
{
bytes = SSL_read(ssl, buf, sizeof(buf)); /* get request */
if ( bytes > 0 )
{
buf[bytes] = 0;
printf("Client msg: \"%s\"\n", buf);
sprintf(reply, HTMLecho, buf); /* construct reply */
SSL_write(ssl, reply, strlen(reply)); /* send reply */
}
else
ERR_print_errors_fp(stderr);
}
sd = SSL_get_fd(ssl); /* get socket connection */
SSL_free(ssl); /* release SSL state */
close(sd); /* close connection */
}
int main(int count, char *strings[])
{ SSL_CTX *ctx;
int server;
struct sockaddr_in addr;
char CertFile[] = "/opt/doamin.cer";char KeyFile[] = "/opt/doamin.key"; char CAFile[] = "doamin-ca.crt";
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
ctx = SSL_CTX_new(TLSv1_2_server_method());
SSL_CTX_set_options(ctx,SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_COMPRESSION);
LoadCertificates(ctx, CertFile, KeyFile,CAFile); /* load certs */
server = socket(PF_INET, SOCK_STREAM, 0);
bzero(&addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = INADDR_ANY;
if ( bind(server, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
{ perror("can't bind port"); abort(); }
if ( listen(server, 10) != 0 )
{ perror("Can't configure listening port");abort();}
while (1)
{ struct sockaddr_in addr;
socklen_t len = sizeof(addr);
SSL *ssl;
int client = accept(server, (struct sockaddr*)&addr, &len); /* accept connection as usual */
printf("Connection: %s:%d\n",inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));
ssl = SSL_new(ctx); /* get new SSL state with context */
SSL_set_fd(ssl, client); /* set connection socket to SSL state */
Servlet(ssl); /* service connection */
}
close(server); /* close server socket */
SSL_CTX_free(ctx); /* release context */
}
Client side ( on Windows )
int main()
{
SSL_load_error_strings();
ERR_load_crypto_strings();
ERR_load_SSL_strings();
OpenSSL_add_all_algorithms();
(void)SSL_library_init();
char *hostname = "dct.sub.domain.fr"; int port = 445;
SSL_CTX *ctx = SSL_CTX_new(TLSv1_2_client_method()); /* Create new context */
if (ctx == NULL)
{ ERR_print_errors_fp(stderr);abort(); }
struct hostent *host = gethostbyname(hostname)
struct sockaddr_in addr;
char aszBuffer[256];
if (!host)
abort();
int server = socket(PF_INET, SOCK_STREAM, 0);
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = *(long*)(host->h_addr);
if (connect(server, (struct sockaddr *)&addr, sizeof(addr)) != 0)
{ closesocket(server);perror(hostname);abort();}
// Load certificate from windows Store
X509_STORE* pSt = SSL_CTX_get_cert_store(ctx);
X509_LOOKUP* m_lookup = X509_STORE_add_lookup(pSt, X509_LOOKUP_file());
{
HCERTSTORE hStore;
PCCERT_CONTEXT pContext = NULL;
X509 *x509;
hStore = CertOpenSystemStore(NULL, L"ROOT");
if (!hStore)
return 1;
LPTSTR pszString;
LPTSTR pszName;
DWORD cbSize;
CERT_BLOB blobEncodedName;
while (pContext = CertEnumCertificatesInStore(hStore, pContext))
{
if (!(cbSize = CertGetNameString(pContext,CERT_NAME_SIMPLE_DISPLAY_TYPE,0,NULL,NULL,0)))
MyHandleError(TEXT("CertGetName 1 failed."));
if (!(pszName = (LPTSTR)malloc(cbSize * sizeof(TCHAR))))
MyHandleError(TEXT("Memory allocation failed."));
if (CertGetNameString(pContext,CERT_NAME_SIMPLE_DISPLAY_TYPE,0,NULL,pszName,cbSize))
{
_tprintf(TEXT("\nSubject -> %s.\n"), pszName);
//-------------------------------------------------------
// Free the memory allocated for the string.
free(pszName);
}
x509 = NULL;
x509 = d2i_X509(NULL, (const unsigned char **)&pContext->pbCertEncoded, pContext->cbCertEncoded);
if (x509)
{
int i = X509_STORE_add_cert(pSt, x509);
if (i == 1)
printf("certificate added\n");
X509_free(x509);
}
}
CertFreeCertificateContext(pContext);
CertCloseStore(hStore, 0);
}
SSL_CTX_set_ecdh_auto(ctx, 1);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
SSL_CTX_set0_chain_cert_store(ctx, pSt);
SSL* pSsl = SSL_new(ctx);
X509_VERIFY_PARAM *param = SSL_get0_param(pSsl);
X509_VERIFY_PARAM_set_hostflags(param, 0);
if (!X509_VERIFY_PARAM_set1_host(param, hostname, strlen(hostname) ))
return 0;
SSL_set_mode(pSsl, SSL_MODE_AUTO_RETRY);
SSL_set_fd(pSsl, server);
if (SSL_connect(pSsl) == -1)
abort();
long l = SSL_get_verify_result(pSsl);
if ( l == X509_V_OK)
printf("SSL_get_verify_result Ok \n");
else
printf("SSL_get_verify_result %d \n",l);
for (int j = 0; j < 5; ++j)
SSL_write(pSsl, 4, "test");
}
The client application gets to check the server but does not send its certificate ==> 1074894052:error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate:s3_srvr.c:3269:
Client result :
OpenSSL: Loaded CA cert : subject='/C=FR/O=compagny/CN=AC compagny Root'
OpenSSL: Loaded CA cert : subject='/C=FR/ST=France/L=Paris/O=compagny/OU=TRA/CN=*.sub.domain.fr' : ( From certmgr : With Private key for this domain )
OpenSSL: Loaded CA cert : subject='/C=FR/O=compagny/CN=AC compagny'
[...]
SSL_get_verify_result OK
Same thing appends with 'openssl s_client -connect dct.sub.domain.fr:445'
CONNECTED(000001A0)
depth=2 C = FR, O = company, OU = 0002 518888888, CN = AC company Root
verify error:num=19:self signed certificate in certificate chain
14220:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure: .\ssl\s3_pkt.c:1500:SSL alert number 40
14220:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:.\ssl\s23_lib.c:177:
---
Certificate chain
0 s:/C=FR/ST=France/L=Paris/O=company/OU=TRA/CN=*.sub.domain.fr
i:/C=FR/O=company/OU=0002 999999999/CN=AC company
1 s:/C=FR/O=company/OU=0002 999999999/CN=AC company
i:/C=FR/O=company/OU=0002 518888888/CN=AC Ccompany
2 s:/C=FR/O=company/OU=0002 518888888/CN=AC company
i:/C=FR/O=company/OU=0002 518888888/CN=AC company
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=FR/ST=France/L=Paris/O=company/OU=TRA/CN=*.sub.domain.fr
issuer=/C=FR/O=company/OU=0002 999999999/CN=AC company
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5325 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 8EB904862A6D7FB954F5A2AB701429D9D066852A0C7A40832EEC9AD3A56B66AE786D485BF8AFF8D37C4D27629A41D5F3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1523868440
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
But works with : 'openssl.exe s_client -connect dct.sub.doamin.fr:445 -cert out.crt -key out.crt -CAfile out.crt'
CONNECTED(000001A0)
depth=2 C = FR, O = compagny, OU = 0002 999999999, CN = AC compagny Root
verify return:1
depth=1 C = FR, O = compagny, OU = 0002 998888888, CN = AC compagny
verify return:1
depth=0 C = FR, ST = France, L = Paris, O = compagny, OU = TRA, CN = *.sub.domain.fr
verify return:1
---
Certificate chain
0 s:/C=FR/ST=France/L=Paris/O=compagny/OU=TRA/CN=*.sub.domain.fr
i:/C=FR/O=compagny/OU=0002 998888888/CN=AC compagny
1 s:/C=FR/O=compagny/OU=0002 998888888/CN=AC compagny
i:/C=FR/O=compagny/OU=0002 999999999/CN=AC compagny Root
2 s:/C=FR/O=compagny/OU=0002 999999999/CN=AC compagny Root
i:/C=FR/O=compagny/OU=0002 999999999/CN=AC compagny Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=FR/ST=France/L=Paris/O=compagny/OU=TRA/CN=*.sub.doamin.fr
issuer=/C=FR/O=compagny/OU=0002 88888888/CN=AC compagny
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 7208 bytes and written 5569 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FBF6E85A99787BFEA2088948841E03EFABD831D1D809CEB21DCB2C7CF3710997
Session-ID-ctx:
Master-Key: 16C1400E26554260B5921C305382BBFC098915CEBE54F5F9BB58D29715AFF94F7EDC5F88432887E4A8EA8487C8D9E939
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
[...]
Start Time: 1523882730
Timeout : 300 (sec)
Verify return code: 0 (ok)
Any help is appreciate, I tried many things but now I don't know where to continue,

How to ignore "localhost" in Apache HttpClient using TLSv1.2?

I've tested several syntax constructions for Apache HttpClinet (HTTPS & TLS) in order to ignore the certificate chain for self-signed certificates typically used in "localhost" configurations. There is a custom HttpClient that works well for TLSv1.1 but watching the server traces, it does not trigger use of TLSv1.2, which is the desired security algorithm.
Below you find an attempt to configure the HttpClient using TLSv1.2.
Suggestions for other constructions are welcome. The "localhost" scenario remains a usual mechanism for the development of peer-to-peer routines. Would be nice to have a configurable routine that accepts self-signed certificates for localhost access only.
TLSv1.1 example and using custom HttpClient (Works OK for TLSv1.1 but does not work for TLSv1.2):
HttpClient client = HttpClients.custom().setSSLHostnameVerifier(new NoopHostnameVerifier()).setSslcontext(new SSLContextBuilder().loadTrustMaterial(null, (x509Certificates, s) -> true).build()).build();
Server Log:
*** Finished
verify_data: { 251, 245, 220, 174, 235, 125, 248, 119, 220, 80, 38, 1 }
***
Thread-7, WRITE: TLSv1 Handshake, length = 48
%% Cached server session: [Session-23, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA]
Thread-7, WRITE: TLSv1 Application Data, length = 108
Thread-7, WRITE: TLSv1 Application Data, length = 1
Thread-7, WRITE: TLSv1 Application Data, length = 19
Client - OK
Debug HTTP response: HttpResponseProxy{HTTP/1.1 200 OK [Date: Tue, 21 Feb 2017 21:16:02 GMT, Access-control-allow-origin: *, Content-length: 20] ResponseEntityProxy{[Content-Length: 20,Chunked: false]}}
*** end of debug ***
Service HTTP Response Code : 200
contentLength is: 20
serviceResponse : This is the response
Testing with TLSv1.2 and code
SSLContext sslContext = SSLContexts.custom().build();
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
new String[]{"TLSv1.2"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
HttpClient client = HttpClients.custom().setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).setConnectionManager(clientConnectionManager).build();
(*) SSLContext class is deprecated
server log:
-Djavax.net.debug=ssl
or
System.setProperty("javax.net.debug", "ssl");
JsseJCE: Using MAC HmacSHA256 from provider TBD via init
MAC: Using MessageDigest HmacSHA256 from provider IBMJCE version 1.8
*** Finished
verify_data: { 69, 241, 3, 42, 44, 222, 21, 174, 250, 83, 244, 25 }
***
Thread-7, WRITE: TLSv1.2 Handshake, length = 80
%% Cached server session: [Session-21, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
Thread-7, READ: TLSv1.2 Alert, length = 64
Thread-7, RECV TLSv1.2 ALERT: warning, close_notify
Error at the client:
sh ./runit.sh
javax.net.ssl.SSLPeerUnverifiedException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=My Name, OU=RED, O=RED Brazil, L=MYCITY, ST=SP, C=BR)

The following construction managed to connect with TLSv1.2 using a localhost certificate:
// solution for localhost certificates and TLSv1.2
// copied from: http://stackoverflow.com/questions/34655031/javax-net-ssl-sslpeerunverifiedexception-host-name-does-not-match-the-certifica/34657512
// thanks
final SSLConnectionSocketFactory sslsf;
try {
sslsf = new SSLConnectionSocketFactory(SSLContext.getDefault(),
NoopHostnameVerifier.INSTANCE);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
final Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
.register("http", new PlainConnectionSocketFactory())
.register("https", sslsf)
.build();
// HttpClient client;
final PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
cm.setMaxTotal(100);
HttpClient client = HttpClients.custom()
.setSSLSocketFactory(sslsf)
.setConnectionManager(cm)
.build();
// end of solution for localhost bypass