SSLLooseConfig.acceptAnyCertificate doesn't seem to do anything

[pkoryzna]

While using akka-http, I need to have an option to trust all the certificates when connecting via HTTPS. I follow the instructions on http://lightbend.github.io/ssl-config/LooseSSL.html#loose-options and https://doc.akka.io/docs/akka-http/10.0.10/scala/http/client-side/client-https-support.html#disabling-tls-security-features-at-your-own-risk, but had no success - the certificate still seems to be validated regardless of the setting. Opening a connection just keeps throwing a stack trace like one below.

Why: I'm writing a plugin for a certain application which bundles its own JDK. The certificate authorities more often than not will not be under my control, and I cannot expect users to add certificates to cacerts or supply thier own files.

javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:367)
	at akka.stream.impl.io.TLSActor.doInbound(TLSActor.scala:290)
	at akka.stream.impl.io.TLSActor.$anonfun$bidirectional$1(TLSActor.scala:225)
	at akka.stream.impl.Pump.pump(Transfer.scala:199)
	at akka.stream.impl.Pump.pump$(Transfer.scala:197)
	at akka.stream.impl.io.TLSActor.pump(TLSActor.scala:48)
	at akka.stream.impl.BatchingInputBuffer.enqueueInputElement(ActorProcessor.scala:90)
	at akka.stream.impl.BatchingInputBuffer$$anonfun$upstreamRunning$1.applyOrElse(ActorProcessor.scala:141)
	at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:34)
	at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
	at akka.stream.impl.FanIn$InputBunch$$anonfun$subreceive$1.applyOrElse(FanIn.scala:234)
	at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:34)
	at akka.stream.impl.SubReceive.apply(Transfer.scala:16)
	at akka.stream.impl.SubReceive.apply(Transfer.scala:12)
	at scala.PartialFunction.applyOrElse(PartialFunction.scala:123)
	at scala.PartialFunction.applyOrElse$(PartialFunction.scala:122)
	at akka.stream.impl.SubReceive.applyOrElse(Transfer.scala:12)
	at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:171)
	at akka.actor.Actor.aroundReceive(Actor.scala:502)
	at akka.actor.Actor.aroundReceive$(Actor.scala:500)
	at akka.stream.impl.io.TLSActor.aroundReceive(TLSActor.scala:48)
	at akka.actor.ActorCell.receiveMessage(ActorCell.scala:526)
	at akka.actor.ActorCell.invoke(ActorCell.scala:495)
	at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:257)
	at akka.dispatch.Mailbox.run(Mailbox.scala:224)
	at akka.dispatch.Mailbox.exec(Mailbox.scala:234)
	at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
	at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
	at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
	at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:157)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
	at akka.stream.impl.io.TLSActor.runDelegatedTasks(TLSActor.scala:402)
	at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:371)
	... 29 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1493)
	... 37 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
	... 43 more

[juwalter]

I wonder if this actually an issue for ssl-config or the underlying akka-http dependency?

[juwalter]

@pkoryzna - can you please include a minimal example, ie pointing to some site with a self-signed certificate? I made one here: https://139.59.135.117/

[pkoryzna]

Minimal example here: https://gist.github.com/pkoryzna/f288d8471c7e1c8822b3594d043d7017

[iRevive]

Custom SSL context works for me.
Example: https://gist.github.com/iRevive/4a3c7cb96374da5da80d4538f3da17cb
And 'on demand' trustful ssl context: https://gist.github.com/iRevive/7d17144284a7a2227487635ec815860d

[drewhk]

I confirm, this setting does not work.

[Gangareddy]

java.lang.RuntimeException: Delegated task threw Exception/Error
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:385)
	at akka.stream.impl.io.TLSActor.doInbound(TLSActor.scala:295)
	at akka.stream.impl.io.TLSActor.$anonfun$bidirectional$1(TLSActor.scala:230)
	at akka.stream.impl.Pump.pump(Transfer.scala:202)
	at akka.stream.impl.Pump.pump$(Transfer.scala:200)
	at akka.stream.impl.io.TLSActor.pump(TLSActor.scala:50)
	at akka.stream.impl.BatchingInputBuffer.enqueueInputElement(ActorProcessor.scala:96)
	at akka.stream.impl.BatchingInputBuffer$$anonfun$upstreamRunning$1.applyOrElse(ActorProcessor.scala:147)
	at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:38)
	at akka.stream.impl.SubReceive.apply(Transfer.scala:18)
	at akka.stream.impl.FanIn$InputBunch$$anonfun$subreceive$1.applyOrElse(FanIn.scala:242)
	at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:38)
	at akka.stream.impl.SubReceive.apply(Transfer.scala:18)
	at akka.stream.impl.SubReceive.apply(Transfer.scala:14)
	at scala.PartialFunction.applyOrElse(PartialFunction.scala:127)
	at scala.PartialFunction.applyOrElse$(PartialFunction.scala:126)
	at akka.stream.impl.SubReceive.applyOrElse(Transfer.scala:14)
	at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:175)
	at akka.actor.Actor.aroundReceive(Actor.scala:539)
	at akka.actor.Actor.aroundReceive$(Actor.scala:537)
	at akka.stream.impl.io.TLSActor.aroundReceive(TLSActor.scala:50)
	at akka.actor.ActorCell.receiveMessage(ActorCell.scala:612)
	at akka.actor.ActorCell.invoke(ActorCell.scala:581)
	at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:268)
	at akka.dispatch.Mailbox.run(Mailbox.scala:229)
	at akka.dispatch.Mailbox.exec(Mailbox.scala:241)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: java.lang.NullPointerException
	at sun.net.util.IPAddressUtil.textToNumericFormatV4(IPAddressUtil.java:49)
	at sun.net.util.IPAddressUtil.isIPv4LiteralAddress(IPAddressUtil.java:241)
	at sun.security.util.HostnameChecker.isIpAddress(HostnameChecker.java:124)
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:92)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
	at akka.stream.impl.io.TLSActor.runDelegatedTasks(TLSActor.scala:423)
	at akka.stream.impl.io.TLSActor.doUnwrap(TLSActor.scala:392)
	... 29 more

This is the exception I got when I tried to use loose SSL settings in Akka