Hi,
Following my previous comment about the missing API in SecurityConfig, you have added the option to specify keystore/password. However, using the same file that I used for SDK 2 throws an exception.
My code:
environmentBuilder.securityConfig(
    SecurityConfig.builder()
        .enableTls(true)
        .trustStore(Paths.get(sslKeystoreFile), sslKeystorePassword, Optional.empty()));
The exception:
[com.couchbase.io][SecureConnectionFailedEvent] Detected a TLS problem in the IO layer: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem, Cause: java.security.cert.CertificateException: No name matching server found {"coreId":"0x9a2562c800000001","local":"/ip:59253","remote":"server/10.99.81.136:18091"}
Note that there is an entry for this server in the keystore, and for sdk 2 it worked.
Am I missing something? In the exception I see that the remote address contains a concatenation of the server name and an IP (which is not coming from my config); maybe this is the problem?
Guys,
@daschl,
I really need help on this. How come my keystore works for CB SDK 2 and not for SDK 3 for the same server? What am I missing in the config?
Does enabling SSL require JDK > 8 or another dependency to be included?
@ashernave SDK 3 is JDK 8+ anyway, so that should not be a problem (nothing needed from JDK 9 or later).
One difference though is that in SDK 3, hostname validation is performed out of the box, but in SDK 2 it is opt-in via the configuration. So if your certs are not properly configured with the right hostnames, it will work in 2 but not 3. You can easily check by using .trustManagerFactory(InsecureTrustManagerFactory.INSTANCE) in the config temporarily (!) to see if it works.
Also, to check if my assumption is right: in recent SDK 2 releases there is a config flag to enable hostname validation (sslHostnameVerificationEnabled). If you enable it there and it starts failing, this is very likely your issue.
@ashernave also, which SDK version are you using? If it’s 3.0.0 please upgrade to at least 3.0.1 (preferably 3.0.3) so that you do not run into https://issues.couchbase.com/browse/JVMCBC-806
Hi @daschl
You are right. When I went back to the older SDK and enabled sslHostnameVerificationEnabled, the service failed to start. Also, in SDK 3 the service runs OK with .trustManagerFactory(InsecureTrustManagerFactory.INSTANCE).
So the problem is with the certificate.
Oh, and I use 3.0.3
Thanks,
Asher
Hi @daschl
It appears that our devops certificate policy doesn’t allow the hostname verification to work. Is it possible to have this flag returned so I can disable it? Can I override TrustManagerFactory to remove this check?
Asher
@ashernave yes, you can use the insecure trust manager, but of course we do not recommend it, since it does not validate the certificate properly, which an attacker can exploit. Note that in general the TrustManagerFactory is part of javax.net.ssl, so any configuration you can do in general with Java & SSL can be passed in here (so you can also implement custom strategies that fit your use case).
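The program below is an added example for this thread, not code from the forum posts or from the Couchbase SDK. It reproduces, with plain javax.net.ssl, the two things the thread turns on: a standard PKIX TrustManagerFactory built from a trust store (the secure counterpart of passing InsecureTrustManagerFactory.INSTANCE) and HTTPS-style endpoint identification, which is what produces "No name matching <host> found" when the server certificate carries no subjectAltName for the hostname that was dialled. Running it against the same trust store and host:port shows which names the trusted certificates actually cover, so the certificate can be fixed (or the correct hostname used) instead of disabling validation. The class name, method names and command-line arguments are hypothetical; it assumes a JKS or PKCS12 trust store readable with the given password and a reachable TLS endpoint.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical diagnostic (not part of the Couchbase SDK): loads a trust store,
 * lists the names its certificates vouch for, then performs a TLS handshake with
 * hostname verification switched on, as SDK 3 does by default.
 *
 * Usage: java TlsHostnameCheck <truststore.jks> <password> <host> <port>
 */
public class TlsHostnameCheck {

    /** Load the trust store once; both the listing and the handshake use it. */
    static KeyStore loadTrustStore(Path storePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Standard PKIX trust manager over the store: the secure alternative to InsecureTrustManagerFactory. */
    static TrustManagerFactory trustManagerFactoryFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf;
    }

    /** Print subject and every subjectAltName of each certificate, so the operator sees which hostnames/IPs match. */
    static void dumpTrustedNames(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            System.out.println("alias " + alias + " subject=" + x.getSubjectX500Principal());
            Collection<List<?>> sans = x.getSubjectAlternativeNames();
            if (sans == null) {
                System.out.println("  (no subjectAltName extension; RFC 6125 matching does not fall back to the CN)");
                continue;
            }
            for (List<?> san : sans) {
                // GeneralName type tags: 2 = dNSName, 7 = iPAddress. Connecting by IP needs an iPAddress entry.
                System.out.println("  SAN type " + san.get(0) + " = " + san.get(1));
            }
        }
    }

    /** Handshake with endpoint identification enabled; fails with "No name matching ... found" on a SAN mismatch. */
    static X509Certificate handshake(TrustManagerFactory tmf, String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // "HTTPS" selects RFC 2818 / RFC 6125 hostname matching of 'host' against the server certificate.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            return (X509Certificate) socket.getSession().getPeerCertificates()[0];
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTrustStore(Paths.get(args[0]), args[1].toCharArray());
        dumpTrustedNames(ks);
        X509Certificate leaf = handshake(trustManagerFactoryFor(ks), args[2], Integer.parseInt(args[3]));
        System.out.println("handshake OK, server presented " + leaf.getSubjectX500Principal());
    }
}
```

Run it with the hostname the application actually connects with; if the handshake fails while the SAN listing shows only other names (or only a CN), the certificate, not the SDK, is what needs changing. A custom TrustManagerFactory passed to the SDK should be built the same way from a store of trusted certificates, not by accepting every chain.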