[ https://issues.apache.org/jira/browse/BROOKLYN-456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15943671#comment-15943671 ]
Mark McKenna commented on BROOKLYN-456:
---------------------------------------

[~geomacy] I just tried the below test code pointing at https://httpbin.org/get and it worked ...
Although I believe there is something up with the SSL cert as I had to trust all certs

{code}
// Imports needed by the test method below (Apache HttpClient 4.5.x).
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import org.apache.http.HttpEntity;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.ResponseHandler;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.util.EntityUtils;

public void testApacheHttpClent() throws IOException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
    // The trust strategy accepts every certificate chain and NoopHostnameVerifier skips
    // the hostname check: this is the "trust all certs" setup described above.
    final CloseableHttpClient httpclient = HttpClients.custom()
            .setSSLContext(new SSLContextBuilder().loadTrustMaterial((chain, authType) -> true).build())
            .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).build();
    try {
        final HttpGet httpget = new HttpGet("https://httpbin.org/get");
        System.out.println("Executing request " + httpget.getRequestLine());

        // Create a custom response handler
        final ResponseHandler<String> responseHandler = response -> {
            int status = response.getStatusLine().getStatusCode();
            if (status >= 200 && status < 300) {
                final HttpEntity entity = response.getEntity();
                return entity != null ? EntityUtils.toString(entity) : null;
            } else {
                throw new ClientProtocolException("Unexpected response status: " + status);
            }
        };
        String responseBody = httpclient.execute(httpget, responseHandler);
        System.out.println("----------------------------------------");
        System.out.println(responseBody);
    } finally {
        httpclient.close();
    }
}
{code}

cc [~aled.s...@gmail.com]

> "SSLException: internal_error" upon trying to connect to site requiring SNI
> ---------------------------------------------------------------------------
>
>          Key: BROOKLYN-456
>          URL: https://issues.apache.org/jira/browse/BROOKLYN-456
>      Project: Brooklyn
>   Issue Type: Bug
>     Reporter: Geoff Macartney
>     Priority: Minor
>
> On 17th March brooklyn-server builds began failing, such as
> https://builds.apache.org/view/Brooklyn/job/brooklyn-server-master/492/.
> The errors were failures in tests
> {quote}
> org.apache.brooklyn.camp.brooklyn.HttpCommandEffectorYamlRebindTest.testRebindWhenHealthy
> org.apache.brooklyn.camp.brooklyn.HttpCommandEffectorYamlTest.testHttpCommandEffectorWithParameters
> org.apache.brooklyn.camp.brooklyn.CompositeEffectorYamlRebindTest.testRebindWhenHealthy
> org.apache.brooklyn.camp.brooklyn.CompositeEffectorYamlTest.testCompositeEffector
> {quote}
> all of which issued requests to "https://httpbin.org" for test purposes.
> There seems to have been a change in configuration on httpbin.org on the 16th
> of March, see
> [here|https://lists.apache.org/thread.html/2d7bfb556b5459590d266d079043861bc34c0b921a2b5346ae9fd8ae@%3Cdev.brooklyn.apache.org%3E].
> However the certificate changes appear not to be the problem, as far as I can
> tell, as the certificate chain from the site has root "Let's Encrypt
> Authority X3" (SHA1
> Fingerprint=E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB),
> which is signed by CA "DST Root CA X3" (Certificate fingerprint
> DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13), which is in the
> cacerts file of Java 8 by default.
> I believe the problem lies on the Java SSL client side, specifically that the
> client is not including the SNI (Server Naming Indicator) extension in the
> SSL handshake.
> httpbin requires this, compare
> {code}
> openssl s_client -showcerts -connect httpbin.org:443 </dev/null
> CONNECTED(00000003)
> 7944:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_lib.c:185:
> {code}
> with the output from
> {code}
> openssl s_client -servername httpbin.org -showcerts -connect httpbin.org:443 </dev/null
> {code}
> The result is that the connection attempt fails with
> {code}
> SSLException: Received fatal alert: internal_error
> {code}
> Searching around the web there seem to be a number of other people who have
> encountered this problem, e.g.
> https://forums.aws.amazon.com/message.jspa?messageID=669911. The issue seems
> to be fixed only in Java 9, but there may be workarounds on 7 and 8. I
> haven't tried these out yet.
> I will look at adding a test in Brooklyn to record this.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)