Re: How to add a ssl server cert for groovy?

2024-02-15 Thread Dirk Heinrichs via users
On Friday, 16.02.2024 at 07:20 + Bob Brown wrote:

> *I* am of the opinion that "Thou Shalt Never Modify The JVM Installation" and 
> this especially applies to the cacerts file. *I* always pass configuration 
> options around, eg:

I would say: "It depends". Debian (and its derivatives, like Ubuntu) has a 
mechanism in place for handling this. Just install the ca-certificates and 
ca-certificates-java packages, place your root certificate(s) in (a sub 
directory of) /usr/local/share/ca-certificates and run "update-ca-certificates 
--fresh". This will also update the system Java truststore.

HTH...

Dirk

--

Dirk Heinrichs
Senior Systems Engineer, Delivery Pipeline
OpenText ™ Discovery | Recommind
Phone: +49 2226 15966 18
Email: dhein...@opentext.com
Website: www.recommind.de
Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach


RE: How to add a ssl server cert for groovy?

2024-02-15 Thread Bob Brown
As Paul says, Groovy sits on top of Java...but...over the years, I have noticed 
that people are often unaware of the flexibility in the JVM.
I have seen "how to make a certificate for Application X" documents that are 
several dozen pages long, filled with generations of accumulated "good stuff" 
but...a 3-line command sequence would actually suffice...

So: Just FYI,

These two links GREATLY help with debugging cert-related issues:
https://stackoverflow.com/questions/23659564/limiting-java-ssl-debug-logging
https://colinpaice.blog/2020/04/05/using-java-djavax-net-debug-to-examine-data-flows-including-tls/

I also find the following useful; just add it to a class that is early in your 
application's startup sequence:

// the following will help debug the HttpURLConnection, including showing all
// headers... (needs these three imports in the class you add it to)
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

    static {
        // handler that prints every record to stderr
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.ALL);
        // the JDK's built-in HttpURLConnection logger (request/response lines and headers)
        Logger jlog = Logger.getLogger("sun.net.www.protocol.http.HttpURLConnection");
        jlog.addHandler(handler);
        jlog.setLevel(Level.ALL);
    }

*I* am of the opinion that "Thou Shalt Never Modify The JVM Installation" and 
this especially applies to the cacerts file. *I* always pass configuration 
options around, eg:

-Djavax.net.ssl.trustStore="..."
-Djavax.net.ssl.trustStorePassword=password
-Djavax.net.ssl.trustStoreType=PKCS12

(...many other properties exist, including keystore-related ones) Note that 
these properties are looked for 'automatically.' You should be able to specify 
them for your CI step.

One benefit of this is (especially in a closed infrastructure environment): 
YOUR stores can contain ONLY immediately relevant certificates...the cacerts 
file is a BIiiig catch-all blob. This is a nasty beast!

MUCH more at: 
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html

If you worry about sensitive info being leaked on the command line, you MAY be 
able to build a 'starter' class that simply asserts these into the 
System.properties Map and then starts your app proper, something like:

System.properties.with { p ->
    // NOTE: this re-enables legacy (insecure) TLS renegotiation; only set it for a
    // known-broken peer, never as a default
    p['sun.security.ssl.allowUnsafeRenegotiation'] = 'true'
    // TLS handshake tracing (see the javax.net.debug links above)
    p['javax.net.debug'] = 'ssl:handshake'

    // UnboundID LDAP SDK tracing, if that library is in play
    p['com.unboundid.ldap.sdk.debug.enabled'] = 'true'
    p['com.unboundid.ldap.sdk.debug.level'] = 'ALL'
    p['com.unboundid.ldap.sdk.debug.type'] = 'LDAP,LDIF'

    // same effect as -Djavax.net.ssl.trustStore=... on the command line,
    // as long as this runs before the first TLS connection is opened
    p['javax.net.ssl.trustStore'] = '...'
}

I'd also point you to: https://keystore-explorer.org/ a VERY nice tool for 
those who don't worship the command-line.

HTH,

BOB

-Original Message-
From: Paul King  
Sent: Friday, February 16, 2024 12:07 PM
To: users@groovy.apache.org
Subject: Re: How to add a ssl server cert for groovy?

Hi David,

Groovy sits on top of the JDK, so if you install cacerts into the JDK you are 
using, then Groovy should use them just fine.

Possibly there could be issues depending on what client library you are using 
to make the https connection.

Cheers, Paul.



On Fri, Feb 16, 2024 at 9:25 AM David Karr  wrote:
>
> I work behind a firewall, and it requires that I add a cert for our proxy to 
> the cacerts file in the Java distribution. This works fine.
>
> I have a quite old version of Groovy installed on my desktop, v2.4.21, which 
> is the version used by our Jenkins pipeline script.  I want to test some code 
> in groovyConsole before I try to run it on our CI server. For many things, 
> this works fine. However, I'm trying to iterate on some code that makes a 
> https connection, and I'm getting an error in groovyConsole that I believe is 
> the same error I get when the server cert is missing ("PKIX path building 
> failed"), which isn't surprising because I never installed the root cert in 
> the Groovy distribution.
>
> I've never really looked inside the Groovy distribution before. I don't even 
> see a cacerts file or anything that really looks like it, so it must do this 
> in a different way than the Java distribution. Is it possible that this is 
> because I'm using such an old version of Groovy?
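A Groovy script, added here as an example and not code from any poster, that answers the question underneath this thread: is the proxy's root certificate actually in the truststore the JVM will use? It resolves the store the same way JSSE does (javax.net.ssl.trustStore, trustStoreType and trustStorePassword if set, otherwise the JDK's own cacerts, which on Debian with ca-certificates-java is the file update-ca-certificates maintains), then looks for the certificate by its DER encoding rather than by alias. The file name proxy-root-ca.pem and the 'changeit' fallback password are assumptions.

```groovy
import java.security.KeyStore
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

// Input (assumed for this example): the PEM file holding the proxy's root CA,
// passed as the first argument, defaulting to a constructed file name.
String pemPath = args ? args[0] : 'proxy-root-ca.pem'

// Resolve the truststore exactly as JSSE does: the javax.net.ssl.* properties
// win; otherwise the JDK's own cacerts. java.home already points at the JRE
// directory on Java 8, so this path is right for 8 and for 9+.
String storePath = System.getProperty('javax.net.ssl.trustStore') ?:
        "${System.getProperty('java.home')}/lib/security/cacerts"
String storeType = System.getProperty('javax.net.ssl.trustStoreType') ?: KeyStore.defaultType
char[] storePass = (System.getProperty('javax.net.ssl.trustStorePassword') ?: 'changeit').toCharArray()

// Parse the certificate we expect the JVM to trust.
X509Certificate wanted = new File(pemPath).withInputStream { ins ->
    (X509Certificate) CertificateFactory.getInstance('X.509').generateCertificate(ins)
}

// Load the store with the same type and password the JVM would use.
KeyStore ks = KeyStore.getInstance(storeType)
new File(storePath).withInputStream { ins -> ks.load(ins, storePass) }

// Match on the DER bytes, not on the alias: aliases are arbitrary labels and
// the same CA can be imported under any name.
String alias = ks.aliases().toList().find { a ->
    ks.isCertificateEntry(a) && Arrays.equals(ks.getCertificate(a).encoded, wanted.encoded)
}

println "Truststore : ${storePath} (${storeType}, ${ks.size()} entries)"
println "Looking for: ${wanted.subjectX500Principal.name}"
println "Expires    : ${wanted.notAfter}"
if (alias) {
    println "Present as alias '${alias}': a 'PKIX path building failed' error is not caused by this store."
} else {
    println "Absent: connections to hosts chaining to this CA will fail with 'PKIX path building failed'."
}
```

Run it once plainly (groovy check.groovy proxy-root-ca.pem) to see what the bare JDK trusts, and once with -Djavax.net.ssl.trustStore=... to confirm the dedicated store the CI job will be given.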


Re: How to add a ssl server cert for groovy?

2024-02-15 Thread Paul King
Hi David,

Groovy sits on top of the JDK, so if you install cacerts into the JDK
you are using, then Groovy should use them just fine.

Possibly there could be issues depending on what client library you
are using to make the https connection.

Cheers, Paul.



On Fri, Feb 16, 2024 at 9:25 AM David Karr  wrote:
>
> I work behind a firewall, and it requires that I add a cert for our proxy to 
> the cacerts file in the Java distribution. This works fine.
>
> I have a quite old version of Groovy installed on my desktop, v2.4.21, which 
> is the version used by our Jenkins pipeline script.  I want to test some code 
> in groovyConsole before I try to run it on our CI server. For many things, 
> this works fine. However, I'm trying to iterate on some code that makes a 
> https connection, and I'm getting an error in groovyConsole that I believe is 
> the same error I get when the server cert is missing ("PKIX path building 
> failed"), which isn't surprising because I never installed the root cert in 
> the Groovy distribution.
>
> I've never really looked inside the Groovy distribution before. I don't even 
> see a cacerts file or anything that really looks like it, so it must do this 
> in a different way than the Java distribution. Is it possible that this is 
> because I'm using such an old version of Groovy?