
So, I am trying to make an SSL request using HttpClient 4.5.3 to a PuppetDB endpoint, which is signed with its own cert. The following curl query from the docs works fine:

curl -X GET https://hostname:8081/pdb/query/v4/resources \
  --tlsv1 \
  --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
  --cert /etc/puppetlabs/puppet/ssl/certs/hostname.pem \
  --key /etc/puppetlabs/puppet/ssl/private_keys/hostname.pem \
  --data-urlencode query@query.txt

I tried the documentation here, but that isn't working. Most examples I find online are HttpClient < 4.3, and all of those methods are deprecated. I tried allowing all certs with the following:

import org.apache.http.StatusLine;
import org.apache.http.client.ResponseHandler;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;

// Trust material only: a self-signed server certificate is accepted without a
// trust-store entry, but no client key/cert is loaded (loadKeyMaterial is never
// called), so this client has nothing to present if the server asks for one.
SSLContextBuilder sshbuilder = new SSLContextBuilder();
sshbuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sshbuilder.build());

try (CloseableHttpClient httpclient = HttpClients.custom()
        .setSSLSocketFactory(sslsf)
        .build()) {
    HttpGet get = new HttpGet(uri);            // uri: the PuppetDB query URL (defined elsewhere)
    httpclient.execute(get, (ResponseHandler<Void>) response -> {
        StatusLine line = response.getStatusLine();
        int code = line.getStatusCode();
        logger.println("Response code: " + code);  // logger: a PrintStream (defined elsewhere)
        return null;
    });
}

which returns:

Executor #0 for master : executing test #44, WRITE: TLSv1 Handshake, length = 48
Executor #0 for master : executing test #44, received EOFException: error
Executor #0 for master : executing test #44, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
Executor #0 for master : executing test #44, SEND TLSv1 ALERT:  fatal, description = handshake_failure
Executor #0 for master : executing test #44, WRITE: TLSv1 Alert, length = 32
Executor #0 for master : executing test #44, called closeSocket()
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

Any help would be great. Thanks!

  • Did you try explicitly using TLSV1 on client side, because JDK 8 uses tlsv1.2 by default? – TruckDriver Aug 04 '17 at 09:25
  • I assume you have added puppet key, certificate and CA certificate to some Java keystore.jks; you can temporarily replace the JVM keystore.jks located under $JAVA_HOME/jre/lib/security/cacerts and try to build SSLContext with default values, to check if this works. – Anton Krosnev Aug 04 '17 at 12:51
  • @Timothy I have tried both TLSv1 and TLS1.2, no success. –  Aug 04 '17 at 18:15
  • @AntonKrosnev I was hoping to do this programmatically with passing in the files as arguments. Is that not possible? –  Aug 04 '17 at 18:16
  • @KeithMiller I think it will be easier to convert it first to .jks, otherwise you should write some code to load certificates and keys like: https://stackoverflow.com/questions/11787571/how-to-read-pem-file-to-get-private-and-public-key – Anton Krosnev Aug 07 '17 at 11:53
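The curl command in the question does two things the posted Java code does not: it authenticates with a client certificate (--cert/--key) and it verifies the server against the Puppet CA (--cacert), whereas the Java code calls only loadTrustMaterial with a TrustSelfSignedStrategy, so it has no client identity to present and skips the CA check rather than reproducing it. The following is an added example, not code from the question, from HttpClient's documentation or from Puppet: a JDK-only HttpClient 4.5.3 client that builds the same three-file identity from PEM paths, the programmatic approach the question and Anton Krosnev's last comment discuss. Assumptions: the private key has been converted once from Puppet's PKCS#1 format to unencrypted PKCS#8 (the openssl command is in the comment), the hostname comes from args[0], the query text is read from query.txt in the working directory, and the keystore aliases and in-memory password are placeholders.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.SSLContext;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.util.EntityUtils;

public class PuppetDbMutualTls {

    // Assumption: the key file is unencrypted PKCS#8 ("BEGIN PRIVATE KEY").
    // Puppet writes PKCS#1 ("BEGIN RSA PRIVATE KEY"), which the JDK cannot parse
    // directly; convert it once with
    //   openssl pkcs8 -topk8 -nocrypt -in hostname.pem -out hostname.pk8
    // or parse PKCS#1 with a PEM library such as Bouncy Castle's PEMParser.
    static PrivateKey loadPkcs8Pem(Path pem) throws Exception {
        String body = new String(Files.readAllBytes(pem), StandardCharsets.US_ASCII)
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // CertificateFactory accepts PEM-encoded X.509 certificates as-is.
    static X509Certificate loadPemCert(Path pem) throws Exception {
        try (InputStream in = Files.newInputStream(pem)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Equivalent of --cacert/--cert/--key: the Puppet CA is the only trust anchor
    // (no TrustSelfSignedStrategy, so the chain is actually verified), and the host
    // cert plus key are the client identity presented when the server requests one.
    static SSLContext buildSslContext(Path caPem, Path certPem, Path keyPkcs8) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("puppet-ca", loadPemCert(caPem));

        char[] pw = "in-memory-only".toCharArray(); // placeholder; the store never touches disk
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setKeyEntry("puppet-client", loadPkcs8Pem(keyPkcs8), pw,
                new Certificate[] { loadPemCert(certPem) });

        return SSLContextBuilder.create()
                .loadTrustMaterial(trustStore, null)
                .loadKeyMaterial(keyStore, pw)
                .build();
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];                               // assumption: hostname passed as argument
        Path sslDir = Paths.get("/etc/puppetlabs/puppet/ssl"); // same layout as the curl command
        SSLContext ctx = buildSslContext(
                sslDir.resolve("certs/ca.pem"),
                sslDir.resolve("certs/" + host + ".pem"),
                sslDir.resolve("private_keys/" + host + ".pk8"));

        // Pin TLSv1.2 (curl's --tlsv1 accepts 1.0 and later; pinning is a choice made here)
        // and keep the default hostname verifier, so the server cert must match `host`.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                ctx, new String[] { "TLSv1.2" }, null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sslsf).build()) {
            // --data-urlencode query@query.txt on a GET is a URL-encoded `query` parameter
            String query = new String(Files.readAllBytes(Paths.get("query.txt")), StandardCharsets.UTF_8);
            HttpGet get = new HttpGet(new URIBuilder("https://" + host + ":8081/pdb/query/v4/resources")
                    .addParameter("query", query).build());
            try (CloseableHttpResponse resp = client.execute(get)) {
                System.out.println("Response code: " + resp.getStatusLine().getStatusCode());
                System.out.println(EntityUtils.toString(resp.getEntity(), StandardCharsets.UTF_8));
            }
        }
    }
}
```

If the handshake still fails with this setup, enabling -Djavax.net.debug=ssl,handshake on the JVM shows whether the server sends a CertificateRequest and which certificate chain the client answers with, which is the first thing to compare against the working curl run.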
