1

When trying to hit an environment with improperly configured SSL certificates, I get the following error:

```
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:776)
    at dispatch.BlockingHttp$class.dispatch$BlockingHttp$$execute(Http.scala:45)
    at dispatch.BlockingHttp$$anonfun$execute$1$$anonfun$apply$3.apply(Http.scala:58)
    at dispatch.BlockingHttp$$anonfun$execute$1$$anonfun$apply$3.apply(Http.scala:58)
    at scala.Option.getOrElse(Option.scala:108)
    at dispatch.BlockingHttp$$anonfun$execute$1.apply(Http.scala:58)
    at dispatch.Http.pack(Http.scala:25)
    at dispatch.BlockingHttp$class.execute(Http.scala:53)
    at dispatch.Http.execute(Http.scala:21)
    at dispatch.HttpExecutor$class.x(executor.scala:36)
    at dispatch.Http.x(Http.scala:21)
    at dispatch.HttpExecutor$class.when(executor.scala:50)
    at dispatch.Http.when(Http.scala:21)
    at dispatch.HttpExecutor$class.apply(executor.scala:60)
    at dispatch.Http.apply(Http.scala:21)
    at com.secondmarket.cobra.lib.delegate.UsersBDTest.tdsGet(UsersBDTest.scala:130)
    at com.secondmarket.cobra.lib.delegate.UsersBDTest.setup(UsersBDTest.scala:40)
```

I would like to ignore the certificates entirely.

Update: I understand the technical concerns regarding improperly configured SSL certs and the issue isn't with our boxes but a service we're using. It happens mostly on test boxes rather than prod/stg so we're investigating but needed something to test the APIs.

Urist McDev
prafulfillment
  • 4
    I would suggest creating your own test CA for your test environment and using it to issue certificates for your test clients/servers instead of trying to ignore these error messages: this will be more realistic and should prevent you from leaving these checks disabled in your final product. – Bruno Mar 19 '12 at 19:03
  • How do you configure CA w/dispatch in Scala? – prafulfillment Mar 19 '12 at 19:09
  • I'd suspect the same `javax.net.ssl.*` system properties as in Java should work. If you're not familiar with keystores/truststores, [this](http://stackoverflow.com/a/6341566/372643) may help. – Bruno Mar 19 '12 at 19:14
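
Bruno's suggestion in the comments above (a test CA, trusted through the `javax.net.ssl.*` system properties) could look like this in Scala. This is an added example, not code from the thread or from Dispatch; it uses only JDK APIs, and the object name `TestCaTrust`, the alias `test-ca` and the file paths passed on the command line are assumptions.

```scala
import java.io.{FileInputStream, FileOutputStream}
import java.security.KeyStore
import java.security.cert.CertificateFactory
import javax.net.ssl.{SSLContext, TrustManagerFactory}

object TestCaTrust {
  // Build an in-memory truststore that contains only the test CA certificate.
  // caCertPath is a PEM- or DER-encoded X.509 certificate file (assumed input).
  def trustStoreFor(caCertPath: String): KeyStore = {
    val in = new FileInputStream(caCertPath)
    try {
      val caCert = CertificateFactory.getInstance("X.509").generateCertificate(in)
      val ks = KeyStore.getInstance(KeyStore.getDefaultType)
      ks.load(null, null) // initialise an empty store
      ks.setCertificateEntry("test-ca", caCert)
      ks
    } finally in.close()
  }

  // Write the store to disk and point the JVM-wide default trust settings at it.
  // Call this before the first HTTPS request is made in the JVM. The JDK's
  // bundled cacerts is no longer consulted, so use this in test JVMs only.
  def installAsJvmDefault(ks: KeyStore, storePath: String, password: String): Unit = {
    val out = new FileOutputStream(storePath)
    try ks.store(out, password.toCharArray) finally out.close()
    System.setProperty("javax.net.ssl.trustStore", storePath)
    System.setProperty("javax.net.ssl.trustStorePassword", password)
    System.setProperty("javax.net.ssl.trustStoreType", ks.getType)
  }

  // Alternative for HTTP clients that accept an explicit SSLContext:
  // validation stays on, but only chains ending at the test CA are accepted.
  def sslContextFor(ks: KeyStore): SSLContext = {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
    tmf.init(ks)
    val ctx = SSLContext.getInstance("TLS")
    ctx.init(null, tmf.getTrustManagers, null)
    ctx
  }

  def main(args: Array[String]): Unit = {
    require(args.length == 3, "usage: TestCaTrust <ca-cert-file> <truststore-out> <password>")
    val ks = trustStoreFor(args(0))
    installAsJvmDefault(ks, args(1), args(2))
    println("Truststore written with alias test-ca: " + ks.containsAlias("test-ca"))
  }
}
```

Chain and hostname checks stay enabled with this setup, so the test servers need certificates issued by this CA for the host names the tests connect to.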

3 Answers

5

You can't 'ignore the certificates entirely' for the following reasons:

  1. The problem in this case is that the client didn't even provide one.
  2. If you don't want security why use SSL at all?
  3. I have no doubt whatsoever that many, perhaps most, of these alleged workarounds 'for development' have 'leaked' into production. There is a significant risk of deploying an insecure system if you build an insecure system. If you don't build the insecurity in, you can't deploy it, so the risk vanishes.
user207421
  • 1
    Agreed, I can imagine a few pre-shipment checklists saying "Is it using SSL?" -> box ticked, without saying anything about whether the trust managers have been configured properly. – Bruno Mar 19 '12 at 23:18
  • 3
    Maybe he wants to check the overhead of SSL on the load of the system on a test environment first. Maybe the information he's seeing is sensitive (say he's reproducing issues found in production) and there aren't as many certificates as there are developers (maybe there is not even a DNS entry yet). Saying "don't do it" without understanding the exact use-case is likely to get security advice ignored when it actually does matter. – Quartz Oct 06 '14 at 19:59
2

The following was able to allow unsafe SSL certs.

```scala
Http.postData(url, payload).options(HttpOptions.allowUnsafeSSL,
                                    HttpOptions.readTimeout(5000))
```
prafulfillment
1

For the newest version of Dispatch (0.13.2), you can use the following to create an http client that accepts any certificate:

```scala
val myHttp = Http.withConfiguration(config => config.setAcceptAnyCertificate(true))
```

Then you can use it for GET requests like this:

```scala
myHttp(url("https://www.host.com/path").GET OK as.String)
```

(Modify accordingly for POST requests...)

I found this out here: Why does dispatch throw "java.net.ConnectException: General SSLEngine ..." and "unexpected status" exceptions for a particular URL?

And to create an Http client that does verify the certificates, I found some sample code here: https://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/.

Bruno