Keycloak / KEYCLOAK-1189

SSLPeerUnverifiedException when deploying Keycloak with JDK 8

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 1.1.0.Beta2, 1.1.0.Final, 1.2.0.Beta1
    • Fix Version/s: 1.2.0.CR1
    • Component/s: Adapter - Java
    • Labels:
      None
    • Steps to Reproduce:
      To reproduce the issue follow these steps:

      1. Create a cartridge with WildFly Application Server 8.2.0.Final
      2. git clone ssh://42@mycartridge.rhcloud.com/~/git/mycartridge.git
      3. Deploy the UPS integration project here: https://github.com/keycloak/keycloak/tree/master/project-integrations/aerogear-ups
      4. See the exception:

      server.log
      ERROR [io.undertow.request] (default task-8) UT005023: Exception handling request to /ag-push/index.html: java.lang.RuntimeException: Unable to resolve realm public key remotely
              at org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:134) [keycloak-adapter-core-1.1.0.Final.jar:1.1.0.Final]
              at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:83) [keycloak-adapter-core-1.1.0.Final.jar:1.1.0.Final]
              at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:71) [keycloak-adapter-core-1.1.0.Final.jar:1.1.0.Final]
              at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:47) [keycloak-adapter-core-1.1.0.Final.jar:1.1.0.Final]
              at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_31]
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_31]
              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_31]
      Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
              at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) [jsse.jar:1.8.0_31]
              at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1.jar:4.2.1]
              at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) [httpclient-4.2.1.jar:4.2.1]
              at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) [httpclient-4.2.1.jar:4.2.1]
      

      Description

      Good morning, I might have found a bug in one of the Keycloak dependencies.

      The problem is related to HttpClient 4.2.1 and Java 8 after deploying UPS on OpenShift with WildFly 8.2.0.Final cartridge on top of JDK 8.

      To work around:

      1. cd mycartridge && rm .openshift/markers/java8
      2. touch .openshift/markers/java7
      3. Deploy UPS and the Auth server

      This can work around the problem, although it doesn't fix the issue. Going further, WildFly 8.2 has HttpClient 4.2.1 as one of the dependencies from Resteasy, which does not send the TLS 1.2 ClientHello required by Java 8, causing the reported exception during the handshake (https://issues.apache.org/jira/browse/HTTPCLIENT-1346).

      The immediate fix would be to upgrade HttpClient to 4.3.6 or superior, like WildFly 9 already did. But I'm not sure about the consequences for Resteasy on WildFly 8.2.0.Final, once the dependency was commented https://github.com/keycloak/keycloak/blob/master/pom.xml#L482.
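
A log-triage sketch for the failure reported above, added here as an example and not part of the original report or of Keycloak's code: it reads the jar versions WildFly prints on each stack frame and flags an SSLPeerUnverifiedException raised with HttpClient older than 4.3.6 on a Java 8 runtime, the combination the report describes. The function names and the second sample trace are assumptions made for illustration.

```python
import re

# WildFly appends "[<jar file>:<version>]" to each stack frame.
FRAME = re.compile(r"\[(?P<jar>[^\]:\s]+)\.jar:(?P<ver>[^\]\s]+)\]")
CAUSE = "Caused by: javax.net.ssl.SSLPeerUnverifiedException"
FIXED_HTTPCLIENT = (4, 3, 6)  # upgrade target named in the report

def numeric(version):
    """'4.2.1' -> (4, 2, 1); '1.8.0_31' -> (1, 8, 0)."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("_")[0]))

def java_major(version):
    parts = numeric(version)
    return parts[1] if parts[0] == 1 else parts[0]  # '1.8.0_31' -> 8

def triage(log_text):
    """One finding per SSLPeerUnverifiedException cause block in the log."""
    findings, lines = [], log_text.splitlines()
    for i, line in enumerate(lines):
        if CAUSE not in line:
            continue
        jars = {}
        for frame in lines[i + 1:]:
            if not frame.lstrip().startswith("at "):
                break  # end of this cause block
            m = FRAME.search(frame)
            if m:
                name, ver = m["jar"], m["ver"]
                if name.endswith("-" + ver):  # httpclient-4.2.1 -> httpclient
                    name = name[: -len(ver) - 1]
                jars.setdefault(name, ver)
        client, jre = jars.get("httpclient"), jars.get("jsse") or jars.get("rt")
        affected = bool(client and jre and java_major(jre) == 8
                        and numeric(client) < FIXED_HTTPCLIENT)
        findings.append({"httpclient": client, "jre": jre, "affected": affected})
    return findings

# Constructed sample: first block shortened from the report's trace, second invented for contrast.
SAMPLE_LOG = """\
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) [jsse.jar:1.8.0_31]
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1.jar:4.2.1]
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) [jsse.jar:1.8.0_31]
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.3.6.jar:4.3.6]
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
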

                People

                • Assignee:
                  stianst Stian Thorgersen
                  Reporter:
                  abstractj Bruno Oliveira da Silva
                • Votes:
                  0
                  Watchers:
                  3
