Bypass SSL certification


(Prashanth R) #1

Hi,

I am trying to build SimpleBinaryEncoding version 1.5.5 (https://github.com/real-logic/simple-binary-encoding).

It uses gradle and it fails in SSL certification.

Is there any way to bypass SSL certification? I searched and found a couple of options (-Dcom.sun.net.ssl.checkRevocation=false -Dtrust_all_cert=true) and I am setting them, but no luck.

wget works if I use ‘no-check-certificate’ switch.

wget --no-check-certificate -e use_proxy=yes -e https_proxy="proxyUrl" "https://services.gradle.org/distributions/gradle-3.2.1-all.zip"

Thanks.

—gradle.properties file—

systemProp.https.proxyHost=
systemProp.https.proxyPort=8080
systemProp.https.proxyUser=
systemProp.https.proxyPassword=

systemProp.http.proxyHost=
systemProp.http.proxyPort=8080
systemProp.http.proxyUser=
systemProp.http.proxyPassword=

—command and output—
java -Dcom.sun.net.ssl.checkRevocation=false -Dtrust_all_cert=true -Dorg.gradle.appname=gradlew -classpath /home/user/simple-binary-encoding-1.5.5/gradle/wrapper/gradle-wrapper.jar org.gradle.wrapper.GradleWrapperMain
Downloading https://services.gradle.org/distributions/gradle-3.2.1-all.zip

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1472)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:213)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1035)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)


(Mark Vieira) #2

You could just modify the gradle-wrapper.properties file to use http:// instead.
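
Added example (not part of the original thread and not Gradle's own code): the workaround above moves the wrapper download to plain http, so this Python code audits a gradle-wrapper.properties file for that downgrade and checks a downloaded archive against the wrapper's `distributionSha256Sum` pin. The finding codes, sample properties text and archive bytes are constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, '=' or ':' separator, backslash escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first separator that is not escaped (wrapper files write "https\://").
        parts = re.split(r"(?<!\\)[=:]", line, maxsplit=1)
        if len(parts) == 2:
            key, value = (re.sub(r"\\(.)", r"\1", p.strip()) for p in parts)
            props[key] = value
    return props

def audit_wrapper(text):
    """Return finding codes (names chosen for this example) for a gradle-wrapper.properties file."""
    props = parse_properties(text)
    findings = []
    if urlparse(props.get("distributionUrl", "")).scheme != "https":
        findings.append("plain-http")      # download can be altered in transit
    digest = props.get("distributionSha256Sum")
    if digest is None:
        findings.append("no-checksum")     # nothing pins the archive contents
    elif not re.fullmatch(r"[0-9a-fA-F]{64}", digest):
        findings.append("bad-checksum")    # value is not a SHA-256 hex digest
    return findings

def archive_matches_pin(text, archive_bytes):
    """True only if the archive's SHA-256 equals the pinned distributionSha256Sum."""
    pinned = parse_properties(text).get("distributionSha256Sum", "").lower()
    actual = hashlib.sha256(archive_bytes).hexdigest()
    return hmac.compare_digest(pinned, actual)

# Constructed sample data (not a real Gradle archive or a real checksum of one).
SAMPLE_ARCHIVE = b"constructed stand-in for gradle-3.2.1-all.zip"
URL = "services.gradle.org/distributions/gradle-3.2.1-all.zip"
DOWNGRADED = "distributionUrl=http\\://" + URL + "\n"
PINNED = ("distributionUrl=https\\://" + URL + "\n"
          "distributionSha256Sum=" + hashlib.sha256(SAMPLE_ARCHIVE).hexdigest() + "\n")

if __name__ == "__main__":
    print(audit_wrapper(DOWNGRADED))
    print(audit_wrapper(PINNED))
    print(archive_matches_pin(PINNED, SAMPLE_ARCHIVE))
```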


(Prashanth R) #3

Thanks. That went past the point and now the plugins are an issue.

16 plugins {
17 id 'java'
18 id 'com.github.johnrengelman.shadow' version '1.2.4'
19 }

It fails with:

FAILURE: Build failed with an exception.

  • Where:
    Build file '/home/prreddy/simple-binary-encoding-1.5.5/build.gradle' line: 18

  • What went wrong:
    Error resolving plugin [id: 'com.github.johnrengelman.shadow', version: '1.2.4']

Could not GET 'https://plugins.gradle.org/api/gradle/3.2.1/plugin/use/com.github.johnrengelman.shadow/1.2.4'.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I followed some discussion on:

Doesn’t look like there is a way to change it to use ‘http’ instead of ‘https’.

Thanks for your time.


(Mark Vieira) #4

There seems to be something about your local setup. You are either a) using some really old or broken JVM version or b) using an HTTPS proxy which is presenting an invalid cert.


(Alwyn Schoeman) #5

He is probably in the same position as me.

My corporate network used Cloudflare for internet proxy. Cloudflare generates mitm certificates for each external access and these are signed by a Cloudflare self-signed certificate which doesn’t have a valid certificate chain. These certificates are also short lived.

It would be great if we could disable certificate validation across the board for gradle with a property.


(lorenzo cozza) #6

If your company has a proxy you should specify it in the properties:

systemProp.https.proxyHost=
systemProp.https.proxyPort=8080
systemProp.https.proxyUser=
systemProp.https.proxyPassword=

systemProp.http.proxyHost=
systemProp.http.proxyPort=8080
systemProp.http.proxyUser=
systemProp.http.proxyPassword=


(Gay) #7

We also run corporate web filtering which inspects SSL, and have had a similar issue with Android Studio and Gradle.

Adding our Webfiltering root CA certificate to Android Studio resolved all cert errors except for Gradle, we even tried ticking the ‘accept non-trusted certificates automatically’ but still had issues with Gradle?

In an attempt to resolve it I disabled SSL inspection for https://services.gradle.org/ (location of what studio wanted to access) but this didn’t resolve the issue. After much messing around I spotted that https://services.gradle.org/ certificate is actually issued to ssl473435.cloudflaressl.com rather than itself? Not sure how this passes validation in browser but it does. Anyhow adding this as an SSL inspection exception resolved the issue for us. I don’t know if this is something gradle can change to reduce issues with corporate entities & improved support for Android Studio’s settings.

Note to others who don’t have a corporate firewall, you may have a desktop firewall that does need similar exceptions adding.

I’ve logged a support call with Android Studio support as well to see if there is something they can do to provide better support for this.