HTTPTargetConnection + URL working when server cert is expired, Is this expected?


Target server configuration with the below details works fine and throws EOF exceptions when ignoreValidationErrors is false

"sSLInfo": {
    "ciphers": [],
    "clientAuthEnabled": false,
    "enabled": true,
    "ignoreValidationErrors": true,
    "protocols": []
}

curl from the MP to the backend returns the below response

CApath: none 
* Remote Certificate has expired
* NSS error -8181 
* Closing connection #0 
* Peer certificate cannot be authenticated with known CA certificates 

whereas the below works fine

<TargetEndpoint name="default">
    <HTTPTargetConnection>
        <URL>https://s1.mybackendservice.com</URL>
    </HTTPTargetConnection>
</TargetEndpoint>

which makes me think that ignoreValidationErrors = true when the SSL block is not present and hence the SSL block is mandatory. Is my understanding correct?

cc @arghya das


Dear @Maruti Chand,

If you don't have the SSLInfo block present in the TargetEndpoint, then Apigee will work similar to the "curl -k" option. That is, it will not do any certificate validation.

If you want to validate the server's certificate, then you should have the SSLInfo block, and in fact create a truststore and upload the server's certificate to validate it.

When the SSLInfo block is present, ignoreValidationErrors is set to false by default. This will ensure the connection aborts if the certificate returned by the target cannot be validated using the certificates in the truststore or if it is expired. It's always recommended to have this flag set to false to allow us to catch errors.

This flag should be set to true only for testing/debugging purposes if you want to allow Apigee to communicate with the server even if certificate validation fails.

Regards,

Amar


Yes, that's what I observed and it makes sense. Thanks @AMAR DEVEGOWDA

As per the doc,

"You only need to make sure that the <URL> element in the TargetEndpoint definition references the backend service by the HTTPS protocol and that you enable SSL".

ref: http://docs.apigee.com/api-services/content/configuring-ssl-edge-backend-service#configuringoneways...

I guess it's worth mentioning what happens if you don't have SSLInfo block. cc @sgilson

It appears that a truststore is required to validate the server connection, although all I really want to do is validate the server name matches the certificate on the server.

This behaves the same as if SSLInfo was not present (as if curl -k)

<HTTPTargetConnection>
    <Properties/>
    <URL>https://###.##.#.##</URL>
    <SSLInfo>
        <Enabled>true</Enabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>
</HTTPTargetConnection>
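For comparison, here is the hardened form of that block, added as an example and not taken from the thread or from Apigee's own docs. It assumes a truststore named myTrustStore has already been created in the environment and the backend's CA (or server) certificate uploaded to it; the reference name myTrustStoreRef and the URL are placeholders.

```xml
<!-- Added example: TargetEndpoint that actually validates the backend certificate.
     Without <TrustStore>, an SSLInfo block with only <Enabled>true</Enabled> gives
     Apigee nothing to validate against, so the connection behaves like "curl -k". -->
<TargetEndpoint name="default">
    <HTTPTargetConnection>
        <Properties/>
        <!-- placeholder backend; must be reachable over HTTPS -->
        <URL>https://backend.example.com</URL>
        <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>false</ClientAuthEnabled>
            <!-- myTrustStoreRef is an assumed reference name pointing at the
                 truststore (myTrustStore) that holds the backend's CA certificate.
                 A reference lets the store be rotated without redeploying the proxy. -->
            <TrustStore>ref://myTrustStoreRef</TrustStore>
            <!-- false is the default once SSLInfo is present; stated explicitly so an
                 expired or untrusted backend certificate fails the connection
                 rather than being silently accepted -->
            <IgnoreValidationErrors>false</IgnoreValidationErrors>
        </SSLInfo>
    </HTTPTargetConnection>
</TargetEndpoint>
```

With this in place, the expired-certificate case from the original post surfaces as a connection failure in the proxy trace instead of a successful call, which is the behaviour the accepted answer describes.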