(ping) Ping server should not validate certificates

(crawler) Crawler should validate certificates
(ping) Route SSLHandshakeException to ConnectionError as well
2025-10-06 07:32:38 +02:00 · 2025-06-16 00:08:30 +02:00 · 2025-06-16 00:06:57 +02:00 · 2025-06-15 20:31:33 +02:00 · 2025-06-15 18:39:54 +02:00 · 2025-06-15 18:39:33 +02:00
7 changed files with 50 additions and 41 deletions
--- a/code/processes/crawling-process/java/nu/marginalia/crawl/fetcher/HttpFetcherImpl.java
+++ b/code/processes/crawling-process/java/nu/marginalia/crawl/fetcher/HttpFetcherImpl.java
@@ -36,7 +36,6 @@ import org.apache.hc.core5.http.io.support.ClassicRequestBuilder;
 import org.apache.hc.core5.http.message.MessageSupport;
 import org.apache.hc.core5.http.protocol.HttpContext;
 import org.apache.hc.core5.pool.PoolStats;
-import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.util.TimeValue;
 import org.apache.hc.core5.util.Timeout;
 import org.jsoup.Jsoup;
@@ -49,15 +48,12 @@ import org.slf4j.MarkerFactory;

 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
 import java.io.IOException;
 import java.net.SocketTimeoutException;
 import java.net.URISyntaxException;
 import java.net.UnknownHostException;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.*;
@@ -99,42 +95,12 @@ public class HttpFetcherImpl implements HttpFetcher, HttpRequestRetryStrategy {
                .setValidateAfterInactivity(TimeValue.ofSeconds(5))
                .build();

-        // No-op up front validation of server certificates.
-        //
-        // We will validate certificates later, after the connection is established
-        // as we want to store the certificate chain and validation
-        // outcome to the database.
-
-        var trustMeBro = new X509TrustManager() {
-            private X509Certificate[] lastServerCertChain;
-
-            @Override
-            public void checkClientTrusted(X509Certificate[] chain, String authType) {
-            }
-
-            @Override
-            public void checkServerTrusted(X509Certificate[] chain, String authType) {
-                this.lastServerCertChain = chain.clone();
-            }
-
-            @Override
-            public X509Certificate[] getAcceptedIssuers() {
-                return new X509Certificate[0];
-            }
-
-            public X509Certificate[] getLastServerCertChain() {
-                return lastServerCertChain != null ? lastServerCertChain.clone() : null;
-            }
-        };
-
-        SSLContext sslContext = SSLContextBuilder.create().build();
-        sslContext.init(null, new TrustManager[]{trustMeBro}, null);

        connectionManager = PoolingHttpClientConnectionManagerBuilder.create()
                .setMaxConnPerRoute(2)
                .setMaxConnTotal(5000)
                .setDefaultConnectionConfig(connectionConfig)
-                .setTlsSocketStrategy(new DefaultClientTlsStrategy(sslContext))
+                .setTlsSocketStrategy(new DefaultClientTlsStrategy(SSLContext.getDefault()))
                .build();

        connectionManager.setDefaultSocketConfig(SocketConfig.custom()
--- a/code/processes/ping-process/java/nu/marginalia/ping/fetcher/PingHttpFetcher.java
+++ b/code/processes/ping-process/java/nu/marginalia/ping/fetcher/PingHttpFetcher.java
@@ -11,6 +11,7 @@ import org.apache.hc.core5.http.Header;
 import org.apache.hc.core5.http.io.entity.EntityUtils;
 import org.apache.hc.core5.http.io.support.ClassicRequestBuilder;

+import javax.net.ssl.SSLHandshakeException;
 import java.io.IOException;
 import java.net.SocketTimeoutException;
 import java.time.Duration;
@@ -83,7 +84,7 @@ public class PingHttpFetcher {
            });
        } catch (SocketTimeoutException ex) {
            return new TimeoutResponse(ex.getMessage());
-        } catch (HttpHostConnectException e) {
+        } catch (HttpHostConnectException | SSLHandshakeException e) {
            return new ConnectionError(e.getClass().getSimpleName());
        } catch (IOException e) {
            return new ProtocolError(e.getClass().getSimpleName());
--- a/code/processes/ping-process/java/nu/marginalia/ping/io/HttpClientProvider.java
+++ b/code/processes/ping-process/java/nu/marginalia/ping/io/HttpClientProvider.java
@@ -18,13 +18,18 @@ import org.apache.hc.core5.http.HttpResponse;
 import org.apache.hc.core5.http.io.SocketConfig;
 import org.apache.hc.core5.http.message.MessageSupport;
 import org.apache.hc.core5.http.protocol.HttpContext;
+import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.util.TimeValue;
 import org.apache.hc.core5.util.Timeout;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
 import java.util.Iterator;
 import java.util.concurrent.TimeUnit;

@@ -37,24 +42,55 @@ public class HttpClientProvider implements Provider<HttpClient> {
    static {
        try {
            client = createClient();
-        } catch (NoSuchAlgorithmException e) {
+        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

-    private static CloseableHttpClient createClient() throws NoSuchAlgorithmException {
+    private static CloseableHttpClient createClient() throws NoSuchAlgorithmException, KeyManagementException {
        final ConnectionConfig connectionConfig = ConnectionConfig.custom()
                .setSocketTimeout(15, TimeUnit.SECONDS)
                .setConnectTimeout(15, TimeUnit.SECONDS)
                .setValidateAfterInactivity(TimeValue.ofSeconds(5))
                .build();

+        // No-op up front validation of server certificates.
+        //
+        // We will validate certificates later, after the connection is established
+        // as we want to store the certificate chain and validation
+        // outcome to the database.
+
+        var trustMeBro = new X509TrustManager() {
+            private X509Certificate[] lastServerCertChain;
+
+            @Override
+            public void checkClientTrusted(X509Certificate[] chain, String authType) {
+            }
+
+            @Override
+            public void checkServerTrusted(X509Certificate[] chain, String authType) {
+                this.lastServerCertChain = chain.clone();
+            }
+
+            @Override
+            public X509Certificate[] getAcceptedIssuers() {
+                return new X509Certificate[0];
+            }
+
+            public X509Certificate[] getLastServerCertChain() {
+                return lastServerCertChain != null ? lastServerCertChain.clone() : null;
+            }
+        };
+
+        SSLContext sslContext = SSLContextBuilder.create().build();
+        sslContext.init(null, new TrustManager[]{trustMeBro}, null);
+
        connectionManager = PoolingHttpClientConnectionManagerBuilder.create()
                .setMaxConnPerRoute(2)
                .setMaxConnTotal(50)
                .setDefaultConnectionConfig(connectionConfig)
                .setTlsSocketStrategy(
-                        new DefaultClientTlsStrategy(SSLContext.getDefault(), NoopHostnameVerifier.INSTANCE))
+                        new DefaultClientTlsStrategy(sslContext, NoopHostnameVerifier.INSTANCE))
                .build();

        connectionManager.setDefaultSocketConfig(SocketConfig.custom()
--- a/code/processes/ping-process/java/nu/marginalia/ping/io/RetryStrategy.java
+++ b/code/processes/ping-process/java/nu/marginalia/ping/io/RetryStrategy.java
@@ -1,5 +1,6 @@
 package nu.marginalia.ping.io;

+import org.apache.hc.client5.http.HttpHostConnectException;
 import org.apache.hc.client5.http.HttpRequestRetryStrategy;
 import org.apache.hc.core5.http.HttpRequest;
 import org.apache.hc.core5.http.HttpResponse;
@@ -22,6 +23,7 @@ public class RetryStrategy implements HttpRequestRetryStrategy {
            case SocketTimeoutException ste -> false;
            case SSLException ssle -> false;
            case UnknownHostException uhe -> false;
+            case HttpHostConnectException ex -> executionCount <= 2; // Only retry once for connection errors
            default -> executionCount <= 3;
        };
    }
--- a/code/processes/ping-process/java/nu/marginalia/ping/model/DomainAvailabilityRecord.java
+++ b/code/processes/ping-process/java/nu/marginalia/ping/model/DomainAvailabilityRecord.java
@@ -1,5 +1,7 @@
 package nu.marginalia.ping.model;

+import org.apache.commons.lang3.StringUtils;
+
 import javax.annotation.Nullable;
 import java.sql.Connection;
 import java.sql.ResultSet;
@@ -279,7 +281,7 @@ implements WritableModel
        }

        public Builder httpLocation(String httpLocation) {
-            this.httpLocation = httpLocation;
+            this.httpLocation = StringUtils.abbreviate(httpLocation, "...",255);
            return this;
        }

--- a/code/processes/ping-process/java/nu/marginalia/ping/svc/DomainAvailabilityInformationFactory.java
+++ b/code/processes/ping-process/java/nu/marginalia/ping/svc/DomainAvailabilityInformationFactory.java
@@ -96,6 +96,7 @@ public class DomainAvailabilityInformationFactory {
                .serverIp(address != null ? address.getAddress() : null)
                .serverIpAsn(getAsn(address))
                .httpSchema(HttpSchema.HTTP)
+                .httpLocation(rsp.headers().getFirst("Location"))
                .httpStatus(rsp.httpStatus())
                .errorClassification(errorClassification)
                .httpResponseTime(rsp.httpResponseTime())
@@ -164,6 +165,7 @@ public class DomainAvailabilityInformationFactory {
                .serverIp(address != null ? address.getAddress() : null)
                .serverIpAsn(getAsn(address))
                .httpSchema(HttpSchema.HTTPS)
+                .httpLocation(rsp.headers().getFirst("Location"))
                .httpStatus(rsp.httpStatus())
                .errorClassification(errorClassification)
                .httpResponseTime(rsp.httpResponseTime()) // Placeholder, actual timing not implemented
--- a/code/processes/ping-process/test/nu/marginalia/ping/PingDaoTest.java
+++ b/code/processes/ping-process/test/nu/marginalia/ping/PingDaoTest.java
@@ -320,7 +320,7 @@ class PingDaoTest {
                true,
                true,
                false,
-                SchemaChange.NO_CHANGE,
+                SchemaChange.NONE,
                Duration.ofDays(30),
                false,
                false,
Author	SHA1	Message	Date
Viktor Lofgren	d556f8ae3a	(ping) Ping server should not validate certificates	2025-06-16 00:08:30 +02:00
Viktor Lofgren	e37559837b	(crawler) Crawler should validate certificates	2025-06-16 00:06:57 +02:00
Viktor Lofgren	3564c4aaee	(ping) Route SSLHandshakeException to ConnectionError as well This will mean we re-try these as an unencrypted Http connection	2025-06-15 20:31:33 +02:00
Viktor Lofgren	92c54563ab	(ping) Reduce retry count on connection errors	2025-06-15 18:39:54 +02:00
Viktor Lofgren	d7a5d90b07	(ping) Store redirect location in availability record	2025-06-15 18:39:33 +02:00
Viktor Lofgren	0a0e88fd6e	(ping) Fix schema drift between prod and flyway migrations	2025-06-15 17:20:21 +02:00