Fix OkHttp client mTLS when using the platform default trust store#8565
Fix OkHttp client mTLS when using the platform default trust store#8565Debashismitra01 wants to merge 6 commits into
Conversation
d6866b5 to
76a1e10
Compare
# Conflicts: # exporters/otlp/testing-internal/src/main/java/io/opentelemetry/exporter/otlp/testing/internal/AbstractHttpTelemetryExporterTest.java
76a1e10 to
1f4e437
Compare
Codecov Report❌ Patch coverage is ❌ Your patch check has failed because the patch coverage (59.09%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## main #8565 +/- ##
============================================
- Coverage 91.55% 91.52% -0.03%
- Complexity 10262 10264 +2
============================================
Files 1013 1013
Lines 27102 27121 +19
Branches 3182 3184 +2
============================================
+ Hits 24812 24822 +10
- Misses 1565 1572 +7
- Partials 725 727 +2 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
Hi! I ran into an issue with the patch coverage check. The remaining uncovered lines are primarily defensive exception paths introduced by the new default trust manager resolution (e.g. TlsUtil.defaultTrustManager() failure handling). These paths are difficult to exercise without introducing static mocking of JDK/Mockito internals. I considered refactoring the implementation to reduce the uncovered branches, but that would either reintroduce the original bug or require resolving the default trust manager multiple times, which I'd prefer to avoid. Before I proceed further, could you advise on the preferred direction? Should I add tests using static mocking for these exception paths? I'd appreciate your guidance on which approach best fits the project's expectations. |
Summary
This PR fixes an inconsistency between the OkHttp and JDK OTLP HTTP senders when client mTLS is configured without custom trusted certificates.
Previously, when only
setClientTls(...)(or the equivalent autoconfigure properties) was configured,TlsConfigHelpercorrectly created anSSLContextcontaining the clientKeyManager, but the OkHttp sender skipped installing the customSSLSocketFactorybecause no explicitX509TrustManagerwas provided. As a result, OkHttp fell back to the platform defaultSSLSocketFactory, causing the configured client certificate to be silently omitted during the TLS handshake.This change resolves the platform default
X509TrustManagerwhen no custom trust manager is configured and uses it when installing the customSSLSocketFactory, making the OkHttp sender behave consistently with the JDK sender.Changes
X509TrustManager.Fixes #8562