
SSLHandShakeException to AWS API Gateway with ResteasyClient

I'm getting SSLHandShakeException when I try a simple GET request with JBOSS RestEasyClient to my API in AWS API Gateway. That's my code:

public static void main(String[] args){
    ResteasyClient client = new ResteasyClientBuilder().build();
    ResteasyWebTarget target = client.target( "https://MYAPI_ID.execute-api.us-east-1.amazonaws.com/prod/proxy" );
    Response response = target.request().get();
    String value = response.readEntity( String.class );
    System.out.println( value );
    response.close();
}

And I get this:

Exception in thread "main" javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.get(ClientInvocationBuilder.java:159)
at com.contaazul.gov.core.TesteSimples.main(TesteSimples.java:20)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:533)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:401)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:178)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
... 3 more

This code works fine with other sites like https://google.com/, and my API's URL works with cURL, Python urllib2, and something like this in Java: System.out.println(org.apache.commons.io.IOUtils.toString(new URL("https://MYAPI_ID.execute-api.us-east-1.amazonaws.com/prod/proxy")));

I've already tried adding the cert to the keystore (a lot of times, in a lot of ways), and I think that if the cert were the problem I couldn't get the response with IOUtils, right?

Thanks!

You are getting this error because API Gateway uses SNI, and every client must support SNI in order to access it.

Every SSLHandShakeException I have ever seen with API Gateway has been caused by the client not supporting SNI. API Gateway uses Server Name Indication (SNI) to support many custom domain names using a small set of IP addresses to avoid having to assign a dedicated IP address to each name. Thus, the client must support SNI in order to call an API hosted by API Gateway.

Per this issue: https://issues.jboss.org/browse/RESTEASY-1089, you can try the following workaround for a bug in httpclient-4.2.1 that prevents SNI from working:

ResteasyClient client =
   new ResteasyClientBuilder()
      .httpEngine(new URLConnectionEngine())
      .build();

This should be fixed in httpclient-4.3.2.
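
To check the SNI point made in the answer above without touching the network, this added example (not part of the original answer or of RESTEasy) has the JVM's TLS stack build a ClientHello in memory and looks for the server_name extension. The class name `SniCheck` and the host string are constructed placeholders, and the SNI-disabled case models a client that omits the extension.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.nio.ByteBuffer;
import java.util.Collections;

public class SniCheck {
    // Build a ClientHello in memory (no network I/O) and report whether it
    // carries the server_name extension (type 0).
    static boolean clientHelloHasSni(String host, boolean sendSni) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, 443);
        engine.setUseClientMode(true);
        if (!sendSni) {
            // An empty server-name list tells JSSE to omit SNI.
            SSLParameters params = engine.getSSLParameters();
            params.setServerNames(Collections.emptyList());
            engine.setSSLParameters(params);
        }
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.beginHandshake();
        engine.wrap(ByteBuffer.allocate(0), out); // first wrap emits the ClientHello record
        out.flip();
        return hasExtension(out, 0);
    }

    // Walk the ClientHello fields up to the extension list and look for one type.
    static boolean hasExtension(ByteBuffer b, int wanted) {
        int p = 5 + 4 + 2 + 32;                    // record hdr, handshake hdr, version, random
        p += 1 + (b.get(p) & 0xff);                // session_id
        p += 2 + (b.getShort(p) & 0xffff);         // cipher_suites
        p += 1 + (b.get(p) & 0xff);                // compression_methods
        if (p + 2 > b.limit()) return false;       // no extension block at all
        int end = p + 2 + (b.getShort(p) & 0xffff);
        p += 2;
        while (p + 4 <= end) {
            int type = b.getShort(p) & 0xffff;
            int len = b.getShort(p + 2) & 0xffff;
            if (type == wanted) return true;
            p += 4 + len;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String host = "example.execute-api.us-east-1.amazonaws.com"; // constructed placeholder
        System.out.println("default JSSE client sends SNI: " + clientHelloHasSni(host, true));
        System.out.println("SNI-disabled client sends SNI: " + clientHelloHasSni(host, false));
    }
}
```

This inspects only what JSSE emits when it is given the hostname; an HTTP library that opens the socket differently can still leave the extension out, so a packet capture of the real client remains the definitive check.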
