
Collaborator

@bevzzz bevzzz commented Jul 24, 2025

Resolves #420

This PR allows users to pass their custom SSL certificates to WeaviateClient.

Technically, this can already be achieved by overriding the default TrustStore that Java uses by passing -Djavax.net.ssl.trustStore=/path/to/custom/truststore.p12, but that approach is rather crude, because it disregards default cacerts.

The "supply chain" for SSL certificates goes something like this:

truststore.file --> KeyStore --> TrustManagerFactory --> SSLContext

The simplest thing would be accepting an SSLContext from the user. But we need to send both HTTP and gRPC requests under the hood, which we do using 2 different libraries, and they both have their own "SSL context" abstraction.

So the next best thing is TrustManagerFactory. Both javax.net.ssl.SSLContext and io.netty.handler.ssl.SslContext can be configured to use a custom TrustManagerFactory. It also offers the users quite a lot of flexibility in terms of how and where they get the certificates from.

The usage is pretty straightforward:

// Load custom certs in the TrustManagerFactory
TrustManagerFactory tmf;
try (var keys = new FileInputStream("/path/to/custom/truststore.p12")) {
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    trustStore.load(keys, "secret-password".toCharArray());

    tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
}

// Create WeaviateClient
var client = WeaviateClient.custom(
    conn -> conn
        .httpHost(...).httpPort(...)
        .grpcHost(...).grpcPort(...)
        .trustManagerFactory(tmf)
);

You may read the example above and think: "couldn't we just accept that file path and the password and do the rest ourselves"? I prefer not to because:

  1. We don't want to handle/require passwords to users' certificates
  2. Working on the file-path level takes away the flexibility of programmatically configuring a TrustStore
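
An added example, not part of the PR or the client's code base: one way to build a TrustManagerFactory that keeps the JDK's default trust anchors and adds custom CA certificates on top, which the `-Djavax.net.ssl.trustStore` override described above cannot do. The class name `MergedTrust`, the method `defaultsPlus` and the PEM path passed on the command line are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class MergedTrust {  // hypothetical helper class
    /** Trusts the JDK default CAs plus every certificate in the PEM file at pemPath. */
    static TrustManagerFactory defaultsPlus(String pemPath) throws Exception {
        String alg = TrustManagerFactory.getDefaultAlgorithm();

        // init((KeyStore) null) loads the JDK default trust store (cacerts unless overridden).
        TrustManagerFactory defaults = TrustManagerFactory.getInstance(alg);
        defaults.init((KeyStore) null);

        // Empty in-memory store: load(null, null) reads no file and needs no password.
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null);
        int n = 0;
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    merged.setCertificateEntry("default-" + n++, ca);
                }
            }
        }
        // Add the custom CA certificates (a PEM file may hold several).
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                merged.setCertificateEntry("custom-" + n++, c);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(merged);
        return tmf;
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = defaultsPlus(args[0]);  // args[0]: path to a PEM file of CA certs
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        System.out.println("trust anchors: " + tm.getAcceptedIssuers().length);
    }
}
```

The returned factory can be passed to `.trustManagerFactory(tmf)` as in the usage snippet above; because only public certificates are copied, no keystore password is involved.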

@bevzzz bevzzz requested review from Dabz and antas-marcin July 24, 2025 19:00
@bevzzz bevzzz self-assigned this Jul 24, 2025

@orca-security-eu orca-security-eu bot left a comment

Orca Security Scan Summary

Status: Passed. Check: Secrets. Issues by priority: high 0, medium 0, low 0, info 0.

@bevzzz
Collaborator Author

bevzzz commented Jul 24, 2025

Test pipeline is failing because Weaviate instance running in DefaultGrpcTransportITest does not have TLS enabled. I think.

bevzzz added 7 commits July 25, 2025 13:51
Config.WeaviateCloud and Config.Custom expose a
trustManagerFactory() which essentially lets the user
use any trust manager on their client
Remove grpc-netty to avoid version conflicts
Weaviate does not accept TLS/SSL connections out of the box,
and configuring it to do so is a huge hassle, so for now
let's just test empirically that it does
src/it directory is reserved for tests that interact with the actual
Weaviate instance. They're usually slower and more expensive to set up.
@bevzzz bevzzz force-pushed the v6-custom-truststore branch from 90a79d6 to e9b7c4b Compare July 25, 2025 11:51
@bevzzz bevzzz linked an issue Jul 26, 2025 that may be closed by this pull request
@bevzzz
Collaborator Author

bevzzz commented Jul 26, 2025

From our discussion with @Dabz:

  • this solution will work for users that only need to configure a custom truststore
  • for next iterations we should look into providing a higher-level abstraction like SSLSocketFactory / SSLEngine / SSLContext (for example, Kafka's DefaultSslEngineFactory)

These are powerful security mechanisms that advanced users will probably want to have.

@bevzzz bevzzz merged commit 5cec601 into v6 Jul 28, 2025
2 checks passed
@bevzzz bevzzz deleted the v6-custom-truststore branch July 28, 2025 13:19
Development

Successfully merging this pull request may close these issues.

v6: Accept custom TrustStore when creating a connection