I need to run system tests for a service running on AWS, using a Cognito authentication token,
via a corporate proxy which on every connection generates a new self-signed SSL certificate.
Since that proxy generates a new SSL certificate on every connection
adding that certificate to the trusted certificate store is impractical.
Describe the bug
I am building:

    AWSCognitoIdentityProviderClientBuilder
        .standard()
        .withCredentials(
            new AWSStaticCredentialsProvider(
                new AnonymousAWSCredentials()))
        .withRegion(region)
        .build()

then calling initiateAuth.
Expected Behavior
Receive an InitiateAuthResult
Current Behavior
Throws:
com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1207)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1153)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:802)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530)
at com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClient.doInvoke(AWSCognitoIdentityProviderClient.java:8410)
at com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClient.anonymousInvoke(AWSCognitoIdentityProviderClient.java:8387)
at com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClient.executeInitiateAuth(AWSCognitoIdentityProviderClient.java:5642)
at com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClient.initiateAuth(AWSCognitoIdentityProviderClient.java:5611)
at com.ge.acutecare.qa.tester.utils.rest.AwsCognitoSrpAuthenticator.authChallengeResultWithoutCaching(AwsCognitoSrpAuthenticator.java:351)
at com.ge.acutecare.qa.tester.utils.rest.AwsCognitoSrpAuthenticator.lambda$authChallengeResult$0(AwsCognitoSrpAuthenticator.java:339)
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4876)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3528)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2277)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2154)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2044)
... 31 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:370)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:313)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:479)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:457)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:200)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1290)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1199)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.upgrade(DefaultHttpClientConnectionOperator.java:191)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:390)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76)
at com.amazonaws.http.conn.$Proxy51.upgrade(Unknown Source)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:428)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1331)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1145)
... 49 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
... 78 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 84 more
Steps to Reproduce
Set up an SSL proxy with a self-signed certificate, which is not added to the Java trust store.
Connect to Cognito via that proxy.
Possible Solution
Somehow allow SSLContext to be specified globally or at least per connection, such as in JAX-RS:
Hi @adrian-herscu I'm sorry for the lack of response here.
This is an ask to add a new configuration to the client or the request, so I'm changing this to feature request.
If you are able to use the Java SDK 2.x, this is already supported by using one HTTP Client configuration option available in the SdkHttpConfigurationOption class: TRUST_ALL_CERTIFICATES. Setting it to true will disable SSL Certificate verification. Please note that this is not a safe setting and should only be used for testing.
Since this is already supported in SDK 2.x this will have little chance to be implemented in 1.x I'm afraid.
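Added example, not part of the thread and not AWS's own code: the SDK 2.x option named in the comment above, next to a narrower alternative that trusts only one CA certificate. The class name, method names and the PEM path parameter are hypothetical, and the second method assumes the proxy's per-connection certificates are issued by a single corporate CA whose certificate you can export; if they are unrelated self-signed certificates, it will not validate them.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.TrustManagerFactory;
import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.SdkHttpConfigurationOption;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.utils.AttributeMap;

// Hypothetical helper class for a test suite (names are assumptions).
public final class CognitoTestClients {

    // Test-only: disables certificate verification, so any party on the
    // network path can read or alter the Cognito traffic.
    static SdkHttpClient trustAllHttpClient() {
        return ApacheHttpClient.builder().buildWithDefaults(
            AttributeMap.builder()
                .put(SdkHttpConfigurationOption.TRUST_ALL_CERTIFICATES, Boolean.TRUE)
                .build());
    }

    // Narrower: verification stays on, but the only trust anchor is the CA
    // certificate in caPem (assumed to be the proxy's signing CA).
    static SdkHttpClient proxyCaHttpClient(Path caPem) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start from an empty in-memory store
        try (InputStream in = Files.newInputStream(caPem)) {
            trustStore.setCertificateEntry("proxy-ca",
                CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return ApacheHttpClient.builder()
            .tlsTrustManagersProvider(tmf::getTrustManagers)
            .build();
    }

    // Anonymous credentials, as in the v1 builder shown in the issue.
    static CognitoIdentityProviderClient cognito(SdkHttpClient http, String region) {
        return CognitoIdentityProviderClient.builder()
            .httpClient(http)
            .credentialsProvider(AnonymousCredentialsProvider.create())
            .region(Region.of(region))
            .build();
    }
}
```

A client built with `proxyCaHttpClient` rejects connections that do not pass through the proxy, because the public AWS certificate chain is no longer among its trust anchors.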
We don't have plans to support this in v1 before going into Maintenance Mode, so I'm closing this issue.
As I mentioned in the previous comment this is supported in v2, so please migrate to v2 if you haven't already and let us know of any issue or feedback by creating a new issue in the v2 repo.
Reference:
Announcing end-of-support for AWS SDK for Java v1.x effective December 31, 2025 - blog post
Context
as described above
Your Environment