Question about https client and trust store interaction (FIPS)

[fs111]

Hi,

I work in security for a big organization that uses your library in a number of projects. We also operate the software in environments that require FIPS compliance and we have noticed that that will not work out of the box. In our environments it is strictly prohibited that any software is modifying trust stores. We noticed that your library tries to modify the trust stores when they are loaded from disk and to be used by OkHttp. I would like to understand why the HTTP client needs to modify the trust stores and if there is a way to disable this behaviour completely.

I have seen #3582 and #3867 yet I fail to understand the reasoning here. What information are you trying to write to the trust store and why are you doing that?

Thanks for your help!

• André

[shawkins]

In our environments it is strictly prohibited that any software is modifying trust stores

The client is not modifying an existing truststore file. It is creating an in-memory truststore instance that is based upon the system truststore contents with the addition of the kubernetes ca cert when that is found via the configuration. That merged truststore instance will then be used by whatever http client implemenation is in place.

• edited for clarity to differentiate between a truststore file and the in-memory trustore instance.

[fs111]

I see. Is there a way to disable that behaviour completely and have it use only the trust store found on the system? In our environments the trust-stores are sufficient to talk to all endpoints required by the software therefore it would be nice to simply disable that and not do the merging at all.

[shawkins]

As long as you are sure that you don't need to trust the kubernetes ca as the client is doing, then just make sure the config caCertData, caCertFile fields are null for the config that is being supplied to the KubernetesClientBuilder. More than likely you are picking up the caCertFile via auto-configuration.

[fs111]

Thanks for the answer! We will give this a try.

[dev541]

@shawkins We are picking caCertData via auto-configuration.
Are you recommending us not to use auto-configuration and pass config data(without caCertData) manually?

[shawkins]

@dev541 that was the recommendatino for @fs111 if you are on the same project or have the same scenario where you don't need to use the caCertFile from auto-configuration, then yes you would either not use auto-configuration or null out the caCertFile before passing the configuration to the client builder.