How to do SSL with internal services? #1162
Comments
what happens if you call
Hey @tommysitu, thanks for the quick response. I did some research and have a hunch that this may be related to this. We can make one call to a downstream that does work, but many / most of the others don't. We made the same calls through mitmproxy and it worked. I am going to try this with an older version of Hoverfly, pre-Go 1.22. Would you be able to point me to a version that uses something < Go 1.22? If not, I'll take a look through changelogs / releases. Thanks again!
Edit: I should also mention that we do not have any control over what ciphers the downstream server certs are created with, unfortunately, and there's a chance that they are created with some ciphers excluded in Go 1.22+.
interesting, you can try this version which is pre go 1.22: https://github.com/SpectoLabs/hoverfly/releases/tag/v1.8.0
Awesome, I'll give that a shot.
Are you sure this has nothing to do with a self-signed cert being used by the internal service? Because you can tell hoverfly to skip SSL verification with this flag:
Thanks again, @tommysitu. That is definitely a part of it, and we do indeed have to do that to make it work with the one domain that we've had success with thus far. It's unfortunately not an option for us to add the Hoverfly cacert to our system truststore / cacert.
To be clear, the other internal domains we've tried do not even work with TLS verification turned off. They do, however, return what we expect when we don't have the Hoverfly forward proxy in front of them.
Hey @tommysitu, thanks again for your help. This is definitely related to the GitHub issue I posted above. I used the binary for 1.8.0 and it worked with no issues. For us, we can probably just use an older version, but I'm not sure if you'd like to fix this going forward or not. Overall, though, Hoverfly has been super smooth and easy to use. Thanks for a great tool!
Edit: I figured I should explain how I came to the conclusion that the above is indeed the issue. On my system, I have a Go 1.22 binary, and its directory is on my To start, I ran Hoverfly via Then I wrote this script:
On Go 1.22 If I uncomment the On Go 1.19 Using Hoverfly 1.8.0 and Go 1.19 I uncommented the
thanks for the info, I can certainly take a look at fixing it forward.
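The failure mode diagnosed in this thread, as an added example (not code from the issue or from Hoverfly): it assumes the Go 1.22 change in question is the removal of RSA key exchange suites (`TLS_RSA_WITH_*`) from the `crypto/tls` defaults. A server pinned to such a suite rejects a client that offers only ECDHE and accepts once the suite is offered explicitly; the certificate and suite choices are constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway RSA certificate (constructed test data).
func selfSigned() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// handshake runs one TLS 1.2 handshake over an in-memory pipe and returns the
// negotiated suite name, or the error the client saw. Suites are set per side.
func handshake(cert tls.Certificate, serverSuites, clientSuites []uint16) (string, error) {
	c, s := net.Pipe()
	defer c.Close()
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert},
		CipherSuites: serverSuites, MaxVersion: tls.VersionTLS12})
	go func() { srv.Handshake(); s.Close() }()
	cli := tls.Client(c, &tls.Config{InsecureSkipVerify: true, // self-signed test cert only
		CipherSuites: clientSuites, MaxVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	cert, err := selfSigned()
	if err != nil {
		panic(err)
	}
	rsaKex := []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256} // legacy server (assumed)
	ecdhe := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
	fmt.Println(handshake(cert, rsaKex, ecdhe))                     // no shared suite
	fmt.Println(handshake(cert, rsaKex, append(ecdhe, rsaKex...))) // RSA kex offered
}
```

Go 1.22 and later also accept `GODEBUG=tlsrsakex=1` to restore the old defaults for a whole process. RSA key exchange provides no forward secrecy, so enabling ECDHE suites on the server is the better long-term fix where that is possible.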
Hello! Before posting this, I checked the gitter channel, as it was suggested, but it seems that the channel is no longer active, so I thought I'd ask here.
My team manages an L7 reverse proxy. The reverse proxy forwards requests to various origins, but also to other internal services.
So one client call to the reverse proxy will:
We want to capture this traffic and, using plain http in a dev environment, this works well.
However, our services of course use https. We also have our own internal CA. I am finding that most times, using hoverfly to call these services, i.e.:
almost always results in "Got error: tls handshake failure".
I've tried many things that I've seen in the hoverfly / hoverctl documentation, but am not having any success.
I am looking for any pointers you can provide for setting this up correctly so I can successfully call our internal services on https.
Thank you!