Easily Update and Reload SSL for a Server and an HTTP Client

This tutorial walks through the process of configuring your server or HTTP client to enable hot reloading of the SSL configuration at runtime. As a result, you no longer need to restart your server when the certificates need to be updated, and you won't need to recreate your HTTP client when you want to use your new certificates. In this tutorial, we will cover only a Spring Boot application with Jetty as an embedded server to demonstrate the basic configuration and the different ways to trigger an update. However, every server or HTTP client that uses an SSLContext, SSLServerSocketFactory/SSLSocketFactory, TrustManager or KeyManager to configure SSL can also enable hot reloading, including Scala and Kotlin-based servers and HTTP clients.

The hot reloading mechanism is provided by the SSLContext Kickstart library and all of the code examples shown in this tutorial can also be found on GitHub: Java Tutorials.

Extracting Server Certificates Made Easy With Certificate Ripper

Introduction

As engineers, we sometimes need to grab a certificate for different purposes. We may need it to update the truststore of our application with a new trusted certificate, to analyze its content, to use it for testing, or for some other purpose. There are multiple ways to accomplish this, such as dragging and dropping the certificate from your browser to your desktop or using OpenSSL. The browser is only capable of exporting binary certificates, and the OpenSSL commands can sometimes be complex or tricky to build depending on which kind of output you want. I was seeking a simple way of just printing server certificates in either PEM format or a human-readable format, and I also wanted to export all of them into a truststore file, and in that way Certificate Ripper came to life.

Certificate Ripper is a CLI application available for Windows, Mac OS X, and Linux and can be found here: GitHub - Certificate Ripper

How to Change Certificate Without Downtime

Certificates Are Always a Pain in the Production Environment!  

Security is one of the most important parts of any application these days, especially since most applications now run on a public cloud provider, which puts security at a higher priority. One of the ways applications keep communications secure is through certificates. Certificates are one of the concepts that are not as easy as other parts of software development. First, you should understand the role a certificate plays in security to figure out how to incorporate it into your application security. Moreover, you need to know how to generate/issue a new certificate for your application.

Unfortunately, certificate generation is not a one-time job, because a certificate has an expiration date. This means the current certificate must be replaced with a new one before the expiration date arrives. In most cases, the certificate information is used in the configuration of an application deployed in production. Therefore, you need to generate a new certificate and redeploy your application in production. This makes it difficult for software teams to work out how to handle the issue and justify the downtime in production. Lack of knowledge and documentation in projects often makes this operation highly error-prone. Therefore, there is a high chance that even after a new certificate is in place, something fails in production unexpectedly because of misconfiguration. In this article, we are going to see how we can solve this issue without downtime in production and without any change at the application level.

Secure Your gRPC Services With SSL/TLS

Introduction

This tutorial will walk you through the process of protecting your gRPC services with encryption based on SSL/TLS. The tutorial will provide examples written in Java, but can easily be converted to Scala and Kotlin.

What is gRPC?

gRPC is a high-performance, open source RPC framework initially developed by Google. It helps in eliminating boilerplate code and helps in connecting polyglot services in and across data centers.

Unit Testing Static Methods With Mockito

Unit testing helps us to cover different scenarios and it is a way to ensure the applications behave as expected under certain circumstances. Most of the time it is easy to test your classes and methods, but sometimes you need to mock certain services or methods to isolate your target. Mockito is a good library to help you with that. It can easily create mocked or partially mocked objects for you with Mockito#mock or with Mockito#spy.

There are some cases in which we also want to mock static methods of a particular utility class, so how can we accomplish that? Well, by using the Mockito mockStatic method. Let's take an example using the following AnimalUtils and Dog objects and the Animal interface:

Compress Your Data Within Elasticsearch

Compression is awesome. Making something smaller than its original size sounds like magic, but it is possible. We know it from WinRAR, 7-Zip and other tools. Elasticsearch also has a property to compress the data that is sent between the nodes and the clients, which can be very useful for reducing network latency when handling huge responses from Elasticsearch. In this article we will cover the following topics:

  1. Enable HTTP/TCP compression
  2. Handling compressed responses
    • Elasticsearch 7.7 and below
    • Elasticsearch 7.8 and upwards
    • Future Elasticsearch release 7.9 and 8.0

Most of us are already familiar with Elasticsearch from Elastic from working with application logs, but a lot of people have never heard of it. Below is a short summary:

How to Easily Set Up Mutual TLS SSL

Mastering Two-Way TLS

This tutorial will walk you through the process of protecting your application with TLS/SSL authentication, only allowing access for certain users based on their certificates. This means that you can choose which users are allowed to call your application.

Table of Contents

  1. Introduction
  2. Tutorial
    • Starting the server
    • Saying hello to the server (without encryption)
    • Enabling HTTPS on the server (one-way TLS)
    • Require the client to identify itself (two-way TLS)
    • Two-way TLS based on trusting the Certificate Authority
  3. Automated scripts
  4. Tested HTTP Clients
  5. Demo and walk-through video

Introduction

This sample project demonstrates a basic setup of a server and a client. The communication between the server and client happens through HTTP, so there is no encryption at all yet. The goal is to ensure that all communication will be encrypted.

Configuring SSL/TLS Connection Made Easy

Setting up encryption for your application, how hard can it be? I thought it should be easy, as all communication with modern web applications should be encrypted, right? Well, my expectations were wrong... While setting it up, I encountered a couple of hidden difficulties. For example, the configuration is vague, verbose, not straightforward to set up, hard to debug, and not unit-test friendly.

For this article, I'll assume you already have a basic understanding of certificates, keystores, encryption protocols, and the SSL handshake. If not, I would recommend going through this article: How to Easily Set Up Mutual TLS.