Https error in AWS Lambda

[PanAeon]

scalaj-http version: 2.3.0
scala version: 2.11

When I try to make vanilla https request in AWS Lambda (Java 8 Runtime) I've got the following error:

invalid key or spec in GCM mode: java.lang.RuntimeException
java.lang.RuntimeException: invalid key or spec in GCM mode
at sun.security.ssl.CipherBox.createExplicitNonce(CipherBox.java:1033)
at sun.security.ssl.OutputRecord.encrypt(OutputRecord.java:248)
at sun.security.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:869)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:857)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:727)
at sun.security.ssl.SSLSocketImpl.sendAlert(SSLSocketImpl.java:2079)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1953)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916)
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1899)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1420)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at scalaj.http.StringBodyConnectFunc.apply(Http.scala:500)
at scalaj.http.StringBodyConnectFunc.apply(Http.scala:497)
at scalaj.http.HttpRequest.scalaj$http$HttpRequest$$doConnection(Http.scala:355)
at scalaj.http.HttpRequest.exec(Http.scala:335)
at scalaj.http.HttpRequest.asString(Http.scala:455)
at java.util.ArrayList.forEach(ArrayList.java:1249)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
Caused by: java.security.InvalidKeyException: No installed provider supports this key: javax.crypto.spec.SecretKeySpec
at javax.crypto.Cipher.chooseProvider(Cipher.java:893)
at javax.crypto.Cipher.init(Cipher.java:1396)
at sun.security.ssl.CipherBox.createExplicitNonce(CipherBox.java:1029)
... 28 more

[dbuschman7]

This is most likely a problem with the JRE's installed crypto keys. Have you checked to see if the JRE you are running has the "strong crypto" extension jars installed?

[PanAeon]

I'm running the code in AWS Lambda, and I'm almost completely sure they don't have strong crypto extension jars installed. But since other clients, including default jvm client, work fine with https, I suggest to make "strong crypto" as an opt-out future. Lambda is a hosted environment, and it's not known when they implement jre security extensions, if at all.

[hoffrocket]

Hi, do you have a code example which reproduces outside of the Lambda environment?

…

On Wed, Oct 18, 2017 at 7:16 AM, PanAeon ***@***.***> wrote: I'm running the code in AWS Lambda, and I'm almost completely sure they don't have strong crypto extension jars installed. But since other clients, including default jvm client, work fine with https, I suggest to make "strong crypto" as an opt-out future. Lambda is a hosted environment, and it's not known when they implement jre security extensions, if at all. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#141 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABfWDtRESKdVmZ6wKmnWJMJ9wSWMKZgks5std3zgaJpZM4P76Gk> .

[PanAeon]

No, I don't have one at the moment.

[dbuschman7]

@PanAeon I think your are missing the real issue here.

I believe that it is not a problem with scalaj-http but a problem with the remote site your are trying to connect to, its crypto requirements and the JVM you are running in. If the remote HTTPS site requires a "strong protocol" like TLS 1.2, then your JVM will need to have strong crypto added to the JRE in order for any client to connect a HTTPS connection to it. No client will be able to connect to that site without the JRE "strong" cipher support to handle this.

Find out what the SSL/TLS requirements for the remote site your are trying to connect to.

[quybeans]

@PanAeon I ran into the same problem a day ago. I switched from scalaj-http to akka-http. It works perfectly. Code are here.

One problem is the jar file after sbt> assembly is kinda big (mine was 20mb) and I have to increase the Lambda function size. Im still looking for a work around with scalaj-http since I prefer no dependencies.

[hoffrocket]

I was not able to duplicate this issue. What region are you running your lambda functions in? I'm running the lambda function which calls an https endpoint from this repo in us-east-1 without issues: https://github.com/hoffrocket/scalaj-http-lambda-test