rss feeds not working for https

Sushil Patidar, modified 7 Years ago. Expert Posts: 467 Join Date: 10/31/11 Recent Posts
Hi,

I have configured RSS feeds as explained on the link on Liferay DXP. But in the RSS publisher, feeds of web contents are not displayed due to the following error.

[04.04.2018 13:44:41,413 +0000] WARN  [http-bio-8443-exec-2][WebCachePoolImpl:66] java.io.IOException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
java.io.IOException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at com.liferay.portal.util.HttpImpl.URLtoInputStream(HttpImpl.java:2050)
        at com.liferay.portal.util.HttpImpl.URLtoInputStream(HttpImpl.java:1317)
        at com.liferay.portal.kernel.util.HttpUtil.URLtoInputStream(HttpUtil.java:322)
        at com.liferay.rss.web.internal.util.RSSWebCacheItem._readURL(RSSWebCacheItem.java:90)


As I understood, this is because the Liferay feed URL starts with https://
Any idea how to resolve it?

Regards
Olaf Kock, modified 7 Years ago. Liferay Legend Posts: 6441 Join Date: 9/23/08 Recent Posts
Sushil Patidar:
As I understood, this is because the Liferay feed URL starts with https://
Any idea how to resolve it?


What's the URL that you enter for your RSS feed?
Are you using a publicly signed cert for your HTTPS server, or a self-signed? Or an intranet-version of the certificate? Reason for my question: HTTPS contains an assertion that the server is who they claim - certified by a CA that the Java Runtime (which runs Liferay) must trust for this purpose. The Java Runtime comes with a bunch of CAs that it trusts, but if yours is not among them, you'll need to manually configure it as trustworthy (that's on JVM level, nothing that Liferay could change).
Lee Jordan, modified 5 Years ago. Expert Posts: 449 Join Date: 5/26/15 Recent Posts
Hey Olaf,

This one has been occurring for us for 4 years already. Every attempt at resolving through LESA hasn't worked. Could you expand on what this means "you'll need to manually configure it as trustworthy (that's on JVM level, nothing that Liferay could change)". Does that mean we have to certify our own server as trustworthy?

There seems to be a ray of hope ...
https://portal.liferay.dev/docs/7-1/user/-/knowledge_base/u/the-rss-publisher-widget
Christoph Rabel, modified 5 Years ago. Liferay Legend Posts: 1555 Join Date: 9/24/09 Recent Posts
Yes, it is quite possible that you have to EXPLICITLY trust your own server.
Certificates are managed through keystores on Java level. Often there is just one, the default keystore installed/bundled with Java. It contains the standard certificates of various vendors. But if you need to trust other certificates you MUST trust those certificates (or their root certificates) yourself.
Only you can say which certificates you trust. On servers I own, I often even remove the standard truststore. Simply because I trust nobody by default. I only add root certificates I need.
Lee Jordan, modified 5 Years ago. Expert Posts: 449 Join Date: 5/26/15 Recent Posts
Is it possible to configure one portlet to bypass a proxy? Testing locally my issue looks to be proxy related, I configured the JVM to use system settings, restarted, then turned the proxy off in "Internet Options" on Windows and yup sure enough the RSS feed started working. Of course then everything else stopped working.
At some level one of the issues with SSL in RSS could be the proxy.
Christoph Rabel, modified 5 Years ago. Liferay Legend Posts: 1555 Join Date: 9/24/09 Recent Posts
I don't think so. One could set or remove the proxy manually in the code for a connection, but this is done only seldom. I know, the LCS portlet does it, it actually has its own proxy configuration, but I doubt that it is a general feature of all portlets.
To expand on Olaf's answer a bit:
When you access a site in the browser through your network, you usually can click on the lock symbol (or something like that) and look at the certificate. Check that certificate. If the issuer is your company, then you have a company root certificate, that trusts the proxy installed in the OS.
Then you need to install that certificate into the Java truststore (or create a new one and configure the Java settings in setenv.bat or in the service to use that one).
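The truststore step described in the reply above, and the explicit-trust point in the earlier reply about keystores, as an added example that is not part of the original posts: it builds a dedicated truststore with the JDK's `keytool` and imports a company root certificate into it. The function names, the alias, the file names and the `changeit` password are assumptions for illustration, and the sample certificate is constructed.

```shell
#!/usr/bin/env bash
# Added example. Alias, file names and passwords below are hypothetical.

# Locate the cacerts file bundled with a JDK/JRE (Java 9+ layout, then Java 8 layout).
find_cacerts() {
  local p
  for p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
    if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# is_trusted <store> <pass> <alias>: succeeds only if the alias is present in the store.
is_trusted() {
  [ -f "$1" ] && keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# add_trusted_root <root.pem> <store> <pass> <alias> [base-cacerts]
# Seeds a new store from the JVM's cacerts when one is given (a store passed via
# -Djavax.net.ssl.trustStore REPLACES the default, so the bundled public CAs would
# otherwise be lost), then imports the root that signs the proxy's certificates.
add_trusted_root() {
  local pem="$1" store="$2" pass="$3" alias="$4" base="${5:-}"
  [ -f "$pem" ] || { echo "certificate not found: $pem" >&2; return 2; }
  if [ -n "$base" ] && [ ! -f "$store" ]; then
    keytool -importkeystore -noprompt -srckeystore "$base" -srcstorepass changeit \
            -destkeystore "$store" -deststorepass "$pass" >/dev/null 2>&1 || return 3
  fi
  is_trusted "$store" "$pass" "$alias" && return 0   # already imported, nothing to do
  keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$pem" \
          -keystore "$store" -storepass "$pass" >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed certificate standing in for the
# company root exported from the browser's certificate dialog.
make_sample_root() {
  local dir="$1"
  keytool -genkeypair -alias sample -keyalg RSA -keysize 2048 -validity 1 \
          -dname "CN=Constructed Corp Root" -keystore "$dir/sample.p12" \
          -storetype PKCS12 -storepass changeit -keypass changeit >/dev/null 2>&1 &&
  keytool -exportcert -rfc -alias sample -keystore "$dir/sample.p12" \
          -storepass changeit -file "$dir/corp-root.pem" >/dev/null 2>&1
}

# JVM options to add in setenv.sh / setenv.bat once the store exists:
#   -Djavax.net.ssl.trustStore=/path/to/liferay-trust.jks
#   -Djavax.net.ssl.trustStorePassword=<store password>
```

Before importing, inspect the issuer and fingerprint of the exported file with `keytool -printcert -file corp-root.pem`, since the JVM will then accept every certificate that root signs.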
Olaf Kock, modified 5 Years ago. Liferay Legend Posts: 6441 Join Date: 9/23/08 Recent Posts
Lee Jordan:

This one has been occurring for us for 4 years already. Every attempt at resolving through LESA hasn't worked. Could you expand on what this means "you'll need to manually configure it as trustworthy (that's on JVM level, nothing that Liferay could change)". Does that mean we have to certify our own server as trustworthy?
You seem to have solved this more or less with Christoph's help already, so I'll just add the canonical information here: In the case of https-RSS-feeds, the originating server offers an RSS feed through HTTPS. In order to build a secure connection, the client of this connection needs to trust that the server is indeed who they claim they are - otherwise encrypting a connection with an evil attacker won't add any security.
This trust is implemented through signed public keys: The server presents a public key that is signed by an entity that the client trusts for these purposes. If you connect your browser to a site that it doesn't trust, it will present a fat warning and you'll have to go through hoops to override this non-trust, if you want to see the page nevertheless. When Liferay is the client (as it is in the case of requesting an external RSS feed), there is just no way it could present any server operator with the question "is this certificate trustworthy". This means that Liferay must already trust the signing authority - if it doesn't, it won't create the connection.
In case of a proxy between an otherwise trustworthy server and the client (Liferay's RSS portlet), the proxy is prone to decrypt and re-encrypt with its own key. And typically Liferay won't trust that one. The truststore used by Liferay is typically the one used by the underlying JVM. That's the reason Liferay support can't help: This is a matter of configuring trust to arbitrary (custom) proxy certificates to sign all kinds of domains.
Unfortunately that's just how https works - everybody you trust can sign every domain there is.

This was simplified. I'm aware that the situation is more complex and contains some grey areas, not just black and white. But knowing that it's simplified should be sufficient for this short essay...
Lee Jordan, modified 5 Years ago. Expert Posts: 449 Join Date: 5/26/15 Recent Posts
RSS publisher on localhost, won't work for me unless I turn off my proxy, which is fine yeah it works, but then nothing else will, so it's near on impossible to develop templates for RSS publisher.
Christoph Rabel, modified 5 Years ago. Liferay Legend Posts: 1555 Join Date: 9/24/09 Recent Posts
And you need the proxy in Liferay for other things? You can't turn it off for the Liferay server? Maybe you could start two Liferay instances, one with proxy and one without proxy? (I am just musing here)
I have two ideas:
1) Create a local proxy (it isn't that hard to do that e.g. with Apache) and "cheat" there. Forward all requests except those for localhost (and maybe some other internal servers) to the real proxy, send the rest directly to the server.
2) That rss feed you need. Create some instance (e.g. on some test system) that can be reached by the proxy and use it for development.
Lee Jordan, modified 5 Years ago. Expert Posts: 449 Join Date: 5/26/15 Recent Posts
I might be able to write a client side RSS reader faster. Is there any appetite for Liferay to switch from server tech on this portlet?
Olaf Kock, modified 5 Years ago. Liferay Legend Posts: 6441 Join Date: 9/23/08 Recent Posts
Lee Jordan:

I might be able to write a client side RSS reader faster. Is there any appetite for Liferay to switch from server tech on this portlet?
Easiest will be to just publish it on Marketplace.
However, if you have any other requests that come out of your server (like REST-APIs accessing other systems) and they also need to go through a proxy, you'll still have to establish trust between your server and your proxy. Also, you might run into CORS issues, if the RSS feed doesn't declare to be ok with being included from everywhere (we've tried this with the Radio Liferay audio player, which also consumes the RSS feed from client side - it required some extra header work on the server, which you can't assume every RSS host will do for you).