Nikhil created TOMEE-2760:
-----------------------------
Summary: javax.net.ssl.SSLException(certificate_unknown) while
deploying an enterprise EAR over TomEE 8
Key: TOMEE-2760
URL: https://issues.apache.org/jira/browse/TOMEE-2760
Project: TomEE
Issue Type: Bug
Components: TomEE Core Server
Affects Versions: 8.0.0-Final
Reporter: Nikhil
Hi,
We are trying to deploy an enterprise-level EAR application on a TomEE 8.0
environment with JDK 1.8.x and the ActiveMQ setup WAR.
During startup of the TomEE server, while deploying the EAR file, we got
the exceptions below:
org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}
java.io.IOException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
    at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
    at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
    at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
    at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
    at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
    at org.apache.activemq.transport.InactivityMonitor.start(InactivityMonitor.java:52)
    at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
    at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:72)
    at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
    at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
    at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.apache.activemq.transport.nio.NIOSSLTransport.secureRead(NIOSSLTransport.java:393)
    at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:428)
    at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
    ... 14 more
Further down, the following stack trace appears:
org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost found
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115)
    at java.io.DataOutputStream.flush(DataOutputStream.java:123)
    at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:194)
    at org.apache.activemq.transport.AbstractInactivityMonitor.doOnewaySend(AbstractInactivityMonitor.java:335)
    at org.apache.activemq.transport.AbstractInactivityMonitor.oneway(AbstractInactivityMonitor.java:317)
    at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:181)
    at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84)
    at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74)
    at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:1017)
    at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:148)
    at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:133)
    at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:48)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No name matching myhost found
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 22 more
The same EAR deployment was working fine with a TomEE 7.0.3 environment + JDK 8.
While researching, we found that a similar issue w.r.t. hostname verification
was added recently as part of an ActiveMQ 5.15.x change:
https://securitytracker.com/id/1041618

The vendor advisory is available at:
http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
We couldn't see any option for disabling the same in TomEE or ActiveMQ.xml.
Please let us know if there is any issue w.r.t. the above configuration.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
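The two traces in the report are one failure seen from both ends: the client's trust manager rejects the broker certificate in checkServerTrusted because no name in it matches the host it dialled (myhost), and the JDK answers that rejection with a certificate_unknown alert, which is what the broker logs on accept. The wording "No name matching myhost found" is the JDK's CN-fallback message, so the broker certificate it was shown carries no dNSName subject alternative name and its CN is something other than myhost. The Python below is an added example by the editor, not TomEE or ActiveMQ code; it replays the JDK hostname-matching order (dNSName SANs are authoritative, CN only when no dNSName SAN exists) on constructed certificate identities. The hostnames, the certificate contents and the simplified wildcard rule are assumptions for illustration.

```python
"""Replay the JDK's hostname check (sun.security.util.HostnameChecker) that
produces "No name matching <host> found" once ActiveMQ 5.15.6+ verifies the
broker certificate on SSL client transports.

Editor's example, not TomEE or ActiveMQ code.  Certificate identities are
constructed dicts of the form
    {"subject": {"CN": ...}, "subjectAltName": [("DNS", name), ...]}
rather than parsed X.509 certificates, and the wildcard rule is simplified
to the common case (a single leftmost '*' label)."""


def _dns_match(hostname: str, pattern: str) -> bool:
    """Case-insensitive match of one dNSName pattern against a hostname.
    A wildcard must be the entire leftmost label, stands for exactly one
    label, and is not accepted for a bare two-label name such as *.com."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return hostname == pattern
    suffix = pattern[1:]                       # ".example.internal"
    if suffix.count(".") < 2 or not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]            # the part the '*' stands for
    return bool(left) and "." not in left


def match_hostname(hostname: str, cert: dict) -> None:
    """Raise ValueError carrying the JDK's message text when `hostname` is
    not covered by `cert`; return silently when it is."""
    dns_names = [v for kind, v in cert.get("subjectAltName", []) if kind == "DNS"]
    if dns_names:
        if any(_dns_match(hostname, p) for p in dns_names):
            return
        # Once any dNSName SAN is present the JDK never falls back to the CN.
        raise ValueError(f"No subject alternative DNS name matching {hostname} found.")
    cn = cert.get("subject", {}).get("CN")
    if cn is not None and _dns_match(hostname, cn):
        return
    raise ValueError(f"No name matching {hostname} found")


def verify(hostname: str, cert: dict) -> str:
    """Return "ok" or the failure message, so callers can assert on it."""
    try:
        match_hostname(hostname, cert)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed identities (assumptions, not the reporter's real keystore).
# LEGACY is what `keytool -genkeypair` yields when only a CN is supplied;
# FIXED is the same broker key regenerated with a SAN for the name the
# client dials (`-ext SAN=dns:myhost`).
LEGACY_BROKER_CERT = {"subject": {"CN": "localhost"}, "subjectAltName": []}
FIXED_BROKER_CERT = {
    "subject": {"CN": "myhost"},
    "subjectAltName": [("DNS", "myhost"), ("DNS", "myhost.example.internal")],
}
WILDCARD_CERT = {"subject": {"CN": "unused"},
                 "subjectAltName": [("DNS", "*.example.internal")]}


if __name__ == "__main__":
    for host, cert in [("myhost", LEGACY_BROKER_CERT),
                       ("localhost", LEGACY_BROKER_CERT),
                       ("myhost", FIXED_BROKER_CERT),
                       ("other", FIXED_BROKER_CERT),
                       ("broker1.example.internal", WILDCARD_CERT),
                       ("deep.broker1.example.internal", WILDCARD_CERT)]:
        print(f"{host:32s} -> {verify(host, cert)}")
```

Run against the LEGACY identity with host myhost, verify() returns exactly the reporter's message; the same certificate passes for localhost, which is why a CN-only keystore "works" until the client dials the broker by a different name. The durable fix is to reissue the broker certificate with a SAN covering every name in the client connection URL and redistribute it to the client truststore, not to switch verification off: disabling the check on the client reopens the man-in-the-middle exposure that CVE-2018-11775 closed.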