[
https://issues.apache.org/jira/browse/TOMEE-2760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jonathan Gallimore resolved TOMEE-2760.
---------------------------------------
Assignee: Jonathan Gallimore
Resolution: Information Provided
> javax.net.ssl.SSLException(certificate_unknown) while deploying a enterprise
> ear over TOMEE8
> --------------------------------------------------------------------------------------------
>
> Key: TOMEE-2760
> URL: https://issues.apache.org/jira/browse/TOMEE-2760
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 8.0.0-Final
> Reporter: Nikhil
> Assignee: Jonathan Gallimore
> Priority: Major
>
> Hi,
>
> We are trying to deploy an enterprise level EAR application on the TomEE 8.0
> environment with JDK 1.8.x and ActiveMQ setup war.
>
> During the startup of the TomEE server, while deploying the EAR file, we got
> the exceptions below:
>
> org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}
> org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}
> java.io.IOException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
>     at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
>     at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
>     at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
>     at org.apache.activemq.transport.InactivityMonitor.start(InactivityMonitor.java:52)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:72)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
>     at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
>     at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
>     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.secureRead(NIOSSLTransport.java:393)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:428)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
>     ... 14 more
>
> Further, the stack trace below:
>
> org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}
> org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost found
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
>     at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115)
>     at java.io.DataOutputStream.flush(DataOutputStream.java:123)
>     at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:194)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.doOnewaySend(AbstractInactivityMonitor.java:335)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.oneway(AbstractInactivityMonitor.java:317)
>     at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:181)
>     at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84)
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74)
>     at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:1017)
>     at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:148)
>     at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:133)
>     at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:48)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.security.cert.CertificateException: No name matching myhost found
>     at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>     ... 22 more
>
>
> The same EAR deployment was working fine with 7.0.3 TomEE environment + JDK 8.
>
> While researching, we found that a similar issue w.r.t. hostname
> verification was added recently as part of an ActiveMQ 5.15.x change at
> https://securitytracker.com/id/1041618
>
> The vendor advisory is available at:
> http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
>
> We couldn't see any option for disabling the same in TomEE or ActiveMQ.xml.
>
> Please let us know if there is any issue w.r.t above configurations.
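The "No name matching myhost found" failure in the report above is the client's hostname check rejecting the broker certificate, so a useful first diagnostic is to list which DNS names the certificate actually carries and compare them with the host in the broker URL. The following is an added example, not code from the issue or from TomEE/ActiveMQ; the class name `BrokerCertNameCheck` and its command-line arguments are hypothetical, and the names used when no keystore is given are constructed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class). Wildcards are simplified to one whole left-most label.
public class BrokerCertNameCheck {
    static boolean matches(String host, String pattern) {
        if (!pattern.startsWith("*.")) return host.equalsIgnoreCase(pattern);
        int dot = host.indexOf('.');
        // "*" covers exactly one label, so "myhost" never matches "*.example.com"
        return dot > 0 && host.substring(dot).equalsIgnoreCase(pattern.substring(1));
    }

    static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return names; // no SAN extension; JSSE then checks the subject CN
        for (List<?> san : sans) {
            if ((Integer) san.get(0) == 2) names.add((String) san.get(1)); // 2 = dNSName
        }
        return names;
    }

    // args: <keystore path> <keystore password> <host from the broker URL>
    public static void main(String[] args) throws Exception {
        if (args.length < 3) { // no keystore given: run on constructed names
            for (String san : new String[] {"myhost", "myhost.example.com", "*.example.com"})
                System.out.printf("host=myhost san=%s match=%b%n", san, matches("myhost", san));
            return;
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!(ks.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) ks.getCertificate(alias);
            List<String> names = dnsNames(x);
            boolean ok = names.stream().anyMatch(n -> matches(args[2], n));
            System.out.printf("%s subject=%s dnsNames=%s match(%s)=%b%n",
                    alias, x.getSubjectX500Principal().getName(), names, args[2], ok);
        }
    }
}
```

If no entry reports a match for the host used in the connection URL, reissuing the broker certificate with that name as a dNSName SAN, or connecting with a name the certificate already carries, resolves the mismatch while leaving hostname verification enabled.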