[ https://issues.apache.org/jira/browse/TOMEE-2760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17011619#comment-17011619 ]

Jonathan Gallimore commented on TOMEE-2760:
-------------------------------------------

You're welcome. Documentation-wise, PRs to the website are most welcome. 
[~ivanjunckes] made a video demonstrating how to do this: 
[https://www.youtube.com/watch?v=P6IM0LDevVU]

In terms of your product and how you're shipping it, that's really for you to 
work out, and no doubt your organization has a security policy in place for 
this sort of thing. The vulnerability fixed by this update (CVE-2018-11775) 
would potentially allow a "man in the middle" attack, where someone could 
present an endpoint between TomEE and the ActiveMQ broker and eavesdrop on 
traffic between the two. By using this setting, you are re-enabling that 
vulnerability - I think it's important that I point that out - if/how you 
mitigate that is up to you.

I do understand the desire to ship everything with the product and have it 
"just work", but you're effectively relying on that hostname check being 
disabled. I don't know much about your package, but if you're shipping the 
ActiveMQ broker as well, you're potentially also shipping a default private 
key, which also presents a risk. If it were me, personally, I'd enable the 
customer to generate/update keys and certificates in the product, and they can 
choose if they want the insecure setting. If for no other reason, certificates 
have a habit of expiring, and that tends to break things as well. 
[https://www.theregister.co.uk/2018/12/06/ericsson_o2_telefonica_uk_outage/]

I do hope that helps. Thanks for filing this ticket - I'll mark it as resolved, 
but let us know (you can follow up here, another ticket, or on 
[email protected]) if you have further queries.

Jon

> javax.net.ssl.SSLException(certificate_unknown) while deploying an enterprise 
> EAR over TOMEE8
> --------------------------------------------------------------------------------------------
>
>                 Key: TOMEE-2760
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2760
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>    Affects Versions: 8.0.0-Final
>            Reporter: Nikhil
>            Priority: Major
>
> Hi,
>  
> We are trying to deploy an enterprise level EAR application on the TomEE 8.0 
> environment with JDK 1.8.x and ActiveMQ setup war.
>  
> During the startup of the TomEE server, while deploying the EAR file, we got 
> the exceptions below:
>  
> org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}
> java.io.IOException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
>     at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
>     at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
>     at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
>     at org.apache.activemq.transport.InactivityMonitor.start(InactivityMonitor.java:52)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:72)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
>     at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
>     at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
>     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.secureRead(NIOSSLTransport.java:393)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:428)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
>     ... 14 more
>  
> Further down, the stack trace below:
>  
> org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost found
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
>     at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115)
>     at java.io.DataOutputStream.flush(DataOutputStream.java:123)
>     at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:194)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.doOnewaySend(AbstractInactivityMonitor.java:335)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.oneway(AbstractInactivityMonitor.java:317)
>     at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:181)
>     at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84)
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74)
>     at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:1017)
>     at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:148)
>     at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:133)
>     at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:48)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.security.cert.CertificateException: No name matching myhost found
>     at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>     ... 22 more
>  
>  
> The same EAR deployment was working fine with 7.0.3 TomEE environment + JDK 8.
>  
> While researching, we found a similar issue: hostname verification was added 
> recently as part of an ActiveMQ 5.15.x change, see 
> [https://securitytracker.com/id/1041618]
>
> The vendor advisory is available at:
> http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
>  
> We couldn't see any option to disable the same in TOMEE or ActiveMQ.xml.
>  
> Please let us know if there is any issue w.r.t above configurations.
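
The two stack traces in the report are the same event seen from both ends: the TomEE side (the ActiveMQ client) rejects the broker's certificate because no subjectAltName matches the `myhost` it dialed, and the broker side logs the resulting fatal `certificate_unknown` alert. The example below is added here and is not code from the ticket, TomEE or ActiveMQ; it reproduces that exchange in Go, whose standard library can mint a certificate in-process, so it runs offline. The broker name `broker.internal` is an assumption, and the `verifyHost` flag is this example's stand-in for the client-side switch Jon refers to, not the real option name. The name check itself is the same as the JDK's (`HostnameChecker.matchDNS`: SAN dNSName entries matched against the dialed host), with one difference worth knowing: the JDK falls back to the CN only when the certificate has no DNS SANs at all, and Go never consults the CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a self-signed server certificate whose subjectAltName lists
// dnsNames. Constructed test material for this example, not a real keystore.
func makeCert(dnsNames []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "activemq-broker"}, // not consulted when SANs exist
		DNSNames:     dnsNames,                                  // what the name check matches against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// isHostnameMismatch reports whether err is (or wraps) the name-check failure,
// Go's counterpart of the JDK's "No name matching <host> found".
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// handshake runs one TLS handshake over loopback. The client trusts the server
// certificate (as a truststore would) and dials serverName. verifyHost=false
// still validates the chain but skips the name check, which is what an
// ActiveMQ client does once hostname verification is switched off.
func handshake(serverCert tls.Certificate, serverName string, verifyHost bool) error {
	pool := x509.NewCertPool()
	pool.AddCert(serverCert.Leaf)
	clientCfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	if !verifyHost {
		// Go has no "chain yes, name no" switch: skip the built-in check and
		// verify the chain ourselves with no DNSName set.
		clientCfg.InsecureSkipVerify = true
		clientCfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			c, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			_, err = c.Verify(x509.VerifyOptions{Roots: pool})
			return err
		}
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, serverCfg).Handshake()
		}
		srvErr <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	if err := tls.Client(raw, clientCfg).Handshake(); err != nil {
		return err // the server side sees the mirror image: a fatal alert from the client
	}
	return <-srvErr
}

func main() {
	serverCert, err := makeCert([]string{"broker.internal"}) // assumed broker name
	if err != nil {
		panic(err)
	}
	// A matching name connects; the ticket's "myhost" is rejected unless the
	// check is off, in which case a MITM endpoint would connect just as well.
	for _, tc := range []struct{ name string; verify bool }{{"broker.internal", true}, {"myhost", true}, {"myhost", false}} {
		err := handshake(serverCert, tc.name, tc.verify)
		fmt.Printf("dial %-16s verifyHost=%-5v mismatch=%-5v err=%v\n", tc.name, tc.verify, isHostnameMismatch(err), err)
	}
}
```

The fix that keeps CVE-2018-11775 closed is the first case, not the third: either issue the broker a certificate whose SAN contains the hostname that appears in the broker URL (`myhost` in `nio+ssl+context://myhost:27145`), or dial the broker by the name already on its certificate. Disabling the check makes the connection succeed, but it succeeds just as readily against an interposed endpoint presenting any certificate the client's truststore accepts.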



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
