[ 
https://issues.apache.org/jira/browse/TOMEE-2760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17011831#comment-17011831
 ] 

Nikhil commented on TOMEE-2760:
-------------------------------

Thank you for your detailed explanation of the issue. That really makes a lot 
of difference as far as security is concerned, and we are looking into how we 
can handle it in our project.

 

I would be happy to add this information to the documentation soon by following the 
video shared above.

> javax.net.ssl.SSLException(certificate_unknown) while deploying an enterprise 
> ear over TOMEE8
> --------------------------------------------------------------------------------------------
>
>                 Key: TOMEE-2760
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2760
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>    Affects Versions: 8.0.0-Final
>            Reporter: Nikhil
>            Assignee: Jonathan Gallimore
>            Priority: Major
>
> Hi,
>  
> We are trying to deploy an enterprise-level EAR application on the TomEE 8.0 
> environment with JDK 1.8.x and the ActiveMQ setup WAR.
>  
> During the startup of the TomEE server, while deploying the EAR file, we got 
> the below exceptions:
>  
> org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}
> org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}
> java.io.IOException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
>     at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
>     at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
>     at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
>     at org.apache.activemq.transport.InactivityMonitor.start(InactivityMonitor.java:52)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:72)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
>     at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
>     at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
>     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.secureRead(NIOSSLTransport.java:393)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:428)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
>     ... 14 more
>  
> Further, the below stack trace:
>  
> org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}
> org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost found
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
>     at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115)
>     at java.io.DataOutputStream.flush(DataOutputStream.java:123)
>     at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:194)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.doOnewaySend(AbstractInactivityMonitor.java:335)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.oneway(AbstractInactivityMonitor.java:317)
>     at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:181)
>     at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84)
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74)
>     at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:1017)
>     at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:148)
>     at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:133)
>     at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:48)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.security.cert.CertificateException: No name matching myhost found
>     at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>     ... 22 more
>  
>  
> The same EAR deployment was working fine with 7.0.3 TomEE environment + JDK 8.
>  
> While researching, we found that a similar issue w.r.t. hostname 
> verification was added recently as part of an ActiveMQ 5.15.x change at 
> https://securitytracker.com/id/1041618
>  
> The vendor advisory is available at:
> http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
>  
> We couldn't see any option for disabling the same in TomEE or ActiveMQ.xml.
>  
> Please let us know if there is any issue w.r.t. the above configurations.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
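The second trace in the quoted report fails inside the JDK's HostnameChecker with "No name matching myhost found". In JDK 8 that exact wording comes from the subject-CN fallback path, which is reached only when the server certificate carries no dNSName SAN at all (a mismatch among present dNSName SANs is reported as "No subject alternative DNS name matching ... found"). So the broker certificate presented on nio+ssl+context://myhost:27145 most likely names neither myhost in a SAN nor in its CN, and the remedy the added hostname verification is meant to push operators towards is a broker certificate whose SAN lists every name clients dial, not a switch that turns the check off. The following is an added example, not TomEE or ActiveMQ code: it implements the client-side matching rule (RFC 6125 DNS-ID comparison with the JDK's SAN-before-CN precedence) over constructed certificate identities, so the verdicts can be reproduced offline; a real client reads these fields from the X.509 certificate. The certificate names and the 10.0.0.5 address are made up for the example.

```python
"""Hostname verification as a TLS client performs it, written as an added
example for this issue (it is not TomEE or ActiveMQ code).  Certificate
identities are constructed in-line so the check runs offline."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertNames:
    """Constructed stand-in for the identity fields of a server certificate."""
    common_name: Optional[str]                          # subject CN (legacy identity)
    san_dns: List[str] = field(default_factory=list)    # SAN dNSName entries
    san_ip: List[str] = field(default_factory=list)     # SAN iPAddress entries


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 DNS-ID comparison: case-insensitive; a wildcard is accepted
    only as the entire leftmost label, matches exactly one label, and the
    pattern must keep at least two literal labels after it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in label for label in p_labels[1:])):
        return False  # partial wildcards such as my*.example or *.internal are rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """Decide whether `hostname` is an identity the certificate asserts.

    Precedence follows the JDK's HostnameChecker: an IP literal must appear as
    an iPAddress SAN (the CN is never consulted for IPs); a DNS name is compared
    with the dNSName SANs, and the subject CN is consulted only when the
    certificate carries no dNSName SAN at all.
    """
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(ipaddress.ip_address(s) == wanted_ip for s in cert.san_ip)
    if cert.san_dns:
        return any(dns_name_matches(p, hostname) for p in cert.san_dns)
    return cert.common_name is not None and dns_name_matches(cert.common_name, hostname)


def verdict(cert: CertNames, hostname: str) -> str:
    """Operator-facing result; the failure text is the JDK 8 CN-fallback message."""
    if hostname_matches(cert, hostname):
        return "OK: %s matches the certificate" % hostname
    return "No name matching %s found" % hostname


# Constructed certificates, modelled on a broker that clients reach as "myhost".
CERT_NO_SAN = CertNames("localhost")                       # legacy self-signed cert, no SAN
CERT_WRONG_SAN = CertNames("myhost", san_dns=["broker01.example.internal"])
CERT_GOOD = CertNames("myhost", san_dns=["myhost", "myhost.example.internal"])
CERT_WILDCARD = CertNames(None, san_dns=["*.example.internal"])
CERT_IP = CertNames("myhost", san_ip=["10.0.0.5"])         # constructed address


def run_checks() -> Dict[str, bool]:
    """Evaluate the constructed certificates against the names a client would dial."""
    return {
        "no_san": hostname_matches(CERT_NO_SAN, "myhost"),                          # False
        "cn_ignored": hostname_matches(CERT_WRONG_SAN, "myhost"),                   # False
        "good": hostname_matches(CERT_GOOD, "MYHOST"),                              # True
        "good_fqdn": hostname_matches(CERT_GOOD, "myhost.example.internal"),        # True
        "wildcard_ok": hostname_matches(CERT_WILDCARD, "myhost.example.internal"),  # True
        "wildcard_deep": hostname_matches(CERT_WILDCARD, "a.b.example.internal"),   # False
        "wildcard_base": hostname_matches(CERT_WILDCARD, "example.internal"),       # False
        "ip_san": hostname_matches(CERT_IP, "10.0.0.5"),                            # True
        "ip_cn_only": hostname_matches(CertNames("10.0.0.5"), "10.0.0.5"),          # False
    }


if __name__ == "__main__":
    for label, cert in [("no SAN", CERT_NO_SAN), ("wrong SAN", CERT_WRONG_SAN), ("good", CERT_GOOD)]:
        print("%-10s %s" % (label, verdict(cert, "myhost")))
```

The "cn_ignored" case is the one that surprises people migrating from the 7.0.3 setup: once a certificate has any dNSName SAN, a CN of myhost no longer counts, so reissuing the broker certificate with a SAN for myhost (and for the FQDN, if clients use both) is the fix that keeps the CVE-2018-11775 check enabled.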
