lizhanhui commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1175896033

   @zergduan  For a quick reference, with the following Java options, 
   ```bash
   -Dtls.enable=true -Dtls.test.mode.enable=false -Dtls.client.authServer=true -Djavax.net.debug=all
   ```
   
   Clients manage to figure out that the server certificate is self-signed and reject it.
   
   > javax.net.ssl|FINE|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.754 CST|CertificateMessage.java:364|Consuming server Certificate handshake message (
   "Certificates": [
     "certificate" : {
       "version"            : "v3",
       "serial number"      : "00 99 35 96 9A BD 85 03 EC",
       "signature algorithm": "SHA256withRSA",
       "issuer"             : "CN=example.com",
       "not before"         : "2021-07-06 15:36:21.000 CST",
       "not  after"         : "10000-01-01 07:59:59.000 CST",
       "subject"            : "CN=example.com",
       "subject public key" : "RSA"}
   ]
   )
   javax.net.ssl|SEVERE|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.755 CST|TransportContext.java:362|Fatal (CERTIFICATE_UNKNOWN): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
   "throwable" : {
     sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at sun.security.validator.Validator.validate(Validator.java:271)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:275)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:479)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:990)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:977)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:924)
        at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:61)
        at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:370)
        at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at java.lang.Thread.run(Thread.java:748)
     Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 29 more}
   
   )
   javax.net.ssl|ALL|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.755 CST|SSLSessionImpl.java:839|Invalidated session:  Session(1657093391739|SSL_NULL_WITH_NULL_NULL)
   javax.net.ssl|ALL|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.755 CST|SSLSessionImpl.java:839|Invalidated session:  Session(1657093391752|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
   javax.net.ssl|WARNING|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.755 CST|SSLEngineOutputRecord.java:173|outbound has closed, ignore outbound application data
   javax.net.ssl|FINE|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.756 CST|SSLEngineOutputRecord.java:510|WRITE: TLS12 alert, length = 2
   javax.net.ssl|FINE|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.756 CST|SSLEngineOutputRecord.java:528|Raw write (
     0000: 15 03 03 00 02 02 2E                               .......
   )
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
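
Added example, not part of the original comment or of RocketMQ: a small Python triage helper that decodes the `Raw write` alert bytes from the `-Djavax.net.debug=all` output above and checks whether the dumped certificate's issuer equals its subject. The function names and the embedded sample are constructed for illustration; issuer equal to subject shows the certificate is self-issued, which is used here as a proxy for self-signed without verifying the signature.

```python
import re

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      42: "bad_certificate", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Constructed sample: a few lines taken from the debug output quoted above.
SAMPLE_LOG = '''\
"issuer"             : "CN=example.com",
"subject"            : "CN=example.com",
"subject public key" : "RSA"}
CST|SSLEngineOutputRecord.java:528|Raw write (
  0000: 15 03 03 00 02 02 2E                               .......
)
'''

def parse_hexdump(log):
    """Collect bytes from hexdump lines of the form '0000: 15 03 ...'.
    Assumes at most 16 bytes per line, each preceded by 1-3 spaces."""
    out = bytearray()
    pattern = r"^\s*[0-9A-Fa-f]{4}:((?:[ ]{1,3}[0-9A-Fa-f]{2}){1,16})"
    for m in re.finditer(pattern, log, re.M):
        out += bytes.fromhex(m.group(1))
    return bytes(out)

def decode_alert(record):
    """Decode a plaintext TLS alert record (5-byte header + level + description)."""
    if len(record) < 7 or record[0] != 0x15:
        raise ValueError("not a TLS alert record")
    length = int.from_bytes(record[3:5], "big")
    if length != 2 or len(record) != 5 + length:
        raise ValueError("encrypted or truncated alert")
    level, desc = record[5], record[6]
    return {"version": (record[1], record[2]),  # (3, 3) is TLS 1.2
            "level": ALERT_LEVELS.get(level, f"unknown({level})"),
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}

def is_self_issued(log):
    """True when the dumped certificate's issuer DN equals its subject DN."""
    issuer = re.search(r'"issuer"\s*:\s*"([^"]*)"', log)
    subject = re.search(r'"subject"\s*:\s*"([^"]*)"', log)
    return bool(issuer and subject and issuer.group(1) == subject.group(1))

if __name__ == "__main__":
    print(decode_alert(parse_hexdump(SAMPLE_LOG)), is_self_issued(SAMPLE_LOG))
```

The decoded alert (fatal, `certificate_unknown`) is the client side of the `Fatal (CERTIFICATE_UNKNOWN)` line in the log: the client aborted the handshake rather than trusting the certificate.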
