[ https://issues.apache.org/jira/browse/ARTEMIS-577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15346354#comment-15346354 ]

Lionel Cons commented on ARTEMIS-577:
-------------------------------------

It is easy to generate a similar stack trace by using an untrusted certificate. Using your {{ssl-enabled-dual-authentication}} example, simply make sure that the server does not trust the client.

In my test, I have replaced
{code}
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
{code}
by
{code}
keytool -import -keystore server-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
{code}

And running the test I get:
{code}
Jun 23, 2016 2:39:10 PM org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnector createConnection
ERROR: AMQ214016: Failed to create netty connection
java.nio.channels.ClosedChannelException

[ERROR]
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.activemq.artemis.maven.ArtemisClientPlugin.doExecute(ArtemisClientPlugin.java:61)
        at org.apache.activemq.artemis.maven.ArtemisAbstractPlugin.execute(ArtemisAbstractPlugin.java:75)
        at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
        at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
        at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
        at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
        at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
        at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
        at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
        at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
        at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: javax.jms.JMSException: Failed to create session factory
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnectionInternal(ActiveMQConnectionFactory.java:735)
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnection(ActiveMQConnectionFactory.java:238)
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnection(ActiveMQConnectionFactory.java:233)
        at org.apache.activemq.artemis.jms.example.SSLDualAuthenticationExample.main(SSLDualAuthenticationExample.java:51)
        ... 28 more
Caused by: ActiveMQNotConnectedException[errorType=NOT_CONNECTED message=AMQ119007: Cannot connect to server(s). Tried with all available servers.]
        at org.apache.activemq.artemis.core.client.impl.ServerLocatorImpl.createSessionFactory(ServerLocatorImpl.java:800)
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnectionInternal(ActiveMQConnectionFactory.java:732)
        ... 31 more
{code}


> Do not log a stack trace in case of expired certificate
> -------------------------------------------------------
>
>                 Key: ARTEMIS-577
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-577
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>            Reporter: Lionel Cons
>            Assignee: Justin Bertram
>
> When trying to authenticate using an expired certificate, Artemis logs a very noisy stack trace:
> {code}
> 2016-06-20 09:13:56,571 [io.netty.channel.DefaultChannelPipeline] WARNING An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>       at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:380) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:244) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:308) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:294) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:846) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_92]
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>       at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) [jsse.jar:1.8.0_92]
>       at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) [rt.jar:1.8.0_92]
>       at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1138) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1028) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:968) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:349) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       ... 11 more
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1909) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) [jsse.jar:1.8.0_92]
>       at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_92]
>       at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) [jsse.jar:1.8.0_92]
>       at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1164) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1067) [netty-all-4.0.32.Final.jar:4.0.32.Final]
>       ... 13 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) [rt.jar:1.8.0_92]
>       at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) [rt.jar:1.8.0_92]
>       at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_92]
>       at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) [jsse.jar:1.8.0_92]
>       at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1896) [jsse.jar:1.8.0_92]
>       ... 21 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>       at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) [rt.jar:1.8.0_92]
>       at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) [rt.jar:1.8.0_92]
>       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_92]
>       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) [rt.jar:1.8.0_92]
>       ... 27 more
> {code}
> A single-line warning such as "expired certificate" or "invalid certificate" (along with the culprit DN) would be enough.
> As a general comment, all failed X.509-based authentications should log the culprit DN, just like failed plain authentications log the user name.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
