[ 
https://issues.apache.org/jira/browse/AMQ-7301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated AMQ-7301:
--------------------------------------
    Component/s: security

> Expired certificates trigger a full stack trace
> -----------------------------------------------
>
>                 Key: AMQ-7301
>                 URL: https://issues.apache.org/jira/browse/AMQ-7301
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 5.15.10
>         Environment: ActiveMQ 5.15.10 as standalone broker
>            Reporter: Lionel Cons
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 5.16.0, 5.15.11
>
>
> When using an expired certificate to authenticate via STOMP, ActiveMQ logs a 
> complete stack trace:
>   
> {code}
> 2019-09-10 10:36:07,784 [ActiveMQ BrokerService[broker.acme.com] Task-12] 
> ERROR TransportConnector - Could not accept connection from null : {}
>  java.io.IOException: javax.net.ssl.SSLHandshakeException: General SSLEngine 
> problem
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
>  at 
> org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)
>  at 
> org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
>  at 
> org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
>  at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
>  at 
> org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>  at 
> org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)
>  at 
> org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
>  at 
> org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>  at 
> org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
>  at 
> org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
>  at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>  at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>  at java.lang.Thread.run(Thread.java:748)
>  Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>  at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
>  at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
>  at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
>  at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
>  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>  at 
> org.apache.activemq.transport.nio.NIOOutputStream.write(NIOOutputStream.java:174)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:452)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
>  ... 14 more
>  Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
>  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
>  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
>  at 
> sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1983)
>  at 
> sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232)
>  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
>  at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
>  at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
>  at java.security.AccessController.doPrivileged(Native Method)
>  at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:448)
>  ... 15 more
>  Caused by: sun.security.validator.ValidatorException: PKIX path validation 
> failed: java.security.cert.CertPathValidatorException: validity check failed
>  at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
>  at 
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
>  at sun.security.validator.Validator.validate(Validator.java:262)
>  at 
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>  at 
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
>  at 
> sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
>  at 
> sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1970)
>  ... 22 more
>  Caused by: java.security.cert.CertPathValidatorException: validity check 
> failed
>  at 
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>  at 
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
>  at 
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
>  at 
> sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
>  at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>  at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
>  ... 28 more
>  Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu May 
> 23 12:21:49 CEST 2019
>  at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
>  at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
>  at 
> sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
>  at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
>  at 
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
>  ... 33 more
> {code}
> There are several problems here:
>  # this should be a {{WARN}} and not an {{ERROR}} (like an invalid password)
>  # the IP address and/or certificate DN should be logged
>  # a single line should be reported, not the full stack trace



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

Reply via email to