[ https://issues.apache.org/jira/browse/AMQ-7301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré reassigned AMQ-7301:
-----------------------------------------

    Assignee: Jean-Baptiste Onofré

> Expired certificates trigger a full stack trace
> -----------------------------------------------
>
>                 Key: AMQ-7301
>                 URL: https://issues.apache.org/jira/browse/AMQ-7301
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.15.10
>         Environment: ActiveMQ 5.15.10 as standalone broker
>            Reporter: Lionel Cons
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>
> When using an expired certificate to authenticate via STOMP, ActiveMQ logs a complete stack trace:
>
> {code}
> 2019-09-10 10:36:07,784 [ActiveMQ BrokerService[broker.acme.com] Task-12] ERROR TransportConnector - Could not accept connection from null : {}
> java.io.IOException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
>     at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)
>     at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
>     at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
>     at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
>     at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
>     at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
>     at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>     at org.apache.activemq.transport.nio.NIOOutputStream.write(NIOOutputStream.java:174)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:452)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
>     ... 14 more
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
>     at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1983)
>     at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:448)
>     ... 15 more
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
>     at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
>     at sun.security.validator.Validator.validate(Validator.java:262)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
>     at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
>     at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1970)
>     ... 22 more
> Caused by: java.security.cert.CertPathValidatorException: validity check failed
>     at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>     at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
>     at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
>     at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
>     at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>     at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
>     ... 28 more
> Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu May 23 12:21:49 CEST 2019
>     at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
>     at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
>     at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
>     at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
>     at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
>     ... 33 more
> {code}
> There are several problems here:
> # this should be a {{WARN}} and not an {{ERROR}} (like an invalid password)
> # the IP address and/or certificate DN should be logged
> # a single line should be reported, not the full stack trace

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
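
One way a connection handler could produce the single WARN line the report asks for, as an added example (not ActiveMQ's code and not the fix applied for this issue): it walks the cause chain for a certificate validity failure and reports the peer address and the subject DN of the certificate that failed. The class name, logger name, sample peer address and the constructed exception chain are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.net.ssl.SSLHandshakeException;

public class HandshakeFailureSummary { // hypothetical class, not part of ActiveMQ
    private static final Logger LOG = Logger.getLogger("TransportConnector");

    // Returns a one-line summary for certificate validity failures, or null for anything else.
    static String summarize(SocketAddress remote, Throwable error) {
        String reason = null, subject = "unknown";
        Throwable t = error;
        for (int depth = 0; t != null && depth < 32; depth++, t = t.getCause()) { // bounded walk
            if (t instanceof CertPathValidatorException) {
                CertPathValidatorException e = (CertPathValidatorException) t;
                CertPath path = e.getCertPath(); // may be null
                int i = e.getIndex();            // -1 when no certificate is identified
                if (path != null && i >= 0 && i < path.getCertificates().size()) {
                    Certificate c = path.getCertificates().get(i);
                    if (c instanceof X509Certificate)
                        subject = ((X509Certificate) c).getSubjectX500Principal().getName();
                }
            } else if (t instanceof CertificateExpiredException
                    || t instanceof CertificateNotYetValidException) {
                reason = t.getClass().getSimpleName() + " (" + t.getMessage() + ")";
            }
        }
        if (reason == null) return null;
        String line = "TLS client certificate rejected from " + remote
                + ": " + reason + ", subject=" + subject;
        return line.replaceAll("[\\r\\n]", "_"); // the DN is peer-supplied: keep it on one line
    }

    public static void main(String[] args) {
        // Constructed chain mirroring the nesting in the reported trace; address is a sample.
        Throwable pkix = new CertPathValidatorException("validity check failed",
                new CertificateExpiredException("NotAfter: Thu May 23 12:21:49 CEST 2019"), null, -1);
        Throwable ssl = new SSLHandshakeException("General SSLEngine problem").initCause(pkix);
        String line = summarize(new InetSocketAddress("192.0.2.10", 61612), new IOException(ssl));
        if (line != null) LOG.warning(line); // anything else would keep the full trace
    }
}
```

The constructed chain carries no certificate path, so the subject prints as `unknown`; when the validator attaches the path, the DN of the failing certificate is reported instead.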