[jira] [Commented] (AMQ-7301) Expired certificates trigger a full stack trace

Lionel Cons (Jira) Mon, 02 Dec 2019 01:39:41 -0800


    [ 
https://issues.apache.org/jira/browse/AMQ-7301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985931#comment-16985931
 ]


Lionel Cons commented on AMQ-7301:
----------------------------------

One more thing (tested on 5.15.11), the new warning reports only "General 
SSLEngine problem". It would be much better to report the underneath cause, in 
this case "PKIX path validation failed: 
java.security.cert.CertPathValidatorException: validity check failed".

In other words, ActiveMQ should log 

{code}
2019-11-20 10:36:16,984 [ActiveMQ BrokerService[[email protected]] Task-204] WARN 
TransportConnector - Could not accept connection from null : 
sun.security.validator.ValidatorException: PKIX path validation failed: 
java.security.cert.CertPathValidatorException: validity check failed
{code}

instead of 

{code}
2019-11-20 10:36:16,984 [ActiveMQ BrokerService[[email protected]] Task-204] WARN 
TransportConnector - Could not accept connection from null : 
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
{code}

(and of course "null" should be replaced by the culprit IP address)

> Expired certificates trigger a full stack trace
> -----------------------------------------------
>
>                 Key: AMQ-7301
>                 URL: https://issues.apache.org/jira/browse/AMQ-7301
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Security/JAAS
>    Affects Versions: 5.15.10
>         Environment: ActiveMQ 5.15.10 as standalone broker
>            Reporter: Lionel Cons
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 5.16.0, 5.15.12
>
>
> When using an expired certificate to authenticate via STOMP, ActiveMQ logs a 
> complete stack trace:
>   
> {code}
> 2019-09-10 10:36:07,784 [ActiveMQ BrokerService[broker.acme.com] Task-12] 
> ERROR TransportConnector - Could not accept connection from null : {}
>  java.io.IOException: javax.net.ssl.SSLHandshakeException: General SSLEngine 
> problem
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
>  at 
> org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)
>  at 
> org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
>  at 
> org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
>  at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
>  at 
> org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>  at 
> org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)
>  at 
> org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
>  at 
> org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>  at 
> org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
>  at 
> org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
>  at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>  at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>  at java.lang.Thread.run(Thread.java:748)
>  Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>  at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
>  at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
>  at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
>  at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
>  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>  at 
> org.apache.activemq.transport.nio.NIOOutputStream.write(NIOOutputStream.java:174)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:452)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
>  ... 14 more
>  Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
>  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
>  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
>  at 
> sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1983)
>  at 
> sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232)
>  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
>  at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
>  at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
>  at java.security.AccessController.doPrivileged(Native Method)
>  at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:448)
>  ... 15 more
>  Caused by: sun.security.validator.ValidatorException: PKIX path validation 
> failed: java.security.cert.CertPathValidatorException: validity check failed
>  at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
>  at 
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
>  at sun.security.validator.Validator.validate(Validator.java:262)
>  at 
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>  at 
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
>  at 
> sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
>  at 
> sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1970)
>  ... 22 more
>  Caused by: java.security.cert.CertPathValidatorException: validity check 
> failed
>  at 
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>  at 
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
>  at 
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
>  at 
> sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
>  at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>  at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
>  ... 28 more
>  Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu May 
> 23 12:21:49 CEST 2019
>  at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
>  at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
>  at 
> sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
>  at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
>  at 
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
>  ... 33 more
> {code}
> There are several problems here:
>  # this should be a {{WARN}} and not an {{ERROR}} (like an invalid password)
>  # the IP address and/or certificate DN should be logged
>  # a single line should be reported, not the full stack trace



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (AMQ-7301) Expired certificates trigger a full stack trace

Reply via email to