[ 
https://issues.apache.org/jira/browse/ARTEMIS-3053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17268461#comment-17268461
 ] 

Sebastian T commented on ARTEMIS-3053:
--------------------------------------

Yes, we are using cert-based authentication. The certificate that is expired is 
a client certificate, not the server's.

We are using an acceptor config like this:

    <acceptor name="amqp-listener">tcp://0.0.0.0:5671?needClientAuth=true;protocols=AMQP;enabledProtocols=TLSv1.2;sslEnabled=true;sslProvider=OPENSSL;keyStoreProvider=JKS;keyStorePassword=<removed>;keyStorePath=broker-keystore.jks;trustStorePassword=<removed>;trustStoreProvider=JKS;trustStorePath=broker-truststore.jks;amqpCredits=1000;tcpReceiveBufferSize=131072;connectionTtlMin=5000;connectionTtl=60000;connectionTtlMax=180000;amqpIdleTimeout=60000;amqpLowCredits=300;saslMechanisms=EXTERNAL;batchDelay=0;enabledCipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;directDeliver=true;tcpNoDelay=true;tcpSendBufferSize=131072</acceptor>

> Log Subject Name of expired client certificates
> -----------------------------------------------
>
>                 Key: ARTEMIS-3053
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3053
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: AMQP, Broker
>    Affects Versions: 2.16.0
>            Reporter: Sebastian T
>            Priority: Minor
>
> We are using client authentication with our large central cloud broker 
> instance and are seeing CertificateExpiredExceptions in the logs:
> {{AMQ222208: SSL handshake failed for client from /x.x.x.x:59484: 
> java.security.cert.CertificateExpiredException: NotAfter: Wed Sep 23 15:00:00 
> CEST 2020.}}
> It would be very helpful if the client certificate subject DN could be logged 
> too so we can figure out which client apps are causing this.
> The reported IP address is not helpful as the client apps are running in elastic 
> K8s/Cloud Foundry clusters.
>  
> Logging happens here 
> [https://github.com/apache/activemq-artemis/blob/bfca1c59de57168afec045dd5b889c759b3e58a1/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java#L1012]
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
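
The improvement requested above (log the subject DN of the client certificate that failed validation, not just the peer IP) can be prototyped outside the broker with a JSSE trust manager wrapper. The following is an added example, not ActiveMQ Artemis code and not something the thread describes; it assumes the reader builds the server-side SSLContext themselves. The class name LoggingClientTrustManager and the wrap() helper are hypothetical. The wrapper delegates every check to the JDK's default (PKIX) trust manager and, only when client-certificate validation throws, logs the leaf certificate's subject, serial and NotAfter before rethrowing the original exception, so the handshake still fails exactly as it did before.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Hypothetical wrapper (added example, not Artemis code). Validation itself is
 * unchanged; the only addition is a log line identifying a rejected client cert.
 */
public final class LoggingClientTrustManager extends X509ExtendedTrustManager {

    private static final Logger LOG = Logger.getLogger(LoggingClientTrustManager.class.getName());
    private final X509ExtendedTrustManager delegate;

    public LoggingClientTrustManager(X509ExtendedTrustManager delegate) {
        this.delegate = delegate;
    }

    /** Builds the JDK's default trust managers for a truststore and wraps each X.509 one. */
    public static TrustManager[] wrap(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        TrustManager[] managers = tmf.getTrustManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509ExtendedTrustManager) {
                managers[i] = new LoggingClientTrustManager((X509ExtendedTrustManager) managers[i]);
            }
        }
        return managers;
    }

    /** Identity of the certificate the client presented; chain[0] is the peer's own (leaf) cert. */
    static String describe(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return "<no client certificate presented>";
        }
        X509Certificate leaf = chain[0];
        return "subject=\"" + leaf.getSubjectX500Principal().getName()
                + "\" serial=" + leaf.getSerialNumber().toString(16)
                + " notAfter=" + leaf.getNotAfter();
    }

    /** The innermost cause is the useful one, e.g. CertificateExpiredException under a validator wrapper. */
    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null && t.getCause() != t) {
            t = t.getCause();
        }
        return t;
    }

    private void logAndRethrow(X509Certificate[] chain, CertificateException e) throws CertificateException {
        // The chain is available even though validation failed, so the DN can be logged alongside the cause.
        LOG.warning("Client certificate rejected: " + describe(chain) + ": " + rootCause(e));
        throw e;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        try { delegate.checkClientTrusted(chain, authType, socket); }
        catch (CertificateException e) { logAndRethrow(chain, e); }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        try { delegate.checkClientTrusted(chain, authType, engine); }
        catch (CertificateException e) { logAndRethrow(chain, e); }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try { delegate.checkClientTrusted(chain, authType); }
        catch (CertificateException e) { logAndRethrow(chain, e); }
    }

    // Server-side (outbound) validation is passed through untouched.
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        delegate.checkServerTrusted(chain, authType, socket);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        delegate.checkServerTrusted(chain, authType, engine);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }
}
```

Wiring it in is one call: `sslContext.init(keyManagers, LoggingClientTrustManager.wrap(trustStore), null)` on an SSLContext built for the acceptor's enabledProtocols. Two caveats: a broker like Artemis constructs its acceptor SSLContext internally, so whether a custom trust manager can be plugged in depends on the extension points the installed version offers, which this thread does not establish; and the wrapper only sees chains that reach validation, so a client that aborts the handshake earlier still shows up as IP-only. For the TLS 1.2 configuration shown in the comment, the client's Certificate handshake message is sent in the clear, so a packet capture on port 5671 filtered for the expired NotAfter date is an independent way to recover the same subject DN without changing the broker.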
