[ https://issues.apache.org/jira/browse/ARTEMIS-5509?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram resolved ARTEMIS-5509.
-------------------------------------
    Resolution: Information Provided

> SSL Exception not logged by broker in WARN/ERROR level with OPENSSL Provider
> ----------------------------------------------------------------------------
>
>                 Key: ARTEMIS-5509
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-5509
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 2.37.0
>            Reporter: Mohanavalli A
>            Priority: Major
>
> When running the broker with JDK SSL Provider in acceptor, when a client 
> connects to the broker without any certificate, the broker logs the exception 
> as:
> {noformat}AMQ222208: SSL handshake failed for client from /x.x.x.x:63060: javax.net.ssl.SSLHandshakeException: Empty client certificate chain.{noformat}
> Whereas if the broker is configured with OPENSSL Provider in the acceptor, 
> there is no log at the broker (though the client connection fails with a 
> bad_certificate exception).
> On running the broker with java SSL debug enabled, below are the logs for JDK 
> and OPENSSL. In both cases there is a {{javax.net.ssl.SSLHandshakeException}} 
> thrown during the SSL authentication. In case of JDK, a WARN level log is 
> logged after the exception is thrown, but in case of OPENSSL it is not 
> logged at WARN or ERROR level by the broker.
>
> h3. JDK
> {noformat}
> javax.net.ssl|DEBUG|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.243 CEST|ServerHelloDone.java:97|Produced ServerHelloDone handshake message (
> <empty>
> )
> javax.net.ssl|DEBUG|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.245 CEST|CertificateMessage.java:372|Consuming client Certificate handshake message (
> "Certificates": <empty list>
> )
> javax.net.ssl|ERROR|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.245 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Empty client certificate chain (
> "throwable" :
> {   javax.net.ssl.SSLHandshakeException: Empty client certificate chain
>        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
>        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
>        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
>        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:300)
>        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390)
>        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
>        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
>        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1076)
>        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1063)
>        at java.base/java.security.AccessController.doPrivileged(Native Method)
>        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1010)
>        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1649)
>        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1495)
>        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1336)
>        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1385)
>        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
>        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
>        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
>        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
>        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
>        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
>        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1407)
>        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
>        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
>        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:918)
>        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799)
>        at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:501)
>        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:399)
>        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:994)
>        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>        at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)}
> )
> javax.net.ssl|WARNING|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.246 CEST|SSLEngineOutputRecord.java:182|outbound has closed, ignore outbound application data
> 2025-05-29 09:19:40,246 WARN  [org.apache.activemq.artemis.core.server] AMQ222208: SSL handshake failed for client from /x.x.x.x:63060: javax.net.ssl.SSLHandshakeException: Empty client certificate chain.{noformat}
> h3. OPENSSL
> {noformat}
> javax.net.ssl|DEBUG|60|qtp984832924-96|2025-05-29 08:45:30.144 CEST|ServerHelloDone.java:97|Produced ServerHelloDone handshake message (
> <empty>
> )
> javax.net.ssl|DEBUG|60|qtp984832924-96|2025-05-29 08:45:30.147 CEST|Alert.java:238|Received alert message (
> "Alert": {
>   "level"      : "fatal",
>   "description": "bad_certificate"
> }
> )
> javax.net.ssl|ERROR|60|qtp984832924-96|2025-05-29 08:45:30.148 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Received fatal alert: bad_certificate (
> "throwable" : {
>   javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
>       at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
>       at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>       at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
>       at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
>       at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:192)
>       at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
>       at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
>       at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
>       at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
>       at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
>       at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
>       at org.eclipse.jetty.io.ssl.SslConnection.unwrap(SslConnection.java:398)
>       at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:721)
>       at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:375)
>       at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)
>       at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
>       at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
>       at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
>       at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
>       at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
>       at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
>       at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
>       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
>       at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
>       at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
>       at java.base/java.lang.Thread.run(Thread.java:829)}
> ){noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
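
A triage sketch for the two `javax.net.ssl` debug excerpts quoted above, added here as an example and not taken from the issue or from the Artemis project. For each `Fatal` record it reports whether the exception was raised locally or on receipt of a peer alert, which I/O stack first appears in the trace, and whether an `AMQ222208` broker WARN follows; the sample text is condensed from the quoted logs, and the function name and the `local` / `peer-alert` / `netty` / `jetty` labels are this example's own.

```python
import re

# Constructed samples, condensed from the two excerpts quoted in the issue.
SAMPLE_JDK = """\
javax.net.ssl|ERROR|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.245 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Empty client certificate chain (
"throwable" :
{   javax.net.ssl.SSLHandshakeException: Empty client certificate chain
       at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
       at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1495)}
)
2025-05-29 09:19:40,246 WARN  [org.apache.activemq.artemis.core.server] AMQ222208: SSL handshake failed for client from /x.x.x.x:63060: javax.net.ssl.SSLHandshakeException: Empty client certificate chain.
"""
SAMPLE_OPENSSL = """\
javax.net.ssl|ERROR|60|qtp984832924-96|2025-05-29 08:45:30.148 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Received fatal alert: bad_certificate (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
      at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
      at org.eclipse.jetty.io.ssl.SslConnection.unwrap(SslConnection.java:398)}
)
"""

# Fields: logger|level|thread id|thread name|timestamp|source:line|message
FATAL = re.compile(r"^javax\.net\.ssl\|ERROR\|\d+\|(?P<thread>[^|]*)\|[^|]*\|[^|]*\|"
                   r"Fatal \((?P<alert>\w+)\): (?P<reason>.*?) \($")
FRAME = re.compile(r"^\s*at ([\w.$/]+)\(")
STACKS = {"io.netty.": "netty", "org.eclipse.jetty.": "jetty"}  # labels are illustrative

def triage(log_text):
    """Return one dict per Fatal record found in a javax.net.ssl debug log."""
    findings, cur = [], None
    for line in log_text.splitlines():
        m = FATAL.match(line)
        if m:
            peer = m["reason"].startswith("Received fatal alert")
            cur = dict(m.groupdict(), origin="peer-alert" if peer else "local",
                       stack=None, broker_warn=False)
            findings.append(cur)
        elif cur is not None:
            f = FRAME.match(line)
            if f and cur["stack"] is None:
                # First non-JDK frame tells us which server stack owned the socket.
                cur["stack"] = next((label for prefix, label in STACKS.items()
                                     if f.group(1).startswith(prefix)), None)
            elif "AMQ222208" in line:
                # Simplification: any later AMQ222208 line is tied to the last Fatal.
                cur["broker_warn"] = True
    return findings
```

Running `triage` over a full debug capture gives a per-failure table that can be compared against the broker log to find handshake failures with no matching WARN.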
