[
https://issues.apache.org/jira/browse/ARTEMIS-5163?focusedWorklogId=986727&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-986727
]
ASF GitHub Bot logged work on ARTEMIS-5163:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 10/Oct/25 13:51
Start Date: 10/Oct/25 13:51
Worklog Time Spent: 10m
Work Description: JeanLucGraphalo commented on code in PR #5956:
URL: https://github.com/apache/activemq-artemis/pull/5956#discussion_r2420330327
##########
artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/protocol/RemotingConnection.java:
##########
@@ -219,6 +220,16 @@ default void disconnect(DisconnectReason reason, String
targetNodeID, TransportC
*/
Subject getSubject();
+ /**
+ * sets the associated certificates for this connection
+ */
+ void setCertificates(X509Certificate[] certificates);
Review Comment:
If I understand you correctly, the certificates should be cached in the
`NettyServerConnection` class. But then I would have to add an `artemis-server`
dependency to the `artemis-core-client` module in order to be able to use
`instanceof` in `CertificateUtil`.
Caching the certificates in
`org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnection` would be
easier, but is probably not appropriate?
Issue Time Tracking
-------------------
Worklog Id: (was: 986727)
Time Spent: 3h (was: 2h 50m)
> Artemis fails to send mqtt will message using mutual TLS
> --------------------------------------------------------
>
> Key: ARTEMIS-5163
> URL: https://issues.apache.org/jira/browse/ARTEMIS-5163
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: MQTT
> Affects Versions: 2.31.2, 2.33.0, 2.38.0, 2.39.0, 2.42.0
> Reporter: Olaf Gustav
> Priority: Major
> Labels: pull-request-available
> Time Spent: 3h
> Remaining Estimate: 0h
>
> As discussed in the user mailing list, the MQTT broker fails to sent the
> provided will message when using mutual TLS.
> +set-up for testing:+
> * ActiveMQ Artemis 2.33 as MQTT broker
> * Artemis runs on jdk-21
> * clients are authenticated using mutual TLS
> * certificate DN is used to map to a user and eventually to the configured
> roles
> +issue:+
> During testing we discovered, that the provided will message is not sent as
> expected. We got the following error messages:
> {code:none}
> WARN [org.apache.activemq.artemis.core.server] AMQ222216: Security problem
> while authenticating: AMQ229031: Unable to validate user from /
> 127.0.0.1:51770. Username: null; SSL certificate subject DN: unavailable
> ERROR [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834007:
> Authorization failure sending will message: AMQ229031: Unable to validate
> user from / 127.0.0.1:51770. Username: null; SSL certificate subject DN:
> unavailable
> {code}
> I did some research in the code base. The class
> *org.apache.activemq.artemis.core.remoting.CertificateUtil* retrieves the
> certificate subject DN based on the actual client certificate provided by an
> existing connection. When trying to send a mqtt will message, there is no
> connection to the client anymore. Consequently, the broker fails to get the
> DN. Since the subject DN serves as the key in the authentication cache
> ({*}org.apache.activemq.artemis.core.security.impl. SecurityStoreImpl{*}),
> the will message fails to be checked against access permissions.
> As a workaround, I used the RemotingConnection.clientID as authentication
> cache key instead of the DN. That works as long as the parameter
> *security-invalidation-interval* is properly defined, that means
> {{{}security-invalidation-interval >> sessionExpiryInterval{}}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@activemq.apache.org
For additional commands, e-mail: issues-h...@activemq.apache.org
For further information, visit: https://activemq.apache.org/contact
