[
https://issues.apache.org/jira/browse/CXF-4740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13551060#comment-13551060
]
Jody Fanning commented on CXF-4740:
-----------------------------------
While investigating further I found that 2.2.5 is using jetty bio connector,
and 2.7.1 is using nio. I guess the change to direct usage of the SSLEngine and
overriding the Jetty default connector has introduced the problem.
> SSL/TLS server incorrectly closes socket before reporting certificate failure
> to client
> ---------------------------------------------------------------------------------------
>
> Key: CXF-4740
> URL: https://issues.apache.org/jira/browse/CXF-4740
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 2.7.1
> Environment: Linux, Ubuntu 12.04
> java version "1.6.0_24"
> OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
> OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
> Reporter: Jody Fanning
>
> In an earlier version of CXF, 2.2.5, when a client certificate fails to
> validate for some reason the server replied with a fatal error
> {{bad_certificate}}. This is correct according to the TLS RFC 2246, section
> 7.2.1. Closure alerts.
> However, in CXF 2.7.0 and 2.7.1 the socket is closed prematurely, so that the
> client never gets a close or error message. This should not happen since it
> leaves open the possibility of a truncation attack.
> These are the log outputs for each version. These are based on the
> wsdl_first_https example project where it is configured so that the server
> does not have the client certificate in its trust store.
> {panel:title=CXF 2.2.5}
> *Client*
> {{Invocation failed with the following: javax.net.ssl.SSLHandshakeException:
> Received fatal alert: bad_certificate}}
> *Server*
> {{167179228@qtp-764924063-0, READ: TLSv1 Handshake, length = 109}}
> {{*** Certificate chain}}
> {{***}}
> {{167179228@qtp-764924063-0, SEND TLSv1 ALERT: fatal, description =
> bad_certificate}}
> {{167179228@qtp-764924063-0, WRITE: TLSv1 Alert, length = 2}}
> {{167179228@qtp-764924063-0, called closeSocket()}}
> {{167179228@qtp-764924063-0, handling exception:
> javax.net.ssl.SSLHandshakeException: null cert chain}}
> {{167179228@qtp-764924063-0, called close()}}
> {{167179228@qtp-764924063-0, called closeInternal(true)}}
> {panel}
> {panel:title=CXF 2.7.1}
> *Client*
> {{Caused by: java.io.EOFException: SSL peer shut down incorrectly}}
> {{at sun.security.ssl.InputRecord.read(InputRecord.java:352)}}
> {{at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:850)}}
> {{... 35 more}}
> {{Invocation failed with the following: javax.net.ssl.SSLHandshakeException:
> SSLHandshakeException invoking https://localhost:9001/SoapContext/SoapPort:
> Remote host closed connection during handshake}}
> *Server*
> {{qtp111947068-20, READ: TLSv1 Handshake, length = 109}}
> {{*** Certificate chain}}
> {{***}}
> {{qtp111947068-20, fatal error: 42: null cert chain}}
> {{javax.net.ssl.SSLHandshakeException: null cert chain}}
> {{qtp111947068-20, SEND TLSv1 ALERT: fatal, description = bad_certificate}}
> {{qtp111947068-20, WRITE: TLSv1 Alert, length = 2}}
> {{qtp111947068-20, fatal: engine already closed. Rethrowing
> javax.net.ssl.SSLHandshakeException: null cert chain}}
> {{Jan 9, 2013 11:34:58 AM org.eclipse.jetty.io.nio.SelectChannelEndPoint
> handle}}
> {{WARNING: javax.net.ssl.SSLHandshakeException: null cert chain}}
> {panel}
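The two handshake outcomes in the log excerpts above, reproduced as an added diagnostic that is not CXF or Jetty code: a stand-in server answers the ClientHello either with a fatal bad_certificate alert before closing (the 2.2.5 behaviour) or by closing the socket with no alert (the 2.7.1 behaviour), and a client classifies what it observed. The hand-built alert record and the outcome labels are this example's own constructions.

```python
import socket
import ssl
import threading

# Constructed TLS record: content type 21 (alert), version 3.3, length 2,
# level 2 (fatal), description 42 (bad_certificate).
FATAL_BAD_CERTIFICATE = bytes.fromhex("1503030002022a")


def serve_once(send_alert):
    """Stand-in server on 127.0.0.1: consume the ClientHello, then either send
    a fatal alert and close (correct) or just close (the premature-close bug).
    Returns the port to connect to."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(65536)  # the ClientHello; its content is irrelevant here
            if send_alert:
                conn.sendall(FATAL_BAD_CERTIFICATE)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def classify_handshake(port):
    """Connect as a TLS client and report how the handshake ended:
    'alert:<reason>' when the server sent a fatal alert (what a client should
    see), 'closed_without_alert' when the peer vanished mid-handshake (the
    truncation-prone case), 'handshake_completed' otherwise."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # no real server certificate in this test
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost"):
                return "handshake_completed"
    except ssl.SSLError as exc:
        reason = exc.reason or ""
        if isinstance(exc, ssl.SSLEOFError) or "EOF" in reason:
            return "closed_without_alert"
        if "ALERT" in reason:
            return "alert:" + reason     # e.g. alert:SSLV3_ALERT_BAD_CERTIFICATE
        return "other:" + (reason or str(exc))
    except ConnectionResetError:
        return "closed_without_alert"
```

Pointed at a real server with a client certificate it does not trust, the same classifier distinguishes a server that flushes its alert from one that drops the connection first.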
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira