Hi,
*I generate multiple self-signed certificates by:*
keytool -genkeypair -alias pc18379_1 -dname CN=pc18379 -validity 1096
-keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' -storepass
123456 -deststoretype PKCS12 -keystore pc18379_1.jks
keytool -genkeypair -alias pc18379_2 -dname CN=pc18379 -validity 1096
-keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' -storepass
123456 -deststoretype PKCS12 -keystore pc18379_2.jks
keytool -genkeypair -alias pc18379_3 -dname CN=pc18379 -validity 1096
-keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' -storepass
123456 -deststoretype PKCS12 -keystore pc18379_3.jks
Each generated keypair has own keystore.
*I export private keys to keystore which broker will use by:*
keytool -importkeystore -srckeystore pc18379_1.jks -srcstoretype PKCS12
-storepass '123456' -srcstorepass '123456' -alias pc18379_1 -deststoretype
PKCS12 -destkeystore keystore
keytool -importkeystore -srckeystore pc18379_2.jks -srcstoretype PKCS12
-storepass '123456' -srcstorepass '123456' -alias pc18379_2 -deststoretype
PKCS12 -destkeystore keystore
keytool -importkeystore -srckeystore pc18379_3.jks -srcstoretype PKCS12
-storepass '123456' -srcstorepass '123456' -alias pc18379_3 -deststoretype
PKCS12 -destkeystore keystore
*I export public certificates by:*
keytool -exportcert -keystore pc18379_1.jks -storepass '123456' -alias
pc18379_1 -rfc -file pc18379_1.crt
keytool -exportcert -keystore pc18379_2.jks -storepass '123456' -alias
pc18379_2 -rfc -file pc18379_2.crt
keytool -exportcert -keystore pc18379_3.jks -storepass '123456' -alias
pc18379_3 -rfc -file pc18379_3.crt
*I create truststores for clients by:*
keytool -import -alias pc18379_1 -file pc18379_1.crt -storepass '123456'
-noprompt -deststoretype PKCS12 -keystore pc18379_1.truststore
keytool -import -alias pc18379_2 -file pc18379_2.crt -storepass '123456'
-noprompt -deststoretype PKCS12 -keystore pc18379_2.truststore
keytool -import -alias pc18379_3 -file pc18379_3.crt -storepass '123456'
-noprompt -deststoretype PKCS12 -keystore pc18379_3.truststore
*List of certificates in "keystore" (keystore broker will use)*
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: pc18379_1
Creation date: Mar 15, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=pc18379
Issuer: CN=pc18379
Serial number: 54f1c168
Valid from: Thu Mar 15 14:05:07 CET 2018 until: Mon Mar 15 14:05:07 CET 2021
Certificate fingerprints:
MD5: 60:6C:94:B6:5D:18:C3:AC:89:56:3F:A9:A2:70:83:37
SHA1: 0D:D4:14:24:E6:92:35:B7:5B:A3:71:A7:BF:45:B3:6C:37:65:7F:4E
SHA256:
79:F0:77:65:27:93:5C:D0:55:73:42:B6:2D:4E:75:94:9A:64:6A:35:7C:12:4F:B0:CD:82:D7:89:96:8F:88:59
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 A5 26 94 CC 30 E8 63 66 61 87 1A 83 29 E7 63 ..&..0.cfa...).c
0010: EE 16 2D B6 ..-.
]
]
*******************************************
*******************************************
Alias name: pc18379_2
Creation date: Mar 15, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=pc18379
Issuer: CN=pc18379
Serial number: 23e58c32
Valid from: Thu Mar 15 14:06:38 CET 2018 until: Mon Mar 15 14:06:38 CET 2021
Certificate fingerprints:
MD5: 15:71:70:31:43:11:D9:15:3B:5B:E7:F0:DD:AB:96:DB
SHA1: D6:37:E3:4B:75:C7:9E:4B:D2:92:5C:50:92:DB:71:17:BE:58:FC:2F
SHA256:
52:88:88:AA:AE:C3:68:88:02:4D:CA:4E:32:76:DF:98:09:B9:03:9A:AB:3E:C1:CF:69:6C:B2:B2:97:D8:87:ED
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F...
0010: 28 63 A8 D8 (c..
]
]
*******************************************
*******************************************
Alias name: pc18379_3
Creation date: Mar 15, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=pc18379
Issuer: CN=pc18379
Serial number: 4c6d4854
Valid from: Thu Mar 15 14:06:44 CET 2018 until: Mon Mar 15 14:06:44 CET 2021
Certificate fingerprints:
MD5: CC:FD:D2:DA:38:A1:0F:3E:B1:6D:A3:62:65:D0:E3:82
SHA1: EE:37:84:C3:8E:B1:42:06:32:07:A4:CF:F0:EA:39:E7:3D:9F:3B:4F
SHA256:
18:D4:41:2D:40:F1:19:35:68:6A:90:A3:2D:8A:64:4D:AC:1E:30:DF:48:C9:13:F1:92:EF:A2:02:8B:B9:D3:B7
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CE 2A EE 5D B0 4A DE AA 47 97 A1 B2 70 14 9A 0A .*.].J..G...p...
0010: BE 4F 84 87 .O..
]
]
*******************************************
*******************************************
*I have keystore configured like (alias set to pc18379_1) in config.json*
"keystores" : [ {
"id" : "7eaa413b-0759-4552-b962-8393f492bed5",
"name" : "keyStore",
"type" : "FileKeyStore",
"certificateAlias" : "pc18379_1",
"keyStoreType" : "pkcs12",
"password" : "123456",
"storeUrl" : "path_to/keystore",
"lastUpdatedBy" : "admin",
"lastUpdatedTime" : 1521120324562,
"createdBy" : null,
"createdTime" : 1520409258289
}
But when I try to connect it seems server always offers certificate with
alias pc18379_2 (according to certificate serial number).
*Part of client output with ssl debug below *
***
adding as trusted cert:
Subject: CN=pc18379
Issuer: CN=pc18379
Algorithm: RSA; Serial number: 0x54f1c168
Valid from Thu Mar 15 14:05:07 CET 2018 until Mon Mar 15 14:05:07 CET 2021
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1504343366 bytes = { 242, 16, 210, 94, 238, 136, 192,
81, 81, 214, 102, 58, 118, 26, 105, 92, 227, 208, 129, 50, 61, 64, 149, 184,
63, 8, 156, 167 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1,
sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA,
SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA,
SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
***
epollEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 213
epollEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 1181
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1504343366 bytes = { 34, 240, 18, 201, 166, 150, 106,
20, 7, 238, 118, 230, 164, 241, 16, 205, 144, 166, 225, 15, 198, 46, 255,
202, 105, 76, 188, 245 }
Session ID: {90, 170, 117, 70, 148, 189, 188, 50, 181, 3, 51, 89, 233, 185,
36, 131, 116, 25, 85, 242, 62, 233, 49, 26, 251, 189, 219, 18, 78, 95, 78,
192}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension extended_master_secret
***
%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=pc18379
Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13
Key: Sun RSA public key, 2048 bits
modulus:
16543869811077710257493518006664617823018971455140571100091650223172922149916898892909543609214362975689342363032611007461112960678877071629010023369479887213213031334623727026807460072796743324227146296597651110653276219140378996680093421470312834423938733525520627777690150599828501298940830233009910190322371558133967004809425481846771536758904565445576662139136376438512926625484032677329237671196787951271540883516890567774875629923047753674674100709219189622073423352032206553669561113853486448106812858039858256103470907022938839365261521267023008273922841169892012530686025512314049629135660948872714396612667
public exponent: 65537
Validity: [From: Thu Mar 15 14:06:38 CET 2018,
To: Mon Mar 15 14:06:38 CET 2021]
Issuer: CN=pc18379
SerialNumber: [ 23e58c32]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F...
0010: 28 63 A8 D8 (c..
]
]
]
Algorithm: [SHA512withRSA]
Signature:
0000: 5B E5 5C 5E FE B7 1E 7C 32 B5 F8 22 A2 4A 37 5A [.\^....2..".J7Z
0010: 82 19 72 71 DE 65 00 05 56 6F 85 DD A3 EF BA 3C ..rq.e..Vo.....<
0020: 7F 1E 90 A3 26 6B 18 4D F7 79 59 92 A0 6D 53 06 ....&k.M.yY..mS.
0030: 38 C4 47 A1 CC D1 D1 D3 64 8E D2 13 F1 4D C1 EB 8.G.....d....M..
0040: C2 F4 57 2A 9C 90 F9 3B 5B F8 72 C5 37 9E 09 57 ..W*...;[.r.7..W
0050: FB 33 2C 00 70 22 82 94 27 E1 F4 9D 0E A5 76 77 .3,.p"..'.....vw
0060: 7C C1 02 E7 B3 7A 13 C4 CE F4 62 9E 3E 1F FA F6 .....z....b.>...
0070: 6C BD 2C AE 53 2C 6D 9E BC 21 50 46 44 85 B5 62 l.,.S,m..!PFD..b
0080: 0F 11 23 60 9D 48 F2 41 7D BD 30 23 0E 21 D5 A7 ..#`.H.A..0#.!..
0090: 30 E7 E4 33 0C 7D 0B 8A EA 2D 30 6C 25 ED D3 2A 0..3.....-0l%..*
00A0: 79 E7 9E 6C 1C C5 D0 D7 25 AF B7 A6 BD D1 C4 21 y..l....%......!
00B0: 11 91 6E 8A BA 9F E9 47 B4 09 65 10 28 49 A5 1E ..n....G..e.(I..
00C0: 77 6A 5B 62 8C 01 FA E2 F1 22 46 E2 0C D8 5F DF wj[b....."F..._.
00D0: 71 E5 51 52 73 DD FB 70 3C 42 61 08 F7 30 84 7E q.QRs..p<Ba..0..
00E0: 68 3B A1 FC 8F F4 72 DD 91 38 C5 4D 8F ED D5 69 h;....r..8.M...i
00F0: 25 A7 3C 4F 51 20 48 22 1C F7 18 63 A4 18 73 A0 %.<OQ H"...c..s.
]
***
epollEventLoopGroup-2-1, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: signature check failed
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
epollEventLoopGroup-2-1, SEND TLSv1.2 ALERT: fatal, description =
certificate_unknown
epollEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 2
epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
epollEventLoopGroup-2-1, called closeOutbound()
epollEventLoopGroup-2-1, closeOutboundInternal()
epollEventLoopGroup-2-1, called closeInbound()
epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing
javax.net.ssl.SSLException: Inbound closed before receiving peer's
close_notify: possible truncation attack?
epollEventLoopGroup-2-1, called closeOutbound()
epollEventLoopGroup-2-1, closeOutboundInternal()
epollEventLoopGroup-2-1, called closeInbound()
epollEventLoopGroup-2-1, closeInboundInternal()
Even when certificate alias in java broker keystore configuration is set to
pc18379_1 (serial number - 54f1c168), java broker always offers certificate
with alias pc18379_2 (serial number - 23e58c32).
Am I doing anything wrong?
Java Broker version 7.0.1
Qpid JMS client version 0.27.0
Regards,
Tomas
--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
