Hi Tomas, there is/was a bug in the broker whereby it would always pick the first certificate rather than the one with the correct alias. I fixed the bug as part of QPID-7567[1] last year, however I think that is only on master (and scheduled for 7.1) and hasn't been backported to 7.0.x.
-- Rob [1] https://issues.apache.org/jira/browse/QPID-7567 On 15 March 2018 at 15:03, Vavricka <[email protected]> wrote: > Hi, > > *I generate multiple self-signed certificates by:* > > keytool -genkeypair -alias pc18379_1 -dname CN=pc18379 -validity 1096 > -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' > -storepass > 123456 -deststoretype PKCS12 -keystore pc18379_1.jks > keytool -genkeypair -alias pc18379_2 -dname CN=pc18379 -validity 1096 > -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' > -storepass > 123456 -deststoretype PKCS12 -keystore pc18379_2.jks > keytool -genkeypair -alias pc18379_3 -dname CN=pc18379 -validity 1096 > -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' > -storepass > 123456 -deststoretype PKCS12 -keystore pc18379_3.jks > > Each generated keypair has own keystore. > > *I export private keys to keystore which broker will use by:* > > keytool -importkeystore -srckeystore pc18379_1.jks -srcstoretype PKCS12 > -storepass '123456' -srcstorepass '123456' -alias pc18379_1 -deststoretype > PKCS12 -destkeystore keystore > keytool -importkeystore -srckeystore pc18379_2.jks -srcstoretype PKCS12 > -storepass '123456' -srcstorepass '123456' -alias pc18379_2 -deststoretype > PKCS12 -destkeystore keystore > keytool -importkeystore -srckeystore pc18379_3.jks -srcstoretype PKCS12 > -storepass '123456' -srcstorepass '123456' -alias pc18379_3 -deststoretype > PKCS12 -destkeystore keystore > > *I export public certificates by:* > > keytool -exportcert -keystore pc18379_1.jks -storepass '123456' -alias > pc18379_1 -rfc -file pc18379_1.crt > keytool -exportcert -keystore pc18379_2.jks -storepass '123456' -alias > pc18379_2 -rfc -file pc18379_2.crt > keytool -exportcert -keystore pc18379_3.jks -storepass '123456' -alias > pc18379_3 -rfc -file pc18379_3.crt > > *I create truststores for clients by:* > > keytool -import -alias pc18379_1 -file pc18379_1.crt -storepass '123456' > -noprompt -deststoretype PKCS12 -keystore pc18379_1.truststore > keytool -import -alias pc18379_2 -file pc18379_2.crt -storepass '123456' > -noprompt -deststoretype PKCS12 -keystore pc18379_2.truststore > keytool -import -alias pc18379_3 -file pc18379_3.crt -storepass '123456' > -noprompt -deststoretype PKCS12 -keystore pc18379_3.truststore > > *List of certificates in "keystore" (keystore broker will use)* > > Enter keystore password: > Keystore type: JKS > Keystore provider: SUN > > Your keystore contains 3 entries > > Alias name: pc18379_1 > Creation date: Mar 15, 2018 > Entry type: PrivateKeyEntry > Certificate chain length: 1 > Certificate[1]: > Owner: CN=pc18379 > Issuer: CN=pc18379 > Serial number: 54f1c168 > Valid from: Thu Mar 15 14:05:07 CET 2018 until: Mon Mar 15 14:05:07 CET > 2021 > Certificate fingerprints: > MD5: 60:6C:94:B6:5D:18:C3:AC:89:56:3F:A9:A2:70:83:37 > SHA1: 0D:D4:14:24:E6:92:35:B7:5B:A3:71:A7:BF:45:B3:6C:37:65:7F:4E > SHA256: > 79:F0:77:65:27:93:5C:D0:55:73:42:B6:2D:4E:75:94:9A:64:6A:35: > 7C:12:4F:B0:CD:82:D7:89:96:8F:88:59 > Signature algorithm name: SHA512withRSA > Subject Public Key Algorithm: 2048-bit RSA key > Version: 3 > > Extensions: > > #1: ObjectId: 2.5.29.14 Criticality=false > SubjectKeyIdentifier [ > KeyIdentifier [ > 0000: 87 A5 26 94 CC 30 E8 63 66 61 87 1A 83 29 E7 63 ..&..0.cfa...).c > 0010: EE 16 2D B6 ..-. > ] > ] > > > > ******************************************* > ******************************************* > > > Alias name: pc18379_2 > Creation date: Mar 15, 2018 > Entry type: PrivateKeyEntry > Certificate chain length: 1 > Certificate[1]: > Owner: CN=pc18379 > Issuer: CN=pc18379 > Serial number: 23e58c32 > Valid from: Thu Mar 15 14:06:38 CET 2018 until: Mon Mar 15 14:06:38 CET > 2021 > Certificate fingerprints: > MD5: 15:71:70:31:43:11:D9:15:3B:5B:E7:F0:DD:AB:96:DB > SHA1: D6:37:E3:4B:75:C7:9E:4B:D2:92:5C:50:92:DB:71:17:BE:58:FC:2F > SHA256: > 52:88:88:AA:AE:C3:68:88:02:4D:CA:4E:32:76:DF:98:09:B9:03:9A: > AB:3E:C1:CF:69:6C:B2:B2:97:D8:87:ED > Signature algorithm name: SHA512withRSA > Subject Public Key Algorithm: 2048-bit RSA key > Version: 3 > > Extensions: > > #1: ObjectId: 2.5.29.14 Criticality=false > SubjectKeyIdentifier [ > KeyIdentifier [ > 0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F... > 0010: 28 63 A8 D8 (c.. > ] > ] > > > > ******************************************* > ******************************************* > > > Alias name: pc18379_3 > Creation date: Mar 15, 2018 > Entry type: PrivateKeyEntry > Certificate chain length: 1 > Certificate[1]: > Owner: CN=pc18379 > Issuer: CN=pc18379 > Serial number: 4c6d4854 > Valid from: Thu Mar 15 14:06:44 CET 2018 until: Mon Mar 15 14:06:44 CET > 2021 > Certificate fingerprints: > MD5: CC:FD:D2:DA:38:A1:0F:3E:B1:6D:A3:62:65:D0:E3:82 > SHA1: EE:37:84:C3:8E:B1:42:06:32:07:A4:CF:F0:EA:39:E7:3D:9F:3B:4F > SHA256: > 18:D4:41:2D:40:F1:19:35:68:6A:90:A3:2D:8A:64:4D:AC:1E:30:DF: > 48:C9:13:F1:92:EF:A2:02:8B:B9:D3:B7 > Signature algorithm name: SHA512withRSA > Subject Public Key Algorithm: 2048-bit RSA key > Version: 3 > > Extensions: > > #1: ObjectId: 2.5.29.14 Criticality=false > SubjectKeyIdentifier [ > KeyIdentifier [ > 0000: CE 2A EE 5D B0 4A DE AA 47 97 A1 B2 70 14 9A 0A .*.].J..G...p... > 0010: BE 4F 84 87 .O.. > ] > ] > > > > ******************************************* > ******************************************* > > > *I have keystore configured like (alias set to pc18379_1) in config.json* > > "keystores" : [ { > "id" : "7eaa413b-0759-4552-b962-8393f492bed5", > "name" : "keyStore", > "type" : "FileKeyStore", > "certificateAlias" : "pc18379_1", > "keyStoreType" : "pkcs12", > "password" : "123456", > "storeUrl" : "path_to/keystore", > "lastUpdatedBy" : "admin", > "lastUpdatedTime" : 1521120324562, > "createdBy" : null, > "createdTime" : 1520409258289 > } > > But when I try to connect it seems server always offers certificate with > alias pc18379_2 (according to certificate serial number). > > *Part of client output with ssl debug below * > > *** > adding as trusted cert: > Subject: CN=pc18379 > Issuer: CN=pc18379 > Algorithm: RSA; Serial number: 0x54f1c168 > Valid from Thu Mar 15 14:05:07 CET 2018 until Mon Mar 15 14:05:07 CET > 2021 > > trigger seeding of SecureRandom > done seeding SecureRandom > Using SSLEngineImpl. > Allow unsafe renegotiation: false > Allow legacy hello messages: true > Is initial handshake: true > Is secure renegotiation: false > Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1 > Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > for > TLSv1 > Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for > TLSv1 > Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1 > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 > for > TLSv1 > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for > TLSv1 > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for > TLSv1 > Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > for > TLSv1.1 > Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for > TLSv1.1 > Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 > for > TLSv1.1 > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for > TLSv1.1 > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for > TLSv1.1 > %% No cached client session > *** ClientHello, TLSv1.2 > RandomCookie: GMT: 1504343366 bytes = { 242, 16, 210, 94, 238, 136, 192, > 81, 81, 214, 102, 58, 118, 26, 105, 92, 227, 208, 129, 50, 61, 64, 149, > 184, > 63, 8, 156, 167 } > Session ID: {} > Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, > TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, > TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, > TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, > TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, > TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, > TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, > TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_ > GCM_SHA256, > TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, > TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, > TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_ > CBC_SHA, > TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, > SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, > TLS_EMPTY_RENEGOTIATION_INFO_SCSV] > Compression Methods: { 0 } > Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, > sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, > secp256k1} > Extension ec_point_formats, formats: [uncompressed] > Extension signature_algorithms, signature_algorithms: SHA512withECDSA, > SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, > SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, > SHA224withDSA, > SHA1withECDSA, SHA1withRSA, SHA1withDSA > Extension extended_master_secret > *** > epollEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 213 > epollEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 1181 > *** ServerHello, TLSv1.2 > RandomCookie: GMT: 1504343366 bytes = { 34, 240, 18, 201, 166, 150, 106, > 20, 7, 238, 118, 230, 164, 241, 16, 205, 144, 166, 225, 15, 198, 46, 255, > 202, 105, 76, 188, 245 } > Session ID: {90, 170, 117, 70, 148, 189, 188, 50, 181, 3, 51, 89, 233, > 185, > 36, 131, 116, 25, 85, 242, 62, 233, 49, 26, 251, 189, 219, 18, 78, 95, 78, > 192} > Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > Compression Method: 0 > Extension renegotiation_info, renegotiated_connection: <empty> > Extension extended_master_secret > *** > %% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] > ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > *** Certificate chain > chain [0] = [ > [ > Version: V3 > Subject: CN=pc18379 > Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13 > > Key: Sun RSA public key, 2048 bits > modulus: > 165438698110777102574935180066646178230189714551405711000916 > 502231729221499168988929095436092143629756893423630326110074 > 611129606788770716290100233694798872132130313346237270268074 > 600727967433242271462965976511106532762191403789966800934214 > 703128344239387335255206277776901505998285012989408302330099 > 101903223715581339670048094254818467715367589045654455766621 > 391363764385129266254840326773292376711967879512715408835168 > 905677748756299230477536746741007092191896220734233520322065 > 536695611138534864481068128580398582561034709070229388393652 > 615212670230082739228411698920125306860255123140496291356609 > 48872714396612667 > public exponent: 65537 > Validity: [From: Thu Mar 15 14:06:38 CET 2018, > To: Mon Mar 15 14:06:38 CET 2021] > Issuer: CN=pc18379 > SerialNumber: [ 23e58c32] > > Certificate Extensions: 1 > [1]: ObjectId: 2.5.29.14 Criticality=false > SubjectKeyIdentifier [ > KeyIdentifier [ > 0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F... > 0010: 28 63 A8 D8 (c.. > ] > ] > > ] > Algorithm: [SHA512withRSA] > Signature: > 0000: 5B E5 5C 5E FE B7 1E 7C 32 B5 F8 22 A2 4A 37 5A [.\^....2..".J7Z > 0010: 82 19 72 71 DE 65 00 05 56 6F 85 DD A3 EF BA 3C ..rq.e..Vo.....< > 0020: 7F 1E 90 A3 26 6B 18 4D F7 79 59 92 A0 6D 53 06 ....&k.M.yY..mS. > 0030: 38 C4 47 A1 CC D1 D1 D3 64 8E D2 13 F1 4D C1 EB 8.G.....d....M.. > 0040: C2 F4 57 2A 9C 90 F9 3B 5B F8 72 C5 37 9E 09 57 ..W*...;[.r.7..W > 0050: FB 33 2C 00 70 22 82 94 27 E1 F4 9D 0E A5 76 77 .3,.p"..'.....vw > 0060: 7C C1 02 E7 B3 7A 13 C4 CE F4 62 9E 3E 1F FA F6 .....z....b.>... > 0070: 6C BD 2C AE 53 2C 6D 9E BC 21 50 46 44 85 B5 62 l.,.S,m..!PFD..b > 0080: 0F 11 23 60 9D 48 F2 41 7D BD 30 23 0E 21 D5 A7 ..#`.H.A..0#.!.. > 0090: 30 E7 E4 33 0C 7D 0B 8A EA 2D 30 6C 25 ED D3 2A 0..3.....-0l%..* > 00A0: 79 E7 9E 6C 1C C5 D0 D7 25 AF B7 A6 BD D1 C4 21 y..l....%......! > 00B0: 11 91 6E 8A BA 9F E9 47 B4 09 65 10 28 49 A5 1E ..n....G..e.(I.. > 00C0: 77 6A 5B 62 8C 01 FA E2 F1 22 46 E2 0C D8 5F DF wj[b....."F..._. > 00D0: 71 E5 51 52 73 DD FB 70 3C 42 61 08 F7 30 84 7E q.QRs..p<Ba..0.. > 00E0: 68 3B A1 FC 8F F4 72 DD 91 38 C5 4D 8F ED D5 69 h;....r..8.M...i > 00F0: 25 A7 3C 4F 51 20 48 22 1C F7 18 63 A4 18 73 A0 %.<OQ H"...c..s. > > ] > *** > epollEventLoopGroup-2-1, fatal error: 46: General SSLEngine problem > sun.security.validator.ValidatorException: PKIX path validation failed: > java.security.cert.CertPathValidatorException: signature check failed > %% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] > epollEventLoopGroup-2-1, SEND TLSv1.2 ALERT: fatal, description = > certificate_unknown > epollEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 2 > epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing > javax.net.ssl.SSLHandshakeException: General SSLEngine problem > epollEventLoopGroup-2-1, called closeOutbound() > epollEventLoopGroup-2-1, closeOutboundInternal() > epollEventLoopGroup-2-1, called closeInbound() > epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing > javax.net.ssl.SSLException: Inbound closed before receiving peer's > close_notify: possible truncation attack? > epollEventLoopGroup-2-1, called closeOutbound() > epollEventLoopGroup-2-1, closeOutboundInternal() > epollEventLoopGroup-2-1, called closeInbound() > epollEventLoopGroup-2-1, closeInboundInternal() > > Even when certificate alias in java broker keystore configuration is set to > pc18379_1 (serial number - 54f1c168), java broker always offers certificate > with alias pc18379_2 (serial number - 23e58c32). > > Am I doing anything wrong? > > Java Broker version 7.0.1 > Qpid JMS client version 0.27.0 > > Regards, > Tomas > > > > -- > Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users- > f2158936.html > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
