Hi Tomas,

It should not be too hard to separate out a defect fix from the work of QPID-7567. I will look to include this in a 7.0.3 which should not be too far away.

Kind regards, Keith.

On 15 March 2018 at 17:06, Rob Godfrey <[email protected]> wrote:
> Hi Tomas,
>
> there is/was a bug in the broker whereby it would always pick the first
> certificate rather than the one with the correct alias. I fixed the bug as
> part of QPID-7567[1] last year, however I think that is only on master (and
> scheduled for 7.1) and hasn't been backported to 7.0.x.
>
> -- Rob
>
> [1] https://issues.apache.org/jira/browse/QPID-7567
>
> On 15 March 2018 at 15:03, Vavricka <[email protected]> wrote:
>
>> Hi,
>>
>> *I generate multiple self-signed certificates by:*
>>
>> keytool -genkeypair -alias pc18379_1 -dname CN=pc18379 -validity 1096 -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' -storepass 123456 -deststoretype PKCS12 -keystore pc18379_1.jks
>> keytool -genkeypair -alias pc18379_2 -dname CN=pc18379 -validity 1096 -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' -storepass 123456 -deststoretype PKCS12 -keystore pc18379_2.jks
>> keytool -genkeypair -alias pc18379_3 -dname CN=pc18379 -validity 1096 -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' -storepass 123456 -deststoretype PKCS12 -keystore pc18379_3.jks
>>
>> Each generated keypair has own keystore.
>>
>> *I export private keys to keystore which broker will use by:*
>>
>> keytool -importkeystore -srckeystore pc18379_1.jks -srcstoretype PKCS12 -storepass '123456' -srcstorepass '123456' -alias pc18379_1 -deststoretype PKCS12 -destkeystore keystore
>> keytool -importkeystore -srckeystore pc18379_2.jks -srcstoretype PKCS12 -storepass '123456' -srcstorepass '123456' -alias pc18379_2 -deststoretype PKCS12 -destkeystore keystore
>> keytool -importkeystore -srckeystore pc18379_3.jks -srcstoretype PKCS12 -storepass '123456' -srcstorepass '123456' -alias pc18379_3 -deststoretype PKCS12 -destkeystore keystore
>>
>> *I export public certificates by:*
>>
>> keytool -exportcert -keystore pc18379_1.jks -storepass '123456' -alias pc18379_1 -rfc -file pc18379_1.crt
>> keytool -exportcert -keystore pc18379_2.jks -storepass '123456' -alias pc18379_2 -rfc -file pc18379_2.crt
>> keytool -exportcert -keystore pc18379_3.jks -storepass '123456' -alias pc18379_3 -rfc -file pc18379_3.crt
>>
>> *I create truststores for clients by:*
>>
>> keytool -import -alias pc18379_1 -file pc18379_1.crt -storepass '123456' -noprompt -deststoretype PKCS12 -keystore pc18379_1.truststore
>> keytool -import -alias pc18379_2 -file pc18379_2.crt -storepass '123456' -noprompt -deststoretype PKCS12 -keystore pc18379_2.truststore
>> keytool -import -alias pc18379_3 -file pc18379_3.crt -storepass '123456' -noprompt -deststoretype PKCS12 -keystore pc18379_3.truststore
>>
>> *List of certificates in "keystore" (keystore broker will use)*
>>
>> Enter keystore password:
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 3 entries
>>
>> Alias name: pc18379_1
>> Creation date: Mar 15, 2018
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 1
>> Certificate[1]:
>> Owner: CN=pc18379
>> Issuer: CN=pc18379
>> Serial number: 54f1c168
>> Valid from: Thu Mar 15 14:05:07 CET 2018 until: Mon Mar 15 14:05:07 CET 2021
>> Certificate fingerprints:
>> MD5: 60:6C:94:B6:5D:18:C3:AC:89:56:3F:A9:A2:70:83:37
>> SHA1: 0D:D4:14:24:E6:92:35:B7:5B:A3:71:A7:BF:45:B3:6C:37:65:7F:4E
>> SHA256: 79:F0:77:65:27:93:5C:D0:55:73:42:B6:2D:4E:75:94:9A:64:6A:35:7C:12:4F:B0:CD:82:D7:89:96:8F:88:59
>> Signature algorithm name: SHA512withRSA
>> Subject Public Key Algorithm: 2048-bit RSA key
>> Version: 3
>>
>> Extensions:
>>
>> #1: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: 87 A5 26 94 CC 30 E8 63 66 61 87 1A 83 29 E7 63 ..&..0.cfa...).c
>> 0010: EE 16 2D B6 ..-.
>> ]
>> ]
>>
>> *******************************************
>> *******************************************
>>
>> Alias name: pc18379_2
>> Creation date: Mar 15, 2018
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 1
>> Certificate[1]:
>> Owner: CN=pc18379
>> Issuer: CN=pc18379
>> Serial number: 23e58c32
>> Valid from: Thu Mar 15 14:06:38 CET 2018 until: Mon Mar 15 14:06:38 CET 2021
>> Certificate fingerprints:
>> MD5: 15:71:70:31:43:11:D9:15:3B:5B:E7:F0:DD:AB:96:DB
>> SHA1: D6:37:E3:4B:75:C7:9E:4B:D2:92:5C:50:92:DB:71:17:BE:58:FC:2F
>> SHA256: 52:88:88:AA:AE:C3:68:88:02:4D:CA:4E:32:76:DF:98:09:B9:03:9A:AB:3E:C1:CF:69:6C:B2:B2:97:D8:87:ED
>> Signature algorithm name: SHA512withRSA
>> Subject Public Key Algorithm: 2048-bit RSA key
>> Version: 3
>>
>> Extensions:
>>
>> #1: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F...
>> 0010: 28 63 A8 D8 (c..
>> ]
>> ]
>>
>> *******************************************
>> *******************************************
>>
>> Alias name: pc18379_3
>> Creation date: Mar 15, 2018
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 1
>> Certificate[1]:
>> Owner: CN=pc18379
>> Issuer: CN=pc18379
>> Serial number: 4c6d4854
>> Valid from: Thu Mar 15 14:06:44 CET 2018 until: Mon Mar 15 14:06:44 CET 2021
>> Certificate fingerprints:
>> MD5: CC:FD:D2:DA:38:A1:0F:3E:B1:6D:A3:62:65:D0:E3:82
>> SHA1: EE:37:84:C3:8E:B1:42:06:32:07:A4:CF:F0:EA:39:E7:3D:9F:3B:4F
>> SHA256: 18:D4:41:2D:40:F1:19:35:68:6A:90:A3:2D:8A:64:4D:AC:1E:30:DF:48:C9:13:F1:92:EF:A2:02:8B:B9:D3:B7
>> Signature algorithm name: SHA512withRSA
>> Subject Public Key Algorithm: 2048-bit RSA key
>> Version: 3
>>
>> Extensions:
>>
>> #1: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: CE 2A EE 5D B0 4A DE AA 47 97 A1 B2 70 14 9A 0A .*.].J..G...p...
>> 0010: BE 4F 84 87 .O..
>> ]
>> ]
>>
>> *******************************************
>> *******************************************
>>
>> *I have keystore configured like (alias set to pc18379_1) in config.json*
>>
>> "keystores" : [ {
>>   "id" : "7eaa413b-0759-4552-b962-8393f492bed5",
>>   "name" : "keyStore",
>>   "type" : "FileKeyStore",
>>   "certificateAlias" : "pc18379_1",
>>   "keyStoreType" : "pkcs12",
>>   "password" : "123456",
>>   "storeUrl" : "path_to/keystore",
>>   "lastUpdatedBy" : "admin",
>>   "lastUpdatedTime" : 1521120324562,
>>   "createdBy" : null,
>>   "createdTime" : 1520409258289
>> }
>>
>> But when I try to connect it seems server always offers certificate with
>> alias pc18379_2 (according to certificate serial number).
>>
>> *Part of client output with ssl debug below *
>>
>> ***
>> adding as trusted cert:
>> Subject: CN=pc18379
>> Issuer: CN=pc18379
>> Algorithm: RSA; Serial number: 0x54f1c168
>> Valid from Thu Mar 15 14:05:07 CET 2018 until Mon Mar 15 14:05:07 CET 2021
>>
>> trigger seeding of SecureRandom
>> done seeding SecureRandom
>> Using SSLEngineImpl.
>> Allow unsafe renegotiation: false
>> Allow legacy hello messages: true
>> Is initial handshake: true
>> Is secure renegotiation: false
>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
>> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
>> %% No cached client session
>> *** ClientHello, TLSv1.2
>> RandomCookie: GMT: 1504343366 bytes = { 242, 16, 210, 94, 238, 136, 192, 81, 81, 214, 102, 58, 118, 26, 105, 92, 227, 208, 129, 50, 61, 64, 149, 184, 63, 8, 156, 167 }
>> Session ID: {}
>> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256,
>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
>> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
>> TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
>> Compression Methods: { 0 }
>> Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
>> Extension ec_point_formats, formats: [uncompressed]
>> Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
>> Extension extended_master_secret
>> ***
>> epollEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 213
>> epollEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 1181
>> *** ServerHello, TLSv1.2
>> RandomCookie: GMT: 1504343366 bytes = { 34, 240, 18, 201, 166, 150, 106, 20, 7, 238, 118, 230, 164, 241, 16, 205, 144, 166, 225, 15, 198, 46, 255, 202, 105, 76, 188, 245 }
>> Session ID: {90, 170, 117, 70, 148, 189, 188, 50, 181, 3, 51, 89, 233, 185, 36, 131, 116, 25, 85, 242, 62, 233, 49, 26, 251, 189, 219, 18, 78, 95, 78, 192}
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> Compression Method: 0
>> Extension renegotiation_info, renegotiated_connection: <empty>
>> Extension extended_master_secret
>> ***
>> %% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
>> ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> *** Certificate chain
>> chain [0] = [
>> [
>> Version: V3
>> Subject: CN=pc18379
>> Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13
>>
>> Key: Sun RSA public key, 2048 bits
>> public exponent: 65537
>> Validity: [From: Thu Mar 15 14:06:38 CET 2018,
>> To: Mon Mar 15 14:06:38 CET 2021]
>> Issuer: CN=pc18379
>> SerialNumber: [ 23e58c32]
>>
>> Certificate Extensions: 1
>> [1]: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F...
>> 0010: 28 63 A8 D8 (c..
>> ]
>> ]
>>
>> ]
>> Algorithm: [SHA512withRSA]
>>
>> ]
>> ***
>> epollEventLoopGroup-2-1, fatal error: 46: General SSLEngine problem
>> sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
>> %% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
>> epollEventLoopGroup-2-1, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
>> epollEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 2
>> epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>> epollEventLoopGroup-2-1, called closeOutbound()
>> epollEventLoopGroup-2-1, closeOutboundInternal()
>> epollEventLoopGroup-2-1, called closeInbound()
>> epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
>> epollEventLoopGroup-2-1, called closeOutbound()
>> epollEventLoopGroup-2-1, closeOutboundInternal()
>> epollEventLoopGroup-2-1, called closeInbound()
>> epollEventLoopGroup-2-1, closeInboundInternal()
>>
>> Even when certificate alias in java broker keystore configuration is set to
>> pc18379_1 (serial number - 54f1c168), java broker always offers certificate
>> with alias pc18379_2 (serial number - 23e58c32).
>>
>> Am I doing anything wrong?
>>
>> Java Broker version 7.0.1
>> Qpid JMS client version 0.27.0
>>
>> Regards,
>> Tomas
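
What "pick the certificate with the correct alias" means at the JSSE level, as an added example that is not Qpid's code and not the QPID-7567 change: a key manager wrapper that answers server-side alias requests only with the configured alias, so a keystore holding pc18379_1, pc18379_2 and pc18379_3 can present only the selected entry. The class name `AliasPinningKeyManager` and the method `serverContext` are hypothetical.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Hypothetical helper (not Qpid code): the server side only ever offers one keystore alias. */
public final class AliasPinningKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    private final String alias;
    private final String keyAlgorithm;
    public AliasPinningKeyManager(X509ExtendedKeyManager delegate, String alias) {
        PrivateKey key = delegate.getPrivateKey(alias);
        if (key == null) { // fail at start-up rather than silently serving another entry
            throw new IllegalArgumentException("No private key entry for alias: " + alias);
        }
        this.delegate = delegate;
        this.alias = alias;
        this.keyAlgorithm = key.getAlgorithm();
    }
    // JSSE asks per key type ("RSA", "EC", "EC_RSA", ...); answer only when the pinned key fits.
    private String pinned(String keyType) {
        return (keyType.equals(keyAlgorithm) || keyType.startsWith(keyAlgorithm + "_")) ? alias : null;
    }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return pinned(t); }
    @Override public String chooseEngineServerAlias(String t, Principal[] i, SSLEngine e) { return pinned(t); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return pinned(t) == null ? null : new String[] {alias}; }
    // Client-side selection and key material pass through to the wrapped manager unchanged.
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return delegate.chooseClientAlias(t, i, s); }
    @Override public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return delegate.chooseEngineClientAlias(t, i, e); }
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    /** Server SSLContext for e.g. alias "pc18379_1"; other entries in the store are never offered. */
    public static SSLContext serverContext(KeyStore store, char[] password, String alias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(store, password);
        KeyManager[] managers = kmf.getKeyManagers();
        for (int n = 0; n < managers.length; n++) {
            if (managers[n] instanceof X509ExtendedKeyManager) {
                managers[n] = new AliasPinningKeyManager((X509ExtendedKeyManager) managers[n], alias);
            }
        }
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(managers, null, null);
        return context;
    }
}
```

Because the broker in this thread negotiates through `SSLEngine`, the `chooseEngineServerAlias` override is the one that matters there; the serial number shown in the client's `Certificate chain` debug output should then match the `Serial number` that `keytool -list -v` prints for the configured alias.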
