You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Jody Fanning (JIRA)" <ji...@apache.org> on 2013/01/11 12:54:13 UTC
[jira] [Commented] (CXF-4740) SSL/TLS server incorrectly closes
socket before reporting certificate failure to client
[ https://issues.apache.org/jira/browse/CXF-4740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13551060#comment-13551060 ]
Jody Fanning commented on CXF-4740:
-----------------------------------
While investigating further I found that 2.2.5 is using jetty bio connector, and 2.7.1 is using nio. I guess the change to direct usage of the SSLEngine and overriding the Jetty default connector has introduced the problem.
> SSL/TLS server incorrectly closes socket before reporting certificate failure to client
> ---------------------------------------------------------------------------------------
>
> Key: CXF-4740
> URL: https://issues.apache.org/jira/browse/CXF-4740
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 2.7.1
> Environment: Linux, Ubuntu 12.04
> java version "1.6.0_24"
> OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
> OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
> Reporter: Jody Fanning
>
> In an earlier version of CXF, 2.2.5, when a client certificate failures to validate for some reason the server replied with a fatal error {{bad_certificate}}. This is correct according the the TLS RFC 2246, section 7.2.1. Closure alerts.
> However, in CXF 2.7.0 and 2.7.1 the socket is closed prematurely, so that the client never gets a close or error message. This should not happen since it leaves open the possibility of a truncation attack.
> These are the log outputs for each version. These are based on the wsdl_first_https example project where it is configured so that the server does not have the client certificate in its trust store.
> {panel:title=CXF 2.2.5}
> *Client*
> {{Invocation failed with the following: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate}}
> *Server*
> {{167179228@qtp-764924063-0, READ: TLSv1 Handshake, length = 109}}
> {{*** Certificate chain}}
> {{***}}
> {{167179228@qtp-764924063-0, SEND TLSv1 ALERT: fatal, description = bad_certificate}}
> {{167179228@qtp-764924063-0, WRITE: TLSv1 Alert, length = 2}}
> {{167179228@qtp-764924063-0, called closeSocket()}}
> {{167179228@qtp-764924063-0, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain}}
> {{167179228@qtp-764924063-0, called close()}}
> {{167179228@qtp-764924063-0, called closeInternal(true)}}
> {panel}
> {panel:title=CXF 2.7.1}
> *Client*
> {{Caused by: java.io.EOFException: SSL peer shut down incorrectly}}
> {{at sun.security.ssl.InputRecord.read(InputRecord.java:352)}}
> {{at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:850)}}
> {{... 35 more}}
> {{Invocation failed with the following: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://localhost:9001/SoapContext/SoapPort: Remote host closed connection during handshake}}
> *Server*
> {{qtp111947068-20, READ: TLSv1 Handshake, length = 109}}
> {{*** Certificate chain}}
> {{***}}
> {{qtp111947068-20, fatal error: 42: null cert chain}}
> {{javax.net.ssl.SSLHandshakeException: null cert chain}}
> {{qtp111947068-20, SEND TLSv1 ALERT: fatal, description = bad_certificate}}
> {{qtp111947068-20, WRITE: TLSv1 Alert, length = 2}}
> {{qtp111947068-20, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain}}
> {{Jan 9, 2013 11:34:58 AM org.eclipse.jetty.io.nio.SelectChannelEndPoint handle}}
> {{WARNING: javax.net.ssl.SSLHandshakeException: null cert chain}}
> {panel}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira