Posted to commits@activemq.apache.org by "Hiram Chirino (Resolved) (JIRA)" <ji...@apache.org> on 2012/04/04 20:59:19 UTC

[jira] [Resolved] (APLO-178) Using key_alias= causes all SSL connects to fail

     [ https://issues.apache.org/jira/browse/APLO-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hiram Chirino resolved APLO-178.
--------------------------------

    Resolution: Fixed

Hi Guy,

Thanks for testing this out. I finally got around to adding a test and fixed the problem. You will see the fix in the next SNAPSHOT build.
                
> Using key_alias= causes all SSL connects to fail
> ------------------------------------------------
>
>                 Key: APLO-178
>                 URL: https://issues.apache.org/jira/browse/APLO-178
>             Project: ActiveMQ Apollo
>          Issue Type: Bug
>          Components: apollo-broker
>         Environment: Ubuntu 11.01, Java OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2) OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)
> apache-apollo-99-trunk-20120328.201231-9-unix-distro.tar.gz
>            Reporter: Guy Allard
>            Assignee: Hiram Chirino
>             Fix For: 1.2
>
>         Attachments: log_no_key_alias.txt, log_with_key_alias.txt
>
>
> After adding 'key_alias=' to the 'key_storage' element, all attempts to connect using SSL fail.
> The only thing I see in connection.log is a connect/disconnect sequence.  Log files apollo.log and security.log show nothing.  I see no real errors in Apollo logs.
> The client gets only:
> Connection reset by peer
> I am running with:
> - the Ruby stomp gem 1.2.2 client
> - <authentication enabled="false"/>
> - default login.config
> - client_auth= not specified (defaulted)
> The alias name is correct I believe:
> apollo@tjjackson:~/my-broker-snap/etc$ grep servertj apollo.xml
>   <key_storage file="${apollo.base}/etc/keystore" password="password" key_password="password" key_alias="servertj" />
> and:
> apollo@tjjackson:~/my-broker-snap/etc$ keytool -list -keystore keystore -storepass password
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 2 entries
> clienttjca, Mar 31, 2012, PrivateKeyEntry, 
> Certificate fingerprint (MD5): FD:F8:2F:94:5F:F2:55:2C:B9:C7:E6:EA:CA:18:52:6C
> servertj, Mar 31, 2012, PrivateKeyEntry, 
> Certificate fingerprint (MD5): F2:F3:89:68:4D:EF:46:EB:23:50:57:76:0B:01:58:58
> So, the store has two entries:
> 1) A server cert
> 2) A Client CA cert (signs all client certs)
> Simply removing key_alias= allows at least some SSL functionality to work.
> Let me know what I can do to assist, docs etc., but key_alias= seems to be ........ not functional in general.
> Regards, Guy
