Posted to users@activemq.apache.org by "Dondorp, Erwin" <er...@cgi.com> on 2021/08/23 01:08:52 UTC

SSL error as of artemis 2.18.0

Hello!

Since Artemis 2.18.0, the broker-broker connections (for clustering) refuse to connect due to "Caused by: java.security.cert.CertificateException: No name matching [hostname] found". I did not try any client connections yet, so these might just have the same problem.
My setup is the simplest possible SSL with self-signed certificates since it is a development system.
While looking through the release notes (and zooming in on some of the Jira issues), I did not quickly spot a change that would cause this.
I did not have this problem when using the snapshot versions of 2.18.0, but the last version I actually checked was apache-artemis-2.18.0-20210730.150450-205-bin.tar.gz.
So the question is: what was actually changed? (or is broken? can't believe that).

thx,
Erwin

Re: SSL error as of artemis 2.18.0

Posted by Robbie Gemmell <ro...@gmail.com>.
The first bit is slightly more nuanced meaning there is another
possibility (which is what actually occurred in ARTEMIS-3421), so I
would state it a little differently:

Change the hostname value that is being connected to in the broker
config, so it can match against the existing certificate offered, or
change the certificate (e.g. adding appropriate subject alternative
names) so that it can match whatever hostname value is being connected
to. If not those then you would need to consider verifyHost=false
(<obligatory warning here>) to permit the mismatch.

On Mon, 23 Aug 2021 at 02:51, Justin Bertram <jb...@apache.org> wrote:
>
> The change in question is from ARTEMIS-3367 [1]. Since the hostname defined
> in the SSL cert on your broker can't be verified then you should either get
> a new cert for your broker for which the hostname *can* be verified or set
> verifyHost=false on the connector for the cluster-connection.
>
> I'll make this more clear in the relevant documentation [1].
>
>
> Justin
>
> [1] https://issues.apache.org/jira/browse/ARTEMIS-3367
> [2]
> https://activemq.apache.org/components/artemis/documentation/latest/versions.html
>
> On Sun, Aug 22, 2021 at 8:09 PM Dondorp, Erwin <er...@cgi.com>
> wrote:
>
> > Hello!
> >
> > Since Artemis 2.18.0, the broker-broker connections (for clustering)
> > refuse to connect due to "Caused by:
> > java.security.cert.CertificateException: No name matching [hostname]
> > found". I did not try any client connections yet, so these might just have
> > the same problem.
> > My setup is the simplest possible SSL with self-signed certificates since
> > it is a development system.
> > While looking through the release notes (and zooming in on some of the
> > Jira issues), I did not quickly spot a change that would cause this.
> > I did not have this problem when using the snapshot versions of 2.18.0,
> > but the last version I actually checked was
> > apache-artemis-2.18.0-20210730.150450-205-bin.tar.gz.
> > So the question is: what was actually changed? (or is broken? can't
> > believe that).
> >
> > thx,
> > Erwin
> >
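
The options in the message above, as an added example (not from the thread or the Artemis project): a small Python audit of connector URIs against the names in the peer broker's certificate. The host names, store path and SAN list are constructed, the name matching is a simplification of what the Java TLS stack does, and the verifyHost default of true is an assumption based on the 2.18.0 behaviour discussed in this thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample connector URIs in the style used in broker.xml
# (host names and paths are made up).
CONNECTORS = {
    "by-ip": "tcp://10.0.0.12:61616?sslEnabled=true;trustStorePath=/opt/dev/trust.p12",
    "by-name": "tcp://broker-b.dev.example:61616?sslEnabled=true;trustStorePath=/opt/dev/trust.p12",
    "no-verify": "tcp://10.0.0.12:61616?sslEnabled=true;verifyHost=false",
    "plain": "tcp://broker-b.dev.example:61616",
}
# Constructed: dNSName entries of the certificate the peer broker presents.
PEER_CERT_SANS = ["broker-b.dev.example", "*.cluster.example"]

def parse_connector(uri):
    """Return (host, params); URI parameters are separated by ';' or '&'."""
    parts = urlsplit(uri)
    pairs = (p.split("=", 1) for p in re.split(r"[;&]", parts.query) if "=" in p)
    return parts.hostname, dict(pairs)

def name_matches(host, pattern):
    """Simplified dNSName match: case-insensitive, '*' only as the whole first label."""
    h, p = host.lower().split("."), pattern.lower().split(".")
    if len(h) != len(p):
        return False
    return h[1:] == p[1:] and (p[0] == "*" or h[0] == p[0])

def audit(uri, sans, default_verify=True):
    """Classify a connector as no-tls, unverified, ok or mismatch.
    default_verify=True is an assumption reflecting the 2.18.0 behaviour in this thread."""
    host, params = parse_connector(uri)
    if params.get("sslEnabled", "false").lower() != "true":
        return "no-tls"
    verify = params.get("verifyHost", str(default_verify)).lower() == "true"
    if not verify:
        return "unverified"  # the chain is still checked, the peer's name is not
    return "ok" if any(name_matches(host, s) for s in sans) else "mismatch"

def report(connectors=CONNECTORS, sans=PEER_CERT_SANS):
    """Audit every connector and return {connector name: verdict}."""
    return {name: audit(uri, sans) for name, uri in connectors.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:10} {verdict}")
```

A "mismatch" verdict corresponds to the "No name matching [hostname] found" failure: either the connector host or the certificate's names have to change, while "unverified" marks connectors that connect only because the name check is switched off.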

Re: SSL error as of artemis 2.18.0

Posted by Justin Bertram <jb...@apache.org>.
Just to follow up...

I updated the upgrade instructions for 2.18.0 [1] to make this more clear.


Justin

[1]
https://activemq.apache.org/components/artemis/documentation/latest/versions.html#2180

On Sun, Aug 22, 2021 at 8:51 PM Justin Bertram <jb...@apache.org> wrote:

> The change in question is from ARTEMIS-3367 [1]. Since the hostname
> defined in the SSL cert on your broker can't be verified then you should
> either get a new cert for your broker for which the hostname *can* be
> verified or set verifyHost=false on the connector for the
> cluster-connection.
>
> I'll make this more clear in the relevant documentation [1].
>
>
> Justin
>
> [1] https://issues.apache.org/jira/browse/ARTEMIS-3367
> [2]
> https://activemq.apache.org/components/artemis/documentation/latest/versions.html
>
> On Sun, Aug 22, 2021 at 8:09 PM Dondorp, Erwin <er...@cgi.com>
> wrote:
>
>> Hello!
>>
>> Since Artemis 2.18.0, the broker-broker connections (for clustering)
>> refuse to connect due to "Caused by:
>> java.security.cert.CertificateException: No name matching [hostname]
>> found". I did not try any client connections yet, so these might just have
>> the same problem.
>> My setup is the simplest possible SSL with self-signed certificates since
>> it is a development system.
>> While looking through the release notes (and zooming in on some of the
>> Jira issues), I did not quickly spot a change that would cause this.
>> I did not have this problem when using the snapshot versions of 2.18.0,
>> but the last version I actually checked was
>> apache-artemis-2.18.0-20210730.150450-205-bin.tar.gz.
>> So the question is: what was actually changed? (or is broken? can't
>> believe that).
>>
>> thx,
>> Erwin
>>
>

Re: SSL error as of artemis 2.18.0

Posted by Robbie Gemmell <ro...@gmail.com>.
Well, I didn't create it so much as update the description to repurpose
it rather than simply close it hehe.

On Mon, 23 Aug 2021 at 09:34, Robbie Gemmell <ro...@gmail.com> wrote:
>
> Technically I updated it in both, I created ARTEMIS-3421 and made the
> change against it so it's in the next release notes, and also mentioned
> ARTEMIS-3367 so it can also be seen by anyone happening across the
> original change via there.
>
> I tweaked the default doc and clarified what the setting does a bit. I
> think perhaps Justin was thinking something more explicit about what a
> failure on mismatch means and what can be done.
>
> Robbie
>
> On Mon, 23 Aug 2021 at 08:01, Dondorp, Erwin <er...@cgi.com> wrote:
> >
> > Justin,
> >
> > You just saved me a lot of time, thx!
> >
> > FYI, I see that Robbie updated the documentation on 18-aug, but in ARTEMIS-3421.
> >
> > e.
> >
> > -----Original message-----
> > From: Justin Bertram <jb...@apache.org>
> > Sent: Monday, 23 August 2021 03:51
> > To: users@activemq.apache.org
> > Subject: Re: SSL error as of artemis 2.18.0
> >
> > The change in question is from ARTEMIS-3367 [1]. Since the hostname defined in the SSL cert on your broker can't be verified then you should either get a new cert for your broker for which the hostname *can* be verified or set verifyHost=false on the connector for the cluster-connection.
> >
> > I'll make this more clear in the relevant documentation [1].
> >
> >
> > Justin
> >
> > [1] https://issues.apache.org/jira/browse/ARTEMIS-3367
> > [2]
> > https://activemq.apache.org/components/artemis/documentation/latest/versions.html
> >
> > On Sun, Aug 22, 2021 at 8:09 PM Dondorp, Erwin <er...@cgi.com>
> > wrote:
> >
> > > Hello!
> > >
> > > Since Artemis 2.18.0, the broker-broker connections (for clustering)
> > > refuse to connect due to "Caused by:
> > > java.security.cert.CertificateException: No name matching [hostname]
> > > found". I did not try any client connections yet, so these might just
> > > have the same problem.
> > > My setup is the simplest possible SSL with self-signed certificates
> > > since it is a development system.
> > > While looking through the release notes (and zooming in on some of the
> > > Jira issues), I did not quickly spot a change that would cause this.
> > > I did not have this problem when using the snapshot versions of
> > > 2.18.0, but the last version I actually checked was
> > > apache-artemis-2.18.0-20210730.150450-205-bin.tar.gz.
> > > So the question is: what was actually changed? (or is broken? can't
> > > believe that).
> > >
> > > thx,
> > > Erwin
> > >

Re: SSL error as of artemis 2.18.0

Posted by Robbie Gemmell <ro...@gmail.com>.
Technically I updated it in both, I created ARTEMIS-3421 and made the
change against it so it's in the next release notes, and also mentioned
ARTEMIS-3367 so it can also be seen by anyone happening across the
original change via there.

I tweaked the default doc and clarified what the setting does a bit. I
think perhaps Justin was thinking something more explicit about what a
failure on mismatch means and what can be done.

Robbie

On Mon, 23 Aug 2021 at 08:01, Dondorp, Erwin <er...@cgi.com> wrote:
>
> Justin,
>
> You just saved me a lot of time, thx!
>
> FYI, I see that Robbie updated the documentation on 18-aug, but in ARTEMIS-3421.
>
> e.
>
> -----Original message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Monday, 23 August 2021 03:51
> To: users@activemq.apache.org
> Subject: Re: SSL error as of artemis 2.18.0
>
> The change in question is from ARTEMIS-3367 [1]. Since the hostname defined in the SSL cert on your broker can't be verified then you should either get a new cert for your broker for which the hostname *can* be verified or set verifyHost=false on the connector for the cluster-connection.
>
> I'll make this more clear in the relevant documentation [1].
>
>
> Justin
>
> [1] https://issues.apache.org/jira/browse/ARTEMIS-3367
> [2]
> https://activemq.apache.org/components/artemis/documentation/latest/versions.html
>
> On Sun, Aug 22, 2021 at 8:09 PM Dondorp, Erwin <er...@cgi.com>
> wrote:
>
> > Hello!
> >
> > Since Artemis 2.18.0, the broker-broker connections (for clustering)
> > refuse to connect due to "Caused by:
> > java.security.cert.CertificateException: No name matching [hostname]
> > found". I did not try any client connections yet, so these might just
> > have the same problem.
> > My setup is the simplest possible SSL with self-signed certificates
> > since it is a development system.
> > While looking through the release notes (and zooming in on some of the
> > Jira issues), I did not quickly spot a change that would cause this.
> > I did not have this problem when using the snapshot versions of
> > 2.18.0, but the last version I actually checked was
> > apache-artemis-2.18.0-20210730.150450-205-bin.tar.gz.
> > So the question is: what was actually changed? (or is broken? can't
> > believe that).
> >
> > thx,
> > Erwin
> >

RE: SSL error as of artemis 2.18.0

Posted by "Dondorp, Erwin" <er...@cgi.com>.
Justin,

You just saved me a lot of time, thx!

FYI, I see that Robbie updated the documentation on 18-aug, but in ARTEMIS-3421.

e.

-----Original message-----
From: Justin Bertram <jb...@apache.org>
Sent: Monday, 23 August 2021 03:51
To: users@activemq.apache.org
Subject: Re: SSL error as of artemis 2.18.0

The change in question is from ARTEMIS-3367 [1]. Since the hostname defined in the SSL cert on your broker can't be verified then you should either get a new cert for your broker for which the hostname *can* be verified or set verifyHost=false on the connector for the cluster-connection.

I'll make this more clear in the relevant documentation [1].


Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-3367
[2]
https://activemq.apache.org/components/artemis/documentation/latest/versions.html

On Sun, Aug 22, 2021 at 8:09 PM Dondorp, Erwin <er...@cgi.com>
wrote:

> Hello!
>
> Since Artemis 2.18.0, the broker-broker connections (for clustering) 
> refuse to connect due to "Caused by:
> java.security.cert.CertificateException: No name matching [hostname] 
> found". I did not try any client connections yet, so these might just 
> have the same problem.
> My setup is the simplest possible SSL with self-signed certificates 
> since it is a development system.
> While looking through the release notes (and zooming in on some of the 
> Jira issues), I did not quickly spot a change that would cause this.
> I did not have this problem when using the snapshot versions of 
> 2.18.0, but the last version I actually checked was 
> apache-artemis-2.18.0-20210730.150450-205-bin.tar.gz.
> So the question is: what was actually changed? (or is broken? can't 
> believe that).
>
> thx,
> Erwin
>

Re: SSL error as of artemis 2.18.0

Posted by Justin Bertram <jb...@apache.org>.
The change in question is from ARTEMIS-3367 [1]. Since the hostname defined
in the SSL cert on your broker can't be verified then you should either get
a new cert for your broker for which the hostname *can* be verified or set
verifyHost=false on the connector for the cluster-connection.

I'll make this more clear in the relevant documentation [1].


Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-3367
[2]
https://activemq.apache.org/components/artemis/documentation/latest/versions.html

On Sun, Aug 22, 2021 at 8:09 PM Dondorp, Erwin <er...@cgi.com>
wrote:

> Hello!
>
> Since Artemis 2.18.0, the broker-broker connections (for clustering)
> refuse to connect due to "Caused by:
> java.security.cert.CertificateException: No name matching [hostname]
> found". I did not try any client connections yet, so these might just have
> the same problem.
> My setup is the simplest possible SSL with self-signed certificates since
> it is a development system.
> While looking through the release notes (and zooming in on some of the
> Jira issues), I did not quickly spot a change that would cause this.
> I did not have this problem when using the snapshot versions of 2.18.0,
> but the last version I actually checked was
> apache-artemis-2.18.0-20210730.150450-205-bin.tar.gz.
> So the question is: what was actually changed? (or is broken? can't
> believe that).
>
> thx,
> Erwin
>