Posted to commits@activemq.apache.org by "Guy Allard (Created) (JIRA)" <ji...@apache.org> on 2012/04/01 00:42:24 UTC

[jira] [Created] (APLO-178) Using key_alias= causes all SSL connects to fail

Using key_alias= causes all SSL connects to fail
------------------------------------------------

                 Key: APLO-178
                 URL: https://issues.apache.org/jira/browse/APLO-178
             Project: ActiveMQ Apollo
          Issue Type: Bug
          Components: apollo-broker
    Affects Versions: wish-list
         Environment: Ubuntu 11.01, Java OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2) OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)

apache-apollo-99-trunk-20120328.201231-9-unix-distro.tar.gz
            Reporter: Guy Allard
             Fix For: 1.2


After adding 'key_alias=' to the 'key_storage' element, all attempts to connect using SSL fail.

The only thing I see in connection.log is a connect/disconnect sequence.  Log files apollo.log and security.log show nothing.  I see no real errors in Apollo logs.

The client gets only:

Connection reset by peer

I am running with:

- the Ruby stomp gem 1.2.2 client
- <authentication enabled="false"/>
- default login.config
- client_auth= not specified (defaulted)

The alias name is correct I believe:

apollo@tjjackson:~/my-broker-snap/etc$ grep servertj apollo.xml
  <key_storage file="${apollo.base}/etc/keystore" password="password" key_password="password" key_alias="servertj" />

and:

apollo@tjjackson:~/my-broker-snap/etc$ keytool -list -keystore keystore -storepass password

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

clienttjca, Mar 31, 2012, PrivateKeyEntry, 
Certificate fingerprint (MD5): FD:F8:2F:94:5F:F2:55:2C:B9:C7:E6:EA:CA:18:52:6C
servertj, Mar 31, 2012, PrivateKeyEntry, 
Certificate fingerprint (MD5): F2:F3:89:68:4D:EF:46:EB:23:50:57:76:0B:01:58:58

So, the store has two entries:

1) A server cert
2) A Client CA cert (signs all client certs)

Simply removing key_alias= allows at least some SSL functionality to work.

Let me know what I can do to assist, docs etc., but key_alias= seems to be ........ not functional in general.

Regards, Guy


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Resolved] (APLO-178) Using key_alias= causes all SSL connects to fail

Posted by "Hiram Chirino (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/APLO-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hiram Chirino resolved APLO-178.
--------------------------------

    Resolution: Fixed

Hi Guy,

Thanks for testing this out.  I finally got around to adding a test and fixed the problem.  You'll see the fix in the next SNAPSHOT build.

[jira] [Updated] (APLO-178) Using key_alias= causes all SSL connects to fail

Posted by "Hiram Chirino (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/APLO-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hiram Chirino updated APLO-178:
-------------------------------

    Affects Version/s:     (was: wish-list)
             Assignee: Hiram Chirino
    

[jira] [Commented] (APLO-178) Using key_alias= causes all SSL connects to fail

Posted by "Guy Allard (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/APLO-178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13243741#comment-13243741 ] 

Guy Allard commented on APLO-178:
---------------------------------

Here is a clue I think.  In the log with key_alias= being used I see this message several times:

X509KeyManager passed to SSLContext.init():  need an X509ExtendedKeyManager for SSLEngine use

I do not see that in the log with no key_alias=.

                

[jira] [Updated] (APLO-178) Using key_alias= causes all SSL connects to fail

Posted by "Guy Allard (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/APLO-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guy Allard updated APLO-178:
----------------------------

    Attachment: log_with_key_alias.txt
                log_no_key_alias.txt

key_alias problem logs ......
                

[jira] [Commented] (APLO-178) Using key_alias= causes all SSL connects to fail

Posted by "Guy Allard (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/APLO-178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13243738#comment-13243738 ] 

Guy Allard commented on APLO-178:
---------------------------------

I know more about this, see below.  I do not know what, if anything, I can do on the client side to alleviate the problem.

I added "-Djavax.net.debug=ssl" to JVM options.

Summary: When key_alias= is coded, this eventually leads to the following:

...
Apollo Task, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Apollo Task, SEND TLSv1 ALERT:  fatal, description = handshake_failure
Apollo Task, WRITE: TLSv1 Alert, length = 2
hawtdispatch-DEFAULT-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
...


I see the above 3 times during renegotiation attempts.

What is odd is that the cipher suite lists on each side are the same, whether key_alias= is used or not.

I am attaching log files for both cases.

                
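The failure diagnosed in the comment above (and reported at the top of the thread), as an added example that is neither Apollo's code nor its fix: a key manager that pins the broker's server certificate to one keystore alias, the job key_alias= is meant to do, written as an X509ExtendedKeyManager. The "need an X509ExtendedKeyManager for SSLEngine use" warning is JSSE saying a plain X509KeyManager was handed to SSLContext.init(); the wrapper it substitutes answers chooseEngineServerAlias() with null, so an SSLEngine-based server has no key to offer and the handshake aborts with "no cipher suites in common" although both sides list the same suites. The class name, keystore path and passwords are assumptions, and the alias lookup assumes the default SunX509 KeyManagerFactory, which addresses entries by their keystore alias.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example, not Apollo code: pins the server certificate to one keystore alias.
// It must extend X509ExtendedKeyManager: JSSE wraps a plain X509KeyManager for SSLEngine use,
// the wrapper's chooseEngineServerAlias() returns null, the server then has no key to offer,
// and the client sees a handshake_failure reported as "no cipher suites in common".
public final class AliasKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    private final String alias;

    public AliasKeyManager(X509ExtendedKeyManager delegate, String alias) { this.delegate = delegate; this.alias = alias; }

    // Builds an SSLContext whose server identity is the given alias of a JKS keystore.
    // Path, passwords and alias are caller-supplied (e.g. etc/keystore and "servertj" as in the report).
    // Assumes the default "SunX509" factory, whose key manager resolves plain keystore aliases.
    public static SSLContext contextFor(String path, char[] storePass, char[] keyPass, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, storePass); }
        // Fail loudly at startup instead of with a bare "Connection reset by peer" at handshake time.
        if (!ks.isKeyEntry(alias))
            throw new IllegalArgumentException("no private key entry for alias " + alias);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager) {
                SSLContext ctx = SSLContext.getInstance("TLS");
                ctx.init(new KeyManager[] { new AliasKeyManager((X509ExtendedKeyManager) km, alias) }, null, null);
                return ctx;
            }
        }
        throw new IllegalStateException("KeyManagerFactory returned no X509ExtendedKeyManager");
    }

    // Offer the pinned alias only when its key matches the type the handshake asks for
    // ("RSA", "EC", ...); returning null makes JSSE skip that cipher-suite family.
    private String pinned(String keyType) {
        PrivateKey key = delegate.getPrivateKey(alias);
        return key != null && key.getAlgorithm().equalsIgnoreCase(keyType) ? alias : null;
    }

    // Socket servers ask chooseServerAlias(); SSLEngine servers ask chooseEngineServerAlias().
    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return pinned(kt); }
    @Override public String chooseEngineServerAlias(String kt, Principal[] is, SSLEngine e) { return pinned(kt); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return pinned(kt) == null ? null : new String[] { alias }; }
    // Client-side selection is delegated unchanged.
    @Override public String chooseClientAlias(String[] kts, Principal[] is, Socket s) { return delegate.chooseClientAlias(kts, is, s); }
    @Override public String chooseEngineClientAlias(String[] kts, Principal[] is, SSLEngine e) { return delegate.chooseEngineClientAlias(kts, is, e); }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}
```

With -Djavax.net.debug=ssl as used in the comment, a server built from contextFor() should show no "need an X509ExtendedKeyManager" line, and a key type mismatch surfaces as a null alias rather than as a silent reset.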