You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Lionel Cons (Jira)" <ji...@apache.org> on 2019/09/30 12:15:00 UTC
[jira] [Commented] (AMQ-7301) Expired certificates trigger a full
stack trace
[ https://issues.apache.org/jira/browse/AMQ-7301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16940918#comment-16940918 ]
Lionel Cons commented on AMQ-7301:
----------------------------------
FWIW, null certificates trigger a similar stack trace:
{code}
2019-09-30 14:08:05,810 [ActiveMQ BrokerService[broker.acme.com] Task-685] ERROR TransportConnector - Could not accept connection from null : {}
java.io.IOException: javax.net.ssl.SSLHandshakeException: null cert chain
at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)
at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)
at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.activemq.transport.nio.NIOOutputStream.write(NIOOutputStream.java:174)
at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:452)
at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
... 14 more
Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:306)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1939)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:448)
... 15 more
{code}
> Expired certificates trigger a full stack trace
> -----------------------------------------------
>
> Key: AMQ-7301
> URL: https://issues.apache.org/jira/browse/AMQ-7301
> Project: ActiveMQ
> Issue Type: Bug
> Components: security
> Affects Versions: 5.15.10
> Environment: ActiveMQ 5.15.10 as standalone broker
> Reporter: Lionel Cons
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.16.0, 5.15.11
>
>
> When using an expired certificate to authenticate via STOMP, ActiveMQ logs a complete stack trace:
>
> {code}
> 2019-09-10 10:36:07,784 [ActiveMQ BrokerService[broker.acme.com] Task-12] ERROR TransportConnector - Could not accept connection from null : {}
> java.io.IOException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
> at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)
> at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
> at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
> at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
> at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
> at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
> at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)
> at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
> at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
> at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
> at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
> at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
> at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
> at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
> at org.apache.activemq.transport.nio.NIOOutputStream.write(NIOOutputStream.java:174)
> at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:452)
> at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
> ... 14 more
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
> at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1983)
> at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
> at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:448)
> ... 15 more
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
> at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
> at sun.security.validator.Validator.validate(Validator.java:262)
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
> at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
> at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1970)
> ... 22 more
> Caused by: java.security.cert.CertPathValidatorException: validity check failed
> at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
> at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
> at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
> at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
> at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
> at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
> ... 28 more
> Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu May 23 12:21:49 CEST 2019
> at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
> at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
> at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
> at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
> at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
> ... 33 more
> {code}
> There are several problems here:
> # this should be a {{WARN}} and not an {{ERROR}} (like an invalid password)
> # the IP address and/or certificate DN should be logged
> # a single line should be reported, not the full stack trace
--
This message was sent by Atlassian Jira
(v8.3.4#803005)