Posted to issues@activemq.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/04/30 23:21:00 UTC

[jira] [Work logged] (ARTEMIS-3258) downstream federation with ssl does not use the given truststore

     [ https://issues.apache.org/jira/browse/ARTEMIS-3258?focusedWorklogId=591761&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-591761 ]

ASF GitHub Bot logged work on ARTEMIS-3258:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 30/Apr/21 23:20
            Start Date: 30/Apr/21 23:20
    Worklog Time Spent: 10m 
      Work Description: erwindon opened a new pull request #3561:
URL: https://github.com/apache/activemq-artemis/pull/3561


   When setting up a downstream federation, several SSL-related parameters are silently stripped from the provided URL.
   This PR causes a warning to be shown for each parameter that was removed.
   
   This helps to solve connection problems in this area, and it encourages a cleaner configuration file.




Issue Time Tracking
-------------------

            Worklog Id:     (was: 591761)
    Remaining Estimate: 0h
            Time Spent: 10m

> downstream federation with ssl does not use the given truststore
> ----------------------------------------------------------------
>
>                 Key: ARTEMIS-3258
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3258
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker, Federation
>    Affects Versions: 2.17.0
>            Reporter: Erwin Dondorp
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When using a downstream federation, 2 connections are made:
> * The first one uses the <static-connectors>/<connector-ref>. This one succeeds. The value is {{tcp://B:61617?sslEnabled=true;trustStorePath=filename-on-A;trustStorePassword=xyz}}.
> * The second one must be made by the remote broker and uses the <upstream-connector-ref>. This one fails when using SSL. The URL value is {{tcp://A:61617?sslEnabled=true;trustStorePath=filename-on-B;trustStorePassword=xyz}}. This one fails, as can be seen in the logs of B. It shows the error "AMQ214016: Failed to create netty connection: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".
> We cannot use the default truststores, so we provide references to our own. These truststores and the other SSL configuration items work properly for cluster connections, client connections and upstream federation connections. We use self-signed certificates for development and test environments.
> My theory is that the {{trustStorePath}} parameter is somehow ignored and the default truststore is then used (or none). This then causes validation of the certificate to fail, as shown by the error message.


