You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2018/03/16 09:52:00 UTC

[jira] [Updated] (QPID-8064) [Broker-J] FileKeyStore should validate java keystore content to make sure that private key is present

     [ https://issues.apache.org/jira/browse/QPID-8064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall updated QPID-8064:
-----------------------------
    Fix Version/s:     (was: Future)
                   qpid-java-broker-7.0.3
                   qpid-java-broker-7.1.0

> [Broker-J] FileKeyStore should validate java keystore content to make sure that private key is present
> ------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-8064
>                 URL: https://issues.apache.org/jira/browse/QPID-8064
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-6.0.8, qpid-java-broker-7.0.0, qpid-java-6.1.5
>            Reporter: Alex Rudyy
>            Priority: Minor
>             Fix For: qpid-java-broker-7.1.0, qpid-java-broker-7.0.3
>
>
> Currently Broker-J does not issue any error or warning when private key is missed in java keystore (i.e., truststore is provided instead of keystore). We should add a validation for the private key and deny keystore creation (or recovery) if private key is not present. 
> When keystore without private key is configured, an attempt to make TLS fails, but the root cause of the failure is difficult to debug. Even when java debug logging is enabled (-Djavax.net.debug=all) the logs for the handshake failure are confusing: "fatal error: 40: no cipher suites in common", for example
> {noformat}
> HttpManagement-HTTP-392, READ: TLSv1 Handshake, length = 224
> *** ClientHello, TLSv1.2
> RandomCookie:  GMT: -1512757423 bytes = { 141, 10, 192, 6, 218, 230, 103, 203, 46, 231, 80, 160, 40, 21, 47, 125, 0, 149, 138, 74, 65, 251, 5, 165, 194, 45, 196, 236 }
> Session ID:  {}
> Cipher Suites: [Unknown 0xaa:0xaa, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
> Compression Methods:  { 0 }
> Unsupported extension type_10794, data:
> Extension renegotiation_info, renegotiated_connection: <empty>
> Extension server_name, server_name: [type=host_name (0), value=abcd24p9390.abc.ef.g1234567.net]
> Unsupported extension type_23, data:
> Unsupported extension type_35, data:
> Extension signature_algorithms, signature_algorithms: SHA256withECDSA, Unknown (hash:0x8, signature:0x4), SHA256withRSA, SHA384withECDSA, Unknown (hash:0x8, signature:0x5), SHA384withRSA, Unknown (hash:0x8, signature:0x6), SHA512withRSA, SHA1withRSA
> Unsupported extension status_request, data: 01:00:00:00:00
> Unsupported extension type_18, data:
> Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
> Unsupported extension type_30032, data:
> Extension ec_point_formats, formats: [uncompressed]
> Extension elliptic_curves, curve names: {unknown curve 56026, unknown curve 29, secp256r1, secp384r1}
> Unsupported extension type_23130, data: 00
> ***
> [read] MD5 and SHA1 hashes:  len = 224
> 0000: 01 00 00 DC 03 03 A6 D5   27 51 8D 0A C0 06 DA E6  ........'Q......
> 0010: 67 CB 2E E7 50 A0 28 15   2F 7D 00 95 8A 4A 41 FB  g...P.(./....JA.
> 0020: 05 A5 C2 2D C4 EC 00 00   26 AA AA C0 2B C0 2F 00  ...-....&...+./.
> 0030: 9E C0 2C C0 30 CC A9 CC   A8 CC 14 CC 13 C0 13 00  ..,.0...........
> 0040: 33 C0 14 00 39 00 9C 00   9D 00 2F 00 35 00 0A 01  3...9...../.5...
> 0050: 00 00 8D 2A 2A 00 00 FF   01 00 01 00 00 00 00 24  ...**..........$
> 0060: 00 22 00 00 1F 76 73 69   6E 32 34 70 39 33 39 30  ."...abcd24p9390
> 0070: 2E 73 76 72 2E 75 73 2E   6A 70 6D 63 68 61 73 65  .abc.ef.g1234567
> 0080: 2E 6E 65 74 00 17 00 00   00 23 00 00 00 0D 00 14  .net.....#......
> 0090: 00 12 04 03 08 04 04 01   05 03 08 05 05 01 08 06  ................
> 00A0: 06 01 02 01 00 05 00 05   01 00 00 00 00 00 12 00  ................
> 00B0: 00 00 10 00 0E 00 0C 02   68 32 08 68 74 74 70 2F  ........h2.http/
> 00C0: 31 2E 31 75 50 00 00 00   0B 00 02 01 00 00 0A 00  1.1uP...........
> 00D0: 0A 00 08 DA DA 00 1D 00   17 00 18 5A 5A 00 01 00  ...........ZZ...
> %% Initialized:  [Session-37, SSL_NULL_WITH_NULL_NULL]
> HttpManagement-HTTP-392, fatal error: 40: no cipher suites in common
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> %% Invalidated:  [Session-37, SSL_NULL_WITH_NULL_NULL]
> HttpManagement-HTTP-392, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
> HttpManagement-HTTP-392, WRITE: TLSv1.2 Alert, length = 2
> HttpManagement-HTTP-392, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
> {noformat}
> The broker should not allow keystore creation without private key or at least one certificate.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org