You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@qpid.apache.org by Vavricka <va...@gmail.com> on 2018/03/15 14:03:42 UTC
[Java Broker] Select certificate from broker keystore
Hi,
*I generate multiple self-signed certificates by:*
keytool -genkeypair -alias pc18379_1 -dname CN=pc18379 -validity 1096
-keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' -storepass
123456 -deststoretype PKCS12 -keystore pc18379_1.jks
keytool -genkeypair -alias pc18379_2 -dname CN=pc18379 -validity 1096
-keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' -storepass
123456 -deststoretype PKCS12 -keystore pc18379_2.jks
keytool -genkeypair -alias pc18379_3 -dname CN=pc18379 -validity 1096
-keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456' -storepass
123456 -deststoretype PKCS12 -keystore pc18379_3.jks
Each generated keypair has own keystore.
*I export private keys to keystore which broker will use by:*
keytool -importkeystore -srckeystore pc18379_1.jks -srcstoretype PKCS12
-storepass '123456' -srcstorepass '123456' -alias pc18379_1 -deststoretype
PKCS12 -destkeystore keystore
keytool -importkeystore -srckeystore pc18379_2.jks -srcstoretype PKCS12
-storepass '123456' -srcstorepass '123456' -alias pc18379_2 -deststoretype
PKCS12 -destkeystore keystore
keytool -importkeystore -srckeystore pc18379_3.jks -srcstoretype PKCS12
-storepass '123456' -srcstorepass '123456' -alias pc18379_3 -deststoretype
PKCS12 -destkeystore keystore
*I export public certificates by:*
keytool -exportcert -keystore pc18379_1.jks -storepass '123456' -alias
pc18379_1 -rfc -file pc18379_1.crt
keytool -exportcert -keystore pc18379_2.jks -storepass '123456' -alias
pc18379_2 -rfc -file pc18379_2.crt
keytool -exportcert -keystore pc18379_3.jks -storepass '123456' -alias
pc18379_3 -rfc -file pc18379_3.crt
*I create truststores for clients by:*
keytool -import -alias pc18379_1 -file pc18379_1.crt -storepass '123456'
-noprompt -deststoretype PKCS12 -keystore pc18379_1.truststore
keytool -import -alias pc18379_2 -file pc18379_2.crt -storepass '123456'
-noprompt -deststoretype PKCS12 -keystore pc18379_2.truststore
keytool -import -alias pc18379_3 -file pc18379_3.crt -storepass '123456'
-noprompt -deststoretype PKCS12 -keystore pc18379_3.truststore
*List of certificates in "keystore" (keystore broker will use)*
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: pc18379_1
Creation date: Mar 15, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=pc18379
Issuer: CN=pc18379
Serial number: 54f1c168
Valid from: Thu Mar 15 14:05:07 CET 2018 until: Mon Mar 15 14:05:07 CET 2021
Certificate fingerprints:
MD5: 60:6C:94:B6:5D:18:C3:AC:89:56:3F:A9:A2:70:83:37
SHA1: 0D:D4:14:24:E6:92:35:B7:5B:A3:71:A7:BF:45:B3:6C:37:65:7F:4E
SHA256:
79:F0:77:65:27:93:5C:D0:55:73:42:B6:2D:4E:75:94:9A:64:6A:35:7C:12:4F:B0:CD:82:D7:89:96:8F:88:59
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 A5 26 94 CC 30 E8 63 66 61 87 1A 83 29 E7 63 ..&..0.cfa...).c
0010: EE 16 2D B6 ..-.
]
]
*******************************************
*******************************************
Alias name: pc18379_2
Creation date: Mar 15, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=pc18379
Issuer: CN=pc18379
Serial number: 23e58c32
Valid from: Thu Mar 15 14:06:38 CET 2018 until: Mon Mar 15 14:06:38 CET 2021
Certificate fingerprints:
MD5: 15:71:70:31:43:11:D9:15:3B:5B:E7:F0:DD:AB:96:DB
SHA1: D6:37:E3:4B:75:C7:9E:4B:D2:92:5C:50:92:DB:71:17:BE:58:FC:2F
SHA256:
52:88:88:AA:AE:C3:68:88:02:4D:CA:4E:32:76:DF:98:09:B9:03:9A:AB:3E:C1:CF:69:6C:B2:B2:97:D8:87:ED
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F...
0010: 28 63 A8 D8 (c..
]
]
*******************************************
*******************************************
Alias name: pc18379_3
Creation date: Mar 15, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=pc18379
Issuer: CN=pc18379
Serial number: 4c6d4854
Valid from: Thu Mar 15 14:06:44 CET 2018 until: Mon Mar 15 14:06:44 CET 2021
Certificate fingerprints:
MD5: CC:FD:D2:DA:38:A1:0F:3E:B1:6D:A3:62:65:D0:E3:82
SHA1: EE:37:84:C3:8E:B1:42:06:32:07:A4:CF:F0:EA:39:E7:3D:9F:3B:4F
SHA256:
18:D4:41:2D:40:F1:19:35:68:6A:90:A3:2D:8A:64:4D:AC:1E:30:DF:48:C9:13:F1:92:EF:A2:02:8B:B9:D3:B7
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CE 2A EE 5D B0 4A DE AA 47 97 A1 B2 70 14 9A 0A .*.].J..G...p...
0010: BE 4F 84 87 .O..
]
]
*******************************************
*******************************************
*I have keystore configured like (alias set to pc18379_1) in config.json*
"keystores" : [ {
"id" : "7eaa413b-0759-4552-b962-8393f492bed5",
"name" : "keyStore",
"type" : "FileKeyStore",
"certificateAlias" : "pc18379_1",
"keyStoreType" : "pkcs12",
"password" : "123456",
"storeUrl" : "path_to/keystore",
"lastUpdatedBy" : "admin",
"lastUpdatedTime" : 1521120324562,
"createdBy" : null,
"createdTime" : 1520409258289
}
But when I try to connect it seems server always offers certificate with
alias pc18379_2 (according to certificate serial number).
*Part of client output with ssl debug below *
***
adding as trusted cert:
Subject: CN=pc18379
Issuer: CN=pc18379
Algorithm: RSA; Serial number: 0x54f1c168
Valid from Thu Mar 15 14:05:07 CET 2018 until Mon Mar 15 14:05:07 CET 2021
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1504343366 bytes = { 242, 16, 210, 94, 238, 136, 192,
81, 81, 214, 102, 58, 118, 26, 105, 92, 227, 208, 129, 50, 61, 64, 149, 184,
63, 8, 156, 167 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1,
sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA,
SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA,
SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
***
epollEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 213
epollEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 1181
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1504343366 bytes = { 34, 240, 18, 201, 166, 150, 106,
20, 7, 238, 118, 230, 164, 241, 16, 205, 144, 166, 225, 15, 198, 46, 255,
202, 105, 76, 188, 245 }
Session ID: {90, 170, 117, 70, 148, 189, 188, 50, 181, 3, 51, 89, 233, 185,
36, 131, 116, 25, 85, 242, 62, 233, 49, 26, 251, 189, 219, 18, 78, 95, 78,
192}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension extended_master_secret
***
%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=pc18379
Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13
Key: Sun RSA public key, 2048 bits
modulus:
16543869811077710257493518006664617823018971455140571100091650223172922149916898892909543609214362975689342363032611007461112960678877071629010023369479887213213031334623727026807460072796743324227146296597651110653276219140378996680093421470312834423938733525520627777690150599828501298940830233009910190322371558133967004809425481846771536758904565445576662139136376438512926625484032677329237671196787951271540883516890567774875629923047753674674100709219189622073423352032206553669561113853486448106812858039858256103470907022938839365261521267023008273922841169892012530686025512314049629135660948872714396612667
public exponent: 65537
Validity: [From: Thu Mar 15 14:06:38 CET 2018,
To: Mon Mar 15 14:06:38 CET 2021]
Issuer: CN=pc18379
SerialNumber: [ 23e58c32]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F...
0010: 28 63 A8 D8 (c..
]
]
]
Algorithm: [SHA512withRSA]
Signature:
0000: 5B E5 5C 5E FE B7 1E 7C 32 B5 F8 22 A2 4A 37 5A [.\^....2..".J7Z
0010: 82 19 72 71 DE 65 00 05 56 6F 85 DD A3 EF BA 3C ..rq.e..Vo.....<
0020: 7F 1E 90 A3 26 6B 18 4D F7 79 59 92 A0 6D 53 06 ....&k.M.yY..mS.
0030: 38 C4 47 A1 CC D1 D1 D3 64 8E D2 13 F1 4D C1 EB 8.G.....d....M..
0040: C2 F4 57 2A 9C 90 F9 3B 5B F8 72 C5 37 9E 09 57 ..W*...;[.r.7..W
0050: FB 33 2C 00 70 22 82 94 27 E1 F4 9D 0E A5 76 77 .3,.p"..'.....vw
0060: 7C C1 02 E7 B3 7A 13 C4 CE F4 62 9E 3E 1F FA F6 .....z....b.>...
0070: 6C BD 2C AE 53 2C 6D 9E BC 21 50 46 44 85 B5 62 l.,.S,m..!PFD..b
0080: 0F 11 23 60 9D 48 F2 41 7D BD 30 23 0E 21 D5 A7 ..#`.H.A..0#.!..
0090: 30 E7 E4 33 0C 7D 0B 8A EA 2D 30 6C 25 ED D3 2A 0..3.....-0l%..*
00A0: 79 E7 9E 6C 1C C5 D0 D7 25 AF B7 A6 BD D1 C4 21 y..l....%......!
00B0: 11 91 6E 8A BA 9F E9 47 B4 09 65 10 28 49 A5 1E ..n....G..e.(I..
00C0: 77 6A 5B 62 8C 01 FA E2 F1 22 46 E2 0C D8 5F DF wj[b....."F..._.
00D0: 71 E5 51 52 73 DD FB 70 3C 42 61 08 F7 30 84 7E q.QRs..p<Ba..0..
00E0: 68 3B A1 FC 8F F4 72 DD 91 38 C5 4D 8F ED D5 69 h;....r..8.M...i
00F0: 25 A7 3C 4F 51 20 48 22 1C F7 18 63 A4 18 73 A0 %.<OQ H"...c..s.
]
***
epollEventLoopGroup-2-1, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: signature check failed
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
epollEventLoopGroup-2-1, SEND TLSv1.2 ALERT: fatal, description =
certificate_unknown
epollEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 2
epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
epollEventLoopGroup-2-1, called closeOutbound()
epollEventLoopGroup-2-1, closeOutboundInternal()
epollEventLoopGroup-2-1, called closeInbound()
epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing
javax.net.ssl.SSLException: Inbound closed before receiving peer's
close_notify: possible truncation attack?
epollEventLoopGroup-2-1, called closeOutbound()
epollEventLoopGroup-2-1, closeOutboundInternal()
epollEventLoopGroup-2-1, called closeInbound()
epollEventLoopGroup-2-1, closeInboundInternal()
Even when certificate alias in java broker keystore configuration is set to
pc18379_1 (serial number - 54f1c168), java broker always offers certificate
with alias pc18379_2 (serial number - 23e58c32).
Am I doing anything wrong?
Java Broker version 7.0.1
Qpid JMS client version 0.27.0
Regards,
Tomas
--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: [Java Broker] Select certificate from broker keystore
Posted by Vavricka <va...@gmail.com>.
Hi,
thanks for quick reply. We are eager for Java Broker 7.0.3.
Regards,
Tomas
Keith Wall wrote
> Hi Tomas,
>
> It should not be too hard to separate out a defect fix from the work
> of QPID-7567. I will look to include this in a 7.0.3 which should
> not be too far away.
>
> Kind regards, Keith.
>
> On 15 March 2018 at 17:06, Rob Godfrey <
> rob.j.godfrey@
> > wrote:
>> Hi Tomas,
>>
>> there is/was a bug in the broker whereby it would always pick the first
>> certificate rather than the one with the correct alias. I fixed the bug
>> as
>> part of QPID-7567[1] last year, however I think that is only on master
>> (and
>> scheduled for 7.1) and hasn't been backported to 7.0.x.
>>
>> -- Rob
>>
>> [1] https://issues.apache.org/jira/browse/QPID-7567
>>
>> On 15 March 2018 at 15:03, Vavricka <
> vavricka.tomas@
> > wrote:
>>
>>> Hi,
>>>
>>> *I generate multiple self-signed certificates by:*
>>>
>>> keytool -genkeypair -alias pc18379_1 -dname CN=pc18379 -validity 1096
>>> -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456'
>>> -storepass
>>> 123456 -deststoretype PKCS12 -keystore pc18379_1.jks
>>> keytool -genkeypair -alias pc18379_2 -dname CN=pc18379 -validity 1096
>>> -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456'
>>> -storepass
>>> 123456 -deststoretype PKCS12 -keystore pc18379_2.jks
>>> keytool -genkeypair -alias pc18379_3 -dname CN=pc18379 -validity 1096
>>> -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456'
>>> -storepass
>>> 123456 -deststoretype PKCS12 -keystore pc18379_3.jks
>>>
>>> Each generated keypair has own keystore.
>>>
>>> *I export private keys to keystore which broker will use by:*
>>>
>>> keytool -importkeystore -srckeystore pc18379_1.jks -srcstoretype PKCS12
>>> -storepass '123456' -srcstorepass '123456' -alias pc18379_1
>>> -deststoretype
>>> PKCS12 -destkeystore keystore
>>> keytool -importkeystore -srckeystore pc18379_2.jks -srcstoretype PKCS12
>>> -storepass '123456' -srcstorepass '123456' -alias pc18379_2
>>> -deststoretype
>>> PKCS12 -destkeystore keystore
>>> keytool -importkeystore -srckeystore pc18379_3.jks -srcstoretype PKCS12
>>> -storepass '123456' -srcstorepass '123456' -alias pc18379_3
>>> -deststoretype
>>> PKCS12 -destkeystore keystore
>>>
>>> *I export public certificates by:*
>>>
>>> keytool -exportcert -keystore pc18379_1.jks -storepass '123456' -alias
>>> pc18379_1 -rfc -file pc18379_1.crt
>>> keytool -exportcert -keystore pc18379_2.jks -storepass '123456' -alias
>>> pc18379_2 -rfc -file pc18379_2.crt
>>> keytool -exportcert -keystore pc18379_3.jks -storepass '123456' -alias
>>> pc18379_3 -rfc -file pc18379_3.crt
>>>
>>> *I create truststores for clients by:*
>>>
>>> keytool -import -alias pc18379_1 -file pc18379_1.crt -storepass '123456'
>>> -noprompt -deststoretype PKCS12 -keystore pc18379_1.truststore
>>> keytool -import -alias pc18379_2 -file pc18379_2.crt -storepass '123456'
>>> -noprompt -deststoretype PKCS12 -keystore pc18379_2.truststore
>>> keytool -import -alias pc18379_3 -file pc18379_3.crt -storepass '123456'
>>> -noprompt -deststoretype PKCS12 -keystore pc18379_3.truststore
>>>
>>> *List of certificates in "keystore" (keystore broker will use)*
>>>
>>> Enter keystore password:
>>> Keystore type: JKS
>>> Keystore provider: SUN
>>>
>>> Your keystore contains 3 entries
>>>
>>> Alias name: pc18379_1
>>> Creation date: Mar 15, 2018
>>> Entry type: PrivateKeyEntry
>>> Certificate chain length: 1
>>> Certificate[1]:
>>> Owner: CN=pc18379
>>> Issuer: CN=pc18379
>>> Serial number: 54f1c168
>>> Valid from: Thu Mar 15 14:05:07 CET 2018 until: Mon Mar 15 14:05:07 CET
>>> 2021
>>> Certificate fingerprints:
>>> MD5: 60:6C:94:B6:5D:18:C3:AC:89:56:3F:A9:A2:70:83:37
>>> SHA1:
>>> 0D:D4:14:24:E6:92:35:B7:5B:A3:71:A7:BF:45:B3:6C:37:65:7F:4E
>>> SHA256:
>>> 79:F0:77:65:27:93:5C:D0:55:73:42:B6:2D:4E:75:94:9A:64:6A:35:
>>> 7C:12:4F:B0:CD:82:D7:89:96:8F:88:59
>>> Signature algorithm name: SHA512withRSA
>>> Subject Public Key Algorithm: 2048-bit RSA key
>>> Version: 3
>>>
>>> Extensions:
>>>
>>> #1: ObjectId: 2.5.29.14 Criticality=false
>>> SubjectKeyIdentifier [
>>> KeyIdentifier [
>>> 0000: 87 A5 26 94 CC 30 E8 63 66 61 87 1A 83 29 E7 63
>>> ..&..0.cfa...).c
>>> 0010: EE 16 2D B6 ..-.
>>> ]
>>> ]
>>>
>>>
>>>
>>> *******************************************
>>> *******************************************
>>>
>>>
>>> Alias name: pc18379_2
>>> Creation date: Mar 15, 2018
>>> Entry type: PrivateKeyEntry
>>> Certificate chain length: 1
>>> Certificate[1]:
>>> Owner: CN=pc18379
>>> Issuer: CN=pc18379
>>> Serial number: 23e58c32
>>> Valid from: Thu Mar 15 14:06:38 CET 2018 until: Mon Mar 15 14:06:38 CET
>>> 2021
>>> Certificate fingerprints:
>>> MD5: 15:71:70:31:43:11:D9:15:3B:5B:E7:F0:DD:AB:96:DB
>>> SHA1:
>>> D6:37:E3:4B:75:C7:9E:4B:D2:92:5C:50:92:DB:71:17:BE:58:FC:2F
>>> SHA256:
>>> 52:88:88:AA:AE:C3:68:88:02:4D:CA:4E:32:76:DF:98:09:B9:03:9A:
>>> AB:3E:C1:CF:69:6C:B2:B2:97:D8:87:ED
>>> Signature algorithm name: SHA512withRSA
>>> Subject Public Key Algorithm: 2048-bit RSA key
>>> Version: 3
>>>
>>> Extensions:
>>>
>>> #1: ObjectId: 2.5.29.14 Criticality=false
>>> SubjectKeyIdentifier [
>>> KeyIdentifier [
>>> 0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02
>>> ..q$...Rr.0.F...
>>> 0010: 28 63 A8 D8 (c..
>>> ]
>>> ]
>>>
>>>
>>>
>>> *******************************************
>>> *******************************************
>>>
>>>
>>> Alias name: pc18379_3
>>> Creation date: Mar 15, 2018
>>> Entry type: PrivateKeyEntry
>>> Certificate chain length: 1
>>> Certificate[1]:
>>> Owner: CN=pc18379
>>> Issuer: CN=pc18379
>>> Serial number: 4c6d4854
>>> Valid from: Thu Mar 15 14:06:44 CET 2018 until: Mon Mar 15 14:06:44 CET
>>> 2021
>>> Certificate fingerprints:
>>> MD5: CC:FD:D2:DA:38:A1:0F:3E:B1:6D:A3:62:65:D0:E3:82
>>> SHA1:
>>> EE:37:84:C3:8E:B1:42:06:32:07:A4:CF:F0:EA:39:E7:3D:9F:3B:4F
>>> SHA256:
>>> 18:D4:41:2D:40:F1:19:35:68:6A:90:A3:2D:8A:64:4D:AC:1E:30:DF:
>>> 48:C9:13:F1:92:EF:A2:02:8B:B9:D3:B7
>>> Signature algorithm name: SHA512withRSA
>>> Subject Public Key Algorithm: 2048-bit RSA key
>>> Version: 3
>>>
>>> Extensions:
>>>
>>> #1: ObjectId: 2.5.29.14 Criticality=false
>>> SubjectKeyIdentifier [
>>> KeyIdentifier [
>>> 0000: CE 2A EE 5D B0 4A DE AA 47 97 A1 B2 70 14 9A 0A
>>> .*.].J..G...p...
>>> 0010: BE 4F 84 87 .O..
>>> ]
>>> ]
>>>
>>>
>>>
>>> *******************************************
>>> *******************************************
>>>
>>>
>>> *I have keystore configured like (alias set to pc18379_1) in
>>> config.json*
>>>
>>> "keystores" : [ {
>>> "id" : "7eaa413b-0759-4552-b962-8393f492bed5",
>>> "name" : "keyStore",
>>> "type" : "FileKeyStore",
>>> "certificateAlias" : "pc18379_1",
>>> "keyStoreType" : "pkcs12",
>>> "password" : "123456",
>>> "storeUrl" : "path_to/keystore",
>>> "lastUpdatedBy" : "admin",
>>> "lastUpdatedTime" : 1521120324562,
>>> "createdBy" : null,
>>> "createdTime" : 1520409258289
>>> }
>>>
>>> But when I try to connect it seems server always offers certificate with
>>> alias pc18379_2 (according to certificate serial number).
>>>
>>> *Part of client output with ssl debug below *
>>>
>>> ***
>>> adding as trusted cert:
>>> Subject: CN=pc18379
>>> Issuer: CN=pc18379
>>> Algorithm: RSA; Serial number: 0x54f1c168
>>> Valid from Thu Mar 15 14:05:07 CET 2018 until Mon Mar 15 14:05:07 CET
>>> 2021
>>>
>>> trigger seeding of SecureRandom
>>> done seeding SecureRandom
>>> Using SSLEngineImpl.
>>> Allow unsafe renegotiation: false
>>> Allow legacy hello messages: true
>>> Is initial handshake: true
>>> Is secure renegotiation: false
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1
>>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>> for
>>> TLSv1
>>> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
>>> TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1
>>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>>> for
>>> TLSv1
>>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>> for
>>> TLSv1
>>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>>> for
>>> TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>> for
>>> TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
>>> TLSv1.1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>>> for
>>> TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>> for
>>> TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>>> for
>>> TLSv1.1
>>> %% No cached client session
>>> *** ClientHello, TLSv1.2
>>> RandomCookie: GMT: 1504343366 bytes = { 242, 16, 210, 94, 238, 136,
>>> 192,
>>> 81, 81, 214, 102, 58, 118, 26, 105, 92, 227, 208, 129, 50, 61, 64, 149,
>>> 184,
>>> 63, 8, 156, 167 }
>>> Session ID: {}
>>> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256,
>>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
>>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
>>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
>>> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
>>> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
>>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
>>> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
>>> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
>>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>>> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_
>>> GCM_SHA256,
>>> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
>>> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_
>>> CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
>>> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
>>> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
>>> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
>>> TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
>>> Compression Methods: { 0 }
>>> Extension elliptic_curves, curve names: {secp256r1, secp384r1,
>>> secp521r1,
>>> sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1,
>>> secp256k1}
>>> Extension ec_point_formats, formats: [uncompressed]
>>> Extension signature_algorithms, signature_algorithms: SHA512withECDSA,
>>> SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
>>> SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA,
>>> SHA224withDSA,
>>> SHA1withECDSA, SHA1withRSA, SHA1withDSA
>>> Extension extended_master_secret
>>> ***
>>> epollEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 213
>>> epollEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 1181
>>> *** ServerHello, TLSv1.2
>>> RandomCookie: GMT: 1504343366 bytes = { 34, 240, 18, 201, 166, 150,
>>> 106,
>>> 20, 7, 238, 118, 230, 164, 241, 16, 205, 144, 166, 225, 15, 198, 46,
>>> 255,
>>> 202, 105, 76, 188, 245 }
>>> Session ID: {90, 170, 117, 70, 148, 189, 188, 50, 181, 3, 51, 89, 233,
>>> 185,
>>> 36, 131, 116, 25, 85, 242, 62, 233, 49, 26, 251, 189, 219, 18, 78, 95,
>>> 78,
>>> 192}
>>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>> Compression Method: 0
>>> Extension renegotiation_info, renegotiated_connection:
> <empty>
>>> Extension extended_master_secret
>>> ***
>>> %% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
>>> ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>> *** Certificate chain
>>> chain [0] = [
>>> [
>>> Version: V3
>>> Subject: CN=pc18379
>>> Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13
>>>
>>> Key: Sun RSA public key, 2048 bits
>>> modulus:
>>> 165438698110777102574935180066646178230189714551405711000916
>>> 502231729221499168988929095436092143629756893423630326110074
>>> 611129606788770716290100233694798872132130313346237270268074
>>> 600727967433242271462965976511106532762191403789966800934214
>>> 703128344239387335255206277776901505998285012989408302330099
>>> 101903223715581339670048094254818467715367589045654455766621
>>> 391363764385129266254840326773292376711967879512715408835168
>>> 905677748756299230477536746741007092191896220734233520322065
>>> 536695611138534864481068128580398582561034709070229388393652
>>> 615212670230082739228411698920125306860255123140496291356609
>>> 48872714396612667
>>> public exponent: 65537
>>> Validity: [From: Thu Mar 15 14:06:38 CET 2018,
>>> To: Mon Mar 15 14:06:38 CET 2021]
>>> Issuer: CN=pc18379
>>> SerialNumber: [ 23e58c32]
>>>
>>> Certificate Extensions: 1
>>> [1]: ObjectId: 2.5.29.14 Criticality=false
>>> SubjectKeyIdentifier [
>>> KeyIdentifier [
>>> 0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02
>>> ..q$...Rr.0.F...
>>> 0010: 28 63 A8 D8 (c..
>>> ]
>>> ]
>>>
>>> ]
>>> Algorithm: [SHA512withRSA]
>>> Signature:
>>> 0000: 5B E5 5C 5E FE B7 1E 7C 32 B5 F8 22 A2 4A 37 5A
>>> [.\^....2..".J7Z
>>> 0010: 82 19 72 71 DE 65 00 05 56 6F 85 DD A3 EF BA 3C
>>> ..rq.e..Vo.....<
>>> 0020: 7F 1E 90 A3 26 6B 18 4D F7 79 59 92 A0 6D 53 06
>>> ....&k.M.yY..mS.
>>> 0030: 38 C4 47 A1 CC D1 D1 D3 64 8E D2 13 F1 4D C1 EB
>>> 8.G.....d....M..
>>> 0040: C2 F4 57 2A 9C 90 F9 3B 5B F8 72 C5 37 9E 09 57
>>> ..W*...;[.r.7..W
>>> 0050: FB 33 2C 00 70 22 82 94 27 E1 F4 9D 0E A5 76 77
>>> .3,.p"..'.....vw
>>> 0060: 7C C1 02 E7 B3 7A 13 C4 CE F4 62 9E 3E 1F FA F6
>>> .....z....b.>...
>>> 0070: 6C BD 2C AE 53 2C 6D 9E BC 21 50 46 44 85 B5 62
>>> l.,.S,m..!PFD..b
>>> 0080: 0F 11 23 60 9D 48 F2 41 7D BD 30 23 0E 21 D5 A7
>>> ..#`.H.A..0#.!..
>>> 0090: 30 E7 E4 33 0C 7D 0B 8A EA 2D 30 6C 25 ED D3 2A
>>> 0..3.....-0l%..*
>>> 00A0: 79 E7 9E 6C 1C C5 D0 D7 25 AF B7 A6 BD D1 C4 21
>>> y..l....%......!
>>> 00B0: 11 91 6E 8A BA 9F E9 47 B4 09 65 10 28 49 A5 1E
>>> ..n....G..e.(I..
>>> 00C0: 77 6A 5B 62 8C 01 FA E2 F1 22 46 E2 0C D8 5F DF
>>> wj[b....."F..._.
>>> 00D0: 71 E5 51 52 73 DD FB 70 3C 42 61 08 F7 30 84 7E q.QRs..p
> <Ba..0..
>>
>> 00E0: 68 3B A1 FC 8F F4 72 DD 91 38 C5 4D 8F ED D5 69 h;....r..8.M...i
>>> 00F0: 25 A7 3C 4F 51 20 48 22 1C F7 18 63 A4 18 73 A0 %.
> <OQ H"...c..s.
>>
>>
>>> ]
>>> ***
>>> epollEventLoopGroup-2-1, fatal error: 46: General SSLEngine problem
>>> sun.security.validator.ValidatorException: PKIX path validation failed:
>>> java.security.cert.CertPathValidatorException: signature check failed
>>> %% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
>>> epollEventLoopGroup-2-1, SEND TLSv1.2 ALERT: fatal, description =
>>> certificate_unknown
>>> epollEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 2
>>> epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing
>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>> epollEventLoopGroup-2-1, called closeOutbound()
>>> epollEventLoopGroup-2-1, closeOutboundInternal()
>>> epollEventLoopGroup-2-1, called closeInbound()
>>> epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing
>>> javax.net.ssl.SSLException: Inbound closed before receiving peer's
>>> close_notify: possible truncation attack?
>>> epollEventLoopGroup-2-1, called closeOutbound()
>>> epollEventLoopGroup-2-1, closeOutboundInternal()
>>> epollEventLoopGroup-2-1, called closeInbound()
>>> epollEventLoopGroup-2-1, closeInboundInternal()
>>>
>>> Even when certificate alias in java broker keystore configuration is set
>>> to
>>> pc18379_1 (serial number - 54f1c168), java broker always offers
>>> certificate
>>> with alias pc18379_2 (serial number - 23e58c32).
>>>
>>> Am I doing anything wrong?
>>>
>>> Java Broker version 7.0.1
>>> Qpid JMS client version 0.27.0
>>>
>>> Regards,
>>> Tomas
>>>
>>>
>>>
>>> --
>>> Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-
>>> f2158936.html
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail:
> users-unsubscribe@.apache
>>> For additional commands, e-mail:
> users-help@.apache
>>>
>>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> users-unsubscribe@.apache
> For additional commands, e-mail:
> users-help@.apache
--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: [Java Broker] Select certificate from broker keystore
Posted by Keith W <ke...@gmail.com>.
Hi Tomas,
It should not be too hard to separate out a defect fix from the work
of QPID-7567. I will look to include this in a 7.0.3 which should
not be too far away.
Kind regards, Keith.
On 15 March 2018 at 17:06, Rob Godfrey <ro...@gmail.com> wrote:
> Hi Tomas,
>
> there is/was a bug in the broker whereby it would always pick the first
> certificate rather than the one with the correct alias. I fixed the bug as
> part of QPID-7567[1] last year, however I think that is only on master (and
> scheduled for 7.1) and hasn't been backported to 7.0.x.
>
> -- Rob
>
> [1] https://issues.apache.org/jira/browse/QPID-7567
>
> On 15 March 2018 at 15:03, Vavricka <va...@gmail.com> wrote:
>
>> Hi,
>>
>> *I generate multiple self-signed certificates by:*
>>
>> keytool -genkeypair -alias pc18379_1 -dname CN=pc18379 -validity 1096
>> -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456'
>> -storepass
>> 123456 -deststoretype PKCS12 -keystore pc18379_1.jks
>> keytool -genkeypair -alias pc18379_2 -dname CN=pc18379 -validity 1096
>> -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456'
>> -storepass
>> 123456 -deststoretype PKCS12 -keystore pc18379_2.jks
>> keytool -genkeypair -alias pc18379_3 -dname CN=pc18379 -validity 1096
>> -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456'
>> -storepass
>> 123456 -deststoretype PKCS12 -keystore pc18379_3.jks
>>
>> Each generated keypair has own keystore.
>>
>> *I export private keys to keystore which broker will use by:*
>>
>> keytool -importkeystore -srckeystore pc18379_1.jks -srcstoretype PKCS12
>> -storepass '123456' -srcstorepass '123456' -alias pc18379_1 -deststoretype
>> PKCS12 -destkeystore keystore
>> keytool -importkeystore -srckeystore pc18379_2.jks -srcstoretype PKCS12
>> -storepass '123456' -srcstorepass '123456' -alias pc18379_2 -deststoretype
>> PKCS12 -destkeystore keystore
>> keytool -importkeystore -srckeystore pc18379_3.jks -srcstoretype PKCS12
>> -storepass '123456' -srcstorepass '123456' -alias pc18379_3 -deststoretype
>> PKCS12 -destkeystore keystore
>>
>> *I export public certificates by:*
>>
>> keytool -exportcert -keystore pc18379_1.jks -storepass '123456' -alias
>> pc18379_1 -rfc -file pc18379_1.crt
>> keytool -exportcert -keystore pc18379_2.jks -storepass '123456' -alias
>> pc18379_2 -rfc -file pc18379_2.crt
>> keytool -exportcert -keystore pc18379_3.jks -storepass '123456' -alias
>> pc18379_3 -rfc -file pc18379_3.crt
>>
>> *I create truststores for clients by:*
>>
>> keytool -import -alias pc18379_1 -file pc18379_1.crt -storepass '123456'
>> -noprompt -deststoretype PKCS12 -keystore pc18379_1.truststore
>> keytool -import -alias pc18379_2 -file pc18379_2.crt -storepass '123456'
>> -noprompt -deststoretype PKCS12 -keystore pc18379_2.truststore
>> keytool -import -alias pc18379_3 -file pc18379_3.crt -storepass '123456'
>> -noprompt -deststoretype PKCS12 -keystore pc18379_3.truststore
>>
>> *List of certificates in "keystore" (keystore broker will use)*
>>
>> Enter keystore password:
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 3 entries
>>
>> Alias name: pc18379_1
>> Creation date: Mar 15, 2018
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 1
>> Certificate[1]:
>> Owner: CN=pc18379
>> Issuer: CN=pc18379
>> Serial number: 54f1c168
>> Valid from: Thu Mar 15 14:05:07 CET 2018 until: Mon Mar 15 14:05:07 CET
>> 2021
>> Certificate fingerprints:
>> MD5: 60:6C:94:B6:5D:18:C3:AC:89:56:3F:A9:A2:70:83:37
>> SHA1: 0D:D4:14:24:E6:92:35:B7:5B:A3:71:A7:BF:45:B3:6C:37:65:7F:4E
>> SHA256:
>> 79:F0:77:65:27:93:5C:D0:55:73:42:B6:2D:4E:75:94:9A:64:6A:35:
>> 7C:12:4F:B0:CD:82:D7:89:96:8F:88:59
>> Signature algorithm name: SHA512withRSA
>> Subject Public Key Algorithm: 2048-bit RSA key
>> Version: 3
>>
>> Extensions:
>>
>> #1: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: 87 A5 26 94 CC 30 E8 63 66 61 87 1A 83 29 E7 63 ..&..0.cfa...).c
>> 0010: EE 16 2D B6 ..-.
>> ]
>> ]
>>
>>
>>
>> *******************************************
>> *******************************************
>>
>>
>> Alias name: pc18379_2
>> Creation date: Mar 15, 2018
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 1
>> Certificate[1]:
>> Owner: CN=pc18379
>> Issuer: CN=pc18379
>> Serial number: 23e58c32
>> Valid from: Thu Mar 15 14:06:38 CET 2018 until: Mon Mar 15 14:06:38 CET
>> 2021
>> Certificate fingerprints:
>> MD5: 15:71:70:31:43:11:D9:15:3B:5B:E7:F0:DD:AB:96:DB
>> SHA1: D6:37:E3:4B:75:C7:9E:4B:D2:92:5C:50:92:DB:71:17:BE:58:FC:2F
>> SHA256:
>> 52:88:88:AA:AE:C3:68:88:02:4D:CA:4E:32:76:DF:98:09:B9:03:9A:
>> AB:3E:C1:CF:69:6C:B2:B2:97:D8:87:ED
>> Signature algorithm name: SHA512withRSA
>> Subject Public Key Algorithm: 2048-bit RSA key
>> Version: 3
>>
>> Extensions:
>>
>> #1: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F...
>> 0010: 28 63 A8 D8 (c..
>> ]
>> ]
>>
>>
>>
>> *******************************************
>> *******************************************
>>
>>
>> Alias name: pc18379_3
>> Creation date: Mar 15, 2018
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 1
>> Certificate[1]:
>> Owner: CN=pc18379
>> Issuer: CN=pc18379
>> Serial number: 4c6d4854
>> Valid from: Thu Mar 15 14:06:44 CET 2018 until: Mon Mar 15 14:06:44 CET
>> 2021
>> Certificate fingerprints:
>> MD5: CC:FD:D2:DA:38:A1:0F:3E:B1:6D:A3:62:65:D0:E3:82
>> SHA1: EE:37:84:C3:8E:B1:42:06:32:07:A4:CF:F0:EA:39:E7:3D:9F:3B:4F
>> SHA256:
>> 18:D4:41:2D:40:F1:19:35:68:6A:90:A3:2D:8A:64:4D:AC:1E:30:DF:
>> 48:C9:13:F1:92:EF:A2:02:8B:B9:D3:B7
>> Signature algorithm name: SHA512withRSA
>> Subject Public Key Algorithm: 2048-bit RSA key
>> Version: 3
>>
>> Extensions:
>>
>> #1: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: CE 2A EE 5D B0 4A DE AA 47 97 A1 B2 70 14 9A 0A .*.].J..G...p...
>> 0010: BE 4F 84 87 .O..
>> ]
>> ]
>>
>>
>>
>> *******************************************
>> *******************************************
>>
>>
>> *I have keystore configured like (alias set to pc18379_1) in config.json*
>>
>> "keystores" : [ {
>> "id" : "7eaa413b-0759-4552-b962-8393f492bed5",
>> "name" : "keyStore",
>> "type" : "FileKeyStore",
>> "certificateAlias" : "pc18379_1",
>> "keyStoreType" : "pkcs12",
>> "password" : "123456",
>> "storeUrl" : "path_to/keystore",
>> "lastUpdatedBy" : "admin",
>> "lastUpdatedTime" : 1521120324562,
>> "createdBy" : null,
>> "createdTime" : 1520409258289
>> }
>>
>> But when I try to connect it seems server always offers certificate with
>> alias pc18379_2 (according to certificate serial number).
>>
>> *Part of client output with ssl debug below *
>>
>> ***
>> adding as trusted cert:
>> Subject: CN=pc18379
>> Issuer: CN=pc18379
>> Algorithm: RSA; Serial number: 0x54f1c168
>> Valid from Thu Mar 15 14:05:07 CET 2018 until Mon Mar 15 14:05:07 CET
>> 2021
>>
>> trigger seeding of SecureRandom
>> done seeding SecureRandom
>> Using SSLEngineImpl.
>> Allow unsafe renegotiation: false
>> Allow legacy hello messages: true
>> Is initial handshake: true
>> Is secure renegotiation: false
>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> for
>> TLSv1
>> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
>> TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>> for
>> TLSv1
>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
>> TLSv1
>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
>> TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> for
>> TLSv1.1
>> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
>> TLSv1.1
>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>> for
>> TLSv1.1
>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
>> TLSv1.1
>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
>> TLSv1.1
>> %% No cached client session
>> *** ClientHello, TLSv1.2
>> RandomCookie: GMT: 1504343366 bytes = { 242, 16, 210, 94, 238, 136, 192,
>> 81, 81, 214, 102, 58, 118, 26, 105, 92, 227, 208, 129, 50, 61, 64, 149,
>> 184,
>> 63, 8, 156, 167 }
>> Session ID: {}
>> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256,
>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_
>> GCM_SHA256,
>> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_
>> CBC_SHA,
>> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
>> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
>> TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
>> Compression Methods: { 0 }
>> Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1,
>> sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1,
>> secp256k1}
>> Extension ec_point_formats, formats: [uncompressed]
>> Extension signature_algorithms, signature_algorithms: SHA512withECDSA,
>> SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
>> SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA,
>> SHA224withDSA,
>> SHA1withECDSA, SHA1withRSA, SHA1withDSA
>> Extension extended_master_secret
>> ***
>> epollEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 213
>> epollEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 1181
>> *** ServerHello, TLSv1.2
>> RandomCookie: GMT: 1504343366 bytes = { 34, 240, 18, 201, 166, 150, 106,
>> 20, 7, 238, 118, 230, 164, 241, 16, 205, 144, 166, 225, 15, 198, 46, 255,
>> 202, 105, 76, 188, 245 }
>> Session ID: {90, 170, 117, 70, 148, 189, 188, 50, 181, 3, 51, 89, 233,
>> 185,
>> 36, 131, 116, 25, 85, 242, 62, 233, 49, 26, 251, 189, 219, 18, 78, 95, 78,
>> 192}
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> Compression Method: 0
>> Extension renegotiation_info, renegotiated_connection: <empty>
>> Extension extended_master_secret
>> ***
>> %% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
>> ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> *** Certificate chain
>> chain [0] = [
>> [
>> Version: V3
>> Subject: CN=pc18379
>> Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13
>>
>> Key: Sun RSA public key, 2048 bits
>> modulus:
>> 165438698110777102574935180066646178230189714551405711000916
>> 502231729221499168988929095436092143629756893423630326110074
>> 611129606788770716290100233694798872132130313346237270268074
>> 600727967433242271462965976511106532762191403789966800934214
>> 703128344239387335255206277776901505998285012989408302330099
>> 101903223715581339670048094254818467715367589045654455766621
>> 391363764385129266254840326773292376711967879512715408835168
>> 905677748756299230477536746741007092191896220734233520322065
>> 536695611138534864481068128580398582561034709070229388393652
>> 615212670230082739228411698920125306860255123140496291356609
>> 48872714396612667
>> public exponent: 65537
>> Validity: [From: Thu Mar 15 14:06:38 CET 2018,
>> To: Mon Mar 15 14:06:38 CET 2021]
>> Issuer: CN=pc18379
>> SerialNumber: [ 23e58c32]
>>
>> Certificate Extensions: 1
>> [1]: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F...
>> 0010: 28 63 A8 D8 (c..
>> ]
>> ]
>>
>> ]
>> Algorithm: [SHA512withRSA]
>> Signature:
>> 0000: 5B E5 5C 5E FE B7 1E 7C 32 B5 F8 22 A2 4A 37 5A [.\^....2..".J7Z
>> 0010: 82 19 72 71 DE 65 00 05 56 6F 85 DD A3 EF BA 3C ..rq.e..Vo.....<
>> 0020: 7F 1E 90 A3 26 6B 18 4D F7 79 59 92 A0 6D 53 06 ....&k.M.yY..mS.
>> 0030: 38 C4 47 A1 CC D1 D1 D3 64 8E D2 13 F1 4D C1 EB 8.G.....d....M..
>> 0040: C2 F4 57 2A 9C 90 F9 3B 5B F8 72 C5 37 9E 09 57 ..W*...;[.r.7..W
>> 0050: FB 33 2C 00 70 22 82 94 27 E1 F4 9D 0E A5 76 77 .3,.p"..'.....vw
>> 0060: 7C C1 02 E7 B3 7A 13 C4 CE F4 62 9E 3E 1F FA F6 .....z....b.>...
>> 0070: 6C BD 2C AE 53 2C 6D 9E BC 21 50 46 44 85 B5 62 l.,.S,m..!PFD..b
>> 0080: 0F 11 23 60 9D 48 F2 41 7D BD 30 23 0E 21 D5 A7 ..#`.H.A..0#.!..
>> 0090: 30 E7 E4 33 0C 7D 0B 8A EA 2D 30 6C 25 ED D3 2A 0..3.....-0l%..*
>> 00A0: 79 E7 9E 6C 1C C5 D0 D7 25 AF B7 A6 BD D1 C4 21 y..l....%......!
>> 00B0: 11 91 6E 8A BA 9F E9 47 B4 09 65 10 28 49 A5 1E ..n....G..e.(I..
>> 00C0: 77 6A 5B 62 8C 01 FA E2 F1 22 46 E2 0C D8 5F DF wj[b....."F..._.
>> 00D0: 71 E5 51 52 73 DD FB 70 3C 42 61 08 F7 30 84 7E q.QRs..p<Ba..0..
>> 00E0: 68 3B A1 FC 8F F4 72 DD 91 38 C5 4D 8F ED D5 69 h;....r..8.M...i
>> 00F0: 25 A7 3C 4F 51 20 48 22 1C F7 18 63 A4 18 73 A0 %.<OQ H"...c..s.
>>
>> ]
>> ***
>> epollEventLoopGroup-2-1, fatal error: 46: General SSLEngine problem
>> sun.security.validator.ValidatorException: PKIX path validation failed:
>> java.security.cert.CertPathValidatorException: signature check failed
>> %% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
>> epollEventLoopGroup-2-1, SEND TLSv1.2 ALERT: fatal, description =
>> certificate_unknown
>> epollEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 2
>> epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing
>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>> epollEventLoopGroup-2-1, called closeOutbound()
>> epollEventLoopGroup-2-1, closeOutboundInternal()
>> epollEventLoopGroup-2-1, called closeInbound()
>> epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing
>> javax.net.ssl.SSLException: Inbound closed before receiving peer's
>> close_notify: possible truncation attack?
>> epollEventLoopGroup-2-1, called closeOutbound()
>> epollEventLoopGroup-2-1, closeOutboundInternal()
>> epollEventLoopGroup-2-1, called closeInbound()
>> epollEventLoopGroup-2-1, closeInboundInternal()
>>
>> Even when certificate alias in java broker keystore configuration is set to
>> pc18379_1 (serial number - 54f1c168), java broker always offers certificate
>> with alias pc18379_2 (serial number - 23e58c32).
>>
>> Am I doing anything wrong?
>>
>> Java Broker version 7.0.1
>> Qpid JMS client version 0.27.0
>>
>> Regards,
>> Tomas
>>
>>
>>
>> --
>> Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-
>> f2158936.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
>> For additional commands, e-mail: users-help@qpid.apache.org
>>
>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: [Java Broker] Select certificate from broker keystore
Posted by Rob Godfrey <ro...@gmail.com>.
Hi Tomas,
there is/was a bug in the broker whereby it would always pick the first
certificate rather than the one with the correct alias. I fixed the bug as
part of QPID-7567[1] last year, however I think that is only on master (and
scheduled for 7.1) and hasn't been backported to 7.0.x.
-- Rob
[1] https://issues.apache.org/jira/browse/QPID-7567
On 15 March 2018 at 15:03, Vavricka <va...@gmail.com> wrote:
> Hi,
>
> *I generate multiple self-signed certificates by:*
>
> keytool -genkeypair -alias pc18379_1 -dname CN=pc18379 -validity 1096
> -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456'
> -storepass
> 123456 -deststoretype PKCS12 -keystore pc18379_1.jks
> keytool -genkeypair -alias pc18379_2 -dname CN=pc18379 -validity 1096
> -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456'
> -storepass
> 123456 -deststoretype PKCS12 -keystore pc18379_2.jks
> keytool -genkeypair -alias pc18379_3 -dname CN=pc18379 -validity 1096
> -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass '123456'
> -storepass
> 123456 -deststoretype PKCS12 -keystore pc18379_3.jks
>
> Each generated keypair has own keystore.
>
> *I export private keys to keystore which broker will use by:*
>
> keytool -importkeystore -srckeystore pc18379_1.jks -srcstoretype PKCS12
> -storepass '123456' -srcstorepass '123456' -alias pc18379_1 -deststoretype
> PKCS12 -destkeystore keystore
> keytool -importkeystore -srckeystore pc18379_2.jks -srcstoretype PKCS12
> -storepass '123456' -srcstorepass '123456' -alias pc18379_2 -deststoretype
> PKCS12 -destkeystore keystore
> keytool -importkeystore -srckeystore pc18379_3.jks -srcstoretype PKCS12
> -storepass '123456' -srcstorepass '123456' -alias pc18379_3 -deststoretype
> PKCS12 -destkeystore keystore
>
> *I export public certificates by:*
>
> keytool -exportcert -keystore pc18379_1.jks -storepass '123456' -alias
> pc18379_1 -rfc -file pc18379_1.crt
> keytool -exportcert -keystore pc18379_2.jks -storepass '123456' -alias
> pc18379_2 -rfc -file pc18379_2.crt
> keytool -exportcert -keystore pc18379_3.jks -storepass '123456' -alias
> pc18379_3 -rfc -file pc18379_3.crt
>
> *I create truststores for clients by:*
>
> keytool -import -alias pc18379_1 -file pc18379_1.crt -storepass '123456'
> -noprompt -deststoretype PKCS12 -keystore pc18379_1.truststore
> keytool -import -alias pc18379_2 -file pc18379_2.crt -storepass '123456'
> -noprompt -deststoretype PKCS12 -keystore pc18379_2.truststore
> keytool -import -alias pc18379_3 -file pc18379_3.crt -storepass '123456'
> -noprompt -deststoretype PKCS12 -keystore pc18379_3.truststore
>
> *List of certificates in "keystore" (keystore broker will use)*
>
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> Alias name: pc18379_1
> Creation date: Mar 15, 2018
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=pc18379
> Issuer: CN=pc18379
> Serial number: 54f1c168
> Valid from: Thu Mar 15 14:05:07 CET 2018 until: Mon Mar 15 14:05:07 CET
> 2021
> Certificate fingerprints:
> MD5: 60:6C:94:B6:5D:18:C3:AC:89:56:3F:A9:A2:70:83:37
> SHA1: 0D:D4:14:24:E6:92:35:B7:5B:A3:71:A7:BF:45:B3:6C:37:65:7F:4E
> SHA256:
> 79:F0:77:65:27:93:5C:D0:55:73:42:B6:2D:4E:75:94:9A:64:6A:35:
> 7C:12:4F:B0:CD:82:D7:89:96:8F:88:59
> Signature algorithm name: SHA512withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 87 A5 26 94 CC 30 E8 63 66 61 87 1A 83 29 E7 63 ..&..0.cfa...).c
> 0010: EE 16 2D B6 ..-.
> ]
> ]
>
>
>
> *******************************************
> *******************************************
>
>
> Alias name: pc18379_2
> Creation date: Mar 15, 2018
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=pc18379
> Issuer: CN=pc18379
> Serial number: 23e58c32
> Valid from: Thu Mar 15 14:06:38 CET 2018 until: Mon Mar 15 14:06:38 CET
> 2021
> Certificate fingerprints:
> MD5: 15:71:70:31:43:11:D9:15:3B:5B:E7:F0:DD:AB:96:DB
> SHA1: D6:37:E3:4B:75:C7:9E:4B:D2:92:5C:50:92:DB:71:17:BE:58:FC:2F
> SHA256:
> 52:88:88:AA:AE:C3:68:88:02:4D:CA:4E:32:76:DF:98:09:B9:03:9A:
> AB:3E:C1:CF:69:6C:B2:B2:97:D8:87:ED
> Signature algorithm name: SHA512withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F...
> 0010: 28 63 A8 D8 (c..
> ]
> ]
>
>
>
> *******************************************
> *******************************************
>
>
> Alias name: pc18379_3
> Creation date: Mar 15, 2018
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=pc18379
> Issuer: CN=pc18379
> Serial number: 4c6d4854
> Valid from: Thu Mar 15 14:06:44 CET 2018 until: Mon Mar 15 14:06:44 CET
> 2021
> Certificate fingerprints:
> MD5: CC:FD:D2:DA:38:A1:0F:3E:B1:6D:A3:62:65:D0:E3:82
> SHA1: EE:37:84:C3:8E:B1:42:06:32:07:A4:CF:F0:EA:39:E7:3D:9F:3B:4F
> SHA256:
> 18:D4:41:2D:40:F1:19:35:68:6A:90:A3:2D:8A:64:4D:AC:1E:30:DF:
> 48:C9:13:F1:92:EF:A2:02:8B:B9:D3:B7
> Signature algorithm name: SHA512withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: CE 2A EE 5D B0 4A DE AA 47 97 A1 B2 70 14 9A 0A .*.].J..G...p...
> 0010: BE 4F 84 87 .O..
> ]
> ]
>
>
>
> *******************************************
> *******************************************
>
>
> *I have keystore configured like (alias set to pc18379_1) in config.json*
>
> "keystores" : [ {
> "id" : "7eaa413b-0759-4552-b962-8393f492bed5",
> "name" : "keyStore",
> "type" : "FileKeyStore",
> "certificateAlias" : "pc18379_1",
> "keyStoreType" : "pkcs12",
> "password" : "123456",
> "storeUrl" : "path_to/keystore",
> "lastUpdatedBy" : "admin",
> "lastUpdatedTime" : 1521120324562,
> "createdBy" : null,
> "createdTime" : 1520409258289
> }
>
> But when I try to connect it seems server always offers certificate with
> alias pc18379_2 (according to certificate serial number).
>
> *Part of client output with ssl debug below *
>
> ***
> adding as trusted cert:
> Subject: CN=pc18379
> Issuer: CN=pc18379
> Algorithm: RSA; Serial number: 0x54f1c168
> Valid from Thu Mar 15 14:05:07 CET 2018 until Mon Mar 15 14:05:07 CET
> 2021
>
> trigger seeding of SecureRandom
> done seeding SecureRandom
> Using SSLEngineImpl.
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for
> TLSv1
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
> TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for
> TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
> TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
> TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for
> TLSv1.1
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
> TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for
> TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
> TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
> TLSv1.1
> %% No cached client session
> *** ClientHello, TLSv1.2
> RandomCookie: GMT: 1504343366 bytes = { 242, 16, 210, 94, 238, 136, 192,
> 81, 81, 214, 102, 58, 118, 26, 105, 92, 227, 208, 129, 50, 61, 64, 149,
> 184,
> 63, 8, 156, 167 }
> Session ID: {}
> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_
> GCM_SHA256,
> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_
> CBC_SHA,
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> Compression Methods: { 0 }
> Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1,
> sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1,
> secp256k1}
> Extension ec_point_formats, formats: [uncompressed]
> Extension signature_algorithms, signature_algorithms: SHA512withECDSA,
> SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
> SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA,
> SHA224withDSA,
> SHA1withECDSA, SHA1withRSA, SHA1withDSA
> Extension extended_master_secret
> ***
> epollEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 213
> epollEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 1181
> *** ServerHello, TLSv1.2
> RandomCookie: GMT: 1504343366 bytes = { 34, 240, 18, 201, 166, 150, 106,
> 20, 7, 238, 118, 230, 164, 241, 16, 205, 144, 166, 225, 15, 198, 46, 255,
> 202, 105, 76, 188, 245 }
> Session ID: {90, 170, 117, 70, 148, 189, 188, 50, 181, 3, 51, 89, 233,
> 185,
> 36, 131, 116, 25, 85, 242, 62, 233, 49, 26, 251, 189, 219, 18, 78, 95, 78,
> 192}
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> Compression Method: 0
> Extension renegotiation_info, renegotiated_connection: <empty>
> Extension extended_master_secret
> ***
> %% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
> ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> *** Certificate chain
> chain [0] = [
> [
> Version: V3
> Subject: CN=pc18379
> Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13
>
> Key: Sun RSA public key, 2048 bits
> modulus:
> 165438698110777102574935180066646178230189714551405711000916
> 502231729221499168988929095436092143629756893423630326110074
> 611129606788770716290100233694798872132130313346237270268074
> 600727967433242271462965976511106532762191403789966800934214
> 703128344239387335255206277776901505998285012989408302330099
> 101903223715581339670048094254818467715367589045654455766621
> 391363764385129266254840326773292376711967879512715408835168
> 905677748756299230477536746741007092191896220734233520322065
> 536695611138534864481068128580398582561034709070229388393652
> 615212670230082739228411698920125306860255123140496291356609
> 48872714396612667
> public exponent: 65537
> Validity: [From: Thu Mar 15 14:06:38 CET 2018,
> To: Mon Mar 15 14:06:38 CET 2021]
> Issuer: CN=pc18379
> SerialNumber: [ 23e58c32]
>
> Certificate Extensions: 1
> [1]: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 97 0A 71 24 FA C9 EB 52 72 D8 30 AC 46 FA 87 02 ..q$...Rr.0.F...
> 0010: 28 63 A8 D8 (c..
> ]
> ]
>
> ]
> Algorithm: [SHA512withRSA]
> Signature:
> 0000: 5B E5 5C 5E FE B7 1E 7C 32 B5 F8 22 A2 4A 37 5A [.\^....2..".J7Z
> 0010: 82 19 72 71 DE 65 00 05 56 6F 85 DD A3 EF BA 3C ..rq.e..Vo.....<
> 0020: 7F 1E 90 A3 26 6B 18 4D F7 79 59 92 A0 6D 53 06 ....&k.M.yY..mS.
> 0030: 38 C4 47 A1 CC D1 D1 D3 64 8E D2 13 F1 4D C1 EB 8.G.....d....M..
> 0040: C2 F4 57 2A 9C 90 F9 3B 5B F8 72 C5 37 9E 09 57 ..W*...;[.r.7..W
> 0050: FB 33 2C 00 70 22 82 94 27 E1 F4 9D 0E A5 76 77 .3,.p"..'.....vw
> 0060: 7C C1 02 E7 B3 7A 13 C4 CE F4 62 9E 3E 1F FA F6 .....z....b.>...
> 0070: 6C BD 2C AE 53 2C 6D 9E BC 21 50 46 44 85 B5 62 l.,.S,m..!PFD..b
> 0080: 0F 11 23 60 9D 48 F2 41 7D BD 30 23 0E 21 D5 A7 ..#`.H.A..0#.!..
> 0090: 30 E7 E4 33 0C 7D 0B 8A EA 2D 30 6C 25 ED D3 2A 0..3.....-0l%..*
> 00A0: 79 E7 9E 6C 1C C5 D0 D7 25 AF B7 A6 BD D1 C4 21 y..l....%......!
> 00B0: 11 91 6E 8A BA 9F E9 47 B4 09 65 10 28 49 A5 1E ..n....G..e.(I..
> 00C0: 77 6A 5B 62 8C 01 FA E2 F1 22 46 E2 0C D8 5F DF wj[b....."F..._.
> 00D0: 71 E5 51 52 73 DD FB 70 3C 42 61 08 F7 30 84 7E q.QRs..p<Ba..0..
> 00E0: 68 3B A1 FC 8F F4 72 DD 91 38 C5 4D 8F ED D5 69 h;....r..8.M...i
> 00F0: 25 A7 3C 4F 51 20 48 22 1C F7 18 63 A4 18 73 A0 %.<OQ H"...c..s.
>
> ]
> ***
> epollEventLoopGroup-2-1, fatal error: 46: General SSLEngine problem
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: signature check failed
> %% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
> epollEventLoopGroup-2-1, SEND TLSv1.2 ALERT: fatal, description =
> certificate_unknown
> epollEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 2
> epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> epollEventLoopGroup-2-1, called closeOutbound()
> epollEventLoopGroup-2-1, closeOutboundInternal()
> epollEventLoopGroup-2-1, called closeInbound()
> epollEventLoopGroup-2-1, fatal: engine already closed. Rethrowing
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
> epollEventLoopGroup-2-1, called closeOutbound()
> epollEventLoopGroup-2-1, closeOutboundInternal()
> epollEventLoopGroup-2-1, called closeInbound()
> epollEventLoopGroup-2-1, closeInboundInternal()
>
> Even when certificate alias in java broker keystore configuration is set to
> pc18379_1 (serial number - 54f1c168), java broker always offers certificate
> with alias pc18379_2 (serial number - 23e58c32).
>
> Am I doing anything wrong?
>
> Java Broker version 7.0.1
> Qpid JMS client version 0.27.0
>
> Regards,
> Tomas
>
>
>
> --
> Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-
> f2158936.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
>