[ https://issues.apache.org/jira/browse/QPID-8064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Rudyy updated QPID-8064: ----------------------------- Status: Reviewable (was: In Progress) > [Broker-J] FileKeyStore should validate java keystore content to make sure > that private key is present > ------------------------------------------------------------------------------------------------------ > > Key: QPID-8064 > URL: https://issues.apache.org/jira/browse/QPID-8064 > Project: Qpid > Issue Type: Improvement > Components: Broker-J > Affects Versions: qpid-java-6.0.8, qpid-java-broker-7.0.0, qpid-java-6.1.5 > Reporter: Alex Rudyy > Assignee: Keith Wall > Priority: Minor > Fix For: qpid-java-broker-7.1.0, qpid-java-broker-7.0.3 > > > Currently Broker-J does not issue any error or warning when private key is > missed in java keystore (i.e., truststore is provided instead of keystore). > We should add a validation for the private key and deny keystore creation (or > recovery) if private key is not present. > When keystore without private key is configured, an attempt to make TLS > fails, but the root cause of the failure is difficult to debug. Even when > java debug logging is enabled (-Djavax.net.debug=all) the logs for the > handshake failure are confusing: "fatal error: 40: no cipher suites in > common", for example > {noformat} > HttpManagement-HTTP-392, READ: TLSv1 Handshake, length = 224 > *** ClientHello, TLSv1.2 > RandomCookie: GMT: -1512757423 bytes = { 141, 10, 192, 6, 218, 230, 103, > 203, 46, 231, 80, 160, 40, 21, 47, 125, 0, 149, 138, 74, 65, 251, 5, 165, > 194, 45, 196, 236 } > Session ID: {} > Cipher Suites: [Unknown 0xaa:0xaa, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, > Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, > TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, > TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, > TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA] > Compression Methods: { 0 } > Unsupported extension type_10794, data: > Extension renegotiation_info, renegotiated_connection: <empty> > Extension server_name, server_name: [type=host_name (0), > value=abcd24p9390.abc.ef.g1234567.net] > Unsupported extension type_23, data: > Unsupported extension type_35, data: > Extension signature_algorithms, signature_algorithms: SHA256withECDSA, > Unknown (hash:0x8, signature:0x4), SHA256withRSA, SHA384withECDSA, Unknown > (hash:0x8, signature:0x5), SHA384withRSA, Unknown (hash:0x8, signature:0x6), > SHA512withRSA, SHA1withRSA > Unsupported extension status_request, data: 01:00:00:00:00 > Unsupported extension type_18, data: > Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31 > Unsupported extension type_30032, data: > Extension ec_point_formats, formats: [uncompressed] > Extension elliptic_curves, curve names: {unknown curve 56026, unknown curve > 29, secp256r1, secp384r1} > Unsupported extension type_23130, data: 00 > *** > [read] MD5 and SHA1 hashes: len = 224 > 0000: 01 00 00 DC 03 03 A6 D5 27 51 8D 0A C0 06 DA E6 ........'Q...... > 0010: 67 CB 2E E7 50 A0 28 15 2F 7D 00 95 8A 4A 41 FB g...P.(./....JA. > 0020: 05 A5 C2 2D C4 EC 00 00 26 AA AA C0 2B C0 2F 00 ...-....&...+./. > 0030: 9E C0 2C C0 30 CC A9 CC A8 CC 14 CC 13 C0 13 00 ..,.0........... > 0040: 33 C0 14 00 39 00 9C 00 9D 00 2F 00 35 00 0A 01 3...9...../.5... > 0050: 00 00 8D 2A 2A 00 00 FF 01 00 01 00 00 00 00 24 ...**..........$ > 0060: 00 22 00 00 1F 76 73 69 6E 32 34 70 39 33 39 30 ."...abcd24p9390 > 0070: 2E 73 76 72 2E 75 73 2E 6A 70 6D 63 68 61 73 65 .abc.ef.g1234567 > 0080: 2E 6E 65 74 00 17 00 00 00 23 00 00 00 0D 00 14 .net.....#...... > 0090: 00 12 04 03 08 04 04 01 05 03 08 05 05 01 08 06 ................ > 00A0: 06 01 02 01 00 05 00 05 01 00 00 00 00 00 12 00 ................ > 00B0: 00 00 10 00 0E 00 0C 02 68 32 08 68 74 74 70 2F ........h2.http/ > 00C0: 31 2E 31 75 50 00 00 00 0B 00 02 01 00 00 0A 00 1.1uP........... > 00D0: 0A 00 08 DA DA 00 1D 00 17 00 18 5A 5A 00 01 00 ...........ZZ... > %% Initialized: [Session-37, SSL_NULL_WITH_NULL_NULL] > HttpManagement-HTTP-392, fatal error: 40: no cipher suites in common > javax.net.ssl.SSLHandshakeException: no cipher suites in common > %% Invalidated: [Session-37, SSL_NULL_WITH_NULL_NULL] > HttpManagement-HTTP-392, SEND TLSv1.2 ALERT: fatal, description = > handshake_failure > HttpManagement-HTTP-392, WRITE: TLSv1.2 Alert, length = 2 > HttpManagement-HTTP-392, fatal: engine already closed. Rethrowing > javax.net.ssl.SSLHandshakeException: no cipher suites in common > {noformat} > The broker should not allow keystore creation without private key or at least > one certificate. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org