[jira] [Work logged] (AMQ-7301) Expired certificates trigger a full stack trace

Mon, 09 Mar 2020 23:51:04 -0700 


     [ 
https://issues.apache.org/jira/browse/AMQ-7301?focusedWorklogId=400578&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-400578
 ]

ASF GitHub Bot logged work on AMQ-7301:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 10/Mar/20 06:50
            Start Date: 10/Mar/20 06:50
    Worklog Time Spent: 10m 
      Work Description: jbonofre commented on pull request #507: [AMQ-7301] 
Propagate the exception in order to close the connection cleanly
URL: https://github.com/apache/activemq/pull/507
 
 
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 400578)
    Time Spent: 50m  (was: 40m)

> Expired certificates trigger a full stack trace
> -----------------------------------------------
>
>                 Key: AMQ-7301
>                 URL: https://issues.apache.org/jira/browse/AMQ-7301
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Security/JAAS
>    Affects Versions: 5.15.10
>         Environment: ActiveMQ 5.15.10 as standalone broker
>            Reporter: Lionel Cons
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 5.16.0, 5.15.12
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> When using an expired certificate to authenticate via STOMP, ActiveMQ logs a 
> complete stack trace:
>   
> {code}
> 2019-09-10 10:36:07,784 [ActiveMQ BrokerService[broker.acme.com] Task-12] 
> ERROR TransportConnector - Could not accept connection from null : {}
>  java.io.IOException: javax.net.ssl.SSLHandshakeException: General SSLEngine 
> problem
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
>  at 
> org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)
>  at 
> org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
>  at 
> org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
>  at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
>  at 
> org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>  at 
> org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)
>  at 
> org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
>  at 
> org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>  at 
> org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
>  at 
> org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
>  at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>  at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>  at java.lang.Thread.run(Thread.java:748)
>  Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>  at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
>  at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
>  at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
>  at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
>  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>  at 
> org.apache.activemq.transport.nio.NIOOutputStream.write(NIOOutputStream.java:174)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:452)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
>  ... 14 more
>  Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
>  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
>  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
>  at 
> sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1983)
>  at 
> sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232)
>  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
>  at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
>  at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
>  at java.security.AccessController.doPrivileged(Native Method)
>  at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
>  at 
> org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:448)
>  ... 15 more
>  Caused by: sun.security.validator.ValidatorException: PKIX path validation 
> failed: java.security.cert.CertPathValidatorException: validity check failed
>  at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
>  at 
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
>  at sun.security.validator.Validator.validate(Validator.java:262)
>  at 
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>  at 
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
>  at 
> sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
>  at 
> sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1970)
>  ... 22 more
>  Caused by: java.security.cert.CertPathValidatorException: validity check 
> failed
>  at 
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>  at 
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
>  at 
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
>  at 
> sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
>  at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>  at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
>  ... 28 more
>  Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu May 
> 23 12:21:49 CEST 2019
>  at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
>  at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
>  at 
> sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
>  at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
>  at 
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
>  ... 33 more
> {code}
> There are several problems here:
>  # this should be a {{WARN}} and not an {{ERROR}} (like an invalid password)
>  # the IP address and/or certificate DN should be logged
>  # a single line should be reported, not the full stack trace



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to