[
https://issues.apache.org/jira/browse/ARTEMIS-5509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17955272#comment-17955272
]
Justin Bertram commented on ARTEMIS-5509:
-----------------------------------------
It appears to me that the SSL debug logging is from 2 different use-cases. The
first looks to be from a normal messaging connection which involves Netty.
However, the second looks to be from an HTTP connection (e.g. for Jolokia/web
console). Logging from these two things isn't comparable. Also, I wouldn't
expect _any_ Java SSL debug logging for messaging connections when using
OpenSSL since Netty won't be using Java SSL at all in that case.
Ultimately, there's not much (if anything) the broker can do about this. This
behavior is governed by the integration between Netty and OpenSSL. If you
really want to understand why there's a difference between using Java vs.
OpenSSL for the underlying {{io.netty.handler.ssl.SslContext}} I recommend you
work with the Netty community.
> SSL Exception not logged by broker in WARN/ERROR level with OPENSSL Provider
> ----------------------------------------------------------------------------
>
> Key: ARTEMIS-5509
> URL: https://issues.apache.org/jira/browse/ARTEMIS-5509
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: Broker
> Affects Versions: 2.37.0
> Reporter: Mohanavalli A
> Priority: Major
>
> When running the broker with the JDK SSL provider in the acceptor, when a client
> connects to the broker without any certificate, the broker logs the exception
> as:
> {noformat}AMQ222208: SSL handshake failed for client from /x.x.x.x:63060: javax.net.ssl.SSLHandshakeException: Empty client certificate chain.{noformat}
> Whereas if the broker is configured with the OPENSSL provider in the acceptor,
> there is no log at the broker (though the client connection fails with a
> bad_certificate exception).
> On running the broker with Java SSL debug enabled, below are the logs for JDK
> and OPENSSL. In both cases there is a {{javax.net.ssl.SSLHandshakeException}}
> thrown during the SSL authentication. In the case of JDK, a WARN level message is
> logged after the exception is thrown, but in the case of OPENSSL it is not
> logged at WARN or ERROR level by the broker.
>
> h3. JDK
> {noformat}
> javax.net.ssl|DEBUG|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.243 CEST|ServerHelloDone.java:97|Produced ServerHelloDone handshake message (
> <empty>
> )
> javax.net.ssl|DEBUG|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.245 CEST|CertificateMessage.java:372|Consuming client Certificate handshake message (
> "Certificates": <empty list>
> )
> javax.net.ssl|ERROR|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.245 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Empty client certificate chain (
> "throwable" :
> { javax.net.ssl.SSLHandshakeException: Empty client certificate chain
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
> at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
> at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
> at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:300)
> at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390)
> at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
> at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
> at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
> at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1076)
> at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1063)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1010)
> at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1649)
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1495)
> at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1336)
> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1385)
> at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
> at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
> at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
> at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
> at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1407)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
> at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:918)
> at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799)
> at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:501)
> at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:399)
> at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:994)
> at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)}
> )
> javax.net.ssl|WARNING|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.246 CEST|SSLEngineOutputRecord.java:182|outbound has closed, ignore outbound application data
> 2025-05-29 09:19:40,246 WARN [org.apache.activemq.artemis.core.server] AMQ222208: SSL handshake failed for client from /x.x.x.x:63060: javax.net.ssl.SSLHandshakeException: Empty client certificate chain.{noformat}
> h3. OPENSSL
> {noformat}
> javax.net.ssl|DEBUG|60|qtp984832924-96|2025-05-29 08:45:30.144 CEST|ServerHelloDone.java:97|Produced ServerHelloDone handshake message (
> <empty>
> )
> javax.net.ssl|DEBUG|60|qtp984832924-96|2025-05-29 08:45:30.147 CEST|Alert.java:238|Received alert message (
> "Alert": {
> "level" : "fatal",
> "description": "bad_certificate"
> }
> )
> javax.net.ssl|ERROR|60|qtp984832924-96|2025-05-29 08:45:30.148 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Received fatal alert: bad_certificate (
> "throwable" : {
> javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
> at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
> at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
> at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:192)
> at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
> at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
> at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
> at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
> at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
> at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
> at org.eclipse.jetty.io.ssl.SslConnection.unwrap(SslConnection.java:398)
> at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:721)
> at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:375)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)
> at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
> at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
> at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
> at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
> at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
> at java.base/java.lang.Thread.run(Thread.java:829)}
> ){noformat}
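As an added example (not from the report or the Artemis project), a small Python audit over constructed log lines abridged from the two captures above: it pairs each fatal alert in the javax.net.ssl debug stream with an AMQ222208 broker WARN in a short time window, so a monitoring rule that keys only on AMQ222208 can be checked for the visibility gap the reporter describes. The line formats, regexes and two-second window are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, abridged from the two captures in the report (Netty/JDK
# acceptor first, then the Jetty/OpenSSL-provider capture). Not real traffic.
SAMPLE_LOG = """\
javax.net.ssl|DEBUG|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.245 CEST|CertificateMessage.java:372|Consuming client Certificate handshake message (
javax.net.ssl|ERROR|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.245 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Empty client certificate chain (
2025-05-29 09:19:40,246 WARN [org.apache.activemq.artemis.core.server] AMQ222208: SSL handshake failed for client from /x.x.x.x:63060: javax.net.ssl.SSLHandshakeException: Empty client certificate chain.
javax.net.ssl|DEBUG|60|qtp984832924-96|2025-05-29 08:45:30.147 CEST|Alert.java:238|Received alert message (
javax.net.ssl|ERROR|60|qtp984832924-96|2025-05-29 08:45:30.148 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Received fatal alert: bad_certificate (
"""

# javax.net.ssl debug lines: pipe-separated; level is field 2, thread field 4, timestamp field 5.
JSSE_RE = re.compile(
    r"^javax\.net\.ssl\|(?P<level>[A-Z]+)\|[0-9A-F]+\|(?P<thread>[^|]*)\|"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})[^|]*\|[^|]*\|(?P<msg>.*)$")
# Broker log lines: "2025-05-29 09:19:40,246 WARN [logger] AMQ222208: ..."
BROKER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(?P<ms>\d{3}) (?P<level>WARN|ERROR) "
    r"\[[^\]]+\] (?P<code>AMQ\d+): (?P<msg>.*)$")
# The JSSE fatal-alert message: "Fatal (BAD_CERTIFICATE): <reason> ("
FATAL_RE = re.compile(r"Fatal \((?P<alert>[A-Z_]+)\): (?P<reason>[^(]+?)\s*\($")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def audit_handshake_failures(log_text, window=timedelta(seconds=2)):
    """Return one record per fatal TLS alert seen in the JSSE debug stream,
    flagging whether the broker also emitted AMQ222208 within `window`."""
    fatals, broker_warns = [], []
    for line in log_text.splitlines():
        m = JSSE_RE.match(line)
        if m and m["level"] == "ERROR":
            f = FATAL_RE.search(m["msg"])
            if f:
                fatals.append({"ts": _ts(m["ts"]), "thread": m["thread"],
                               "alert": f["alert"], "reason": f["reason"].strip()})
            continue
        b = BROKER_RE.match(line)
        if b and b["code"] == "AMQ222208":
            broker_warns.append(_ts(f'{b["ts"]}.{b["ms"]}'))
    # A fatal alert with no broker-level WARN shortly after it is invisible to
    # any alerting that keys on AMQ222208 alone.
    for f in fatals:
        f["broker_logged"] = any(f["ts"] <= w <= f["ts"] + window for w in broker_warns)
        del f["ts"]
    return fatals
```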
--
This message was sent by Atlassian Jira
(v8.20.10#820010)