[JBoss JIRA] (ELY-1528) Unable to create SSL connection if expired certificate chain used
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1528?page=com.atlassian.jira.plugin.s... ]
Martin Choma moved WFLY-9922 to ELY-1528:
-----------------------------------------
Project: WildFly Elytron (was: WildFly)
Key: ELY-1528 (was: WFLY-9922)
Component/s: SSL
(was: Security)
Affects Version/s: 1.2.1.Final
(was: 12.0.0.CR1)
> Unable to create SSL connection if expired certificate chain used
> -----------------------------------------------------------------
>
> Key: ELY-1528
> URL: https://issues.jboss.org/browse/ELY-1528
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Affects Versions: 1.2.1.Final
> Reporter: Martin Choma
>
> Reproducer:
> * Server is secured by a certificate chain, meaning the server certificate is signed by an Intermediate CA, which is signed by a root CA.
> * The server certificate is expired.
> * Client has the Intermediate CA in its Elytron truststore.
> * SSL handshake fails using the Elytron client SSL context:
> {code}
> 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
> 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2
> 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7
> 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E .......
> 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket()
> 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017
> {code}
> The full SSL handshake log is in the attached ssl_handshake_CA.log.
> * If I put the expired certificate itself into the truststore, the SSL handshake passes, although a warning is logged.
> {code}
> 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017
> at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
> at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
> at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
> at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177)
> at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680)
> at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527)
> at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
> at java.lang.Thread.run(Thread.java:748)
> {code}
> The full SSL handshake log is in the attached ssl_handshake_certificate.log.
> So the behaviour in these 2 cases is inconsistent. I think we agreed before that we let the SSL handshake pass with an expired certificate but warn about it in the log [1].
> [1] https://issues.jboss.org/browse/JBEAP-6157
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
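The reporter's setup, as an added example that is not part of the JIRA issue or of WildFly Elytron: it is written in Go because the Go standard library can mint the root CA -> intermediate CA -> expired server certificate chain offline and run path validation over it. `expiredIn` is the keystore-level expiry report behind a warning like WFLYELY00024, and `verifyAgainst` shows how plain X.509 path validation treats the expired leaf in both truststore layouts from the report (intermediate CA as anchor, and the expired leaf itself as anchor); certificate names and validity periods are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mint issues a certificate for cn signed by parent/parentKey, or self-signed
// when parent is nil. Keys and certificates are generated in memory.
func mint(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial only
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain reproduces the reporter's setup: root CA -> intermediate CA ->
// server certificate, with the server certificate expired one day before now.
func buildChain(now time.Time) (root, inter, leaf *x509.Certificate, err error) {
	year := 365 * 24 * time.Hour
	root, rootKey, err := mint("Test Root CA", true, now.Add(-3*year), now.Add(10*year), nil, nil)
	if err != nil {
		return
	}
	inter, interKey, err := mint("Test Intermediate CA", true, now.Add(-2*year), now.Add(5*year), root, rootKey)
	if err != nil {
		return
	}
	leaf, _, err = mint("server.example.test", false, now.Add(-year), now.Add(-24*time.Hour), inter, interKey)
	return
}

// expiredIn lists every certificate whose validity window does not contain now:
// the keystore-level check behind a WFLYELY00024-style startup warning.
func expiredIn(certs []*x509.Certificate, now time.Time) []string {
	var out []string
	for _, c := range certs {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			out = append(out, fmt.Sprintf("%s (NotAfter: %s)",
				c.Subject.CommonName, c.NotAfter.UTC().Format(time.RFC1123)))
		}
	}
	return out
}

// verifyAgainst runs path validation of leaf with anchors as the truststore at time
// now; expired is true when the failure is specifically the validity period.
func verifyAgainst(leaf *x509.Certificate, anchors []*x509.Certificate, now time.Time) (ok, expired bool) {
	pool := x509.NewCertPool()
	for _, c := range anchors {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	if err == nil {
		return true, false
	}
	var inv x509.CertificateInvalidError
	return false, errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	now := time.Now()
	root, inter, leaf, err := buildChain(now)
	if err != nil {
		panic(err)
	}
	ok, exp := verifyAgainst(leaf, []*x509.Certificate{inter}, now)
	fmt.Printf("intermediate CA in truststore:     ok=%v expired=%v\n", ok, exp)
	ok, exp = verifyAgainst(leaf, []*x509.Certificate{leaf}, now)
	fmt.Printf("expired leaf itself in truststore: ok=%v expired=%v\n", ok, exp)
	for _, w := range expiredIn([]*x509.Certificate{leaf, inter, root}, now) {
		fmt.Println("WARN certificate in store is not valid:", w)
	}
}
```

Unlike the lenient path the reporter observed in Elytron, standard path validation here rejects the expired leaf in both layouts, so the expiry report is the place to surface the condition before a handshake fails.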
[JBoss JIRA] (WFLY-9922) Unable to create SSL connection if expired certificate chain used
by Martin Choma (JIRA)
Martin Choma created WFLY-9922:
----------------------------------
Summary: Unable to create SSL connection if expired certificate chain used
Key: WFLY-9922
URL: https://issues.jboss.org/browse/WFLY-9922
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 12.0.0.CR1
Reporter: Martin Choma
[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ]
Martin Choma updated WFLY-9921:
-------------------------------
Description:
Reproducer:
* Server is secured by a certificate chain, meaning the server certificate is signed by an Intermediate CA, which is signed by a root CA.
* The server certificate is expired.
* Client has the Intermediate CA in its Elytron truststore.
* SSL handshake fails using the Elytron client SSL context:
{code}
18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2
18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7
18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E .......
18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket()
18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017
{code}
The full SSL handshake log is in the attached ssl_handshake_CA.log.
* If I put the expired certificate itself into the truststore, the SSL handshake passes, although a warning is logged.
{code}
18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177)
at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680)
at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
at java.lang.Thread.run(Thread.java:748)
{code}
The full SSL handshake log is in the attached ssl_handshake_certificate.log.
So the behaviour in these 2 cases is inconsistent. I think we agreed before that we let the SSL handshake pass with an expired certificate but warn about it in the log [1].
[1] https://issues.jboss.org/browse/JBEAP-6157
was:
Reproducer:
* Server is secured by a certificate chain, meaning the server certificate is signed by an Intermediate CA, which is signed by a root CA.
* The server certificate is expired.
* Client has the Intermediate CA in its Elytron truststore.
* SSL handshake fails using the Elytron client SSL context:
{code}
18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2
18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7
18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E .......
18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket()
18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017
{code}
If I put the expired certificate itself into the truststore, the SSL handshake passes, although a warning is logged.
{code}
18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177)
at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680)
at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
at java.lang.Thread.run(Thread.java:748)
{code}
So the behaviour in these 2 cases is inconsistent. I think we agreed before that we let the SSL handshake pass with an expired certificate but warn about it in the log [1].
[1] https://issues.jboss.org/browse/JBEAP-6157
[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ]
Martin Choma updated WFLY-9921:
-------------------------------
Attachment: ssl_handshake_CA.log
ssl_handshake_certificate.log
[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ]
Martin Choma updated WFLY-9921:
-------------------------------
Attachment: (was: ssl_handshake_chain.log)
[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ]
Martin Choma updated WFLY-9921:
-------------------------------
Attachment: ssl_handshake_chain.log
ssl_handshake_self_signed.log
6 years, 10 months
[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ]
Martin Choma updated WFLY-9921:
-------------------------------
Attachment: (was: ssl_handshake_self_signed.log)
6 years, 10 months
[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used
by Martin Choma (JIRA)
Martin Choma created WFLY-9921:
----------------------------------
Summary: Unable to create SSL connection if expired certificate chain used
Key: WFLY-9921
URL: https://issues.jboss.org/browse/WFLY-9921
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 12.0.0.CR1
Reporter: Martin Choma
Assignee: Darran Lofthouse
Reproducer:
* Server secured by a certificate chain, i.e. the certificate is signed by an intermediate CA which is signed by a root CA.
* Server certificate is expired
* Client has the intermediate CA in the Elytron truststore
* SSL handshake fails using the Elytron client SSL context:
{code}
18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2
18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7
18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E .......
18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket()
18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017
{code}
If I put the expired certificate itself into the truststore, the SSL handshake passes, although a warning is logged.
{code}
18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177)
at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680)
at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
at java.lang.Thread.run(Thread.java:748)
{code}
So the behaviour in these 2 cases is inconsistent. I think we agreed before that we let the SSL handshake pass with an expired certificate but warn about it in the log [1].
[1] https://issues.jboss.org/browse/JBEAP-6157
6 years, 10 months
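Added example, not code from the report or from WildFly/Elytron: the two outcomes described in the report reproduced against the plain JDK PKIX trust manager that an Elytron trust-manager resource wraps. It builds a root -> intermediate -> expired leaf chain with keytool (taken from java.home) in a temporary directory, then runs the same checkServerTrusted call against two truststores, one holding the intermediate CA and one holding the expired leaf itself, and separately runs the leaf's own checkValidity, which is the check behind the WFLYELY00024 start-up warning. Assumptions: a JDK 11 or newer; the DNs (CN=Demo-Root, CN=Demo-Intermediate, CN=localhost), the key store file ks.p12, the alias names and the password changeit are made up for this demo and appear nowhere in the report.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added demo, not Elytron code. Names, DNs, file names and the password below are made up. */
public class ExpiredChainDemo {

    private static final String PASS = "changeit";   // assumed demo password

    /** Anything that may throw, so the three checks can be reported the same way. */
    interface Check { void run() throws Exception; }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("expired-chain-demo");
        buildChainWithKeytool(dir);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate inter = load(cf, dir.resolve("inter.cer"));
        X509Certificate leaf = load(cf, dir.resolve("leaf.cer"));
        // The certificate message a TLS server holding this key store would send to the client.
        X509Certificate[] serverChain = { leaf, inter };

        // (a) The check KeyStoreService does at start-up: the leaf's own validity window only.
        System.out.println("leaf.checkValidity()      -> " + outcome(leaf::checkValidity));

        // (b) Report, first case: only the intermediate CA is trusted. PKIX path-validates the
        //     leaf against that anchor, and path validation includes the validity check, so it fails.
        X509TrustManager trustCa = trustManagerFor(inter);
        System.out.println("truststore = intermediate -> "
                + outcome(() -> trustCa.checkServerTrusted(serverChain, "RSA")));

        // (c) Report, second case: the expired leaf itself is in the truststore. SunJSSE's PKIX
        //     validator returns as soon as chain[0] is a trusted certificate, before any path
        //     validation, so no validity check runs and the handshake succeeds.
        X509TrustManager trustLeaf = trustManagerFor(leaf);
        System.out.println("truststore = leaf         -> "
                + outcome(() -> trustLeaf.checkServerTrusted(serverChain, "RSA")));
    }

    /** root -> intermediate -> leaf, with the leaf's validity window ending about a year ago. */
    static void buildChainWithKeytool(Path dir) throws Exception {
        keytool(dir, "-genkeypair", "-alias", "root", "-keyalg", "RSA", "-keysize", "2048",
                "-dname", "CN=Demo-Root", "-ext", "bc:c", "-validity", "3650");
        keytool(dir, "-genkeypair", "-alias", "inter", "-keyalg", "RSA", "-keysize", "2048",
                "-dname", "CN=Demo-Intermediate", "-validity", "3650");
        keytool(dir, "-genkeypair", "-alias", "leaf", "-keyalg", "RSA", "-keysize", "2048",
                "-dname", "CN=localhost", "-validity", "3650");
        // Intermediate CA certificate signed by the root, installed back on the 'inter' key entry.
        keytool(dir, "-certreq", "-alias", "inter", "-file", "inter.csr");
        keytool(dir, "-gencert", "-alias", "root", "-infile", "inter.csr", "-outfile", "inter.cer",
                "-ext", "bc:c", "-validity", "1825", "-rfc");
        keytool(dir, "-importcert", "-alias", "inter", "-file", "inter.cer", "-noprompt");
        // Server certificate signed by the intermediate: valid from 400 days ago for 30 days, i.e. expired.
        keytool(dir, "-certreq", "-alias", "leaf", "-file", "leaf.csr");
        keytool(dir, "-gencert", "-alias", "inter", "-infile", "leaf.csr", "-outfile", "leaf.cer",
                "-startdate", "-400d", "-validity", "30", "-rfc");
    }

    /** Runs the JDK's own keytool against ks.p12 in the demo directory; fails loudly on non-zero exit. */
    static void keytool(Path dir, String... args) throws Exception {
        List<String> cmd = new ArrayList<>(List.of(System.getProperty("java.home") + "/bin/keytool",
                "-keystore", "ks.p12", "-storetype", "PKCS12", "-storepass", PASS));
        cmd.addAll(Arrays.asList(args));
        Process p = new ProcessBuilder(cmd).directory(dir.toFile()).redirectErrorStream(true).start();
        String output = new String(p.getInputStream().readAllBytes());
        if (p.waitFor() != 0) {
            throw new IllegalStateException("keytool " + args[0] + " failed:\n" + output);
        }
    }

    static X509Certificate load(CertificateFactory cf, Path pem) throws Exception {
        try (InputStream in = Files.newInputStream(pem)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** A PKIX trust manager whose truststore contains exactly the given certificates. */
    static X509TrustManager trustManagerFor(X509Certificate... trusted) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        for (int i = 0; i < trusted.length; i++) {
            ts.setCertificateEntry("trusted-" + i, trusted[i]);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }

    /** "OK", or the rejection with the CertificateExpiredException surfaced if it is anywhere in the cause chain. */
    static String outcome(Check check) {
        try {
            check.run();
            return "OK (no exception)";
        } catch (Exception e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof CertificateExpiredException) {
                    return "REJECTED, " + t;
                }
            }
            return "REJECTED, " + e;
        }
    }
}
```

Run it with: java ExpiredChainDemo.java (single-file launch, JDK 11+). Line (a) is the condition behind the WFLYELY00024 warning at key store start, line (b) is the certificate_unknown alert from the first log (CertificateExpiredException wrapped in the trust manager's exception), and line (c) is the passing handshake from the second case. The point worth keeping in mind when comparing the two cases: (c) does not pass because an expired certificate was validated and then tolerated; it passes because the JDK trust manager skips path validation entirely for a chain whose first certificate is itself a trust anchor, so nothing about that certificate (expiry, key usage, revocation) is examined during the handshake, and the start-up warning is the only signal left.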