February 2018 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-9921: ------------------------------- Description: Reproducer: * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. * Server certificate is expired * Client has Intermediate CA in Elytron truststore * SSL handshake fails using Elytron client ssl context: {code} 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 {code} Full SSL handshake log is in attached ssl_handshake_CA.log * If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. {code} 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) at java.lang.Thread.run(Thread.java:748) {code} Full SSL handshake log is in attached ssl_handshake_certificate.log So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. [1] https://issues.jboss.org/browse/JBEAP-6157 was: Reproducer: * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. * Server certificate is expired * Client has Intermediate CA in Elytron truststore * SSL handshake fails using Elytron client ssl context: {code} 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 {code} If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. {code} 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) at java.lang.Thread.run(Thread.java:748) {code} So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. [1] https://issues.jboss.org/browse/JBEAP-6157 > Unable to create SSL connection if expired certificate chain used > ----------------------------------------------------------------- > > Key: WFLY-9921 > URL: https://issues.jboss.org/browse/WFLY-9921 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.CR1 > Reporter: Martin Choma > Attachments: ssl_handshake_CA.log, ssl_handshake_certificate.log > > > Reproducer: > * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. > * Server certificate is expired > * Client has Intermediate CA in Elytron truststore > * SSL handshake fails using Elytron client ssl context: > {code} > 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown > 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 > 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 > 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... > 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() > 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 > {code} > Full SSL handshake log is in attached ssl_handshake_CA.log > * If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. > {code} > 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 > at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) > at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) > at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) > at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) > at java.lang.Thread.run(Thread.java:748) > {code} > Full SSL handshake log is in attached ssl_handshake_certificate.log > So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. > [1] https://issues.jboss.org/browse/JBEAP-6157 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-9921: ------------------------------- Description: Reproducer: * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. * Server certificate is expired * Client has Intermediate CA in Elytron truststore * SSL handshake fails using Elytron client ssl context: {code} 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 {code} Full SSL handshake log is in attached ssl_handshake_CA.log * If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. {code} 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) at java.lang.Thread.run(Thread.java:748) {code} Full SSL handshake log is in attached ssl_handshake_certificate.log So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. [1] https://issues.jboss.org/browse/JBEAP-6157 was: Reproducer: * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. * Server certificate is expired * Client has Intermediate CA in Elytron truststore * SSL handshake fails using Elytron client ssl context: {code} 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 {code} Full SSL handshake log is in attached ssl_handshake_CA.log * If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. {code} 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) at java.lang.Thread.run(Thread.java:748) {code} Full SSL handshake log is in attached ssl_handshake_certificate.log So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. [1] https://issues.jboss.org/browse/JBEAP-6157 > Unable to create SSL connection if expired certificate chain used > ----------------------------------------------------------------- > > Key: WFLY-9921 > URL: https://issues.jboss.org/browse/WFLY-9921 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.CR1 > Reporter: Martin Choma > Attachments: ssl_handshake_CA.log, ssl_handshake_certificate.log > > > Reproducer: > * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. > * Server certificate is expired > * Client has Intermediate CA in Elytron truststore > * SSL handshake fails using Elytron client ssl context: > {code} > 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown > 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 > 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 > 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... > 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() > 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 > {code} > Full SSL handshake log is in attached ssl_handshake_CA.log > * If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. > {code} > 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 > at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) > at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) > at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) > at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) > at java.lang.Thread.run(Thread.java:748) > {code} > Full SSL handshake log is in attached ssl_handshake_certificate.log > So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. > [1] https://issues.jboss.org/browse/JBEAP-6157 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-9921: ------------------------------- Attachment: ssl_handshake_CA.log ssl_handshake_certificate.log > Unable to create SSL connection if expired certificate chain used > ----------------------------------------------------------------- > > Key: WFLY-9921 > URL: https://issues.jboss.org/browse/WFLY-9921 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.CR1 > Reporter: Martin Choma > Attachments: ssl_handshake_CA.log, ssl_handshake_certificate.log > > > Reproducer: > * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. > * Server certificate is expired > * Client has Intermediate CA in Elytron truststore > * SSL handshake fails using Elytron client ssl context: > {code} > 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown > 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 > 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 > 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... > 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() > 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 > {code} > If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. > {code} > 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 > at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) > at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) > at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) > at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) > at java.lang.Thread.run(Thread.java:748) > {code} > So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. > [1] https://issues.jboss.org/browse/JBEAP-6157 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (SWSQE-37) [QE] - SWS-51 - View Istio's services details

by Hayk Hovsepyan (JIRA)

[ https://issues.jboss.org/browse/SWSQE-37?page=com.atlassian.jira.plugin.s... ] Hayk Hovsepyan updated SWSQE-37: -------------------------------- Summary: [QE] - SWS-51 - View Istio's services details (was: [QE] - SWS-51) > [QE] - SWS-51 - View Istio's services details > --------------------------------------------- > > Key: SWSQE-37 > URL: https://issues.jboss.org/browse/SWSQE-37 > Project: Swift Sunshine QE > Issue Type: Task > Reporter: Hayk Hovsepyan > Assignee: Sunil kondkar > > Test subtasks of https://issues.jboss.org/browse/SWS-51 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-9921: ------------------------------- Attachment: (was: ssl_handshake_chain.log) > Unable to create SSL connection if expired certificate chain used > ----------------------------------------------------------------- > > Key: WFLY-9921 > URL: https://issues.jboss.org/browse/WFLY-9921 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.CR1 > Reporter: Martin Choma > > Reproducer: > * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. > * Server certificate is expired > * Client has Intermediate CA in Elytron truststore > * SSL handshake fails using Elytron client ssl context: > {code} > 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown > 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 > 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 > 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... > 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() > 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 > {code} > If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. > {code} > 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 > at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) > at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) > at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) > at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) > at java.lang.Thread.run(Thread.java:748) > {code} > So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. > [1] https://issues.jboss.org/browse/JBEAP-6157 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-9921: ------------------------------- Attachment: ssl_handshake_chain.log ssl_handshake_self_signed.log > Unable to create SSL connection if expired certificate chain used > ----------------------------------------------------------------- > > Key: WFLY-9921 > URL: https://issues.jboss.org/browse/WFLY-9921 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.CR1 > Reporter: Martin Choma > > Reproducer: > * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. > * Server certificate is expired > * Client has Intermediate CA in Elytron truststore > * SSL handshake fails using Elytron client ssl context: > {code} > 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown > 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 > 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 > 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... > 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() > 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 > {code} > If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. > {code} > 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 > at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) > at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) > at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) > at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) > at java.lang.Thread.run(Thread.java:748) > {code} > So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. > [1] https://issues.jboss.org/browse/JBEAP-6157 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-9921: ------------------------------- Attachment: (was: ssl_handshake_self_signed.log) > Unable to create SSL connection if expired certificate chain used > ----------------------------------------------------------------- > > Key: WFLY-9921 > URL: https://issues.jboss.org/browse/WFLY-9921 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.CR1 > Reporter: Martin Choma > > Reproducer: > * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. > * Server certificate is expired > * Client has Intermediate CA in Elytron truststore > * SSL handshake fails using Elytron client ssl context: > {code} > 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown > 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 > 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 > 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... > 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() > 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 > {code} > If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. > {code} > 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 > at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) > at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) > at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) > at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) > at java.lang.Thread.run(Thread.java:748) > {code} > So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. > [1] https://issues.jboss.org/browse/JBEAP-6157 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used

by Martin Choma (JIRA)

Martin Choma created WFLY-9921: ---------------------------------- Summary: Unable to create SSL connection if expired certificate chain used Key: WFLY-9921 URL: https://issues.jboss.org/browse/WFLY-9921 Project: WildFly Issue Type: Bug Components: Security Affects Versions: 12.0.0.CR1 Reporter: Martin Choma Assignee: Darran Lofthouse Reproducer: * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. * Server certificate is expired * Client has Intermediate CA in Elytron truststore * SSL handshake fails using Elytron client ssl context: {code} 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 {code} If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. {code} 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) at java.lang.Thread.run(Thread.java:748) {code} So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. [1] https://issues.jboss.org/browse/JBEAP-6157 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9921) Unable to create SSL connection if expired certificate chain used

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9921?page=com.atlassian.jira.plugin.... ] Martin Choma reassigned WFLY-9921: ---------------------------------- Assignee: (was: Darran Lofthouse) > Unable to create SSL connection if expired certificate chain used > ----------------------------------------------------------------- > > Key: WFLY-9921 > URL: https://issues.jboss.org/browse/WFLY-9921 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.CR1 > Reporter: Martin Choma > > Reproducer: > * Server secured by certificate chain, it means Certificate is signed with Intermediate CA which is signed by root CA. > * Server certificate is expired > * Client has Intermediate CA in Elytron truststore > * SSL handshake fails using Elytron client ssl context: > {code} > 18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown > 18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2 > 18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7 > 18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E ....... > 18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket() > 18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017 > {code} > If I put expired certificate itself into truststore SSL handshake pass, although warning is logged. > {code} > 18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017 > at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) > at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602) > at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177) > at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680) > at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374) > at java.lang.Thread.run(Thread.java:748) > {code} > So behaviour in these 2 cases is inconsistent. I think we have agreed before we let pass SSL handshake with expired certificate but warn about it in log [1]. > [1] https://issues.jboss.org/browse/JBEAP-6157 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (SWSQE-38) [QE] - SWS-60 - Display the list of services

by Hayk Hovsepyan (JIRA)

[ https://issues.jboss.org/browse/SWSQE-38?page=com.atlassian.jira.plugin.s... ] Hayk Hovsepyan updated SWSQE-38: -------------------------------- Summary: [QE] - SWS-60 - Display the list of services (was: [QE] - SWS-60) > [QE] - SWS-60 - Display the list of services > -------------------------------------------- > > Key: SWSQE-38 > URL: https://issues.jboss.org/browse/SWSQE-38 > Project: Swift Sunshine QE > Issue Type: Task > Reporter: Hayk Hovsepyan > Assignee: Hayk Hovsepyan > > Test subtasks of https://issues.jboss.org/browse/SWS-60 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira February 2018