Martin Choma updated WFLY-9921:
-------------------------------
Attachment: ssl_handshake_chain.log
            ssl_handshake_self_signed.log
Unable to create SSL connection if expired certificate chain used
-----------------------------------------------------------------
Key: WFLY-9921
URL:
https://issues.jboss.org/browse/WFLY-9921
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 12.0.0.CR1
Reporter: Martin Choma
Reproducer:
* Server secured by a certificate chain, i.e. the server certificate is signed by an Intermediate CA which is itself signed by a root CA.
* Server certificate is expired
* Client has the Intermediate CA in the Elytron truststore
* SSL handshake fails using the Elytron client SSL context:
{code}
18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2
18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7
18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E   .......
18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket()
18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017
{code}
If I put the expired certificate itself into the truststore, the SSL handshake passes, although a warning is logged.
{code}
18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017
    at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
    at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177)
    at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680)
    at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
    at java.lang.Thread.run(Thread.java:748)
{code}
So the behaviour in these 2 cases is inconsistent. I think we agreed before that we let the SSL handshake pass with an expired certificate but warn about it in the log [1].
[1] https://issues.jboss.org/browse/JBEAP-6157
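The handshake log above only shows a generic certificate_unknown alert; the underlying cause (a chain that does validate against the truststore but whose server certificate is past NotAfter) is visible only in the exception. The following added example, written in Go and not code from WildFly or Elytron, rebuilds the reporter's setup with constructed test certificates (root CA, intermediate CA, expired server certificate, with only the intermediate in the truststore) and separates "expired" from "untrusted" when diagnosing such a failure. Names like Classify and BuildChain are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues one certificate; parent == nil makes it self-signed (the root CA).
func mkCert(cn string, isCA bool, nb, na time.Time, parent *x509.Certificate,
	pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Classify verifies leaf against the truststore at time "at" and reports "ok",
// "expired" (a trusted path exists, only the validity window is missed) or
// "untrusted" (no path to the truststore). A bare certificate_unknown alert hides this.
func Classify(leaf *x509.Certificate, trust *x509.CertPool, at time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trust, CurrentTime: at})
	var inv x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &inv) && inv.Reason == x509.Expired:
		return "expired"
	default:
		return "untrusted"
	}
}

// BuildChain models the reporter's setup with constructed certificates: root CA ->
// intermediate CA -> server certificate whose NotAfter is a year in the past. The
// returned pool holds only the intermediate, like the client's Elytron truststore.
func BuildChain() (*x509.Certificate, *x509.CertPool) {
	now := time.Now()
	root, rootKey := mkCert("Test Root CA", true, now.AddDate(-3, 0, 0), now.AddDate(10, 0, 0), nil, nil)
	inter, interKey := mkCert("Test Intermediate CA", true, now.AddDate(-3, 0, 0), now.AddDate(10, 0, 0), root, rootKey)
	leaf, _ := mkCert("server.example.test", false, now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0), inter, interKey)
	trust := x509.NewCertPool()
	trust.AddCert(inter)
	return leaf, trust
}

func main() {
	leaf, trust := BuildChain()
	fmt.Println("now:", Classify(leaf, trust, time.Now()))                                  // expired
	fmt.Println("18 months ago:", Classify(leaf, trust, time.Now().AddDate(0, -18, 0)))      // ok
	fmt.Println("empty truststore:", Classify(leaf, x509.NewCertPool(), time.Now().AddDate(0, -18, 0))) // untrusted
}
```

Running the same chain with CurrentTime inside the validity window shows the path to the intermediate is fine, so the failure is purely the expired server certificate that WFLYELY00024 warns about in the keystore case.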