Martin Choma commented on WFLY-9921:
------------------------------------
[~honza889] you are right. It fits together as you describe. The key fact is "the Java trust manager checks certificate expiration only for subordinate certificates". Thank you.
Unable to create SSL connection if expired certificate chain used
-----------------------------------------------------------------
Key: WFLY-9921
URL: https://issues.jboss.org/browse/WFLY-9921
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 12.0.0.CR1
Reporter: Martin Choma
Assignee: Jan Kalina
Attachments: ssl_handshake_CA.log, ssl_handshake_certificate.log
Reproducer:
* Server secured by a certificate chain, i.e. the server certificate is signed by an intermediate CA which is in turn signed by a root CA.
* The server certificate is expired.
* The client has the intermediate CA in its Elytron truststore.
* The SSL handshake fails when using the Elytron client SSL context:
{code}
18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2
18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7
18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E                               .......
18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket()
18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017
{code}
The full SSL handshake log is in the attached ssl_handshake_CA.log.
* If I put the expired certificate itself into the truststore, the SSL handshake passes, although a warning is logged:
{code}
18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017
    at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
    at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177)
    at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680)
    at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
    at java.lang.Thread.run(Thread.java:748)
{code}
The full SSL handshake log is in the attached ssl_handshake_certificate.log.
So the behaviour in these 2 cases is inconsistent. I think we agreed before that we let the SSL handshake pass with an expired certificate but warn about it in the log [1].
[1] https://issues.jboss.org/browse/JBEAP-6157
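As an added illustration (not code from WildFly/Elytron and not posted by the reporter), the following small Java program reproduces the two truststore cases from the reproducer directly against the JDK's PKIX trust manager, without a server or a TLS socket. It assumes two PEM files supplied on the command line, the server chain (server certificate first) and the certificate(s) to use as trust anchors; the class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Feeds a server certificate chain to the JDK PKIX trust manager with a
 * caller-supplied set of trust anchors and reports whether the chain is
 * accepted and, if not, the root cause of the rejection.
 *
 * Usage (hypothetical file names, assumed to exist):
 *   java TrustAnchorExpiryCheck chain.pem anchors.pem
 *   chain.pem   - server certificate first, then intermediates
 *   anchors.pem - certificates to load into an in-memory truststore
 */
public class TrustAnchorExpiryCheck {

    /** Loads every X.509 certificate found in a PEM or DER file. */
    static List<X509Certificate> loadCerts(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> certs = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
            return certs;
        }
    }

    /** Builds a PKIX X509TrustManager whose trust anchors are exactly the given certificates. */
    static X509TrustManager pkixTrustManager(List<X509Certificate> anchors) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory truststore
        int i = 0;
        for (X509Certificate c : anchors) {
            ks.setCertificateEntry("anchor-" + i++, c);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager from PKIX factory");
    }

    /**
     * Runs the same trust decision a TLS client makes on the server's chain.
     * Returns null when the chain is accepted, otherwise the root cause
     * (for an expired subordinate certificate: CertificateExpiredException).
     */
    static String verify(List<X509Certificate> chain, List<X509Certificate> anchors) throws Exception {
        X509TrustManager tm = pkixTrustManager(anchors);
        try {
            tm.checkServerTrusted(chain.toArray(new X509Certificate[0]), "RSA");
            return null;
        } catch (CertificateException e) {
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            return root.getClass().getSimpleName() + ": " + root.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: TrustAnchorExpiryCheck <chain.pem> <anchors.pem>");
            System.exit(2);
        }
        List<X509Certificate> chain = loadCerts(args[0]);
        List<X509Certificate> anchors = loadCerts(args[1]);

        // Print each chain certificate's own validity so it can be compared
        // with the trust manager's verdict below.
        for (X509Certificate c : chain) {
            String state = "within validity period";
            try {
                c.checkValidity();
            } catch (CertificateException e) {
                state = e.getClass().getSimpleName() + " (NotAfter: " + c.getNotAfter() + ")";
            }
            System.out.println("chain:  " + c.getSubjectX500Principal() + " -> " + state);
        }
        for (X509Certificate a : anchors) {
            System.out.println("anchor: " + a.getSubjectX500Principal());
        }

        String failure = verify(chain, anchors);
        System.out.println(failure == null
                ? "PKIX trust check: accepted"
                : "PKIX trust check: rejected, root cause " + failure);
    }
}
```

Run it once with the intermediate CA in anchors.pem and once with the expired server certificate itself. In the first run the leaf is a subordinate certificate on the path, so PKIX validates it and the check is rejected with CertificateExpiredException, matching the handshake failure above. In the second run the presented certificate is itself a trust anchor; PKIX path validation (RFC 5280, section 6.1) treats trust anchor data as input and does not check the anchor's validity period, so the check is accepted even though checkValidity() on that same certificate throws, which is what the Elytron WFLYELY00024 warning reports.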