[jboss-jira] [JBoss JIRA] (WFCORE-2821) Elytron two way SSL with CRL set does not work
Ondrej Kotek (JIRA)
issues at jboss.org
Wed May 17 09:46:00 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-2821?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ondrej Kotek moved JBEAP-10971 to WFCORE-2821:
----------------------------------------------
Project: WildFly Core (was: JBoss Enterprise Application Platform)
Key: WFCORE-2821 (was: JBEAP-10971)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security (was: Security)
Affects Version/s: 3.0.0.Beta21 (was: 7.1.0.DR18)
Affects Testing: (was: Blocks Testing)
> Elytron two way SSL with CRL set does not work
> ----------------------------------------------
>
> Key: WFCORE-2821
> URL: https://issues.jboss.org/browse/WFCORE-2821
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta21
> Reporter: Ondrej Kotek
> Priority: Blocker
> Labels: eap7.1-rfe-blocker
>
> Having set two way SSL Elytron {{server-ssl-context}} [1] but with {{trust-managers}} with {{certificate-revocation-list}} set (and {{algorithm}} unset), a client is not able to connect to the server, because the server closes connections.
> Debugging reveals that only the {{getAcceptedIssuers}} method is called on {{X509CRLExtendedTrustManager}}, and it returns {{null}} (as set from the subsystem).
> There is also an unexpected error in the server log (twice):
> {noformat}
> ERROR [org.xnio.nio] (default I/O-3) XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@106b714d failed with an exception: java.lang.RuntimeException: Delegated task threw Exception/Error
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:73)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:749)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:646)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1046)
> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:588)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:468)
> Caused by: java.lang.NullPointerException
> at sun.security.ssl.HandshakeMessage$CertificateRequest.<init>(HandshakeMessage.java:1306)
> at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:963)
> at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
> at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> {noformat}
> The CRL functionality is required by EAP7-203, hence Blocker priority is set.
> [1] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableTwowaySSL%2FTLSinWildFlyforApplications
> [2] https://docs.jboss.org/author/display/WFLY/SSL+Configuration+using+Elytron+Subsystem#SSLConfigurationusingElytronSubsystem-UsingaCertificateRevocationList
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
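
The report ties the handshake failure to a trust manager whose {{getAcceptedIssuers}} returns {{null}}, while the {{X509TrustManager}} Javadoc requires a non-null (possibly empty) array. The following is an added example, not code from the issue or from Elytron and not the project's fix: a defensive wrapper that enforces that contract. The class name {{NonNullIssuersTrustManager}} and the stand-in manager in {{main}} are hypothetical.

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Objects;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;

// Hypothetical wrapper, not Elytron code: every trust decision stays with the delegate;
// only the contract that getAcceptedIssuers() never returns null is enforced here.
public final class NonNullIssuersTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate;
    public NonNullIssuersTrustManager(X509ExtendedTrustManager delegate) {
        this.delegate = Objects.requireNonNull(delegate, "delegate");
    }
    @Override public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] issuers = delegate.getAcceptedIssuers();
        // An empty array is a legal answer; null is not.
        return issuers == null ? new X509Certificate[0] : issuers.clone();
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String t)
            throws CertificateException { delegate.checkClientTrusted(c, t); }
    @Override public void checkServerTrusted(X509Certificate[] c, String t)
            throws CertificateException { delegate.checkServerTrusted(c, t); }
    @Override public void checkClientTrusted(X509Certificate[] c, String t, Socket s)
            throws CertificateException { delegate.checkClientTrusted(c, t, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String t, Socket s)
            throws CertificateException { delegate.checkServerTrusted(c, t, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String t, SSLEngine e)
            throws CertificateException { delegate.checkClientTrusted(c, t, e); }
    @Override public void checkServerTrusted(X509Certificate[] c, String t, SSLEngine e)
            throws CertificateException { delegate.checkServerTrusted(c, t, e); }

    public static void main(String[] args) {
        // Constructed stand-in for a manager that returns null issuers; it rejects every chain.
        X509ExtendedTrustManager broken = new X509ExtendedTrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return null; }
            public void checkClientTrusted(X509Certificate[] c, String t) { deny(); }
            public void checkServerTrusted(X509Certificate[] c, String t) { deny(); }
            public void checkClientTrusted(X509Certificate[] c, String t, Socket s) { deny(); }
            public void checkServerTrusted(X509Certificate[] c, String t, Socket s) { deny(); }
            public void checkClientTrusted(X509Certificate[] c, String t, SSLEngine e) { deny(); }
            public void checkServerTrusted(X509Certificate[] c, String t, SSLEngine e) { deny(); }
            private void deny() { throw new UnsupportedOperationException("stand-in"); }
        };
        System.out.println("raw issuers: " + broken.getAcceptedIssuers());
        int n = new NonNullIssuersTrustManager(broken).getAcceptedIssuers().length;
        System.out.println("wrapped issuer count: " + n);
    }
}
```

The wrapper extends {{X509ExtendedTrustManager}} so the {{Socket}} and {{SSLEngine}} variants still reach the delegate, leaving revocation checking where it was configured.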