[jboss-jira] [JBoss JIRA] (ELY-1528) Unable to create SSL connection if expired certificate chain used

Martin Choma (JIRA) issues at jboss.org
Wed Mar 14 03:41:00 EDT 2018


    [ https://issues.jboss.org/browse/ELY-1528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13545497#comment-13545497 ] 

Martin Choma commented on ELY-1528:
-----------------------------------

Just a note on the topic: on IBM Java the trust anchor also seems to be validated, because I get
{{javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: Certificate expired}}

> Unable to create SSL connection if expired certificate chain used
> -----------------------------------------------------------------
>
>                 Key: ELY-1528
>                 URL: https://issues.jboss.org/browse/ELY-1528
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 1.2.1.Final
>            Reporter: Martin Choma
>            Assignee: Jan Kalina
>
> Reproducer:
> * Server secured by a certificate chain, i.e. the certificate is signed by an intermediate CA which is signed by a root CA.
> * Server certificate is expired
> * Client has Intermediate CA in Elytron truststore 
> * SSL handshake fails using Elytron client ssl context:
> {code}
> 18:27:54,540 INFO  [stdout] (default task-1) default task-1, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
> 18:27:54,540 INFO  [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2
> 18:27:54,540 INFO  [stdout] (default task-1) [Raw write]: length = 7
> 18:27:54,540 INFO  [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E                               .......
> 18:27:54,541 INFO  [stdout] (default task-1) default task-1, called closeSocket()
> 18:27:54,541 INFO  [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017
> {code}
> Full SSL handshake log is in attached ssl_handshake_CA.log
> * If I put the expired certificate itself into the truststore, the SSL handshake passes, although a warning is logged.
> {code}
> 18:35:28,648 WARN  [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017
> 	at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
> 	at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
> 	at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
> 	at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177)
> 	at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680)
> 	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527)
> 	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
> 	at java.lang.Thread.run(Thread.java:748)
> {code}
> Full SSL handshake log is in attached ssl_handshake_certificate.log
> So the behaviour in these 2 cases is inconsistent. I think we agreed before that we let the SSL handshake pass with an expired certificate but warn about it in the log [1].
> [1] https://issues.jboss.org/browse/JBEAP-6157



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
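The reproducer in the quoted report, as an added example that is not part of the issue, of Elytron or of the JDK: the script below builds a root -> intermediate -> leaf chain with the `cryptography` library, dates the leaf so that it is already expired at a constructed "handshake time", and runs a minimal RFC 5280-style path validation that, like the Sun/OpenJDK PKIX validator, checks the validity period of every certificate below the trust anchor but never the anchor's own. That one rule is what makes the two truststore layouts behave differently: with the intermediate CA as anchor the expired leaf is on the validated path and fails, while with the expired leaf itself as anchor the path is just the anchor and passes. The `expired_certs` helper mirrors the warning-only check Elytron's KeyStoreService performs at start-up (WFLYELY00024). All names, key types, dates and the validation time are constructed for this example.

```python
"""Constructed reproduction of the ELY-1528 trust-anchor asymmetry (added example)."""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
NOW = dt.datetime(2018, 3, 14, 12, 0, tzinfo=UTC)   # constructed "handshake time"


class PathValidationError(Exception):
    pass


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(cn, not_before, not_after, is_ca, issuer=None, issuer_key=None):
    """Issue a certificate for a fresh EC key; self-signed when no issuer is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer = issuer_key if issuer_key is not None else key
    cert = (x509.CertificateBuilder()
            .subject_name(name(cn))
            .issuer_name(issuer.subject if issuer is not None else name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))
    return key, cert


def validity(cert):
    try:                                    # cryptography >= 42 exposes aware datetimes
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:                  # older releases expose naive UTC datetimes
        return (cert.not_valid_before.replace(tzinfo=UTC),
                cert.not_valid_after.replace(tzinfo=UTC))


def expired_certs(keystore, at=NOW):
    """Subjects of keystore certificates outside their validity window: the condition
    Elytron's KeyStoreService logs WFLYELY00024 for. A warning, not a rejection."""
    return [c.subject.rfc4514_string() for c in keystore
            if not validity(c)[0] <= at <= validity(c)[1]]


def validate_path(presented, trust_anchors, at=NOW):
    """Walk from the server's leaf towards a trust anchor, verifying the signature and
    validity period of every certificate below the anchor. Returns the path's subjects."""
    anchors = {a.public_bytes(Encoding.DER): a for a in trust_anchors}
    path, cert = [], presented[0]
    while True:
        if cert.public_bytes(Encoding.DER) in anchors:
            # The anchor is trusted as-is. Like the JDK PKIX validator we do not check its
            # validity period, so an expired leaf that *is* the anchor passes (second case).
            path.append(cert)
            return [c.subject.rfc4514_string() for c in path]
        issuer = next((c for c in list(anchors.values()) + list(presented)
                       if c is not cert and c.subject == cert.issuer), None)
        if issuer is None:
            raise PathValidationError("no trust anchor found for " + cert.subject.rfc4514_string())
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except Exception as exc:
            raise PathValidationError("bad signature on " + cert.subject.rfc4514_string()) from exc
        not_before, not_after = validity(cert)
        if not not_before <= at <= not_after:
            raise PathValidationError(f"CertificateExpiredException: NotAfter: {not_after:%Y-%m-%d}")
        path.append(cert)
        cert = issuer


def reproduce(at=NOW):
    """The two client truststore layouts from the report; server presents [leaf, intermediate]."""
    root_key, root = issue("Root CA", dt.datetime(2015, 1, 1, tzinfo=UTC),
                           dt.datetime(2030, 1, 1, tzinfo=UTC), True)
    inter_key, inter = issue("Intermediate CA", dt.datetime(2016, 1, 1, tzinfo=UTC),
                             dt.datetime(2026, 1, 1, tzinfo=UTC), True, root, root_key)
    _, leaf = issue("server.example.test", dt.datetime(2016, 12, 16, tzinfo=UTC),
                    dt.datetime(2017, 12, 16, 10, 49, 56, tzinfo=UTC), False, inter, inter_key)
    results = {}
    for label, truststore in (("intermediate in truststore", [inter]),
                              ("expired leaf itself in truststore", [leaf])):
        warnings = expired_certs(truststore, at)
        try:
            validate_path([leaf, inter], truststore, at)
            results[label] = ("handshake passes", warnings)
        except PathValidationError as exc:
            results[label] = (f"handshake fails: {exc}", warnings)
    return results


if __name__ == "__main__":
    for label, (outcome, warned) in reproduce().items():
        print(f"{label}: {outcome}; WFLYELY00024 warnings for {warned}")
```

Run it and the first layout fails with a CertificateExpiredException while the second passes and only yields the keystore warning, matching the two logs in the report. Note that the comment above says IBM Java does validate the anchor's dates, so the second layout is not portable across JSSE providers; the keystore warning is the only signal common to both.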

