[jboss-jira] [JBoss JIRA] (WFLY-11007) Using OpenShift generated certificates and client auth cause TLS errors
Jan Lieskovsky (JIRA)
issues at jboss.org
Wed Sep 12 11:15:01 EDT 2018
[ https://issues.jboss.org/browse/WFLY-11007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13632518#comment-13632518 ]
Jan Lieskovsky commented on WFLY-11007:
---------------------------------------
Thanks, Sebastian!
Adding Darran to the Cc-list as well. Per this [ticket|https://bugs.erlang.org/browse/ERL-83], it happens when the server has a very long list of trusted CAs: the TLS record might overflow the maximum allowed 16384 (2^14) byte length required by [RFC 5246 section 6.2.1|https://tools.ietf.org/html/rfc5246#section-6.2.1]. What's not clear to me yet is whether the current behaviour is the fault of OpenShift's service certificate secrets service or of the JBoss EAP server.
Since the 2nd attempt (with your own certificate) worked for you, could you rerun it with that own certificate, for which the scenario worked, but this time put many more trusted CA certificates into the truststore? An example of a longer CA file is [here|http://curl.haxx.se/ca/cacert.pem].
Alternatively, you can retry the scenario with autogenerated OpenShift certificates, but comment out the code part that inserts the whole Java system PKI CA certs into the truststore (insert into the truststore just the one certificate you need for the client cert verification to succeed).
If these modified scenarios work, some component (as said, I am not completely sure yet which of them it is; but since the truststore is created on the EAP server side, it might be an issue on the EAP part) is producing longer TLS records than actually allowed by the RFC, and it should be addressed.
If you manage to reproduce the issue with your own certificate (having a lot of CA cert entries in the truststore), or fail to reproduce the issue with the OpenShift certificate when the truststore does not have that many CA cert entries (as in the default case), we might be wiser about what's causing the issue.
> Using OpenShift generated certificates and client auth cause TLS errors
> -----------------------------------------------------------------------
>
> Key: WFLY-11007
> URL: https://issues.jboss.org/browse/WFLY-11007
> Project: WildFly
> Issue Type: Bug
> Components: Security, Web (Undertow)
> Affects Versions: 13.0.0.Final
> Reporter: Sebastian Łaskawiec
> Assignee: Stuart Douglas
>
> h2. Summary
> It seems that when using OpenShift generated certificates and client auth (with {{want-client-auth="true"}}) the TLS handshake fails with {{RECV TLSv1.2 ALERT: fatal, record_overflow}} message.
> h2. Explanation
> I'm using {{oc cluster up}} and deploying Keycloak (WF 13 based) on an OpenShift local cluster using the (1) template. The service in the template uses OpenShift generated certificates ({{"service.alpha.openshift.io/serving-cert-secret-name": "keycloak-x509-https-secret"}}). Both files are mounted in the Keycloak pod and translated into a keystore and truststore (see the configuration after the transformation (2)). Once the pod is up and running, I'm issuing a {{curl}} command as shown in (3). {{curl}} fails saying {{* error:1408F092:SSL routines:ssl3_get_record:data length too long}}. The server logs with TLS handshake debugging turned on can be found here (4). As shown in the link, the server has written {{16384}} bytes.
> I also did a test with manually created certificates (5). The result can be found here (6). As shown in the link, we've written {{16050}} bytes instead of {{16384}} and the handshake was successful.
> h2. Possible solution
> Perhaps we should cut the list of CAs transmitted by the server when asking for client auth once it exceeds a certain number of bytes. It would be helpful to write a warning message too.
> Links:
> - (1) Keycloak OCP Template https://gist.github.com/slaskawi/57ed810a7109a02a9d884b61ce2e7f13
> - (2) Transformed configuration https://gist.github.com/slaskawi/92aead6c519b867621129b640b4a3c88
> - (3) curl command https://gist.github.com/slaskawi/3bc32b8e96c2499cb7b48c3c5cb28616
> - (4) https://gist.github.com/slaskawi/b6477fe3cd65890c879cfe6f95359450#file-logs-bad-L1485
> - (5) Keycloak and OpenShift integration demo https://github.com/keycloak/openshift-integration/blob/master/install-keycloak#L11-L22
> - (6) https://gist.github.com/slaskawi/7fd87e1f2e6c4faf657d9e8289ed3392#file-logs-good-L1383
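The size problem discussed above comes from the {{certificate_authorities}} list in the server's CertificateRequest message (RFC 5246 section 7.4.4), one DER-encoded distinguished name per trusted CA. The following added example (not WildFly/EAP code, and not part of the ticket) builds that message for a constructed list of CA names and checks whether it still fits the 2^14-byte record limit the ticket cites, which is the kind of check the "Possible solution" asks for before a truststore is turned into a client-auth request. The CA names are synthetic single-CN names, so real DNs (with O, C, OU attributes) will be longer and overflow sooner.

```python
import struct

# RFC 5246 6.2.1: a TLSPlaintext fragment must not exceed 2^14 bytes.
TLS_MAX_PLAINTEXT = 1 << 14

def _der_tlv(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def der_name(common_name):
    """DER-encode an X.501 Name holding a single CN attribute (OID 2.5.4.3).
    This is a constructed, deliberately minimal DN, not one read from a cert."""
    attr = _der_tlv(0x30, _der_tlv(0x06, b"\x55\x04\x03")
                    + _der_tlv(0x0c, common_name.encode("utf-8")))
    return _der_tlv(0x30, _der_tlv(0x31, attr))

def certificate_request_body(ca_names):
    """CertificateRequest body per RFC 5246 7.4.4:
    certificate_types<1..2^8-1>, supported_signature_algorithms<2..2^16-2>,
    certificate_authorities<0..2^16-1> (each entry: 2-byte length + DER Name)."""
    cert_types = b"\x01\x40"                         # rsa_sign, ecdsa_sign
    sig_algs = b"\x04\x01\x05\x01\x06\x01\x04\x03"   # sha256/384/512+rsa, sha256+ecdsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    if len(cas) > 0xFFFF:
        raise ValueError("certificate_authorities exceeds its 2^16-1 byte vector limit")
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)

def handshake_message_len(ca_names):
    """Length of the full Handshake message: 1-byte type + 3-byte length + body."""
    return 4 + len(certificate_request_body(ca_names))

def fits_one_record(ca_names):
    """True when the CertificateRequest for this truststore fits a single record."""
    return handshake_message_len(ca_names) <= TLS_MAX_PLAINTEXT

def max_cas_in_one_record(ca_names):
    """Largest prefix of ca_names whose CertificateRequest still fits one record;
    a server that wants to truncate (and warn) could stop at this count."""
    count = 0
    while count < len(ca_names) and fits_one_record(ca_names[:count + 1]):
        count += 1
    return count

# Constructed sample truststore: 600 synthetic CA subjects with fixed-width CNs.
SAMPLE_TRUSTSTORE = [der_name("Sample Root CA %03d" % i) for i in range(600)]
```

With these 33-byte entries the request overflows at 496 CAs; with realistic multi-attribute DNs of 80 to 120 bytes, a few hundred system CAs are enough, which matches the 16384 bytes seen in the failing log above.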
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)