Uploaded image for project: 'ActiveMQ Classic'
  1. ActiveMQ Classic
  2. AMQ-7301

Expired certificates trigger a full stack trace

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 5.15.10
    • 5.16.0, 5.15.12
    • Security/JAAS
    • None

    • ActiveMQ 5.15.10 as standalone broker

    Description

      When using an expired certificate to authenticate via STOMP, ActiveMQ logs a complete stack trace:
       

      2019-09-10 10:36:07,784 [ActiveMQ BrokerService[broker.acme.com] Task-12] ERROR TransportConnector - Could not accept connection from null : {}
 java.io.IOException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
 at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)
 at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
 at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
 at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
 at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
 at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
 at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)
 at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
 at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
 at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
 at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)
 Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
 at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
 at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
 at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
 at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
 at org.apache.activemq.transport.nio.NIOOutputStream.write(NIOOutputStream.java:174)
 at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:452)
 at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
 ... 14 more
 Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
 at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1983)
 at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232)
 at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
 at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
 at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
 at java.security.AccessController.doPrivileged(Native Method)
 at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
 at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:448)
 ... 15 more
 Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
 at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
 at sun.security.validator.Validator.validate(Validator.java:262)
 at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
 at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
 at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
 at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1970)
 ... 22 more
 Caused by: java.security.cert.CertPathValidatorException: validity check failed
 at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
 at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
 at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
 at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
 at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
 at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
 ... 28 more
 Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu May 23 12:21:49 CEST 2019
 at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
 at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
 at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
 at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
 at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
 ... 33 more

      There are several problems here:

      1. this should be a WARN and not an ERROR (like an invalid password)
      2. the IP address and/or certificate DN should be logged
      3. a single line should be reported, not the full stack trace

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. AMQ-7444 Invalid certificate warnings should include client IP information

          • Major - Major loss of function.
          • Resolved
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. AMQ-7433 Use short rendering of exception/throwable in log by default

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #488

          Web Link GitHub Pull Request #501

          Web Link GitHub Pull Request #507

          Web Link GitHub Pull Request #510

          Activity

            People

              jbonofre Jean-Baptiste Onofré
              lionel.cons Lionel Cons
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 1h 20m
                  1h 20m