Uploaded image for project: 'Camel'
  1. Camel
  2. CAMEL-8946

Original SSLHandshakeException was overridden by Camel Netty Http producer

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.12.5
    • Fix Version/s: 2.16.0
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      I am having difficulties to troubleshoot some of the SSL failures when my application attempts to connect to back ends. I am not able to understand by looking at the logs what is making the connection to fail.

      When inspecting the behavior of 'camel-netty-http' for a particular use case where no trusted certificates are available, I realize that Netty is throwing an SSLHandshakeException, but then it gets lost and a ClosedChannelExcetpion is thrown back instead.

      While DEBUG and WARN level messages give indication about the real source of the problem, the final ERROR level message looses the error context. This is problematic when I run the system in ERROR level, and when I see failures I can't determine the reasons.

      The sequence of logs is as follows:
      1) first a DEBUG trace:
      DEBUG Closing channel as an exception was thrown from Netty
      javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      ... Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      ... Caused by: sun.security.validator.ValidatorException: No trusted certificate found

      2) then a WARN trace:
      WARN HttpServerChannelHandler is not found as attachment to handle exception, send 404 back to the client.
      javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

      3) and an ERROR trace:
      ERROR Failed delivery for...
      ... java.nio.channels.ClosedChannelException
      at org.jboss.netty.handler.ssl.SslHandler$7.run(SslHandler.java:1766)

      I have made a simple fix on NettyProducer.java class since NettyHttpProducer class is inherited from it.

      I'll also attach a junit test
      org/apache/camel/component/netty/http/NettyHttpSSLHandshakeErrorTest.java
      that reproduces the situation as well as a patch (patch.txt) to this JIRA.

      Note, the junit test requires some keystore files so you will need to copy over following four files:
      camel-cxf/src/test/resources/wssecurity/keystore/client-keystore.jks
      camel-cxf/src/test/resources/wssecurity/keystore/client-truststore.jks
      camel-cxf/src/test/resources/wssecurity/keystore/server-keystore.jks
      camel-cxf/src/test/resources/wssecurity/keystore/server-truststore.jks

      over to camel-netty-http/src/test/resources/jsse/ folder in order to get the junit test to work.

        Attachments

        1. client-keystore.jks
          1 kB
          Joe Luo
        2. client-truststore.jks
          0.6 kB
          Joe Luo
        3. NettyHttpSSLHandshakeErrorTest.java
          3 kB
          Joe Luo
        4. patch.txt
          6 kB
          Joe Luo
        5. server-keystore.jks
          1 kB
          Joe Luo
        6. server-truststore.jks
          0.6 kB
          Joe Luo

          Activity

            People

            • Assignee:
              davsclaus Claus Ibsen
              Reporter:
              joeluo Joe Luo
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: