Details
-
Improvement
-
Status: Resolved
-
Minor
-
Resolution: Fixed
-
2.12.5
-
None
-
Unknown
Description
I am having difficulties to troubleshoot some of the SSL failures when my application attempts to connect to back ends. I am not able to understand by looking at the logs what is making the connection to fail.
When inspecting the behavior of 'camel-netty-http' for a particular use case where no trusted certificates are available, I realize that Netty is throwing an SSLHandshakeException, but then it gets lost and a ClosedChannelExcetpion is thrown back instead.
While DEBUG and WARN level messages give indication about the real source of the problem, the final ERROR level message looses the error context. This is problematic when I run the system in ERROR level, and when I see failures I can't determine the reasons.
The sequence of logs is as follows:
1) first a DEBUG trace:
DEBUG Closing channel as an exception was thrown from Netty
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
... Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
... Caused by: sun.security.validator.ValidatorException: No trusted certificate found
2) then a WARN trace:
WARN HttpServerChannelHandler is not found as attachment to handle exception, send 404 back to the client.
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
3) and an ERROR trace:
ERROR Failed delivery for...
... java.nio.channels.ClosedChannelException
at org.jboss.netty.handler.ssl.SslHandler$7.run(SslHandler.java:1766)
I have made a simple fix on NettyProducer.java class since NettyHttpProducer class is inherited from it.
I'll also attach a junit test
org/apache/camel/component/netty/http/NettyHttpSSLHandshakeErrorTest.java
that reproduces the situation as well as a patch (patch.txt) to this JIRA.
Note, the junit test requires some keystore files so you will need to copy over following four files:
camel-cxf/src/test/resources/wssecurity/keystore/client-keystore.jks
camel-cxf/src/test/resources/wssecurity/keystore/client-truststore.jks
camel-cxf/src/test/resources/wssecurity/keystore/server-keystore.jks
camel-cxf/src/test/resources/wssecurity/keystore/server-truststore.jks
over to camel-netty-http/src/test/resources/jsse/ folder in order to get the junit test to work.