CXF-4740: SSL/TLS server incorrectly closes socket before reporting certificate failure to client


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.7.1
    • Fix Version/s: None
    • Component/s: Transports
    • Labels: None
    • Environment: Linux, Ubuntu 12.04
      java version "1.6.0_24"
      OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
      OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
    • Estimated Complexity: Unknown

    Description

      In an earlier version of CXF, 2.2.5, when a client certificate fails to validate for some reason the server replied with a fatal error bad_certificate. This is correct according to the TLS RFC 2246, section 7.2.1, Closure alerts.

      However, in CXF 2.7.0 and 2.7.1 the socket is closed prematurely, so that the client never gets a close or error message. This should not happen since it leaves open the possibility of a truncation attack.

      These are the log outputs for each version. These are based on the wsdl_first_https example project where it is configured so that the server does not have the client certificate in its trust store.

      CXF 2.2.5

      Client
      Invocation failed with the following: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

      Server
      167179228@qtp-764924063-0, READ: TLSv1 Handshake, length = 109
      *** Certificate chain
      ***
      167179228@qtp-764924063-0, SEND TLSv1 ALERT: fatal, description = bad_certificate
      167179228@qtp-764924063-0, WRITE: TLSv1 Alert, length = 2
      167179228@qtp-764924063-0, called closeSocket()
      167179228@qtp-764924063-0, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
      167179228@qtp-764924063-0, called close()
      167179228@qtp-764924063-0, called closeInternal(true)

      CXF 2.7.1

      Client
      Caused by: java.io.EOFException: SSL peer shut down incorrectly
      at sun.security.ssl.InputRecord.read(InputRecord.java:352)
      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:850)
      ... 35 more

      Invocation failed with the following: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://localhost:9001/SoapContext/SoapPort: Remote host closed connection during handshake

      Server
      qtp111947068-20, READ: TLSv1 Handshake, length = 109
      *** Certificate chain
      ***
      qtp111947068-20, fatal error: 42: null cert chain
      javax.net.ssl.SSLHandshakeException: null cert chain
      qtp111947068-20, SEND TLSv1 ALERT: fatal, description = bad_certificate
      qtp111947068-20, WRITE: TLSv1 Alert, length = 2
      qtp111947068-20, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
      Jan 9, 2013 11:34:58 AM org.eclipse.jetty.io.nio.SelectChannelEndPoint handle
      WARNING: javax.net.ssl.SSLHandshakeException: null cert chain
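      As an added illustration (not part of this issue or of CXF), the following Python script models the two closing behaviours at the TLS record layer. A fake server on localhost either sends the fatal bad_certificate alert (alert level 2, description 42, matching "fatal error: 42" and "SEND TLSv1 ALERT: fatal, description = bad_certificate" in the logs above) and then closes, as CXF 2.2.5 does, or closes the TCP connection with no alert record at all, which is what the 2.7.1 client observes as "SSL peer shut down incorrectly". The client side reads the next record and classifies it, which is the distinction a client-side check or a monitoring tool needs to make between a clean fatal alert and an abrupt close that could mask truncation. The fake server, the probe function and the alert description table are assumptions of this example; no real TLS handshake is performed.

```python
import socket
import struct
import threading

# TLS record-layer constants (RFC 2246 sections 6.2.1 and 7.2).
CONTENT_TYPE_ALERT = 21
ALERT_LEVEL_WARNING = 1
ALERT_LEVEL_FATAL = 2
TLS_1_0_VERSION = 0x0301  # "TLSv1" in the JSSE debug output

# Subset of alert descriptions from RFC 2246 section 7.2 (assumed table for this example).
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
}


def recv_exact(sock, n):
    """Read exactly n bytes; returns fewer only if the peer closed the stream first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def classify_server_close(sock):
    """Read the next TLS record and report how the server ended the connection.

    Returns ("alert", level_name, description_name) when an Alert record arrives
    (the RFC-conformant 2.2.5 behaviour), ("eof", None, None) when the TCP stream
    ends with no record (the 2.7.1 symptom), or ("other", content_type, None).
    """
    header = recv_exact(sock, 5)
    if len(header) < 5:
        return ("eof", None, None)
    content_type, _version, length = struct.unpack("!BHH", header)
    body = recv_exact(sock, length)
    if content_type != CONTENT_TYPE_ALERT or len(body) != 2:
        return ("other", content_type, None)
    level, description = body  # two single bytes: AlertLevel, AlertDescription
    level_name = {ALERT_LEVEL_WARNING: "warning", ALERT_LEVEL_FATAL: "fatal"}.get(level, str(level))
    return ("alert", level_name, ALERT_DESCRIPTIONS.get(description, str(description)))


def build_alert_record(level, description, version=TLS_1_0_VERSION):
    """Build a TLS Alert record: type 21, version, 2-byte length, then level and description."""
    return struct.pack("!BHH", CONTENT_TYPE_ALERT, version, 2) + bytes([level, description])


def run_fake_server(mode):
    """Start a one-shot localhost listener that models each CXF version's closing behaviour.

    mode "alert":  send fatal bad_certificate, then close (CXF 2.2.5).
    mode "abrupt": close the socket without any alert record (CXF 2.7.1).
    Returns the port the listener is bound to. This is a constructed model, not CXF code.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn:
            # A real server would first read the ClientHello and the client's
            # Certificate message; this model only reproduces how the connection ends.
            if mode == "alert":
                conn.sendall(build_alert_record(ALERT_LEVEL_FATAL, 42))
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(port):
    """Connect to the fake server and classify how it closes the connection."""
    with socket.create_connection(("127.0.0.1", port)) as sock:
        return classify_server_close(sock)


if __name__ == "__main__":
    for mode in ("alert", "abrupt"):
        print(mode, "->", probe(run_fake_server(mode)))
```

      Running the script prints ("alert", "fatal", "bad_certificate") for the 2.2.5-style server and ("eof", None, None) for the 2.7.1-style server; the second result is the wire-level counterpart of the client's java.io.EOFException in the log above, and is the case a client or monitor should treat as a possible truncation rather than a clean handshake rejection.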

People

Assignee: Unassigned
Reporter: Jody Fanning (jodyfanning)
Votes: 1
Watchers: 3