Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
2.7.1
-
None
-
None
-
Linux, Ubuntu 12.04
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
-
Unknown
Description
In an earlier version of CXF, 2.2.5, when a client certificate failures to validate for some reason the server replied with a fatal error bad_certificate. This is correct according the the TLS RFC 2246, section 7.2.1. Closure alerts.
However, in CXF 2.7.0 and 2.7.1 the socket is closed prematurely, so that the client never gets a close or error message. This should not happen since it leaves open the possibility of a truncation attack.
These are the log outputs for each version. These are based on the wsdl_first_https example project where it is configured so that the server does not have the client certificate in its trust store.
Client
Invocation failed with the following: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
Server
167179228@qtp-764924063-0, READ: TLSv1 Handshake, length = 109
*** Certificate chain
***
167179228@qtp-764924063-0, SEND TLSv1 ALERT: fatal, description = bad_certificate
167179228@qtp-764924063-0, WRITE: TLSv1 Alert, length = 2
167179228@qtp-764924063-0, called closeSocket()
167179228@qtp-764924063-0, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
167179228@qtp-764924063-0, called close()
167179228@qtp-764924063-0, called closeInternal(true)
Client
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:352)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:850)
... 35 more
Invocation failed with the following: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://localhost:9001/SoapContext/SoapPort: Remote host closed connection during handshake
Server
qtp111947068-20, READ: TLSv1 Handshake, length = 109
*** Certificate chain
***
qtp111947068-20, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
qtp111947068-20, SEND TLSv1 ALERT: fatal, description = bad_certificate
qtp111947068-20, WRITE: TLSv1 Alert, length = 2
qtp111947068-20, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
Jan 9, 2013 11:34:58 AM org.eclipse.jetty.io.nio.SelectChannelEndPoint handle
WARNING: javax.net.ssl.SSLHandshakeException: null cert chain