Uploaded image for project: 'TomEE'
  1. TomEE
  2. TOMEE-2760

javax.net.ssl.SSLException(certificate_unknown) while deploying a enterprise ear over TOMEE8

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Information Provided
    • Affects Version/s: 8.0.0-Final
    • Fix Version/s: None
    • Component/s: TomEE Core Server
    • Labels:
      None

      Description

      Hi,

       

      We are trying to deploy an enterprise level EAR application on the TomEE 8.0 environment with JDK 1.8.x and ActiveMQ setup war.

       

      During the startup of the TomEE server, while deploying the EAR file.. we got into below exceptions..

       

      org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}java.io.IOException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196) at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543) at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174) at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470) at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55) at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169) at org.apache.activemq.transport.InactivityMonitor.start(InactivityMonitor.java:52) at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64) at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:72) at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64) at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072) at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) at org.apache.activemq.transport.nio.NIOSSLTransport.secureRead(NIOSSLTransport.java:393) at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:428) at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164) ... 14 more

       

      Further the below stack trace –

       

      org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost found at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757) at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115) at java.io.DataOutputStream.flush(DataOutputStream.java:123) at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:194) at org.apache.activemq.transport.AbstractInactivityMonitor.doOnewaySend(AbstractInactivityMonitor.java:335) at org.apache.activemq.transport.AbstractInactivityMonitor.oneway(AbstractInactivityMonitor.java:317) at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:181) at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84) at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74) at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:1017) at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:148) at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:133) at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:48) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)Caused by: java.security.cert.CertificateException: No name matching myhost found at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231) at sun.security.util.HostnameChecker.match(HostnameChecker.java:96) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ... 22 more

       

       

      The same EAR deployment was working fine with 7.0.3 TomEE environment + JDK 8.

       

      While researching, we found that the similar issue w.r.t hostname verification was added recently as part of ActiveMQ 5.15.x change @ https://securitytracker.com/id/1041618

      The vendor advisory is available at:

      http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt|

       

      We couldn't see any option for disabled the same in TOMEE or ActiveMQ.xml 

       

      Please let us know if there is any issue w.r.t above configurations.

        Attachments

          Activity

            People

            • Assignee:
              jgallimore Jonathan Gallimore
              Reporter:
              somasaninikhil Nikhil
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: