Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Information Provided
-
8.0.0-Final
-
None
-
None
Description
Hi,
We are trying to deploy an enterprise level EAR application on the TomEE 8.0 environment with JDK 1.8.x and ActiveMQ setup war.
During the startup of the TomEE server, while deploying the EAR file.. we got into below exceptions..
org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}java.io.IOException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196) at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543) at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174) at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470) at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55) at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169) at org.apache.activemq.transport.InactivityMonitor.start(InactivityMonitor.java:52) at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64) at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:72) at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64) at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072) at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) at org.apache.activemq.transport.nio.NIOSSLTransport.secureRead(NIOSSLTransport.java:393) at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:428) at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164) ... 14 more
Further the below stack trace –
org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost found at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757) at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115) at java.io.DataOutputStream.flush(DataOutputStream.java:123) at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:194) at org.apache.activemq.transport.AbstractInactivityMonitor.doOnewaySend(AbstractInactivityMonitor.java:335) at org.apache.activemq.transport.AbstractInactivityMonitor.oneway(AbstractInactivityMonitor.java:317) at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:181) at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84) at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74) at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:1017) at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:148) at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:133) at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:48) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)Caused by: java.security.cert.CertificateException: No name matching myhost found at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231) at sun.security.util.HostnameChecker.match(HostnameChecker.java:96) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ... 22 more
The same EAR deployment was working fine with 7.0.3 TomEE environment + JDK 8.
While researching, we found that the similar issue w.r.t hostname verification was added recently as part of ActiveMQ 5.15.x change @ https://securitytracker.com/id/1041618
The vendor advisory is available at: |
http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt|
We couldn't see any option for disabled the same in TOMEE or ActiveMQ.xml
Please let us know if there is any issue w.r.t above configurations.