Maven Wagon / WAGON-372

SSL client-side certificates stopped working in maven 3.0.4

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2
    • Fix Version/s: 2.4
    • Component/s: wagon-http
    • Labels:
      None
    • Environment:
      Fedora, Ubuntu

      Description

      The following command works perfectly in Maven 3.0.3, but 3.0.4 does not seem to open the key store and therefore client side certificate authentication fails as maven never presents a certificate to the server.

      mvn deploy -Djavax.net.ssl.keyStore=/home/<user>/ssl/key.p12 -Djavax.net.ssl.keyStorePassword=****** -Djavax.net.ssl.keyStoreType=pkcs12

      Adding -Djavax.net.debug=all reveals that the keystore is never loaded. Confirmed with strace that the keystore file is never touched or opened.

        Issue Links

          Activity

          Igor von Nyssen created issue -
          Olivier Lamy (*$^¨%`£) made changes -
          Field Original Value New Value
          Project Maven 2 & 3 [ 10500 ] Maven Wagon [ 10335 ]
          Component/s wagon-ftp [ 12159 ]
          Affects Version/s 2.2 [ 18090 ]
          Component/s Deployment [ 12029 ]
          Complexity Intermediate [ 10011 ]
          Key MNG-5272 WAGON-372
          Affects Version/s 3.0.4 [ 17215 ]
          Component/s Command Line [ 11982 ]
          Olivier Lamy (*$^¨%`£) made changes -
          Component/s wagon-http [ 12151 ]
          Component/s wagon-ftp [ 12159 ]
          Olivier Lamy (*$^¨%`£) added a comment - as workaround you can put the file from http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon-http-lightweight/2.2/wagon-http-lightweight-2.2.jar to $M2_HOME/lib/ext .
          Robert Scholte made changes -
          Link This issue is depended upon by MNG-5363 [ MNG-5363 ]
          Graham Leggett added a comment -

          We can also confirm that client certificate support is broken in maven v3.0.4, we also see no attempt by maven to read the keystore when -Djavax.net.debug=ssl:handshake is enabled.

          The workaround works, however this is a support burden for us, as every new developer that comes on board must manually configure this.

          Olivier Lamy (*$^¨%`£) added a comment -

          Did you try with -Dmaven.wagon.http.ssl.easy=false ?

          Graham Leggett added a comment -

          Sorry, should have been more specific, this was with -Dmaven.wagon.http.ssl.easy=false. If we switch -Dmaven.wagon.http.ssl.easy=true, we also get the keystore being ignored, but in this case we fail with a handshake failure instead of peer is not authenticated.

          In both cases (false or true), Server Name Indication (RFC3546) breaks, the SSL handshake debug log shows the wrong certificate being sent by the server (the first certificate). Once the http-lightweight wagon v2.2 workaround is put in place, SNI starts working again and the server sends the correct certificate. I suspect whatever SSL options that the new code is setting, it is unintentionally switching other SSL options like SNI off.

          Oleg Kalnichevski added a comment -

          By default Apache HttpClient does not make use of global system properties. One needs to explicitly configure the connection manager to take system properties into account at the initialization time, if appropriate within a particular application context. The attached patch should fix the issue by tweaking SSL context initialization in the AbstractHttpClientWagon class.

          Please review.

          Oleg

          Oleg Kalnichevski made changes -
          Attachment maven-httpwagen-httpclient-ssl-setup.patch [ 62478 ]
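
Added example, not the attached patch and not Wagon or HttpClient code: a client that builds its own SSLContext has to read the javax.net.ssl.keyStore* system properties itself, which is the initialization step the comment above describes. The class and method names are hypothetical, and the demo keystore is constructed and empty.

```java
import java.io.*;
import java.security.KeyStore;
import javax.net.ssl.*;

// Added illustration; class and method names are hypothetical.
public class SystemPropertyKeyStore {

    // Builds key managers from the javax.net.ssl.keyStore* system properties.
    // Returns null when no keystore is configured (no client certificate is offered).
    static KeyManager[] keyManagersFromSystemProperties() throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null || path.isEmpty()) return null;
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        char[] password = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        KeyStore keyStore = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, password); // this is the file access the report found missing
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password); // same password for store and keys
        return kmf.getKeyManagers();
    }

    // Context for a client that creates its own SSLContext; null trust managers
    // and null SecureRandom select the provider defaults.
    static SSLContext clientContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagersFromSystemProperties(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (System.getProperty("javax.net.ssl.keyStore") == null) {
            // Constructed sample input: an empty PKCS12 store in a temp file.
            File f = File.createTempFile("demo", ".p12");
            f.deleteOnExit();
            KeyStore empty = KeyStore.getInstance("PKCS12");
            empty.load(null, null);
            try (OutputStream out = new FileOutputStream(f)) {
                empty.store(out, "changeit".toCharArray());
            }
            System.setProperty("javax.net.ssl.keyStore", f.getPath());
            System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
            System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        }
        KeyManager[] kms = keyManagersFromSystemProperties();
        System.out.println("loaded " + kms.length + " key manager(s) from "
                + System.getProperty("javax.net.ssl.keyStore"));
        clientContext(); // fails fast on a bad path, type or password
    }
}
```

Run it with the same -Djavax.net.ssl.keyStore, -Djavax.net.ssl.keyStorePassword and -Djavax.net.ssl.keyStoreType options as the mvn command in the description to check that a given keystore loads outside Maven.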
          Oleg Kalnichevski added a comment -

          Sorry, I should have mentioned that in my previous post. All tests when run as 'mvn clean test' pass for me.


          [INFO] ------------------------------------------------------------------------
          [INFO] Reactor Summary:
          [INFO]
          [INFO] Apache Maven Wagon ................................ SUCCESS [2.100s]
          [INFO] Apache Maven Wagon :: API ......................... SUCCESS [3.069s]
          [INFO] Apache Maven Wagon :: Provider Test ............... SUCCESS [1.273s]
          [INFO] Apache Maven Wagon :: Providers ................... SUCCESS [0.296s]
          [INFO] Apache Maven Wagon :: Providers :: File Provider .. SUCCESS [1.139s]
          [INFO] Apache Maven Wagon :: Providers :: FTP Provider ... SUCCESS [6.410s]
          [INFO] Apache Maven Wagon :: Providers :: HTTP Shared Library 4 SUCCESS [1.284s]
          [INFO] Apache Maven Wagon :: Test Compatibility Kits ..... SUCCESS [0.214s]
          [INFO] Apache Maven Wagon :: HTTP Test Compatibility Kit . SUCCESS [0.625s]
          [INFO] Apache Maven Wagon :: Providers :: HTTP Provider .. SUCCESS [2:19.005s]
          [INFO] Apache Maven Wagon :: Providers :: HTTP Shared Library SUCCESS [1.027s]
          [INFO] Apache Maven Wagon :: Providers :: Lightweight HTTP Provider SUCCESS [1:52.511s]
          [INFO] Apache Maven Wagon :: Providers :: SCM Provider ... SUCCESS [4.794s]
          [INFO] Apache Maven Wagon :: Providers :: SSH Common Library SUCCESS [0.708s]
          [INFO] Apache Maven Wagon :: Providers :: SSH Common Tests SUCCESS [0.543s]
          [INFO] Apache Maven Wagon :: Providers :: SSH External Provider SUCCESS [0.491s]
          [INFO] Apache Maven Wagon :: Providers :: SSH Provider ... SUCCESS [0.569s]
          [INFO] Apache Maven Wagon :: Providers :: WebDav Provider SUCCESS [37.491s]
          [INFO] ------------------------------------------------------------------------
          [INFO] BUILD SUCCESS
          [INFO] ------------------------------------------------------------------------
          [INFO] Total time: 5:14.309s
          [INFO] Finished at: Mon Jan 28 15:27:05 CET 2013
          [INFO] Final Memory: 26M/205M-

          git status

          oleg@ubuntu:~/src/apache.org/maven/maven-wagon$ git status

          # On branch master
          # Changes to be committed:
          #   (use "git reset HEAD <file>..." to unstage)
          #
          #   modified:   wagon-providers/wagon-http-shared4/src/main/java/org/apache/maven/wagon/shared/http4/AbstractHttpClientWagon.java
          #   modified:   wagon-providers/wagon-http-shared4/src/main/java/org/apache/maven/wagon/shared/http4/ConfigurableSSLSocketFactory.java
          #   new file:   wagon-providers/wagon-http-shared4/src/main/java/org/apache/maven/wagon/shared/http4/ConfigurableSSLSocketFactoryDecorator.java

          git rev-parse HEAD

          d8b1974e91b1944efe964579b858bb54168fb70a

          Oleg

          Olivier Lamy (*$^¨%`£) added a comment -

          What is your env?
          Because here https test doesn't pass anymore.

          Maven home: /Users/olamy/softs/maven/trunk
          Java version: 1.6.0_37, vendor: Apple Inc.
          Java home: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
          Default locale: fr_FR, platform encoding: MacRoman
          OS name: "mac os x", version: "10.8.2", arch: "x86_64", family: "mac"
          
          Oleg Kalnichevski added a comment - - edited


          oleg@ubuntu:~/src/apache.org/maven/maven-wagon$ mvn -version
          Maven home: /opt/maven
          Java version: 1.6.0_35, vendor: Sun Microsystems Inc.
          Java home: /opt/oracle-jdk-1.6.0.35/jre
          Default locale: en_US, platform encoding: UTF-8
          OS name: "linux", version: "3.5.0-22-generic", arch: "amd64", family: "unix"

          Oleg

          Oleg Kalnichevski added a comment -

          Let us try to tackle the problem in several incremental steps. Could you please see if all test cases pass for you locally with this patch only? The patch only refactors the SSL initialization code somewhat without (intentionally) changing its behavior.

          Oleg

          Oleg Kalnichevski made changes -
          Attachment maven-httpwagen-httpclient-ssl-setup-refactoring.patch [ 62480 ]
          Olivier Lamy (*$^¨%`£) added a comment -

          ok I have reverted some commits and it's better now.

          Olivier Lamy (*$^¨%`£) made changes -
          Assignee Olivier Lamy [ olamy ]
          Fix Version/s 2.4 [ 18697 ]
          Olivier Lamy (*$^¨%`£) made changes -
          Resolution Fixed [ 1 ]
          Status Open [ 1 ] Closed [ 6 ]
          Olivier Lamy (*$^¨%`£) added a comment -

          bin.zip or bin.tar.gz available for testing here https://builds.apache.org/view/M-R/view/Maven/job/maven-3.x/

          Hervé Boutemy made changes -
          Link This issue is related to MNG-5175 [ MNG-5175 ]
          Chris Owens added a comment -

          I am still experiencing this problem with the tomcat7-maven-plugin, whose "Deploy" goal I believe uses the same underlying plumbing.

          It fails under tomcat7 plugin versions 2.0 or 2.1, under Maven 3.0.5, with either the wagon 2.4 code that ships with maven 3.0.5, or with the lightweight 2.2 version in the comments above, and with -Dmaven.wagon.http.ssl.easy=false or true.

          Transition: Open → Closed
          Time In Source Status: 292d 23h 6m
          Execution Times: 1
          Last Executer: Olivier Lamy (*$^¨%`£)
          Last Execution Date: 28/Jan/13 14:44

            People

            • Assignee:
              Olivier Lamy (*$^¨%`£)
              Reporter:
              Igor von Nyssen
            • Votes:
              3
              Watchers:
              6
