tomee-commits mailing list archives

From "Jonathan Gallimore (Jira)" <j...@apache.org>
Subject [jira] [Commented] (TOMEE-2760) javax.net.ssl.SSLException(certificate_unknown) while deploying an enterprise EAR over TOMEE8
Date Thu, 09 Jan 2020 09:43:00 GMT

    [ https://issues.apache.org/jira/browse/TOMEE-2760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17011619#comment-17011619 ]

Jonathan Gallimore commented on TOMEE-2760:
-------------------------------------------

You're welcome. Documentation-wise, PRs to the website are most welcome. [~ivanjunckes] made
a video demonstrating how to do this: [https://www.youtube.com/watch?v=P6IM0LDevVU]

In terms of your product and how you're shipping it, that's really for you to work out, and
no doubt your organization has a security policy in place for this sort of thing. The vulnerability
fixed by this update (CVE-2018-11775) would potentially allow a "man in the middle" attack,
where someone could present an endpoint between TomEE and the ActiveMQ broker and eavesdrop
on traffic between the two. By using this setting, you are re-enabling that vulnerability;
I think it's important that I point that out. If/how you mitigate that is up to you.

I do understand the desire to ship everything with the product and have it "just work", but
you're effectively relying on that hostname check being disabled. I don't know much about
your package, but if you're shipping the ActiveMQ broker as well, you're potentially also
shipping a default private key, which also presents a risk. If it were me, personally, I'd
enable the customer to generate/update keys and certificates in the product, and they can
choose if they want the insecure setting. If for no other reason, certificates have a habit
of expiring, and that tends to break things as well. [https://www.theregister.co.uk/2018/12/06/ericsson_o2_telefonica_uk_outage/]

I do hope that helps. Thanks for filing this ticket - I'll mark it as resolved, but let us
know (you can follow up here, another ticket, or on users@tomee.apache.org) if you have further
queries.

Jon
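The advice above comes down to one thing: the broker's certificate has to carry the hostname TomEE actually dials, and the product should be able to issue such a certificate instead of switching the check off. The script below is an added example (not from this ticket and not TomEE or ActiveMQ project code) that issues a broker certificate whose Subject Alternative Name is the host from the failover URI in the ticket (`myhost`), bundles it as a PKCS12 keystore, and then runs the same hostname match the JDK performs, so a mismatch is caught in the build rather than as "No name matching myhost found" at deploy time. It assumes `openssl` (1.0.2 or newer) on the PATH; the file names, the `changeit` password and the `other-host` mismatch case are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: issue a broker certificate with a matching SAN and
# pre-check hostname verification. Not code from the ticket or from
# TomEE/ActiveMQ. Assumes openssl >= 1.0.2; paths/passwords are placeholders.
set -eu

# make_broker_cert HOST OUTDIR
# Writes key.pem, cert.pem and broker.p12 (a keystore the broker can load)
# into OUTDIR. The SAN is what the JDK's HostnameChecker matches against;
# a bare CN is not enough once a SAN extension is present.
make_broker_cert() {
    host="$1"; out="$2"
    mkdir -p "$out"
    # A config file rather than -addext keeps this working on older OpenSSL.
    cat > "$out/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_broker
[dn]
CN = $host
[v3_broker]
subjectAltName = DNS:$host
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$out/key.pem" -out "$out/cert.pem" \
        -config "$out/san.cnf" 2>/dev/null
    # PKCS12 bundle for the broker keystore; "changeit" is a placeholder.
    # (On OpenSSL 3 add -legacy if an old JDK cannot read the file.)
    openssl pkcs12 -export -in "$out/cert.pem" -inkey "$out/key.pem" \
        -name broker -out "$out/broker.p12" -passout pass:changeit
}

# check_hostname HOST CERT_PEM
# Exit 0 when HOST matches the certificate's SAN, non-zero otherwise.
# The non-zero case is the handshake failure quoted in the ticket.
check_hostname() {
    openssl verify -CAfile "$2" -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# san_of CERT_PEM: print the SAN line so it can be checked in a build log.
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

demo() {
    dir=$(mktemp -d)
    make_broker_cert myhost "$dir"
    echo "SAN: $(san_of "$dir/cert.pem")"
    if check_hostname myhost "$dir/cert.pem"; then
        echo "myhost: certificate name matches, handshake would pass"
    fi
    if ! check_hostname other-host "$dir/cert.pem"; then
        echo "other-host: name mismatch, the JDK would reject this handshake"
    fi
    rm -rf "$dir"
}

demo
```

Run it as part of the product's key-generation step (or a CI check) with the real broker hostname in place of `myhost`; if `check_hostname` fails for the name clients will use, fix the certificate rather than the client.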

> javax.net.ssl.SSLException(certificate_unknown) while deploying an enterprise EAR over TOMEE8
> --------------------------------------------------------------------------------------------
>
>                 Key: TOMEE-2760
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2760
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>    Affects Versions: 8.0.0-Final
>            Reporter: Nikhil
>            Priority: Major
>
> Hi,
>  
> We are trying to deploy an enterprise-level EAR application on the TomEE 8.0 environment with JDK 1.8.x and an ActiveMQ setup WAR.
>  
> During the startup of the TomEE server, while deploying the EAR file, we got the exceptions below:
>  
> org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}
> org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}
> java.io.IOException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
>     at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
>     at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
>     at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
>     at org.apache.activemq.transport.InactivityMonitor.start(InactivityMonitor.java:52)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:72)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
>     at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
>     at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
>     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.secureRead(NIOSSLTransport.java:393)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:428)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
>     ... 14 more
>  
> Further, the stack trace below:
>  
> org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}
> org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost found
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
>     at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115)
>     at java.io.DataOutputStream.flush(DataOutputStream.java:123)
>     at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:194)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.doOnewaySend(AbstractInactivityMonitor.java:335)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.oneway(AbstractInactivityMonitor.java:317)
>     at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:181)
>     at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84)
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74)
>     at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:1017)
>     at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:148)
>     at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:133)
>     at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:48)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.security.cert.CertificateException: No name matching myhost found
>     at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>     ... 22 more
>  
>  
> The same EAR deployment was working fine with the TomEE 7.0.3 environment + JDK 8.
>  
> While researching, we found that a similar issue w.r.t. hostname verification was added
recently as part of an ActiveMQ 5.15.x change @ [https://securitytracker.com/id/1041618]
>
> The vendor advisory is available at:
> http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
>  
> We couldn't see any option to disable this in TomEE or activemq.xml.
>  
> Please let us know if there is any issue w.r.t. the above configurations.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
