tomee-commits mailing list archives

From "Nikhil (Jira)" <j...@apache.org>
Subject [jira] [Commented] (TOMEE-2760) javax.net.ssl.SSLException(certificate_unknown) while deploying a enterprise ear over TOMEE8
Date Thu, 09 Jan 2020 13:54:00 GMT

    [ https://issues.apache.org/jira/browse/TOMEE-2760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17011831#comment-17011831 ]

Nikhil commented on TOMEE-2760:
-------------------------------

Thank you for your detailed explanation of the issue. That really makes a lot of difference
as far as security is concerned, and we are looking into how we can handle it in our project.

 

Would be happy to add this information into documentation soon by following the video shared
above.

> javax.net.ssl.SSLException(certificate_unknown) while deploying a enterprise ear over TOMEE8
> --------------------------------------------------------------------------------------------
>
>                 Key: TOMEE-2760
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2760
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>    Affects Versions: 8.0.0-Final
>            Reporter: Nikhil
>            Assignee: Jonathan Gallimore
>            Priority: Major
>
> Hi,
>  
> We are trying to deploy an enterprise level EAR application on the TomEE 8.0 environment with JDK 1.8.x and ActiveMQ setup war.
>  
> During the startup of the TomEE server, while deploying the EAR file, we got the exceptions below.
>  
> org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}
> org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}
> java.io.IOException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
>     at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
>     at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)
>     at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)
>     at org.apache.activemq.transport.InactivityMonitor.start(InactivityMonitor.java:52)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:72)
>     at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
>     at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)
>     at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
>     at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
>     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.secureRead(NIOSSLTransport.java:393)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:428)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164)
>     ... 14 more
>  
> Further the below stack trace --
>  
> org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}
> org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost found
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
>     at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115)
>     at java.io.DataOutputStream.flush(DataOutputStream.java:123)
>     at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:194)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.doOnewaySend(AbstractInactivityMonitor.java:335)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.oneway(AbstractInactivityMonitor.java:317)
>     at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:181)
>     at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84)
>     at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74)
>     at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:1017)
>     at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:148)
>     at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:133)
>     at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:48)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.security.cert.CertificateException: No name matching myhost found
>     at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>     ... 22 more
>  
>  
> The same EAR deployment was working fine with 7.0.3 TomEE environment + JDK 8.
>  
> While researching, we found that a similar issue w.r.t. hostname verification was added recently as part of an ActiveMQ 5.15.x change @ [https://securitytracker.com/id/1041618]
>  
> The vendor advisory is available at:
> http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
>  
> We couldn't see any option for disabling the same in TOMEE or ActiveMQ.xml 
>  
> Please let us know if there is any issue w.r.t above configurations.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
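
The name check behind `No name matching myhost found` in the quoted trace can be reproduced offline with throwaway certificates. This is an added example, not part of the original message or of TomEE/ActiveMQ; it assumes OpenSSL 1.1.1 or later on the PATH, and `broker.internal`, the file names and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example: which certificates cover the host name "myhost"
# (the name in the failing nio+ssl URI)? All certs are self-signed throwaways.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <out-prefix> <subject CN> [subjectAltName value]
make_cert() {
    out=$1; cn=$2; san=$3
    set -- req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$out.key" -out "$out.pem" -subj "/CN=$cn"
    # Only add a subjectAltName extension when one was requested.
    [ -n "$san" ] && set -- "$@" -addext "subjectAltName=$san"
    openssl "$@" 2>/dev/null
}

# name_matches <cert.pem> <hostname>: exit status 0 when the cert covers it
name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" \
        | grep -q 'does match certificate'
}

# 1. CN only, for a different name: "myhost" is rejected.
make_cert "$WORK/cn_only" broker.internal
# 2. SAN lists both names: "myhost" is accepted.
make_cert "$WORK/san_ok" broker.internal "DNS:broker.internal,DNS:myhost"
# 3. CN says "myhost" but a DNS SAN is present: the SAN wins, CN is ignored.
make_cert "$WORK/san_wins" myhost "DNS:broker.internal"

for c in cn_only san_ok san_wins; do
    if name_matches "$WORK/$c.pem" myhost; then
        echo "$c: myhost matches"
    else
        echo "$c: myhost does NOT match"
    fi
done
```

Running the same `-checkhost` test against the broker's real certificate shows whether the name used in the connection URI is one the certificate actually carries.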
