Bug 642779

Summary: Error connecting to Active Directory (AD) over SSL.
Product: Red Hat Enterprise Linux 6
Reporter: Vincent Danen <vdanen>
Component: java-1.6.0-openjdk
Assignee: Deepak Bhole <dbhole>
Status: CLOSED ERRATA
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: medium
Docs Contact:
Priority: high
Version: 6.0
CC: ahughes, jvanek, mmillson, patrickm
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 618290
Environment:
Last Closed: 2010-11-10 18:51:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 618290
Bug Blocks:

Description Vincent Danen 2010-10-13 20:07:06 UTC
+++ This bug was initially created as a clone of Bug #618290 +++

Description of problem:

JBoss JAAS security module is not able to connect to Active Directory (AD) over SSL.


How reproducible:
Configure JBoss security module to connect to AD over SSL.


Actual results:

javax.naming.CommunicationException: simple bind failed: 10.158.131.139:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]]
       at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
       at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
       at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
       at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
       at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
       at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
       at javax.naming.InitialContext.init(InitialContext.java:240)
       at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:151)
       at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:589)
       at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:382)
       at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:267)
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:616)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
       at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
       at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
       at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
       at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
       at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:543)
       at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:445)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
       at org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:677)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:636)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]
       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
       at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1639)
       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:215)
       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:209)
       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1033)
       at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:146)
       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:546)
       at sun.security.ssl.Handshaker.process_record(Handshaker.java:482)
       at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:904)
       at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1140)
       at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:643)
       at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:78)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
       at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409)
       at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352)
       at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
       ... 44 more
Caused by: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]
       at sun.security.validator.EndEntityChecker.checkRemainingExtensions(EndEntityChecker.java:175)
       at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:297)
       at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:138)
       at sun.security.validator.Validator.validate(Validator.java:238)
       at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
       at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
       at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1012)
       ... 56 more


Expected results:

JBoss should retrieve security information from AD.


Additional info:

A workaround is to add the AD server certificate to the application server truststore. However, this is not a practical solution, as when the AD certificate expires, it requires updating all application server instances with the new AD server certificate.

--- Additional comment from mmillson on 2010-07-26 11:07:08 EDT ---

This OpenJDK7 changeset includes the fix:
http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/8da00cb83d01

Backport the changes to EndEntityChecker:

--- a/src/share/classes/sun/security/validator/EndEntityChecker.java Wed Apr 23 14:35:26 2008 +0400
+++ b/src/share/classes/sun/security/validator/EndEntityChecker.java Sun May 04 07:05:42 2008 -0700
@@ -86,6 +86,9 @@ class EndEntityChecker {
// the Microsoft Server-Gated-Cryptography EKU extension OID
private final static String OID_EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3";
+
+ // the recognized extension OIDs
+ private final static String OID_SUBJECT_ALT_NAME = "2.5.29.17";
private final static String NSCT_SSL_CLIENT =
NetscapeCertTypeExtension.SSL_CLIENT;
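Review bot: the new comment `// the recognized extension OIDs` is plural, but the hunk introduces a single constant, `OID_SUBJECT_ALT_NAME`. Suggest `// the subjectAltName extension OID (RFC 5280, 4.2.1.6)` so a reader can see which rule the constant supports, and so it is obvious where any further recognized OIDs would be declared if the list grows.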
@@ -171,6 +174,13 @@ class EndEntityChecker {
throws CertificateException {
// basic constraints irrelevant in EE certs
exts.remove(SimpleValidator.OID_BASIC_CONSTRAINTS);
+
+ // If the subject field contains an empty sequence, the subjectAltName
+ // extension MUST be marked critical.
+ // We do not check the validity of the critical extension, just mark
+ // it recognizable here.
+ exts.remove(OID_SUBJECT_ALT_NAME);
+
if (!exts.isEmpty()) {
throw new CertificateException("Certificate contains unsupported "
+ "critical extensions: " + exts);
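Review bot: the comment justifies the change with the empty-subject case, where RFC 5280 requires subjectAltName to be critical, but `exts.remove(OID_SUBJECT_ALT_NAME);` is unconditional, so a critical subjectAltName is now accepted on every end-entity certificate regardless of the subject field. That is the intended fix for this bug, but the comment should say so explicitly, and state that the extension's contents are deliberately not validated here, so a later reader does not assume the check is scoped to empty subjects. Also worth a unit test alongside the backport: a server certificate carrying a critical 2.5.29.17 should pass `checkRemainingExtensions`, while a certificate with some other unrecognized critical OID must still throw `CertificateException`.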

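The failure in this report is the JDK's EndEntityChecker treating any critical extension it does not recognize, here subjectAltName (2.5.29.17), as fatal. The following is an added example, not code from the bug report or from the JDK: a stdlib-only Python script that DER-encodes a constructed X.509 Extensions block, parses it back, and applies the same remaining-critical-extensions rule before and after the backported fix. The sample extensions, the function names and the RECOGNIZED set are assumptions made for the demonstration, not the JDK's exact list.

```python
def tlv(tag, body):  # DER-encode one TLV; sample bodies are all under 128 bytes
    assert len(body) < 128
    return bytes([tag, len(body)]) + body
def oid_der(dotted):  # OBJECT IDENTIFIER, first two arcs merged; sample arcs are < 128
    arcs = [int(a) for a in dotted.split(".")]
    assert all(a < 128 for a in arcs[2:])
    return tlv(0x06, bytes([40 * arcs[0] + arcs[1]] + arcs[2:]))
def extension(oid, critical, value):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    crit = tlv(0x01, b"\xff") if critical else b""  # DER omits a DEFAULT FALSE value
    return tlv(0x30, oid_der(oid) + crit + tlv(0x04, value))

# Constructed sample (assumption): extensions of an AD-style server certificate with an
# empty subject, so subjectAltName (2.5.29.17) is critical as RFC 5280 4.2.1.6 requires.
SAMPLE_EXTENSIONS = tlv(0x30, b"".join([
    extension("2.5.29.15", True, tlv(0x03, b"\x05\xa0")),                   # keyUsage
    extension("2.5.29.17", True, tlv(0x30, tlv(0x82, b"ad.example.com"))),  # SAN dNSName
    extension("2.5.29.37", False, tlv(0x30, oid_der("1.3.6.1.5.5.7.3.1"))), # EKU serverAuth
]))
def der_items(data):  # yield (tag, value) per TLV; long-form lengths as in real certs
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the length, big-endian
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + ln]
        i += ln
def oid_str(value):  # dotted form; arcs after the first byte are base-128 encoded
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def parse_extensions(der):  # (extnID, critical) per Extension in the Extensions SEQUENCE
    (_, body), = der_items(der)
    out = []
    for _tag, ext in der_items(body):
        f = list(der_items(ext))
        out.append((oid_str(f[0][1]), f[1][0] == 0x01 and f[1][1] != b"\x00"))
    return out

# Stand-in (assumption) for the critical extensions the JDK already recognized on a TLS
# server certificate: keyUsage, extendedKeyUsage, basicConstraints.
RECOGNIZED = {"2.5.29.15", "2.5.29.37", "2.5.29.19"}
OID_SUBJECT_ALT_NAME = "2.5.29.17"
def unsupported_critical(der, recognize_san):
    # Mirror of checkRemainingExtensions: critical OIDs left once the recognized ones are
    # removed; recognize_san=True is the behaviour after the backported fix.
    recognized = RECOGNIZED | ({OID_SUBJECT_ALT_NAME} if recognize_san else set())
    return sorted(o for o, c in parse_extensions(der) if c and o not in recognized)
```

Feeding the Extensions SEQUENCE of a real server certificate to unsupported_critical shows which critical OIDs a pre-fix JDK 6 client would refuse, which is the check to run before deciding whether the truststore workaround above or the updated java-1.6.0-openjdk package is the right remedy.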
Comment 3 errata-xmlrpc 2010-11-10 18:51:12 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0865.html