612535 – Some SSL errors do not get reported up the stack or in the log file.

Bug 612535 - Some SSL errors do not get reported up the stack or in the log file.

Summary: Some SSL errors do not get reported up the stack or in the log file.

Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise MRG
Classification:	Red Hat
Component:	qpid-java
Sub Component:
Version:	Development
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	1.3
Target Release:	---
Assignee:	Rajith Attapattu
QA Contact:	MRG Quality Engineering
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-07-08 13:18 UTC by Rajith Attapattu
Modified:	2013-02-25 10:44 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:
Environment:	(edit)
Last Closed:	2013-02-25 10:44:43 UTC

Attachments	(Terms of Use)
SSL setup with expired SSL certificates (5.44 KB, application/x-gzip) 2010-07-13 02:23 UTC, Rajith Attapattu	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Description Rajith Attapattu 2010-07-08 13:18:59 UTC

Description of problem:
For example if the client has an expired certificate, the correct error does not get reported up the stack (and does not appear in the logs either).
Instead you would get "SSL Engine timed out waiting for a response. To get more info,run with -Djavax.net.debug=ssl" as the SSLSender is waiting for data that will not arrive.

Version-Release number of selected component (if applicable):
qpid-java-0.7.946106-5

How reproducible:
Always

Steps to Reproduce:
1. Start the broker with the ssl module loaded.
2. Create a client that connects to the broker using an SSL connection, but with an expired certificate.
3. The client will report an exception and the connection is terminated. But the exception nor the log file has any information about the real cause.
  
Actual results:
The client hangs for a few mins and timesout and throws an exception with the following message.

""SSL Engine timed out waiting for a response. To get more info,run with -Djavax.net.debug=ssl"

Expected results:
The client should log an error into the log file and also throw the correct exception up the stack that says the client certificate has expired.

Additional info:

Comment 1 Rajith Attapattu 2010-07-08 21:39:48 UTC

This is fixed in upstream at rev 961860 in Qpid trunk and checked into the internal git repo.

http://mrg1.lab.bos.redhat.com/cgit/qpid.git/commit/?id=076a76f1327acddd0bf55630ab11e18f06d95ca5

Comment 2 Rajith Attapattu 2010-07-13 02:23:36 UTC

Created attachment 431326 [details]
SSL setup with expired SSL certificates

The above attachment contains a set of expired client certificates that you could use to verify the fix.

Assuming you extracted the tarball into /tmp/ssl
You could run any java test program against the broker by using the following cmd line args.

Broker args
--load-module ${broker.module.ssl} --ssl-cert-name localhost.localdomain --ssl-cert-password-file /tmp/ssl/pfile --ssl-cert-db /tmp/ssl/server_db/ --ssl-require-client-authentication --ssl-port 5671


Client args
-D=javax.net.ssl.keyStore=/tmp/ssl/keystore.jks -Djavax.net.ssl.keyStorePassword=password 
-Djavax.net.ssl.trustStore=/tmp/ssl/certstore.jks
-Djavax.net.ssl.trustStorePassword=password

Please note the above JMS args should appear in the same line. I just pasted them separately to improve readability

Note You need to log in before you can comment on or make changes to this bug.