Bug 612535 - Some SSL errors do not get reported up the stack or in the log file.
Summary: Some SSL errors do not get reported up the stack or in the log file.
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-java
Version: Development
Hardware: All
OS: Linux
Target Milestone: 1.3
Assignee: Rajith Attapattu
QA Contact: MRG Quality Engineering
Depends On:
Reported: 2010-07-08 13:18 UTC by Rajith Attapattu
Modified: 2013-02-25 10:44 UTC (History)

Clone Of:
Last Closed: 2013-02-25 10:44:43 UTC

Attachments
SSL setup with expired SSL certificates (5.44 KB, application/x-gzip)
2010-07-13 02:23 UTC, Rajith Attapattu

Description Rajith Attapattu 2010-07-08 13:18:59 UTC
Description of problem:
For example if the client has an expired certificate, the correct error does not get reported up the stack (and does not appear in the logs either).
Instead you would get "SSL Engine timed out waiting for a response. To get more info,run with -Djavax.net.debug=ssl" as the SSLSender is waiting for data that will not arrive.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start the broker with the ssl module loaded.
2. Create a client that connects to the broker using an SSL connection, but with an expired certificate.
3. The client will report an exception and the connection is terminated. But neither the exception nor the log file has any information about the real cause.
Actual results:
The client hangs for a few mins, times out and throws an exception with the following message.

"SSL Engine timed out waiting for a response. To get more info,run with -Djavax.net.debug=ssl"

Expected results:
The client should log an error into the log file and also throw the correct exception up the stack that says the client certificate has expired.

Additional info:

Comment 1 Rajith Attapattu 2010-07-08 21:39:48 UTC
This is fixed in upstream at rev 961860 in Qpid trunk and checked into the internal git repo.


Comment 2 Rajith Attapattu 2010-07-13 02:23:36 UTC
Created attachment 431326
SSL setup with expired SSL certificates

The above attachment contains a set of expired client certificates that you could use to verify the fix.

Assuming you extracted the tarball into /tmp/ssl, you could run any Java test program against the broker by using the following command line args.

Broker args
--load-module ${broker.module.ssl} --ssl-cert-name localhost.localdomain --ssl-cert-password-file /tmp/ssl/pfile --ssl-cert-db /tmp/ssl/server_db/ --ssl-require-client-authentication --ssl-port 5671

Client args
-Djavax.net.ssl.keyStore=/tmp/ssl/keystore.jks -Djavax.net.ssl.keyStorePassword=password

Please note the above JVM args should appear on the same line. I just pasted them separately to improve readability.
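The following is an added example, not part of this bug report or of the qpid-java code base. It shows two things a client-side check should do with the setup above: read the keystore named by the same javax.net.ssl.keyStore / keyStorePassword properties and fail before connecting if a certificate is already expired, and surface an SSLEngine handshake failure as an exception rather than returning normally and leaving the sender waiting. The class and method names are hypothetical; the default path and password are the ones from comment 2.

```java
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class SslClientCertCheck {
    // Added diagnostic (not Qpid code): open the keystore the client args name and
    // fail before connecting if any certificate in it is already expired.
    static void checkKeyStoreNotExpired(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            java.security.cert.Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity(); // throws if notBefore/notAfter is violated
            } catch (CertificateExpiredException e) {
                throw new SSLException("client certificate '" + alias
                        + "' expired on " + x509.getNotAfter(), e);
            }
        }
    }
    // Added illustration of the fix's intent: an unwrap step that surfaces the
    // SSLEngine error (fatal alert, closed engine) instead of returning normally
    // and leaving the sender blocked waiting for bytes that will never arrive.
    static SSLEngineResult unwrapOrFail(SSLEngine engine, ByteBuffer netIn,
                                        ByteBuffer appOut) throws SSLException {
        SSLEngineResult r = engine.unwrap(netIn, appOut); // throws SSLException on a fatal alert
        if (r.getStatus() == SSLEngineResult.Status.CLOSED) {
            throw new SSLException("peer closed the connection during the TLS handshake");
        }
        return r;
    }
    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore", "/tmp/ssl/keystore.jks");
        String pw = System.getProperty("javax.net.ssl.keyStorePassword", "password");
        checkKeyStoreNotExpired(path, pw.toCharArray());
        System.out.println("no expired certificates in " + path);
    }
}
```

Run with the client args from comment 2 against the attached keystore and the check throws an SSLException naming the expired alias and its notAfter date, which is the message a client should log and propagate in place of the timeout.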
