Description of problem:
For example, if the client has an expired certificate, the correct error does not get reported up the stack (and does not appear in the logs either). Instead you would get "SSL Engine timed out waiting for a response. To get more info,run with -Djavax.net.debug=ssl" as the SSLSender is waiting for data that will not arrive.

Version-Release number of selected component (if applicable):
qpid-java-0.7.946106-5

How reproducible:
Always

Steps to Reproduce:
1. Start the broker with the ssl module loaded.
2. Create a client that connects to the broker using an SSL connection, but with an expired certificate.
3. The client will report an exception and the connection is terminated. But neither the exception nor the log file has any information about the real cause.

Actual results:
The client hangs for a few mins, times out and throws an exception with the following message: "SSL Engine timed out waiting for a response. To get more info,run with -Djavax.net.debug=ssl"

Expected results:
The client should log an error into the log file and also throw the correct exception up the stack that says the client certificate has expired.

Additional info:
This is fixed in upstream at rev 961860 in Qpid trunk and checked into the internal git repo. http://mrg1.lab.bos.redhat.com/cgit/qpid.git/commit/?id=076a76f1327acddd0bf55630ab11e18f06d95ca5
Created attachment 431326
SSL setup with expired SSL certificates

The above attachment contains a set of expired client certificates that you could use to verify the fix. Assuming you extracted the tarball into /tmp/ssl, you could run any java test program against the broker by using the following cmd line args.

Broker args
--load-module ${broker.module.ssl} --ssl-cert-name localhost.localdomain --ssl-cert-password-file /tmp/ssl/pfile --ssl-cert-db /tmp/ssl/server_db/ --ssl-require-client-authentication --ssl-port 5671

Client args
-Djavax.net.ssl.keyStore=/tmp/ssl/keystore.jks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/tmp/ssl/certstore.jks -Djavax.net.ssl.trustStorePassword=password

Please note the above JMS args should appear in the same line. I just pasted them separately to improve readability.
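The reproduction above hinges on an expired client certificate surfacing only as an SSL engine timeout. As an added example (not code from this bug report or from Qpid), the following Java checks every certificate in a JKS keystore against its validity period before the connection is attempted, so the real cause is reported up front; the keystore path and password follow the attachment layout above and are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
// Added example, not Qpid code. Default path and password are assumptions
// matching the attachment layout (/tmp/ssl/keystore.jks, "password").
public class KeyStoreValidityCheck {
    /** One line per certificate outside its validity period; empty when all are valid. */
    public static List<String> findInvalidCertificates(String keyStorePath, char[] password)
            throws Exception {
        List<String> problems = new ArrayList<>();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            // Key entries carry a chain; trusted-cert entries expose a single certificate.
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) {
                chain = new Certificate[] { ks.getCertificate(alias) };
            }
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                try {
                    x.checkValidity(); // throws when "now" is outside [notBefore, notAfter]
                } catch (CertificateExpiredException e) {
                    problems.add(alias + ": expired " + x.getNotAfter() + " (" + x.getSubjectX500Principal() + ")");
                } catch (CertificateNotYetValidException e) {
                    problems.add(alias + ": not valid before " + x.getNotBefore() + " (" + x.getSubjectX500Principal() + ")");
                }
            }
        }
        return problems;
    }
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "/tmp/ssl/keystore.jks";
        char[] password = (args.length > 1 ? args[1] : "password").toCharArray();
        List<String> problems = findInvalidCertificates(path, password);
        problems.forEach(System.err::println);
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Run it against the client keystore from the attachment before starting the JMS test program; a non-zero exit with the expiry line on stderr is the message the reporter expects the client to produce.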