Bug 612535 - Some SSL errors do not get reported up the stack or in the log file.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-java
Version: Development
Platform: All Linux
Priority: low, Severity: low
Target Milestone: 1.3
Assigned To: Rajith Attapattu
QA Contact: MRG Quality Engineering
Reported: 2010-07-08 09:18 EDT by Rajith Attapattu
Modified: 2013-02-25 05:44 EST
Fixed In Version: 0.10
Doc Type: Bug Fix
Last Closed: 2013-02-25 05:44:43 EST

Attachments
SSL setup with expired SSL certificates (5.44 KB, application/x-gzip), 2010-07-12 22:23 EDT, Rajith Attapattu
Description Rajith Attapattu 2010-07-08 09:18:59 EDT
Description of problem:
For example if the client has an expired certificate, the correct error does not get reported up the stack (and does not appear in the logs either).
Instead you would get "SSL Engine timed out waiting for a response. To get more info,run with -Djavax.net.debug=ssl" as the SSLSender is waiting for data that will not arrive.

Version-Release number of selected component (if applicable):
qpid-java-0.7.946106-5

How reproducible:
Always

Steps to Reproduce:
1. Start the broker with the ssl module loaded.
2. Create a client that connects to the broker using an SSL connection, but with an expired certificate.
3. The client will report an exception and the connection is terminated. But neither the exception nor the log file has any information about the real cause.

Actual results:
The client hangs for a few mins and times out and throws an exception with the following message.

"SSL Engine timed out waiting for a response. To get more info,run with -Djavax.net.debug=ssl"

Expected results:
The client should log an error into the log file and also throw the correct exception up the stack that says the client certificate has expired.

Additional info:
Comment 1 Rajith Attapattu 2010-07-08 17:39:48 EDT
This is fixed in upstream at rev 961860 in Qpid trunk and checked into the internal git repo.

http://mrg1.lab.bos.redhat.com/cgit/qpid.git/commit/?id=076a76f1327acddd0bf55630ab11e18f06d95ca5
Comment 2 Rajith Attapattu 2010-07-12 22:23:36 EDT
Created attachment 431326
SSL setup with expired SSL certificates

The above attachment contains a set of expired client certificates that you could use to verify the fix.

Assuming you extracted the tarball into /tmp/ssl, you could run any java test program against the broker by using the following cmd line args.

Broker args
--load-module ${broker.module.ssl} --ssl-cert-name localhost.localdomain --ssl-cert-password-file /tmp/ssl/pfile --ssl-cert-db /tmp/ssl/server_db/ --ssl-require-client-authentication --ssl-port 5671


Client args
-Djavax.net.ssl.keyStore=/tmp/ssl/keystore.jks -Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=/tmp/ssl/certstore.jks
-Djavax.net.ssl.trustStorePassword=password

Please note the above JMS args should appear on the same line. I just pasted them separately to improve readability.
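As an added illustration of the expected behaviour (this is not code from qpid-java, the fix, or the attachment), the following pre-flight check reads the client keystore named by the same javax.net.ssl.keyStore / keyStorePassword properties used in the client args above and reports an expired (or not yet valid) client certificate with the real cause, both in the log and in the thrown exception, instead of leaving the SSLSender to wait for a response that never arrives. The class name ClientCertPreflight and the use of java.util.logging are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.logging.Logger;
import javax.net.ssl.SSLException;

// Hypothetical helper, not part of qpid-java: call it before opening the SSL
// connection so an expired client certificate is reported explicitly.
public class ClientCertPreflight {
    private static final Logger LOG = Logger.getLogger(ClientCertPreflight.class.getName());

    // Reads javax.net.ssl.keyStore / keyStorePassword (the same properties the
    // client args above use) and checks every X.509 entry's validity window.
    public static void checkClientKeyStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String password = System.getProperty("javax.net.ssl.keyStorePassword", "");
        if (path == null) {
            throw new SSLException("javax.net.ssl.keyStore is not set; client authentication cannot succeed");
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
            } catch (CertificateException e) {
                // Name the alias, subject and validity window so the log and the exception carry the real cause.
                String msg = "Client certificate '" + alias + "' (" + x509.getSubjectX500Principal()
                        + ") is not valid now: " + e.getMessage() + "; notAfter=" + x509.getNotAfter();
                LOG.severe(msg);
                throw new SSLException(msg, e);
            }
        }
    }
}
```

Run it with the client -D arguments from this comment; against the expired certificates in the attachment it fails fast with a message naming the expired alias rather than the generic "SSL Engine timed out" error.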
