Bug 612535 - Some SSL errors do not get reported up the stack or in the log file.
Summary: Some SSL errors do not get reported up the stack or in the log file.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-java
Version: Development
Hardware: All
OS: Linux
low
low
Target Milestone: 1.3
Assignee: Rajith Attapattu
QA Contact: MRG Quality Engineering
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-07-08 13:18 UTC by Rajith Attapattu
Modified: 2013-02-25 10:44 UTC (History)

Fixed In Version: 0.10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-25 10:44:43 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
SSL setup with expired SSL certificates (5.44 KB, application/x-gzip)
2010-07-13 02:23 UTC, Rajith Attapattu

Description Rajith Attapattu 2010-07-08 13:18:59 UTC
Description of problem:
For example, if the client has an expired certificate, the correct error does not get reported up the stack (and does not appear in the logs either).
Instead you would get "SSL Engine timed out waiting for a response. To get more info,run with -Djavax.net.debug=ssl" as the SSLSender is waiting for data that will not arrive.

Version-Release number of selected component (if applicable):
qpid-java-0.7.946106-5

How reproducible:
Always

Steps to Reproduce:
1. Start the broker with the ssl module loaded.
2. Create a client that connects to the broker using an SSL connection, but with an expired certificate.
3. The client will report an exception and the connection is terminated. But neither the exception nor the log file has any information about the real cause.

Actual results:
The client hangs for a few minutes, times out, and throws an exception with the following message.

"SSL Engine timed out waiting for a response. To get more info,run with -Djavax.net.debug=ssl"

Expected results:
The client should log an error into the log file and also throw the correct exception up the stack that says the client certificate has expired.

Additional info:

Comment 1 Rajith Attapattu 2010-07-08 21:39:48 UTC
This is fixed in upstream at rev 961860 in Qpid trunk and checked into the internal git repo.

http://mrg1.lab.bos.redhat.com/cgit/qpid.git/commit/?id=076a76f1327acddd0bf55630ab11e18f06d95ca5

Comment 2 Rajith Attapattu 2010-07-13 02:23:36 UTC
Created attachment 431326 [details]
SSL setup with expired SSL certificates

The above attachment contains a set of expired client certificates that you could use to verify the fix.

Assuming you extracted the tarball into /tmp/ssl, you could run any Java test program against the broker by using the following command-line args.

Broker args
--load-module ${broker.module.ssl} --ssl-cert-name localhost.localdomain --ssl-cert-password-file /tmp/ssl/pfile --ssl-cert-db /tmp/ssl/server_db/ --ssl-require-client-authentication --ssl-port 5671


Client args
-Djavax.net.ssl.keyStore=/tmp/ssl/keystore.jks -Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=/tmp/ssl/certstore.jks
-Djavax.net.ssl.trustStorePassword=password

Please note the above JMS args should appear on the same line. I just pasted them separately to improve readability.

