Bug 618290 - Error connecting to Active Directory (AD) over SSL.
Summary: Error connecting to Active Directory (AD) over SSL.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: java-1.6.0-openjdk
Version: 5.5.z
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Deepak Bhole
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks: 642744 642745 642779
 
Reported: 2010-07-26 15:03 UTC by Mike Millson
Modified: 2018-11-26 19:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 642779 (view as bug list)
Environment:
Last Closed: 2010-10-13 16:24:55 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0768 0 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security and bug fix update 2010-10-13 16:23:43 UTC

Description Mike Millson 2010-07-26 15:03:52 UTC
Description of problem:

JBoss JAAS security module not able to connect to Active Directory (AD) over SSL.


How reproducible:
Configure JBoss security module to connect to AD over SSL.


Actual results:

javax.naming.CommunicationException: simple bind failed: 10.158.131.139:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]]
       at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
       at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
       at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
       at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
       at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
       at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
       at javax.naming.InitialContext.init(InitialContext.java:240)
       at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:151)
       at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:589)
       at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:382)
       at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:267)
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:616)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
       at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
       at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
       at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
       at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
       at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:543)
       at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:445)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
       at org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:677)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:636)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]
       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
       at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1639)
       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:215)
       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:209)
       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1033)
       at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:146)
       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:546)
       at sun.security.ssl.Handshaker.process_record(Handshaker.java:482)
       at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:904)
       at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1140)
       at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:643)
       at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:78)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
       at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409)
       at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352)
       at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
       ... 44 more
Caused by: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]
       at sun.security.validator.EndEntityChecker.checkRemainingExtensions(EndEntityChecker.java:175)
       at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:297)
       at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:138)
       at sun.security.validator.Validator.validate(Validator.java:238)
       at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
       at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
       at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1012)
       ... 56 more


Expected results:

JBoss should retrieve security information from AD.


Additional info:

A workaround is to add the AD server certificate to the application server truststore. However, this is not a practical solution, as when the AD certificate expires, it requires updating all application server instances with the new AD server certificate.
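
The check that produced the exception above, modelled in Go as an added example (not code from the bug report, JBoss or OpenJDK): it builds a server certificate with an empty subject, which forces a critical subjectAltName (2.5.29.17) exactly as RFC 5280 requires, and runs it against a simplified pre-fix and post-fix set of recognized critical extensions. The recognized sets, the function names and the host name dc01.example.test are assumptions, not values from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Recognized critical extensions: the pre-fix set is a simplified model of EndEntityChecker
// (an assumption, not the JDK's exact list); post-fix adds subjectAltName, as the backport does.
var recognizedPreFix = map[string]bool{"2.5.29.15": true, "2.5.29.19": true, "2.5.29.37": true}
var recognizedPostFix = map[string]bool{"2.5.29.15": true, "2.5.29.19": true, "2.5.29.37": true, "2.5.29.17": true}
// unsupportedCritical mirrors checkRemainingExtensions: every critical extension whose OID
// is not recognized is what the JDK reported as an "unsupported critical extension".
func unsupportedCritical(cert *x509.Certificate, recognized map[string]bool) []string {
	var bad []string
	for _, ext := range cert.Extensions {
		if ext.Critical && !recognized[ext.Id.String()] {
			bad = append(bad, ext.Id.String())
		}
	}
	return bad
}

// issueServerCert builds a constructed server cert signed by a throwaway key (the unparsed CA
// template suffices as issuer). With emptySubject, Go marks SAN critical per RFC 5280 4.2.1.6.
func issueServerCert(emptySubject bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // reused for CA and leaf
	if err != nil {
		return nil, err
	}
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"}}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		DNSNames:     []string{"dc01.example.test"}, // constructed AD host name
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if !emptySubject {
		leaf.Subject = pkix.Name{CommonName: "dc01.example.test"}
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Against the pre-fix set the empty-subject certificate is rejected for 2.5.29.17 only; the same certificate passes the post-fix set, and a certificate with a CN in its subject passes both, because its SAN is not critical.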

Comment 1 Mike Millson 2010-07-26 15:07:08 UTC
This OpenJDK7 changeset includes the fix:
http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/8da00cb83d01

Backport the changes to EndEntityChecker:

--- a/src/share/classes/sun/security/validator/EndEntityChecker.java Wed Apr 23 14:35:26 2008 +0400
+++ b/src/share/classes/sun/security/validator/EndEntityChecker.java Sun May 04 07:05:42 2008 -0700
@@ -86,6 +86,9 @@ class EndEntityChecker {
// the Microsoft Server-Gated-Cryptography EKU extension OID
private final static String OID_EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3";
+
+ // the recognized extension OIDs
+ private final static String OID_SUBJECT_ALT_NAME = "2.5.29.17";
private final static String NSCT_SSL_CLIENT =
NetscapeCertTypeExtension.SSL_CLIENT;
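
Review bot: the comment introducing the new constant reads "the recognized extension OIDs" (plural) but this hunk adds only OID_SUBJECT_ALT_NAME; make it singular, or say that the other recognized OIDs are handled elsewhere in the class, so a reader does not look for a list that is not there. A one-line note that a critical subjectAltName (2.5.29.17) was previously rejected as unsupported would also tie the constant to the reason it exists.
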
@@ -171,6 +174,13 @@ class EndEntityChecker {
throws CertificateException {
// basic constraints irrelevant in EE certs
exts.remove(SimpleValidator.OID_BASIC_CONSTRAINTS);
+
+ // If the subject field contains an empty sequence, the subjectAltName
+ // extension MUST be marked critical.
+ // We do not check the validity of the critical extension, just mark
+ // it recognizable here.
+ exts.remove(OID_SUBJECT_ALT_NAME);
+
if (!exts.isEmpty()) {
throw new CertificateException("Certificate contains unsupported "
+ "critical extensions: " + exts);
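
Review bot: `exts.remove(OID_SUBJECT_ALT_NAME)` is unconditional, while the comment above it cites the RFC 5280 rule for an empty subject field; the code never looks at the subject, so the comment should state plainly that subjectAltName is treated as a recognized extension here whether or not it is critical, rather than implying a condition that is not checked. Since, as the comment says, nothing in this method validates the SAN contents, it is worth saying where name matching against the peer happens, so accepting the extension here is not misread as skipping that step. A regression test with an end-entity certificate carrying a critical SAN would pin the new behaviour.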

Comment 2 Andrew John Hughes 2010-07-26 16:10:52 UTC
http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/df5d7e6ac15e is the actual fix; the above link is just to a merge changeset.

Deepak, this is fixed in 1.7.4 so fixing this depends on that update reaching RHEL 5.

Comment 6 jiri vanek 2010-10-13 12:06:30 UTC
IcedTea 1.7.5 was included in the last release of openjdk. This bug was proven to be solved here.

Comment 10 errata-xmlrpc 2010-10-13 16:24:55 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0768.html

