  1. Undertow
  2. UNDERTOW-1260

client cert missing during SSL handshake closes connection without SSL error


    • Bug
    • Resolution: Done
    • Minor
    • 2.0.2.Final, 1.4.24.Final
    • 1.4.21.Final
    • SSL
    • None

      Start an Undertow server with SslClientAuthMode.REQUIRED.

      Then use the following:

      openssl s_client -connect localhost:8080
      

      With Undertow, you'll get:

      140735837348744:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/ssl/s23_lib.c:124:
      

      Doing the same thing with Jetty, Tomcat or Netty shows:

      140735837348744:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/ssl/s3_pkt.c:1133:SSL alert number 42
      140735837348744:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/ssl/s23_lib.c:124:
      

      When setting up an Undertow server to require SSL client authentication with SslClientAuthMode.REQUIRED, and the SSL client does not have any, the server closes the connection during the SSL handshake without providing an SSL error.

      This means that for a Java-based client, we're getting an IO/Socket Exception instead of an expected SSLException.

            sdouglas1@redhat.com Stuart Douglas
            brian@clozel.fr Brian Clozel
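The two openssl outputs in the report differ by one TLS alert record ("SSL alert number 42", bad_certificate) sent before the socket is closed. The following added example is not part of the original report or of Undertow's code: it classifies the bytes a client read from a server before EOF as "fatal alert sent" or "closed without alert". The byte samples are constructed, and it assumes the alert is still plaintext, as in a TLS 1.2 handshake that fails before the server sends ChangeCipherSpec.

```python
import struct

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure",
               42: "bad_certificate", 46: "certificate_unknown"}
ALERT, HANDSHAKE = 21, 22  # TLS record content types


def parse_records(data):
    """Yield (content_type, payload) for each complete TLS record in data."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) < length:  # truncated record: peer closed mid-record
            return
        yield ctype, payload
        pos += 5 + length


def classify_server_close(data):
    """Describe how the server ended a failed handshake.

    data is everything read from the server before EOF. Assumption: alerts
    are plaintext (TLS 1.2 handshake failing before the server's
    ChangeCipherSpec).
    """
    for ctype, payload in parse_records(data):
        if ctype == ALERT and len(payload) == 2:
            level, desc = payload
            return {"alert": True, "fatal": level == 2, "number": desc,
                    "name": ALERT_NAMES.get(desc, "unknown")}
    return {"alert": False, "fatal": False, "number": None, "name": None}


def record(ctype, payload):
    """Build a TLS 1.2 record (used only for the constructed samples)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


# Constructed samples: a dummy handshake record, with and without the alert.
SERVER_FLIGHT = record(HANDSHAKE, b"\x02\x00\x00\x00")
WITH_ALERT = SERVER_FLIGHT + record(ALERT, bytes([2, 42]))  # fatal, 42
SILENT_CLOSE = SERVER_FLIGHT                                 # EOF, no alert

if __name__ == "__main__":
    print(classify_server_close(WITH_ALERT))
    print(classify_server_close(SILENT_CLOSE))
```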