Details
- Type: Bug
- Resolution: Not a Bug
- Priority: Major
- Version: 12.0.0.CR1
Description
Reproducer:
- The server is secured by a certificate chain, i.e. the server certificate is signed by an intermediate CA, which is in turn signed by a root CA.
- The server certificate is expired.
- The client has the intermediate CA in the Elytron truststore.
- The SSL handshake fails when using the Elytron client SSL context:
18:27:54,540 INFO [stdout] (default task-1) default task-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
18:27:54,540 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2
18:27:54,540 INFO [stdout] (default task-1) [Raw write]: length = 7
18:27:54,540 INFO [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E .......
18:27:54,541 INFO [stdout] (default task-1) default task-1, called closeSocket()
18:27:54,541 INFO [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017
The full SSL handshake log is in the attached ssl_handshake_CA.log.
- If I put the expired certificate itself into the truststore, the SSL handshake passes, although a warning is logged:
18:35:28,648 WARN [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017
    at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
    at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177)
    at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680)
    at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
    at java.lang.Thread.run(Thread.java:748)
The full SSL handshake log is in the attached ssl_handshake_certificate.log.
So the behaviour in these 2 cases is inconsistent. I think we have agreed before that we let the SSL handshake pass with an expired certificate but warn about it in the log [1].
Issue Links
- is cloned by ELY-1528: Unable to create SSL connection if expired certificate chain used (Closed)