WildFly / WFLY-9921

Unable to create SSL connection if expired certificate chain used


Details

    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 12.0.0.CR1
    • Component/s: Security
    • Labels: None

    Description

      Reproducer:

      • Server is secured by a certificate chain, i.e. the server certificate is signed by an intermediate CA, which is signed by the root CA.
      • Server certificate is expired.
      • Client has the intermediate CA in its Elytron truststore.
      • SSL handshake fails using the Elytron client SSL context:
        18:27:54,540 INFO  [stdout] (default task-1) default task-1, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
        18:27:54,540 INFO  [stdout] (default task-1) default task-1, WRITE: TLSv1 Alert, length = 2
        18:27:54,540 INFO  [stdout] (default task-1) [Raw write]: length = 7
        18:27:54,540 INFO  [stdout] (default task-1) 0000: 15 03 01 00 02 02 2E                               .......
        18:27:54,541 INFO  [stdout] (default task-1) default task-1, called closeSocket()
        18:27:54,541 INFO  [stdout] (default task-1) default task-1, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 10:49:56 CET 2017
        

        Full SSL handshake log is in attached ssl_handshake_CA.log

      • If I put the expired certificate itself into the truststore, the SSL handshake passes, although a warning is logged.
        18:35:28,648 WARN  [org.wildfly.extension.elytron] (MSC service thread 1-8) WFLYELY00024: Certificate [cn=rhds05.mw.lab.eng.bos.redhat.com, ou=engineering operations, o="red hat, inc.", st=north carolina, c=us] in KeyStore is not valid: java.security.cert.CertificateExpiredException: NotAfter: Sat Dec 16 12:39:06 CET 2017
        	at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
        	at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
        	at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
        	at org.wildfly.extension.elytron.KeyStoreService.checkCertificatesValidity(KeyStoreService.java:177)
        	at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:140)
        	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1701)
        	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1680)
        	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1527)
        	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1979)
        	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1481)
        	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1374)
        	at java.lang.Thread.run(Thread.java:748)
        

        Full SSL handshake log is in attached ssl_handshake_certificate.log

      So the behaviour in these 2 cases is inconsistent. I think we have agreed before that we let the SSL handshake pass with an expired certificate but warn about it in the log [1].

      [1] https://issues.jboss.org/browse/JBEAP-6157
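The two client configurations from the reproducer, as an added example written for this page (it is not code from WFLY-9921, Elytron or WildFly). It uses only JDK APIs: it loads a truststore, warns about expired entries the way Elytron's KeyStoreService does at start, then attempts a TLS handshake and reports the root cause of any failure. The host name, port, PKCS12 truststore file names and password are assumptions. What the two cases exercise: with the intermediate CA as the trust anchor the expired server certificate sits inside the validated path and PKIX rejects it; with the server certificate itself in the truststore it becomes the trust anchor, and RFC 5280 path validation does not apply the validity-period check to the anchor, so the JDK trust manager accepts it and only the keystore-load warning (WFLYELY00024 in Elytron) flags the expiry. Other TLS stacks differ here; OpenSSL, for instance, applies the validity check to every certificate in the chain including the anchor.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not part of WFLY-9921 or WildFly. Connects to a TLS server whose
 * certificate is expired, once trusting the intermediate CA and once trusting the
 * server certificate itself, and reports how the JDK PKIX trust manager decides.
 * HOST, PORT, the truststore file names and the password are assumed values.
 */
public class ExpiredChainCheck {

    static final String HOST = "server.example.com"; // assumed
    static final int PORT = 8443;                    // assumed

    /** Builds an SSLContext that trusts exactly the entries of the given PKCS12 truststore. */
    static SSLContext contextFor(String truststorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }
        // Same check Elytron's KeyStoreService performs at start: warn about expired
        // entries but keep them, so an expired trust anchor is still usable.
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate) {
                try {
                    ((X509Certificate) c).checkValidity();
                } catch (CertificateExpiredException ex) {
                    System.out.println("WARN trusted entry '" + alias + "' is expired: " + ex.getMessage());
                }
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Runs one handshake and returns a one-line verdict with the root cause on failure. */
    static String handshake(SSLContext ctx, String host, int port) {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            Certificate[] chain = s.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            return "handshake OK, server cert " + leaf.getSubjectX500Principal()
                    + " notAfter=" + leaf.getNotAfter();
        } catch (SSLHandshakeException e) {
            // The JDK wraps the PKIX failure; the innermost cause distinguishes
            // "expired" (CertificateExpiredException) from "untrusted".
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            return "handshake FAILED: " + root;
        } catch (Exception e) {
            return "connection error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // assumed

        // Case 1: only the intermediate CA is trusted. The expired leaf is part of the
        // validated path, so PKIX fails with CertificateExpiredException (certificate_unknown alert).
        System.out.println("intermediate CA as anchor: "
                + handshake(contextFor("truststore-intermediate.p12", pw), HOST, PORT));

        // Case 2: the expired server certificate itself is trusted. It is now the trust
        // anchor, whose validity period PKIX does not check, so the handshake succeeds
        // and only the load-time warning above mentions the expiry.
        System.out.println("server cert as anchor: "
                + handshake(contextFor("truststore-leaf.p12", pw), HOST, PORT));
    }
}
```

Run it with the two truststores pointed at the reproducer's server; the first call prints the CertificateExpiredException as the root cause, the second prints "handshake OK" preceded by the WARN line. The second configuration is the weaker one from a security standpoint: trusting an end-entity certificate directly turns expiry into a warning rather than a failure, so it should only be used where that is the intended pinning behaviour.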

      People

        Assignee: Jan Kalina (Inactive)
        Reporter: Martin Choma
        Watchers: Farah Juma, Jan Kalina (Inactive)