activemq-commits mailing list archives

From "Guy Allard (Commented) (JIRA)" <>
Subject [jira] [Commented] (APLO-178) Using key_alias= causes all SSL connects to fail
Date Sun, 01 Apr 2012 14:50:26 GMT


Guy Allard commented on APLO-178:

Here is a clue I think.  In the log with key_alias= being used I see this message several

X509KeyManager passed to SSLContext.init():  need an X509ExtendedKeyManager for SSLEngine

I do not see that in the log with no key_alias=.

> Using key_alias= causes all SSL connects to fail
> ------------------------------------------------
>                 Key: APLO-178
>                 URL:
>             Project: ActiveMQ Apollo
>          Issue Type: Bug
>          Components: apollo-broker
>    Affects Versions: wish-list
>         Environment: Ubuntu 11.01, Java OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2) OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)
> apache-apollo-99-trunk-20120328.201231-9-unix-distro.tar.gz
>            Reporter: Guy Allard
>             Fix For: 1.2
>         Attachments: log_no_key_alias.txt, log_with_key_alias.txt
> After adding 'key_alias=' to the 'key_storage' element, all attempts to connect using SSL fail.
> The only thing I see in connection.log is a connect/disconnect sequence.  Log files apollo.log and security.log show nothing.  I see no real errors in Apollo logs.
> The client gets only:
> Connection reset by peer
> I am running with:
> - the Ruby stomp gem 1.2.2 client
> - <authentication enabled="false"/>
> - default login.config
> - client_auth= not specified (defaulted)
> The alias name is correct I believe:
> apollo@tjjackson:~/my-broker-snap/etc$ grep servertj apollo.xml
>   <key_storage file="${apollo.base}/etc/keystore" password="password" key_password="password" key_alias="servertj" />
> and:
> apollo@tjjackson:~/my-broker-snap/etc$ keytool -list -keystore keystore -storepass password
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 2 entries
> clienttjca, Mar 31, 2012, PrivateKeyEntry, 
> Certificate fingerprint (MD5): FD:F8:2F:94:5F:F2:55:2C:B9:C7:E6:EA:CA:18:52:6C
> servertj, Mar 31, 2012, PrivateKeyEntry, 
> Certificate fingerprint (MD5): F2:F3:89:68:4D:EF:46:EB:23:50:57:76:0B:01:58:58
> So, the store has two entries:
> 1) A server cert
> 2) A Client CA cert (signs all client certs)
> Simply removing key_alias= allows at least some SSL functionality to work.
> Let me know what I can do to assist, docs etc., but key_alias= seems to be ........ not functional in general.
> Regards, Guy
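The log line quoted in the comment is what JSSE prints when a key manager that implements only `X509KeyManager` is handed to `SSLContext.init()`; an `SSLEngine` handshake asks `chooseEngineServerAlias`, whose inherited default returns null. The following is an added example, not Apollo's code and not part of the original message, of an alias-pinning key manager that extends `X509ExtendedKeyManager`. The class name `AliasKeyManager` and its `wrap` helper are hypothetical, and the delegate is assumed to come from the default `SunX509` `KeyManagerFactory`, which reports keystore aliases unchanged.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Hypothetical alias-pinning key manager (added example, not Apollo's implementation). */
public final class AliasKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate; // assumed: SunX509 key manager from KeyManagerFactory
    private final String alias;

    public AliasKeyManager(X509KeyManager delegate, String alias) {
        // Fail at start-up, not mid-handshake, if the alias has no private key entry.
        if (delegate.getPrivateKey(alias) == null)
            throw new IllegalArgumentException("no private key entry for alias " + alias);
        this.delegate = delegate;
        this.alias = alias;
    }

    /** Wrap the array from KeyManagerFactory.getKeyManagers() before SSLContext.init(). */
    public static KeyManager[] wrap(KeyManager[] kms, String alias) {
        KeyManager[] out = kms.clone();
        for (int i = 0; i < out.length; i++)
            if (out[i] instanceof X509KeyManager)
                out[i] = new AliasKeyManager((X509KeyManager) out[i], alias);
        return out;
    }

    // Offer the pinned alias only if the delegate lists it for this key type and issuer set.
    private String pinned(String keyType, Principal[] issuers) {
        String[] ok = delegate.getServerAliases(keyType, issuers);
        return ok != null && Arrays.asList(ok).contains(alias) ? alias : null;
    }

    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return pinned(t, i); }
    // SSLEngine path: without this override the inherited default returns null (no server key).
    @Override public String chooseEngineServerAlias(String t, Principal[] i, SSLEngine e) { return pinned(t, i); }
    @Override public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return delegate.chooseClientAlias(t, i, null); }
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return delegate.chooseClientAlias(t, i, s); }
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}
```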
