cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jody Fanning (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-4740) SSL/TLS server incorrectly closes socket before reporting certificate failure to client
Date Fri, 11 Jan 2013 11:54:13 GMT

    [ https://issues.apache.org/jira/browse/CXF-4740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13551060#comment-13551060
] 

Jody Fanning commented on CXF-4740:
-----------------------------------

While investigating further I found that 2.2.5 is using jetty bio connector, and 2.7.1 is
using nio. I guess the change to direct usage of the SSLEngine and overriding the Jetty default
connector has introduced the problem.
                
> SSL/TLS server incorrectly closes socket before reporting certificate failure to client
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-4740
>                 URL: https://issues.apache.org/jira/browse/CXF-4740
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.7.1
>         Environment: Linux, Ubuntu 12.04
> java version "1.6.0_24"
> OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
> OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
>            Reporter: Jody Fanning
>
> In an earlier version of CXF, 2.2.5, when a client certificate failures to validate for
some reason the server replied with a fatal error {{bad_certificate}}. This is correct according
the the TLS RFC 2246, section 7.2.1. Closure alerts.
> However, in CXF 2.7.0 and 2.7.1 the socket is closed prematurely, so that the client
never gets a close or error message. This should not happen since it leaves open the possibility
of a truncation attack.
> These are the log outputs for each version. These are based on the wsdl_first_https example
project where it is configured so that the server does not have the client certificate in
its trust store.
> {panel:title=CXF 2.2.5}
> *Client*
> {{Invocation failed with the following: javax.net.ssl.SSLHandshakeException: Received
fatal alert: bad_certificate}}
> *Server*
> {{167179228@qtp-764924063-0, READ: TLSv1 Handshake, length = 109}}
> {{*** Certificate chain}}
> {{***}}
> {{167179228@qtp-764924063-0, SEND TLSv1 ALERT:  fatal, description = bad_certificate}}
> {{167179228@qtp-764924063-0, WRITE: TLSv1 Alert, length = 2}}
> {{167179228@qtp-764924063-0, called closeSocket()}}
> {{167179228@qtp-764924063-0, handling exception: javax.net.ssl.SSLHandshakeException:
null cert chain}}
> {{167179228@qtp-764924063-0, called close()}}
> {{167179228@qtp-764924063-0, called closeInternal(true)}}
> {panel}
> {panel:title=CXF 2.7.1}
> *Client*
> {{Caused by: java.io.EOFException: SSL peer shut down incorrectly}}
> {{at sun.security.ssl.InputRecord.read(InputRecord.java:352)}}
> {{at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:850)}}
> {{... 35 more}}
> {{Invocation failed with the following: javax.net.ssl.SSLHandshakeException: SSLHandshakeException
invoking https://localhost:9001/SoapContext/SoapPort: Remote host closed connection during
handshake}}
> *Server*
> {{qtp111947068-20, READ: TLSv1 Handshake, length = 109}}
> {{*** Certificate chain}}
> {{***}}
> {{qtp111947068-20, fatal error: 42: null cert chain}}
> {{javax.net.ssl.SSLHandshakeException: null cert chain}}
> {{qtp111947068-20, SEND TLSv1 ALERT:  fatal, description = bad_certificate}}
> {{qtp111947068-20, WRITE: TLSv1 Alert, length = 2}}
> {{qtp111947068-20, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException:
null cert chain}}
> {{Jan 9, 2013 11:34:58 AM org.eclipse.jetty.io.nio.SelectChannelEndPoint handle}}
> {{WARNING: javax.net.ssl.SSLHandshakeException: null cert chain}}
> {panel}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message