Mohanavalli A created ARTEMIS-5509:
--------------------------------------

             Summary: SSL Exception not logged by broker in WARN/ERROR level with OPENSSL Provider
                 Key: ARTEMIS-5509
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-5509
             Project: ActiveMQ Artemis
          Issue Type: Bug
          Components: Broker
    Affects Versions: 2.37.0
            Reporter: Mohanavalli A


SSL Exception not logged by broker with OPENSSL Provider

When running the Artemis broker with the JDK SSL Provider in the acceptor, when a
client connects to the broker without any certificate, the broker logs the
exception as `AMQ222208: SSL handshake failed for client from /x.x.x.x:63060:
javax.net.ssl.SSLHandshakeException: Empty client certificate chain.`

Whereas if the Artemis broker is configured with the OPENSSL Provider in the
acceptor, there is no log at the broker (though the client connection fails
with a bad_certificate exception).

On running the broker with Java SSL debug enabled, below are the logs for JDK
and OPENSSL. In both cases there is a javax.net.ssl.SSLHandshakeException
thrown during the SSL authentication. In the case of JDK, a WARN level log is
logged after the exception is thrown, but in the case of OPENSSL it is not logged
at WARN or ERROR level by the broker.

 

JDK
----------
javax.net.ssl|DEBUG|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.243 CEST|ServerHelloDone.java:97|Produced ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.245 CEST|CertificateMessage.java:372|Consuming client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|ERROR|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.245 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Empty client certificate chain (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Empty client certificate chain
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:300)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
      at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
      at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1076)
      at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1063)
      at java.base/java.security.AccessController.doPrivileged(Native Method)
      at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1010)
      at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1649)
      at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1495)
      at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1336)
      at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1385)
      at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
      at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
      at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
      at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
      at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
      at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
      at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1407)
      at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
      at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
      at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:918)
      at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799)
      at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:501)
      at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:399)
      at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:994)
      at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
      at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)}

)
javax.net.ssl|WARNING|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.246 CEST|SSLEngineOutputRecord.java:182|outbound has closed, ignore outbound application data
2025-05-29 09:19:40,246 WARN  [org.apache.activemq.artemis.core.server] AMQ222208: SSL handshake failed for client from /x.x.x.x:63060: javax.net.ssl.SSLHandshakeException: Empty client certificate chain.

************************************************************************
OPENSSL
----------
javax.net.ssl|DEBUG|60|qtp984832924-96|2025-05-29 08:45:30.144 CEST|ServerHelloDone.java:97|Produced ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|60|qtp984832924-96|2025-05-29 08:45:30.147 CEST|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "bad_certificate"
}
)
javax.net.ssl|ERROR|60|qtp984832924-96|2025-05-29 08:45:30.148 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Received fatal alert: bad_certificate (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
      at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
      at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:192)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
      at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
      at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
      at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
      at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
      at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
      at org.eclipse.jetty.io.ssl.SslConnection.unwrap(SslConnection.java:398)
      at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:721)
      at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:375)
      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)
      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
      at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
      at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
      at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
      at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
      at java.base/java.lang.Thread.run(Thread.java:829)}

)



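An added example, not part of the original report and not Artemis code: a log check that pairs each `Fatal (...)` record in the javax.net.ssl debug output with an `AMQ222208` broker warning and returns the handshake failures the broker never surfaced at WARN/ERROR. The sample lines are constructed from the two captures in the report; the function name, the one-second window, and the assumption that both outputs are collected into one stream are hypothetical.

```python
import re
from datetime import datetime, timedelta

# javax.net.ssl debug header: logger|level|thread id|thread name|timestamp|source|message
JSSE = re.compile(
    r"^javax\.net\.ssl\|(?P<level>\w+)\|\w+\|(?P<thread>[^|]*)\|"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})[^|]*\|[^|]*\|(?P<msg>.*)$"
)
# Broker log line carrying the AMQ222208 handshake-failure message
BROKER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) +(?P<level>WARN|ERROR) .*AMQ222208"
)

def unlogged_handshake_failures(lines, window_ms=1000):
    """Return JSSE fatal records with no AMQ222208 WARN/ERROR within window_ms after them."""
    fatals, warns = [], []
    for line in lines:
        m = JSSE.match(line)
        if m and m["level"] == "ERROR" and m["msg"].startswith("Fatal ("):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            fatals.append((ts, m["thread"], m["msg"].rstrip(" (")))
            continue
        m = BROKER.match(line)
        if m:
            warns.append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"))
    window = timedelta(milliseconds=window_ms)
    missing = []
    for ts, thread, msg in fatals:
        hit = next((w for w in warns if ts <= w <= ts + window), None)
        if hit is None:
            missing.append((ts.isoformat(sep=" ", timespec="milliseconds"), thread, msg))
        else:
            warns.remove(hit)  # one broker warning accounts for one failure
    return missing

# Constructed sample: record headers from the report, unwrapped, stack traces omitted
SAMPLE = [
    "javax.net.ssl|ERROR|74|Thread-1 (activemq-netty-threads)|2025-05-29 09:19:40.245 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Empty client certificate chain (",
    "2025-05-29 09:19:40,246 WARN  [org.apache.activemq.artemis.core.server] AMQ222208: SSL handshake failed for client from /x.x.x.x:63060: javax.net.ssl.SSLHandshakeException: Empty client certificate chain.",
    "javax.net.ssl|ERROR|60|qtp984832924-96|2025-05-29 08:45:30.148 CEST|TransportContext.java:358|Fatal (BAD_CERTIFICATE): Received fatal alert: bad_certificate (",
]

if __name__ == "__main__":
    for ts, thread, msg in unlogged_handshake_failures(SAMPLE):
        print(f"{ts} [{thread}] no AMQ222208 for: {msg}")
```

The thread name in each result shows which component's thread pool raised the failure, which helps when deciding where the missing warning should have come from.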