Jody Fanning created CXF-4740:
---------------------------------
Summary: SSL/TLS server incorrectly closes socket before reporting
certificate failure to client
Key: CXF-4740
URL: https://issues.apache.org/jira/browse/CXF-4740
Project: CXF
Issue Type: Bug
Components: Transports
Affects Versions: 2.7.1
Environment: Linux, Ubuntu 12.04
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
Reporter: Jody Fanning
In an earlier version of CXF, 2.2.5, when a client certificate failures to
validate for some reason the server replied with a fatal error
{{bad_certificate}}. This is correct according the the TLS RFC 2246, section
7.2.1. Closure alerts.
However, in CXF 2.7.0 and 2.7.1 the socket is closed prematurely, so that the
client never gets a close or error message. This should not happen since it
leaves open the possibility of a truncation attack.
These are the log outputs for each version. These are based on the
wsdl_first_https example project where it is configured so that the server does
not have the client certificate in its trust store.
{panel:title=CXF 2.2.5}
*Client*
{{Invocation failed with the following: javax.net.ssl.SSLHandshakeException:
Received fatal alert: bad_certificate}}
*Server*
{{167179228@qtp-764924063-0, READ: TLSv1 Handshake, length = 109}}
{{*** Certificate chain}}
{{***}}
{{167179228@qtp-764924063-0, SEND TLSv1 ALERT: fatal, description =
bad_certificate}}
{{167179228@qtp-764924063-0, WRITE: TLSv1 Alert, length = 2}}
{{167179228@qtp-764924063-0, called closeSocket()}}
{{167179228@qtp-764924063-0, handling exception:
javax.net.ssl.SSLHandshakeException: null cert chain}}
{{167179228@qtp-764924063-0, called close()}}
{{167179228@qtp-764924063-0, called closeInternal(true)}}
{panel}
{panel:title=CXF 2.7.1}
*Client*
{{Caused by: java.io.EOFException: SSL peer shut down incorrectly}}
{{at sun.security.ssl.InputRecord.read(InputRecord.java:352)}}
{{at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:850)}}
{{... 35 more}}
{{Invocation failed with the following: javax.net.ssl.SSLHandshakeException:
SSLHandshakeException invoking https://localhost:9001/SoapContext/SoapPort:
Remote host closed connection during handshake}}
*Server*
{{qtp111947068-20, READ: TLSv1 Handshake, length = 109}}
{{*** Certificate chain}}
{{***}}
{{qtp111947068-20, fatal error: 42: null cert chain}}
{{javax.net.ssl.SSLHandshakeException: null cert chain}}
{{qtp111947068-20, SEND TLSv1 ALERT: fatal, description = bad_certificate}}
{{qtp111947068-20, WRITE: TLSv1 Alert, length = 2}}
{{qtp111947068-20, fatal: engine already closed. Rethrowing
javax.net.ssl.SSLHandshakeException: null cert chain}}
{{Jan 9, 2013 11:34:58 AM org.eclipse.jetty.io.nio.SelectChannelEndPoint
handle}}
{{WARNING: javax.net.ssl.SSLHandshakeException: null cert chain}}
{panel}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
