Hello Justin, Thanks for the response. We have clients using Core/AMQP/OpenWire with certificates.
Passing SSL debugging flag is good idea but given we have many clients using broker concurrently, I fear we will have lot of logs and it will be difficult to analyse. I am also checking with netty community if they can provide some input. Best Regards Shiv -----Original Message----- From: Justin Bertram <jbert...@apache.org> Sent: 28 March 2025 08:33 AM To: users@activemq.apache.org Subject: Re: Additional Info on certificate based authentication errors Unverified Sender: The sender of this email has not been verified. Review the content of the message carefully and verify the identity of the sender before acting on this email: replying, opening attachments or clicking links. Unfortunately I don't think the broker itself will be able to provide additional information because it simply doesn't have it. The SSL handshake is delegated by Netty to the JDK (or potentially to OpenSSL) and it's the first thing done when the client connects. It happens before the messaging protocol handshake takes place so there's definitely no way to get the client ID because it hasn't been sent yet. Netty only provides a Throwable [1] and we print the relevant information from it. It's possible you could get some relevant information from Java's SSL debug logging by passing something like -Djavax.net.debug=ssl:handshake to the JVM at startup. What kind of client are you using to connect to the broker in this case? Justin [1] https://github.com/apache/activemq-artemis/blob/c4b315ba0c1fafbe2d2c3ebf0cdd84f921f42b5a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java#L1014 On Thu, Mar 27, 2025 at 2:03 AM Shiv Kumar Dixit <shivkumar.di...@it.eurofinseu.com.invalid> wrote: > Hi team, > Currently we are using Apache Artemis 2.37.0. We have > certificate-based customers. Many times, we see errors like below in broker > log: > > AMQ222208: SSL handshake failed for client from /a.b.c.d:53838: > javax.net.ssl.SSLHandshakeException: Empty server certificate chain. > > AMQ222208: SSL handshake failed for client from /a.b.c.d:59132: > java.security.cert.CertificateExpiredException: NotAfter: Tue Mar 25 > 00:00:11 IST 2025 > > AMQ224088: Timeout (10 seconds) on acceptor "artemis" during protocol > handshake with /a.b.c.d:62403 has occurred. > > Here we only get customer IP along with error message. In real world, > we have many customer applications running from same IP but not all > use expired certificate or invalid certificate. We may have only of > such misbehaving client. Troubleshooting such cases require validating > all customer applications on single IP to trace the issue. It is very > time consuming as we need to check customer configuration, start/stop > applications to see how it impacts the broker error etc. > > Can we get some additional information such as client id, certificate > CN details or any other certificate information which can help us in > identifying the erring client faster? If there is any log level change > which can enable to put such information in broker log will be helpful. > > Thanks > Shiv > >
