Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-12633

(7.2.0)NPE when accessing via HttpClientConnection with wrong bad certificate

    XMLWordPrintable

Details

    • Hide
      1. Unzip EAP zip archive and start via ./bin/standalone.sh
      2. Prepare keys, keystores and truststores: 
        keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret
keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore bad.jks -dname "CN=localhost" -keypass secret -storepass secret
keytool -exportcert  -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
keytool -exportcert  -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer
keytool -importcert -noprompt -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer
keytool -importcert -noprompt -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer
keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias client -destalias client -srcstorepass secret
keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias localhost -destalias localhost -srcstorepass secret
      3. Configure server-side SSL 
        /subsystem=elytron/key-store=twoWayKSserver:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=twoWayTSserver:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=twoWayKMserver:add(key-store=twoWayKSserver,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/trust-manager=twoWayTMserver:add(key-store=twoWayTSserver,algorithm="SunX509")

/subsystem=elytron/server-ssl-context=twoWaySSCserver:add(providers=openssl,key-manager=twoWayKMserver,protocols=["TLSv1.2"],trust-manager=twoWayTMserver,need-client-auth=true)
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSCserver)
run-batch
      4. Prepare client-side SSL: 
        /subsystem=elytron/key-store=twoWayKSclient:add(path=client.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=twoWayTSclient:add(path=client.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=twoWayKMclient:add(key-store=twoWayKSclient,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/trust-manager=twoWayTMclient:add(key-store=twoWayTSclient,algorithm="SunX509")

/subsystem=elytron/client-ssl-context=twoWaySSCclient:add(providers=openssl,key-manager=twoWayKMclient,protocols=["TLSv1.2"],trust-manager=twoWayTMclient)
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=my-socket:add(host=localhost,port=8443)
/subsystem=undertow/configuration=handler/reverse-proxy=my-proxy:add()
/subsystem=undertow/configuration=handler/reverse-proxy=my-proxy/host=localhost:add(outbound-socket-binding=my-socket,ssl-context=twoWaySSCclient,scheme=https)
/subsystem=undertow/server=default-server/host=default-host/location=\/proxy:add(handler=my-proxy)
reload
      5. Import client.p12 certificate into your client
      6. Perform request to https://localhost:8443/proxy - this should succeed and no exception in the log
      7. Now let's change clients certificate which server does not trust: 
        /subsystem=elytron/key-store=bad:add(type=JKS,path=bad.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret})
/subsystem=elytron/key-manager=bad:add(key-store=bad,credential-reference={clear-text=secret})
/subsystem=elytron/client-ssl-context=twoWaySSCclient:write-attribute(name=key-manager,value=bad)
reload
      8. Perform request to https://localhost:8443/proxy again and see exceptions in the server.log
      Show
      Unzip EAP zip archive and start via ./bin/standalone.sh Prepare keys, keystores and truststores: keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore bad.jks -dname "CN=localhost" -keypass secret -storepass secret keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer keytool -exportcert -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer keytool -importcert -noprompt -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer keytool -importcert -noprompt -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias client -destalias client -srcstorepass secret keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias localhost -destalias localhost -srcstorepass secret Configure server-side SSL /subsystem=elytron/key-store=twoWayKSserver:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTSserver:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-manager=twoWayKMserver:add(key-store=twoWayKSserver,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=twoWayTMserver:add(key-store=twoWayTSserver,algorithm= "SunX509" ) /subsystem=elytron/server-ssl-context=twoWaySSCserver:add(providers=openssl,key-manager=twoWayKMserver,protocols=[ "TLSv1.2" ],trust-manager=twoWayTMserver,need-client-auth= true ) batch /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSCserver) run-batch Prepare client-side SSL: /subsystem=elytron/key-store=twoWayKSclient:add(path=client.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTSclient:add(path=client.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-manager=twoWayKMclient:add(key-store=twoWayKSclient,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=twoWayTMclient:add(key-store=twoWayTSclient,algorithm= "SunX509" ) /subsystem=elytron/client-ssl-context=twoWaySSCclient:add(providers=openssl,key-manager=twoWayKMclient,protocols=[ "TLSv1.2" ],trust-manager=twoWayTMclient) /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=my-socket:add(host=localhost,port=8443) /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy:add() /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy/host=localhost:add(outbound-socket-binding=my-socket,ssl-context=twoWaySSCclient,scheme=https) /subsystem=undertow/server= default -server/host= default -host/location=\/proxy:add(handler=my-proxy) reload Import client.p12 certificate into your client Perform request to https://localhost:8443/proxy - this should succeed and no exception in the log Now let's change clients certificate which server does not trust: /subsystem=elytron/key-store=bad:add(type=JKS,path=bad.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret}) /subsystem=elytron/key-manager=bad:add(key-store=bad,credential-reference={clear-text=secret}) /subsystem=elytron/client-ssl-context=twoWaySSCclient:write-attribute(name=key-manager,value=bad) reload Perform request to https://localhost:8443/proxy again and see exceptions in the server.log

    Description

      When I configure EAP to use reverse-proxy against itself with wrong client-side certificate, I can see some NPE in server.log:

      18:27:41,500 ERROR [io.undertow.proxy] (default I/O-2) UT005028: Proxy request to /proxy failed: java.nio.channels.ClosedChannelException
        at io.undertow.client.http.HttpClientConnection$5.handleEvent(HttpClientConnection.java:194)
        at io.undertow.client.http.HttpClientConnection$5.handleEvent(HttpClientConnection.java:173)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.StreamConnection.invokeCloseListener(StreamConnection.java:80)
        at org.xnio.Connection.writeClosed(Connection.java:117)
        at io.undertow.protocols.ssl.UndertowSslConnection.writeClosed(UndertowSslConnection.java:145)
        at io.undertow.protocols.ssl.SslConduit.notifyWriteClosed(SslConduit.java:588)
        at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:625)
        at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:713)
        at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:648)
        at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
        at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1100)
        at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)

18:27:41,501 ERROR [org.xnio.listener] (default I/O-2) XNIO001007: A channel event listener threw an exception: java.lang.NullPointerException
        at io.undertow.client.http.HttpRequestConduit.processWrite(HttpRequestConduit.java:102)
        at io.undertow.client.http.HttpRequestConduit.flush(HttpRequestConduit.java:660)
        at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.flush(AbstractFixedLengthStreamSinkConduit.java:229)
        at org.xnio.conduits.ConduitStreamSinkChannel.flush(ConduitStreamSinkChannel.java:162)
        at org.xnio.ChannelListeners$14.handleEvent(ChannelListeners.java:413)
        at org.xnio.ChannelListeners$14.handleEvent(ChannelListeners.java:409)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
        at io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1227)
        at io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275)
        at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)

18:27:41,501 ERROR [org.xnio.listener] (default I/O-2) XNIO001007: A channel event listener threw an exception: java.lang.NullPointerException
        at io.undertow.client.http.HttpRequestConduit.processWrite(HttpRequestConduit.java:102)
        at io.undertow.client.http.HttpRequestConduit.flush(HttpRequestConduit.java:660)
        at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.flush(AbstractFixedLengthStreamSinkConduit.java:229)
        at org.xnio.conduits.ConduitStreamSinkChannel.flush(ConduitStreamSinkChannel.java:162)
        at org.xnio.ChannelListeners$14.handleEvent(ChannelListeners.java:413)
        at org.xnio.ChannelListeners$14.handleEvent(ChannelListeners.java:409)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
        at io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1227)
        at io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275)
        at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)

      See 'Steps to Reproduce' to reproduce the issue.

      We should generally avoid NPEs.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-1154 NPE when accessing via HttpClientConnection with wrong bad certificate

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFCORE-3394 Upgrade Undertow from 1.4.18 to 1.4.21.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              rpelisse@redhat.com Romain Pelisse
              jstourac@redhat.com Jan Stourac
              Jan Stourac Jan Stourac
              Jan Stourac Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: