fmtn/a

SSL Question - keyStore not used

efrogger opened this issue · 5 comments

Hi,

the readme states that SSL can be used by using "-Djavax.net.ssl.keyStore" and "-Djavax.net.ssl.trustStore":

java -Djavax.net.ssl.keyStore=/Users/petter/client.jks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/Users/petter/truststore.jks -Djavax.net.ssl.trustStorePassword=password -jar a-1.6.0-jar-with-dependencies.jar -b ssl://example.org:61618 MY.QUEUE

As I'm working with self-signed certs in my setup (2-way SSL) I need both a client keyStore and a trustStore. While passing both arguments works perfectly fine for the trustStore, it does not work for the keyStore. It seems to me that -Djavax.net.ssl.keyStore is somehow 'ignored', so the keyStore is never used during the TLS/SSL handshake. The result is that the client certificate cannot be found and the handshake is not successful.

Any idea why this happens?

Try typing all settings for your keystore.
I.e. add both -Djavax.net.ssl.keyStoreType and -Djavax.net.ssl.keyStorePassword as well. This is really a Java thing, not something explicitly used by this project. Maybe you need to set keyStoreType to JKS or something, since they changed the default value to PKCS12 in Java 9. But I have not tested this.

Thank you for the quick reply @northlander! I already tried that ... well, I believe I almost tried everything which is documented in that regard. Nothing works, as the problem seems to be (as you already stated) located in the JDK resp. SSLContext.

The problem described here is exactly the problem I'm having: https://bugs.openjdk.org/browse/JDK-8292574

I'm only a user, not a developer, to be honest, so I was hoping there might be a programmatic way around this problem (see the workaround described in the referenced JDK issue about not calling sslContext.init(null, null, null)).
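As an added illustration of the workaround the referenced JDK issue points at (this is example code written for this thread, not code from A, ActiveMQ or the Qpid client): an SSLContext initialised with explicit key and trust managers does honour the javax.net.ssl.keyStore/trustStore properties, whereas init(null, null, null) leaves the context without a usable key manager, which matches the "client certificate cannot be found" symptom. The class name ClientTlsContext and its helper methods are assumptions for the example; the property names are the standard JSSE ones from the readme command above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not part of the A project): build a client SSLContext
 * explicitly from the javax.net.ssl.* system properties and verify that
 * the key store actually holds a private key entry that can be presented
 * to a broker configured with needClientAuth=true.
 */
public final class ClientTlsContext {

    private ClientTlsContext() {
    }

    /** Loads a key store whose path, password and type are given by system properties. */
    static KeyStore loadStore(String pathProp, String passProp, String typeProp)
            throws IOException, GeneralSecurityException {
        String path = System.getProperty(pathProp);
        if (path == null) {
            throw new IllegalStateException(pathProp + " is not set");
        }
        char[] password = System.getProperty(passProp, "").toCharArray();
        // Java 9+ defaults KeyStore.getDefaultType() to PKCS12; set
        // javax.net.ssl.keyStoreType=JKS explicitly if your JDK refuses a .jks file.
        String type = System.getProperty(typeProp, KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Counts key entries, i.e. the certificates this client could present during the handshake. */
    static long keyEntries(KeyStore ks) throws GeneralSecurityException {
        long n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                n++;
            }
        }
        return n;
    }

    /**
     * Builds the context with explicit managers. Passing null key managers to
     * SSLContext.init() would NOT fall back to javax.net.ssl.keyStore; only
     * SSLContext.getDefault() reads those properties on its own.
     */
    public static SSLContext build() throws IOException, GeneralSecurityException {
        KeyStore keyStore = loadStore("javax.net.ssl.keyStore",
                "javax.net.ssl.keyStorePassword", "javax.net.ssl.keyStoreType");
        if (keyEntries(keyStore) == 0) {
            throw new IllegalStateException(
                    "key store has no private key entry; a needClientAuth broker will reject the handshake");
        }
        KeyStore trustStore = loadStore("javax.net.ssl.trustStore",
                "javax.net.ssl.trustStorePassword", "javax.net.ssl.trustStoreType");

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Run with the same -Djavax.net.ssl.* flags as the readme command; a missing
        // or key-less store fails here with a clear message instead of a handshake error.
        SSLContext ctx = build();
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

Running this with the same -D flags as the readme command is a quick way to tell a broken store from a library that ignores the properties: if build() succeeds but the A connection still fails, the client library is initialising its own context. Adding -Djavax.net.debug=ssl:keymanager shows whether a key manager with your alias is present during the real handshake.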

The problem is that any sslContext init (if done, not sure) is done in the ActiveMQ Client lib (https://github.com/apache/activemq/tree/main/activemq-client) and not in this CLI. As a matter of fact, there is no SSL code at all in A.

Tried 1.6.0 using Java 11 on a broker with connector: <transportConnector name="ssl" uri="ssl://localhost:61617?trace=true&amp;needClientAuth=true"/> and the "default" sample keystore/truststore shipped with ActiveMQ.

java -version
openjdk version "11.0.16.1" 2022-08-12
OpenJDK Runtime Environment Temurin-11.0.16.1+1 (build 11.0.16.1+1)
OpenJDK 64-Bit Server VM Temurin-11.0.16.1+1 (build 11.0.16.1+1, mixed mode)

and this command:

java -jar -Djavax.net.ssl.keyStore=/Users/petter/Downloads/apache-activemq-5.17.2/conf/broker.ks  \
-Djavax.net.ssl.trustStore=/Users/petter/Downloads/apache-activemq-5.17.2/conf/broker.ts \
-Djavax.net.ssl.keyStorePassword=password \
-Djavax.net.ssl.trustStorePassword=password \
a-1.6.0-jar-with-dependencies.jar \
-b ssl://localhost:61617 -g -c 1 q

and it worked just fine (and did not work as expected when I removed the keystore since it could not authenticate).

Not really sure how to help with this issue, since I'm unable to reproduce it. Did you try 1.6.0?

Your comment was very helpful. I was so focused on my specific constellation / setup that I didn't look left or right ... Your comment helped to clear that focus and you're absolutely right: the SSL connection works just fine with an openwire/ssl connector as described.

The thing is that I am working with an amqp+ssl connector:

<transportConnector name="amqp+ssl" uri="amqp+ssl://0.0.0.0:5671?transport.enabledProtocols=TLSv1.2&amp;needClientAuth=true"/>

And in that case (using the -A parameter with A) referencing the keyStore / trustStore via -Djavax.net.ssl.trustStore resp. -Djavax.net.ssl.keyStore does not work. For AMQP connections you're using the QPID client library org.apache.qpid.amqp_1_0.jms.impl.ConnectionFactoryImpl, so I have to provide this information within the URL.

Here's the command which finally worked for me when trying to connect to the connector mentioned above:

java -jar -Djavax.net.debug=ssl:keymanager:sslcontext a-1.6.0-jar-with-dependencies.jar -A -b "amqp://broker:5671?ssl=true&ssl-cert-alias=myalias&trust-store=client.ts&trust-store-password=password&key-store=client.ks&key-store-password=password" -p "foo" bar

Maybe this is something worth adding to the "Use SSL" section in the Readme...

Anyway ... thanks a lot for the input and keep up the good work. I really love working with A :-)

Thanks for the input @efrogger. I have updated the docs.