  1. Trapperkeeper
  2. TK-432

Jetty/tk-jetty9 logging for missing required cert is horrible

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Do
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • QA Risk Assessment:
      Needs Assessment

      Description

      If client-auth is unset in TK config it defaults to need. If a client doesn't present a cert, the server refuses to connect but logs nothing above DEBUG level:

      2017-02-01 10:45:32,959 DEBUG [qtp453815228-22] [o.e.j.s.HttpConnection]
      javax.net.ssl.SSLHandshakeException: null cert chain
      	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1421)
      	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
      	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
      	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
      	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
      	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:516)
      	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:239)
      	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292)
      	at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1804)
      	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:222)
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
      	at sun.security.ssl.Handshaker$1.run(Handshaker.java:909)
      	at sun.security.ssl.Handshaker$1.run(Handshaker.java:906)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1359)
      	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:612)
      

      This is terrible. Log something at WARN at least, preferably along the lines of "Jetty refusing HTTPS connection because client-auth is need / a client certificate is required but was not provided".
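
Since the ticket was closed as Won't Do, one way to surface these rejections is to post-process the DEBUG log. The scanner below is an added example, not code from the ticket, Trapperkeeper or Jetty; it assumes the log layout shown in the description, and its function names and sample lines are constructed for illustration.

```python
import re

# Event header in the layout shown in the ticket:
# "2017-02-01 10:45:32,959 DEBUG [thread] [logger] optional message"
HEADER = re.compile(
    r"^\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\]\s*(?P<msg>.*)$"
)
MISSING_CERT = "javax.net.ssl.SSLHandshakeException: null cert chain"
QUIET_LEVELS = {"TRACE", "DEBUG"}  # levels below the WARN the ticket asks for

def split_events(lines):
    """Attach message and stack-trace lines to the header that precedes them."""
    event = None
    for line in lines:
        m = HEADER.match(line)
        if m:
            if event:
                yield event
            event = {**m.groupdict(), "body": []}
        elif event is not None:
            event["body"].append(line.strip())
    if event:
        yield event

def missing_client_cert_warnings(lines):
    """One WARN line per rejected handshake that was only logged at DEBUG/TRACE."""
    out = []
    for ev in split_events(lines):
        text = [ev["msg"], *ev["body"]]
        if ev["level"] in QUIET_LEVELS and any(t.startswith(MISSING_CERT) for t in text):
            out.append(f"{ev['ts']} WARN [{ev['thread']}] Jetty refused HTTPS connection: "
                       "client-auth is need and no client certificate was provided")
    return out

# Constructed sample: the ticket's event (trace shortened) between two unrelated events.
SAMPLE = """\
2017-02-01 10:45:30,101 INFO  [main] [o.e.j.s.Server] Started
2017-02-01 10:45:32,959 DEBUG [qtp453815228-22] [o.e.j.s.HttpConnection]
javax.net.ssl.SSLHandshakeException: null cert chain
\tat sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1421)
Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
\tat sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
2017-02-01 10:45:33,400 DEBUG [qtp453815228-23] [o.e.j.s.HttpConnection] constructed unrelated debug line
""".splitlines()

if __name__ == "__main__":
    print("\n".join(missing_client_cert_warnings(SAMPLE)))
```

The scanner only sees these events if the `o.e.j.s.HttpConnection` logger is written at DEBUG, which is the level at which the ticket shows the exception.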

              People

              • Assignee:
                Unassigned
                Reporter:
                kevin.corcoran Kevin Corcoran