
I've configured an ActiveMQ broker with AMQP over SSL with mutual authentication, and it is working well with self-signed certificates. The problem appeared when trying to test with one of my client's certificates, which contains some critical extensions, causing the handshake to fail.

This is the stacktrace:

DEBUG | Transport Connection to: tcp://127.0.0.1:49318 failed: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.32] | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: ssl:///127.0.0.1:49318
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.32]
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)[:1.7.0_75]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)[:1.7.0_75]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)[:1.7.0_75]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)[:1.7.0_75]
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1682)[:1.7.0_75]
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:176)[:1.7.0_75]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)[:1.7.0_75]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:837)[:1.7.0_75]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)[:1.7.0_75]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)[:1.7.0_75]
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:889)[:1.7.0_75]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)[:1.7.0_75]
    at org.apache.activemq.transport.tcp.TcpBufferedInputStream.fill(TcpBufferedInputStream.java:50)[activemq-client-5.13.1.jar:5.13.1]
    at org.apache.activemq.transport.tcp.TcpTransport$2.fill(TcpTransport.java:629)[activemq-client-5.13.1.jar:5.13.1]
    at org.apache.activemq.transport.tcp.TcpBufferedInputStream.readStream(TcpBufferedInputStream.java:73)[activemq-client-5.13.1.jar:5.13.1]
    at org.apache.activemq.transport.tcp.TcpBufferedInputStream.read(TcpBufferedInputStream.java:94)[activemq-client-5.13.1.jar:5.13.1]
    at org.apache.activemq.transport.tcp.TcpTransport$2.read(TcpTransport.java:619)[activemq-client-5.13.1.jar:5.13.1]
    at java.io.DataInputStream.readFully(DataInputStream.java:195)[:1.7.0_75]
    at org.fusesource.hawtbuf.Buffer.readFrom(Buffer.java:412)[hawtbuf-1.11.jar:1.11]
    at org.apache.activemq.transport.amqp.AmqpWireFormat.unmarshal(AmqpWireFormat.java:102)[activemq-amqp-5.13.1.jar:5.13.1]
    at org.apache.activemq.transport.tcp.TcpTransport.readCommand(TcpTransport.java:240)[activemq-client-5.13.1.jar:5.13.1]
    at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:232)[activemq-client-5.13.1.jar:5.13.1]
    at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)[activemq-client-5.13.1.jar:5.13.1]
    at java.lang.Thread.run(Thread.java:745)[:1.7.0_75]

My understanding is that this is the default behaviour regarding certificate extensions and that for any particular case it should be overridden.

Does anybody know if my assumption is correct? Does anyone have a solution to this problem?

Thanks.

31torvl
  • A quick answer is to use a different certificate without the critical Certificate Policy (2.5.29.32) extension, or create a custom trust manager (X509TrustManager) to whitelist these kinds of certificates – Deva Feb 18 '16 at 10:50
  • @Deva - Thanks for the quick answer. Using different certificates without the critical extension is not an option. But implementing a custom TrustManager might be the solution. I'll try that and update my post. – 31torvl Feb 18 '16 at 11:18
  • Any solution to this? – CppChase May 23 '18 at 11:22
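The custom X509TrustManager suggested in the comments, written out as an added example (this is not code from the question or from ActiveMQ, and the class name, the allow-list and the PKIX-based chain validation are this example's own choices). The reasoning behind it, which is my reading of OpenJDK rather than anything the question states, is that the JSSE end-entity check rejects any critical extension it does not list, so a critical certificatePolicies (2.5.29.32) fails there even though the PKIX CertPathValidator's policy checker understands that extension. Rather than bypassing validation, the manager keeps JSSE's stance and only widens the allow-list by that one OID, re-applies the keyUsage and extendedKeyUsage checks a wholesale override would lose, and validates the chain with the PKIX validator against the broker's truststore:

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

// Example trust manager for TLS client authentication (not ActiveMQ code): explicit allow-list of
// critical extensions, explicit end-entity checks, PKIX chain validation against the truststore.
public final class PolicyTolerantTrustManager implements X509TrustManager {

    // Critical extension OIDs this manager understands; any other critical extension is fatal.
    private static final Set<String> ALLOWED_CRITICAL = new HashSet<>(Arrays.asList(
            "2.5.29.19",   // basicConstraints
            "2.5.29.15",   // keyUsage
            "2.5.29.37",   // extendedKeyUsage
            "2.5.29.17",   // subjectAltName
            "2.5.29.32")); // certificatePolicies, the OID rejected in the question

    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    private static final int KU_DIGITAL_SIGNATURE = 0; // index into X509Certificate.getKeyUsage()

    private final KeyStore trustStore;
    private final X509Certificate[] acceptedIssuers;

    public PolicyTolerantTrustManager(KeyStore trustStore) throws KeyStoreException {
        this.trustStore = trustStore;
        List<X509Certificate> issuers = new ArrayList<>();
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (trustStore.isCertificateEntry(alias)) {
                issuers.add((X509Certificate) trustStore.getCertificate(alias));
            }
        }
        this.acceptedIssuers = issuers.toArray(new X509Certificate[0]);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty client certificate chain");
        }
        X509Certificate leaf = chain[0];
        leaf.checkValidity();

        // 1. Same rule as JSSE, wider list: a critical extension we do not understand is fatal.
        Set<String> critical = leaf.getCriticalExtensionOIDs();
        if (critical != null) {
            Set<String> unknown = new HashSet<>(critical);
            unknown.removeAll(ALLOWED_CRITICAL);
            if (!unknown.isEmpty()) {
                throw new CertificateException("Certificate contains unsupported critical extensions: " + unknown);
            }
        }

        // 2. End-entity checks for client auth, re-applied because the default manager is bypassed.
        boolean[] keyUsage = leaf.getKeyUsage();
        if (keyUsage != null && !keyUsage[KU_DIGITAL_SIGNATURE]) {
            throw new CertificateException("keyUsage does not permit digitalSignature");
        }
        List<String> eku = leaf.getExtendedKeyUsage();
        if (eku != null && !eku.contains(EKU_CLIENT_AUTH)) {
            throw new CertificateException("extendedKeyUsage does not include clientAuth");
        }

        // 3. Chain validation. The path is cut at the first certificate that is itself a trust anchor,
        //    which also covers self-signed client certificates imported directly into the truststore.
        try {
            List<X509Certificate> path = new ArrayList<>();
            for (X509Certificate cert : chain) {
                if (trustStore.getCertificateAlias(cert) != null) {
                    break;
                }
                path.add(cert);
            }
            if (path.isEmpty()) {
                return; // the leaf is a trust anchor and has already passed checks 1 and 2
            }
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // assumption for the example; enable CRL/OCSP checking in production
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("client certificate chain validation failed", e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("this trust manager only validates client certificates");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return acceptedIssuers.clone();
    }
}
```

To use it, load the broker truststore into a `KeyStore`, build an `SSLContext` (or ActiveMQ's `org.apache.activemq.broker.SslContext`, which takes `KeyManager[]`, `TrustManager[]` and a `SecureRandom`; confirm the constructor against the ActiveMQ version you run) with `new TrustManager[] { new PolicyTolerantTrustManager(trustStore) }`, and hand that context to the broker instead of the default one. The allow-list is the security boundary here: add an OID to it only when you know the validator (or your own code) actually enforces what that extension demands.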
