Currently we are using Apache Artemis 2.37.0. We have certificate-based customers. Many times, we see errors like the ones below in the broker log:
AMQ222208: SSL handshake failed for client from /a.b.c.d:53838: javax.ssl.SSLHandshakeException: Empty server certificate chain.
AMQ222208: SSL handshake failed for client from /a.b.c.d:59132: java.security.cert.CertificateExpiredException: NotAfter: Tue Mar 25 00:00:11 IST 2025
AMQ224088: Timeout (10 seconds) on acceptor "artemis" during protocol handshake with /a.b.c.d:62403 has occurred.
Here we only get the customer IP along with the error message. In the real world, we have many customer applications running from the same IP, but not all of them use an expired or invalid certificate. We may have only one such misbehaving client. Troubleshooting such cases requires validating all customer applications on a single IP to trace the issue. It is very time consuming, as we need to check customer configuration, start/stop applications to see how it impacts the broker error, etc.
Can we get some additional information such as client id, certificate CN details or any other certificate information which can help us identify the erring client faster? If there is any log level change which can put such information in the broker log, that will be helpful.
As per information provided by Apache Artemis team, SSL handshake is delegated by Netty to Java or OpenSSL (but we are not using OpenSSL as SSL provider). We were provided with this link - .java#L1014.
Can we get additional information like client id, certificate CN etc. from ChannelHandlerContext or another Netty class which can provide more information than just the remote IP?
Thanks Shiv
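One way to record which certificate was rejected, added here as an example and not taken from the original post or from Artemis: a wrapper around the JDK trust manager that logs the leaf certificate's subject, issuer, serial and expiry before rethrowing the validation error. The class name `LoggingTrustManager` is hypothetical, and installing it in the broker's TLS configuration is assumed and not shown.

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;

/** Hypothetical wrapper: logs details of a client certificate that the real trust manager rejects. */
public final class LoggingTrustManager extends X509ExtendedTrustManager {
    private static final Logger LOG = Logger.getLogger(LoggingTrustManager.class.getName());
    private final X509ExtendedTrustManager delegate;

    public LoggingTrustManager(X509ExtendedTrustManager delegate) { this.delegate = delegate; }

    /** Builds the log line; the chain may be null or empty if no certificate was presented. */
    static String describe(X509Certificate[] chain, String peer) {
        if (chain == null || chain.length == 0) return "peer=" + peer + " chain=<empty>";
        X509Certificate leaf = chain[0];
        return "peer=" + peer
            + " subject=\"" + leaf.getSubjectX500Principal().getName() + "\""
            + " issuer=\"" + leaf.getIssuerX500Principal().getName() + "\""
            + " serial=" + leaf.getSerialNumber().toString(16)
            + " notAfter=" + leaf.getNotAfter().toInstant();
    }

    /** SSLEngine variant: the one used when TLS runs over an SSLEngine, as with Netty's JDK provider. */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        try {
            delegate.checkClientTrusted(chain, authType, engine);
        } catch (CertificateException | RuntimeException e) {
            // Assumption: the engine was created with peer host/port; otherwise these are null / -1.
            String peer = engine == null ? "?" : engine.getPeerHost() + ":" + engine.getPeerPort();
            LOG.warning("Rejected client certificate: " + describe(chain, peer) + " cause=" + e);
            throw e; // validation outcome is unchanged; only the log line is added
        }
    }

    // The remaining methods delegate unchanged.
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkClientTrusted(c, a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkServerTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkServerTrusted(c, a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.checkServerTrusted(c, a, e); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

A handshake that ends before any certificate reaches the trust manager, such as the AMQ224088 timeout, produces no line from this wrapper.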
Article title: Additional Info on certificate based authentication errors on Apache Artemis using netty - Stack Overflow