OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

SSL Connection Problem bad certificate #24395

Open anouri opened 1 year ago

anouri commented 1 year ago

IBM WebSphere Application Server Liberty version 17.0.0.3 through 22.0.0.7 has a vulnerability

https://www.cvedetails.com/cve/CVE-2022-22476/ I have upgraded it to version 23.0.0.1 in my Java web console.

https://github.com/OpenLiberty/open-liberty/releases/tag/gm-23.0.0.1

Now if I try to connect to my web console, I get this error: Stack Dump = javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

The same code works fine with an older version of Open Liberty, 20.0.0.3.

acdemyers commented 1 year ago

Hi @anouri I need more information to work with here.

Often a bad_certificate error happens if a client does not have trust: the client side will get a cert path error and the server side will get a bad_certificate error. It may also be seen if the server certificate has a size or signatureAlgorithm that violates the TLS disabled algorithms defined in the JDK's java.security file. Please check to see if your client has trust and that your server certificate is not disabled by the jdk.tls.disabledAlgorithms settings in the java.security file.

anouri commented 1 year ago

Hi @acdemyers Thank you very much for your reply. Here is more information about my Java (ibm-java-x86_64-80):

java -version
java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 8.0.6.25 - pxa6480sr6fp25-20210115_01(SR6 FP25))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20201218_462060 (JIT enabled, AOT enabled)
OpenJ9   - 4c03b71
OMR      - 86a8e1a
IBM      - 8c30c56)
JCL - 20210108_01 based on Oracle jdk8u281-b09

I have checked the file ./java/jre/lib/security/java.security and added the following line.

jdk.tls.disabledAlgorthms=SSLv3, RC4, MD5withRSA, DH, TLSv1

The same problem:

------Start of DE processing------ = [2/22/23 4:03:41:230 PST]
Exception = javax.net.ssl.SSLHandshakeException
Source = com.ibm.ws.channel.ssl.internal.SSLReadServiceContext$SSLReadCompletedCallback
probeid = 798
Stack Dump = javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at com.ibm.jsse2.g.a(g.java:58)
        at com.ibm.jsse2.g.a(g.java:4)
        at com.ibm.jsse2.ba.a(ba.java:221)
        at com.ibm.jsse2.g$c.consume(g$c.java:19)
        at com.ibm.jsse2.ba.a(ba.java:195)
        at com.ibm.jsse2.aZ.a(aZ.java:36)
        at com.ibm.jsse2.bf.g(bf.java:12)
        at com.ibm.jsse2.bf.f(bf.java:216)
        at com.ibm.jsse2.bf.e(bf.java:14)
        at com.ibm.jsse2.bf.unwrap(bf.java:318)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:8)
        at com.ibm.ws.channel.ssl.internal.SSLReadServiceContext.decryptMessage(SSLReadServiceContext.java:1214)
        at com.ibm.ws.channel.ssl.internal.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1802)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:516)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:586)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:970)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1059)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:247)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.lang.Thread.run(Thread.java:822)

The same code works fine with an older version of Open Liberty, 20.0.0.3.

What is the difference between Open Liberty 20.0.0.3 and 23.0.0.1?
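An added example, not from this thread or the Liberty project: a small Python check for the two server-side conditions acdemyers describes. It reads the disabledAlgorithms properties out of a java.security file, flags keys the JDK does not read (the line added above uses the key jdk.tls.disabledAlgorthms, while the JDK only honours jdk.tls.disabledAlgorithms, so an entry under the misspelled key has no effect), and tests whether a server certificate's signature algorithm or key size falls under a constraint. The java.security excerpt is constructed, and the "jdkCA & usage" constraint forms of newer JDKs are not modelled.

```python
import re

# Constructed java.security excerpt modelled on this thread. The JDK honours
# jdk.tls.disabledAlgorithms; the misspelled key on the last line is ignored.
JAVA_SECURITY = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorthms=SSLv3, RC4, MD5withRSA, DH, TLSv1
"""
REAL_KEYS = ("jdk.tls.disabledAlgorithms", "jdk.certpath.disabledAlgorithms")

def parse_properties(text):
    """Return {key: value} for the non-comment key=value lines of a java.security file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def misspelled_keys(props):
    """Keys that look like a disabledAlgorithms property but are not one the JDK reads."""
    return [k for k in props if "disabledalg" in k.lower() and k not in REAL_KEYS]

def parse_constraints(value):
    """Split 'ALG' / 'ALG keySize < N' entries into (ALG, limit); limit None = banned outright.
    The 'jdkCA & usage ...' forms of newer JDKs are not modelled."""
    constraints = []
    for entry in value.split(","):
        m = re.match(r"\s*(\S+)(?:\s+keySize\s*<\s*(\d+))?", entry)
        if m:
            constraints.append((m.group(1).upper(), int(m.group(2)) if m.group(2) else None))
    return constraints

def cert_rejected(sig_alg, key_alg, key_size, constraints):
    """True if a server certificate with this signature algorithm and key would be
    refused under the constraints (one server-side cause of the bad_certificate alert)."""
    for alg, limit in constraints:
        if limit is None and alg in (sig_alg.upper(), key_alg.upper()):
            return True
        if limit is not None and alg == key_alg.upper() and key_size < limit:
            return True
    return False

def audit(text, sig_alg, key_alg, key_size):
    """Ignored misspelled keys plus whether the cert is disabled by the real property."""
    props = parse_properties(text)
    constraints = parse_constraints(props.get("jdk.tls.disabledAlgorithms", ""))
    return misspelled_keys(props), cert_rejected(sig_alg, key_alg, key_size, constraints)
```

Run it against the real file (./java/jre/lib/security/java.security on the server above) and the signature algorithm and key size that keytool reports for the server certificate in the Liberty keystore.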

acdemyers commented 1 year ago

@anouri The error is likely coming from the client side of the communication. Did your server certificate change when you moved up, so that your client no longer has trust? You can see an error like that on the server when the client does not have trust. What is the client in your scenario?

Are you able to get traces?

anouri commented 1 year ago

@acdemyers My client is my MacBook (Firefox) and my server is a RedHat 7.9 Linux. I use the same combination with wlp-21.0.0.3.

I have 3 directories on my server.

wlp
wlp-21.0.0.3
wlp-23.0.0.1

My program uses the libraries in the wlp directory.

When I copy wlp-21.0.0.3 to wlp, it works.

rm -rf wlp
cp -r wlp-21.0.0.3 wlp
restart my server

But when I copy wlp-23.0.0.1 to wlp, I get the error "fatal alert: bad_certificate".

rm -rf wlp
cp -r wlp-23.0.0.1 wlp
restart my server

Here are the version numbers:

./wlp-21.0.0.3/bin/server version
WebSphere Application Server 21.0.0.3 (1.0.50.cl210320210309-1101) on IBM J9 VM, version 8.0.6.25 - pxa6480sr6fp25-20210115_01(SR6 FP25) (en_US)

wlp-23.0.0.1/bin/server version
Open Liberty 23.0.0.1 (1.0.73.cl230120230123-2118) on IBM J9 VM, version 8.0.6.25 - pxa6480sr6fp25-20210115_01(SR6 FP25) (en_US)

What is the difference between WebSphere Application Server and Open Liberty?

anouri commented 1 year ago

wlp-23.0.0.1-files.txt wlp-21.0.0.3-files.txt

Here is the list of files in these 2 directories: wlp-23.0.0.1 and wlp-21.0.0.3

acdemyers commented 1 year ago

@anouri Given how you are copying the whole wlp directory, you may be using 2 different keys. You have not provided configuration information. What are you using as your keystore? Look at the key entries in your keystores; are they different? If they are, then that could be the cause of your problem.

anouri commented 1 year ago

Hi, I have compared the files and found out. Then I have downloaded this archive (wlp-base-all-23.0.0.1.jar) from IBM WebSphere

https://www.ibm.com/support/fixcentral/quickorder?fixids=wlp-core-all-23.0.0.1&product=ibm%2FWebSphere%2FWebSphere%20Liberty&source=dbluesearch&mhsrc=ibmsearch_a&mhq=ibm%20websphere%20application%20server%20liberty%20v23%26period%3B0%26period%3B0%26period%3B1

and merged it with the files in https://public.dhe.ibm.com/ibmdl/export/pub/software/openliberty/runtime/release/23.0.0.1/openliberty-23.0.0.1.zip and it works. My question is how can I find the jar files from wlp-base-all-23.0.0.1.jar in Open Liberty, for example the following files:

wlp/lib/com.ibm.ws.rest.api.discovery_1.0.73.jar
wlp/lib/com.ibm.ws.rest.api.discovery.batch_1.0.73.jar
wlp/lib/com.ibm.ws.rest.api.discovery.collective.member_1.0.73.jar
wlp/lib/com.ibm.ws.rest.api.discovery.jmx_1.0.73.jar
wlp/lib/com.ibm.ws.rest.api.discovery.public_1.0.73.jar
wlp/lib/com.ibm.ws.rest.api.discovery.subscription_1.0.73.jar
wlp/lib/com.ibm.ws.rest.api.discovery.ui_1.0.73.jar
wlp/lib/com.ibm.ws.rest.api.discovery.ui.public_1.0.73.jar