ibm-messaging / mq-container

Container images for IBM® MQ
Apache License 2.0

mTLS works between client and IBM MQ if the client keystore has certificate only for serverAuth, not clientAuth #540

Closed WalkerWalker closed 11 months ago

WalkerWalker commented 11 months ago

As the title mentions, mTLS works between client and IBM MQ if the client keystore has certificate only for serverAuth, not clientAuth. But this should not be the case.

For example, following the official guide here https://developer.ibm.com/tutorials/configuring-mutual-tls-authentication-java-messaging-app/, we can establish the mTLS connection successfully, and the client log has the following "Produced client Certificate handshake message":

```
javax.net.ssl|DEBUG|1E|pool-1-thread-1|2023-10-24 15:00:55.214 UTC|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "2A FC D8 2F BB 31 14 F4",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=openshift-service-serving-signer@1628590423",
    "not before"         : "2023-10-09 10:17:28.000 UTC",
    "not  after"         : "2025-10-08 10:17:29.000 UTC",
    "subject"            : "CN=jms-bulk-messaging.fate-sample-app-dev.svc",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 1.3.6.1.4.1.2312.17.100.2.1 Criticality=false
      },
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: 0A 3C 75 40 B5 A3 8B F3   88 E9 C0 68 52 FE 03 1C  .<u@.......hR...
        0010: E3 80 3D DE                                        ..=.
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          DigitalSignature
          Key_Encipherment
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: jms-bulk-messaging.fate-sample-app-dev.svc
          DNSName: jms-bulk-messaging.fate-sample-app-dev.svc.cluster.local
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 98 E7 99 77 B0 3A ED AA   21 51 65 D6 44 34 45 48  ...w.:..!Qe.D4EH
        0010: B0 1E 10 48                                        ...H
        ]
        ]
      }
    ]},
  "certificate" : {...},
  "certificate" : {...}
]
)
```

More specifically, the certificate has the field

        ExtendedKeyUsages [
          serverAuth
        ]

and in my understanding, it should prevent the mTLS handshake from being successful because it doesn't have clientAuth. But it seems that IBM MQ doesn't care about ExtendedKeyUsages.
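
An added example, not part of the original issue or the mq-container project: a client-side audit that reads javax.net.ssl debug output of the kind quoted above and flags any presented client certificate whose ExtendedKeyUsages does not include clientAuth. The function names, the acceptance policy in `permits_client_auth` (an absent extension or anyExtendedKeyUsage is accepted) and the second log message are assumptions of this example.

```python
import re

# Constructed sample in the javax.net.ssl debug format quoted in the issue, trimmed
# to the fields read here; the second message (CN=example-client) is invented.
SAMPLE_LOG = '''\
javax.net.ssl|DEBUG|1E|pool-1-thread-1|2023-10-24 15:00:55.214 UTC|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": [
  "certificate" : {
    "subject"            : "CN=jms-bulk-messaging.fate-sample-app-dev.svc",
    "extensions"         : [
      {
        ExtendedKeyUsages [
          serverAuth
        ]
      }
    ]},
  "certificate" : {...}
]
)
javax.net.ssl|DEBUG|1E|pool-1-thread-1|2023-10-24 15:01:02.000 UTC|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": [
  "certificate" : {
    "subject"            : "CN=example-client",
    "extensions"         : [
        ExtendedKeyUsages [
          clientAuth
        ]
    ]}
]
)
'''

def permits_client_auth(eku):
    # Assumed policy: no EKU extension means unrestricted; otherwise the purpose must be listed.
    return eku is None or "clientAuth" in eku or "anyExtendedKeyUsage" in eku

def audit_client_certs(log_text):
    """Return (subject, eku_list_or_None, ok) for the leaf certificate of each client Certificate message."""
    results = []
    for msg in log_text.split("Produced client Certificate handshake message")[1:]:
        # Stop at the closing ")" of this message, then isolate the first "certificate" entry.
        parts = msg.split("\n)", 1)[0].split('"certificate" :', 2)
        if len(parts) < 2:
            continue  # empty Certificate message: the client presented no certificate
        leaf = parts[1]  # first entry is the end-entity certificate; chain entries follow
        subject = re.search(r'"subject"\s*:\s*"([^"]*)"', leaf)
        eku = re.search(r'ExtendedKeyUsages \[(.*?)\]', leaf, re.S)
        usages = eku.group(1).split() if eku else None
        results.append((subject.group(1) if subject else None, usages, permits_client_auth(usages)))
    return results
```

Run over the full log from the issue, the first tuple is the same: the certificate lists only serverAuth, so `ok` is `False`.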

arthurbarr commented 11 months ago

The TLS handshake is managed as part of the IBM MQ software, and I don't think anything you've mentioned is related to this sample repository. Can I please suggest that you raise this as a support ticket against the MQ software?