Context/discussion: https://discord.com/channels/943670759891554316/1509120535223603381
joachim beckers
I've added a "semi" self-signed certificate to the tls-manager-plugin on my server. The certificate has a valid chain, i.e. one (self-signed) issuing CA and one (self-signed) Root CA.
Clients trust the Root CA via a modified cacerts file.
The cacerts does not contain the Issuing CA.
Connections fail. A coworker found out the reason is that mirth doesn't send the whole cert chain, only the server cert.
That tracks; the tls-manager UI only lets me import the server cert pem, not the full chain pem.
Devs can connect with a test client using startup param -Dcom.sun.security.enableAIAcaIssuer=true, but due to firewall config, the AIA x509 extension is not usable in prod.
Now I'm wondering what my options are. Should I just add the Issuing CA to the client cacerts?
Copilot tells me to add the Root and Issuing CA certs to the Additional Trusted Certificates. I'll try, but my guess is this won't make a difference. Additional Trusted Certificates feels like it's only applicable when mirth is the client, but in my case it's the server.
cgibson
Good find and can see this being a valid issue. I don't believe this is a TLS RFC non-compliant server/failure though... pbrichardson (NovaMap) / Paul Hristea (NovaMap) will defer to you guys.
I'll check today to see how the NG plugin functions as that's obviously a good parallel. I kinda suspect it works the same
Shouldn't expect a client to have arbitrary intermediates
Nor do I think clients will chase AIA
pbrichardson
Joachim Beckers Thanks for checking out the TLS Manager. Would you mind raising a GH issue please, then we can schedule someone to take a look at it. Based on what I know, I don't think it represents a bug, but you're not going to be the last to encounter this situation, so I'd like to make sure that our guidance is documented. If it does turn out to be a bug, then we would want a GH issue anyway. Thanks very much.