[OPENDJ-1959] Duplicated WARNING messages (and possibly inappropriate ones) when running setup Created: 20/Apr/15  Updated: 08/Nov/19  Resolved: 12/Oct/15

Status: Done
Project: OpenDJ
Component/s: core server
Affects Version/s: 3.0.0
Fix Version/s: 3.0.0

Type: Bug Priority: Major
Reporter: Ludovic Poitou Assignee: Yannick Lecaillez
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to OPENDJ-1056 Secure listener should not be created... Done
relates to OPENDJ-2212 Administrator Connector configuration... Done
is related to OPENDJ-2341 dsreplication initialize-all task fai... Done
is related to OPENDJ-2374 Pass-through-authentication with SSL ... Done
Dev Assignee: Yannick Lecaillez

 Description   

Testing with today's nightly build, when running setup, I can see new WARNING messages that are duplicated and can be confusing:

[20/Apr/2015:16:54:03 +0200] category=UTIL severity=WARNING msgID=org.opends.messages.extension.636 msg=The EC_EC key with alias 'admin-cert' was not found for 'Administration Connector'
[20/Apr/2015:16:54:44 +0200] category=UTIL severity=WARNING msgID=org.opends.messages.extension.636 msg=The EC_EC key with alias 'admin-cert' was not found for 'Administration Connector'

These messages are no longer showing up after stop and start of the server.



 Comments   
Comment by Matthew Swift [ 20/May/15 ]

With replication enabled these warnings appear every time the server is started:

matt@matts-pc ~/workspace/opendj-project-clean/opendj-server-legacy/target/package/opendj $ ./bin/start-ds 
[20/May/2015:16:15:55 +0200] category=CORE severity=NOTICE msgID=org.opends.messages.core.134 msg=OpenDJ 3.0.0-SNAPSHOT (build 20150520160949, R12305) starting up
[20/May/2015:16:15:55 +0200] category=UTIL severity=NOTICE msgID=org.opends.messages.runtime.21 msg=Installation Directory:  /home/matt/workspace/opendj-project-clean/opendj-server-legacy/target/package/opendj
[20/May/2015:16:15:55 +0200] category=UTIL severity=NOTICE msgID=org.opends.messages.runtime.23 msg=Instance Directory:      /home/matt/workspace/opendj-project-clean/opendj-server-legacy/target/package/opendj
[20/May/2015:16:15:55 +0200] category=UTIL severity=NOTICE msgID=org.opends.messages.runtime.17 msg=JVM Information: 1.7.0_79-b14 by Oracle Corporation, 64-bit architecture, 3717201920 bytes heap size
[20/May/2015:16:15:55 +0200] category=UTIL severity=NOTICE msgID=org.opends.messages.runtime.18 msg=JVM Host: matts-pc, running Linux 3.16.0-37-generic amd64, 16726835200 bytes physical memory size, number of processors available 8
[20/May/2015:16:15:55 +0200] category=UTIL severity=NOTICE msgID=org.opends.messages.runtime.19 msg=JVM Arguments: "-Dorg.opends.server.scriptName=start-ds"
[20/May/2015:16:16:00 +0200] category=org.opends.server.backends.persistit.PersistItStorage severity=NOTICE msgID=org.opends.messages.backend.452 msg=The Persistit storage for backend 'userRoot' initialized to use 55952 buffers of 16384 bytes (total 895232kb)
[20/May/2015:16:16:00 +0200] category=org.opends.server.backends.pluggable.BackendImpl severity=NOTICE msgID=org.opends.messages.backend.513 msg=The database backend userRoot containing 2002 entries has started
[20/May/2015:16:16:00 +0200] category=EXTENSIONS severity=NOTICE msgID=org.opends.messages.extension.221 msg=DIGEST-MD5 SASL mechanism using a server fully qualified domain name of: matts-pc.home
[20/May/2015:16:16:00 +0200] category=SYNC severity=NOTICE msgID=org.opends.messages.replication.204 msg=Replication server RS(23169) started listening for new connections on address 0.0.0.0 port 8989
[20/May/2015:16:16:00 +0200] category=UTIL severity=WARNING msgID=org.opends.messages.extension.636 msg=The EC_EC key with alias 'ads-certificate' was not found for '[unknown]'
[20/May/2015:16:16:00 +0200] category=UTIL severity=WARNING msgID=org.opends.messages.extension.636 msg=The EC_EC key with alias 'ads-certificate' was not found for '[unknown]'
[20/May/2015:16:16:00 +0200] category=SYNC severity=NOTICE msgID=org.opends.messages.replication.62 msg=Directory server DS(25244) has connected to replication server RS(23169) for domain "dc=example,dc=com" at matts-pc.home/192.168.1.35:8989 with generation ID 19459565
[20/May/2015:16:16:00 +0200] category=UTIL severity=WARNING msgID=org.opends.messages.extension.636 msg=The EC_EC key with alias 'ads-certificate' was not found for '[unknown]'
[20/May/2015:16:16:00 +0200] category=UTIL severity=WARNING msgID=org.opends.messages.extension.636 msg=The EC_EC key with alias 'ads-certificate' was not found for '[unknown]'
[20/May/2015:16:16:00 +0200] category=SYNC severity=NOTICE msgID=org.opends.messages.replication.62 msg=Directory server DS(11752) has connected to replication server RS(23169) for domain "cn=admin data" at matts-pc.home/192.168.1.35:8989 with generation ID 115076
[20/May/2015:16:16:00 +0200] category=UTIL severity=WARNING msgID=org.opends.messages.extension.636 msg=The EC_EC key with alias 'ads-certificate' was not found for '[unknown]'
[20/May/2015:16:16:00 +0200] category=UTIL severity=WARNING msgID=org.opends.messages.extension.636 msg=The EC_EC key with alias 'ads-certificate' was not found for '[unknown]'
[20/May/2015:16:16:00 +0200] category=SYNC severity=NOTICE msgID=org.opends.messages.replication.62 msg=Directory server DS(18933) has connected to replication server RS(23169) for domain "cn=schema" at matts-pc.home/192.168.1.35:8989 with generation ID 8408
[20/May/2015:16:16:00 +0200] category=PROTOCOL severity=NOTICE msgID=org.opends.messages.protocol.276 msg=Started listening for new connections on Administration Connector 0.0.0.0 port 4444
[20/May/2015:16:16:00 +0200] category=PROTOCOL severity=NOTICE msgID=org.opends.messages.protocol.276 msg=Started listening for new connections on LDAP Connection Handler 0.0.0.0 port 1389
[20/May/2015:16:16:00 +0200] category=CORE severity=NOTICE msgID=org.opends.messages.core.135 msg=The Directory Server has started successfully
[20/May/2015:16:16:00 +0200] category=CORE severity=NOTICE msgID=org.opends.messages.core.139 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID org.opends.messages.core-135): The Directory Server has started successfully

Comment by Yannick Lecaillez [ 15/Jun/15 ]

This warning is printed during the SSL handshake process, when the client and the server try to agree on a common cipher (see SelectableCertificateKeyManager.chooseServerAlias()).
No certificate alias is found for EC (elliptic curve) ciphers because the self-signed certificate generated automatically during setup contains only a RSA key.
As a result, the warning message will be printed as many times as EC ciphers are tried.

To solve that we could either:

  • Remove EC ciphers from the supported cipher list on the server ds-cfg-administration-connector.ds-cfg-ssl-cipher-suite
  • Generate an EC compatible key rather than the RSA one for generated self-signed certificates
    Platform.java
         private static final int KEY_SIZE = 571;
         private static final String KEY_ALGORITHM = "ec";
         private static final String SIG_ALGORITHM = "SHA1withECDSA";

Comment by Ludovic Poitou [ 15/Jun/15 ]

The second solution will cause the RSA-based ciphers to produce warning messages, right?
Can we detect the certificate key (EC or RSA), and avoid the warning for the ciphers that are not compatible with the key?

One thing to keep in mind: during setup, one can specify a certificate to load, so we do not fully control the cert, but we need to warn the user if it's not usable.

Comment by Yannick Lecaillez [ 15/Jun/15 ]

No, the code I copied in my previous comment generates a valid EC key (and removes the warning). The current code generating the RSA key that produces the warning is in Platform.java:

private static final int KEY_SIZE = 1024;
private static final String KEY_ALGORITHM = "rsa";
private static final String SIG_ALGORITHM = "SHA1WithRSA";

It seems possible to get the key type from the certificate with http://docs.oracle.com/javase/7/docs/api/java/security/cert/Certificate.html#getPublicKey()
While I like the idea of limiting the cipher suites to the ones possible for the key/cert, I'm a bit worried about the maintenance of a key algorithm <--> cipher mapping when new key algorithms/ciphers appear. Hopefully there is an API to get that mapping information.
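As an added example (my own code, not OpenDJ's SelectableCertificateKeyManager), here is how the check Ludovic asks for above, and the key-type mapping discussed in this comment, could look when folded into a key manager: the wrapper answers a chooseServerAlias() request only with an alias whose certificate matches the JSSE key type, so an RSA-only keystore stays quiet while EC_EC and EC_RSA suites are tried, and a warning is raised only for a configured nickname that is not in the keystore at all. The class name, the `aliases` list (standing in for a multi-valued ssl-cert-nickname) and the log wording are assumptions; the key-type strings are the ones listed under "JSSE key types" in the Java Security Standard Names.

```java
import java.net.Socket;
import java.security.KeyPairGenerator;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.X509KeyManager;

/**
 * Added example, not OpenDJ code: a keystore-backed X509KeyManager wrapped so that
 * chooseServerAlias() only returns an alias whose certificate can serve the
 * requested JSSE key type, instead of logging a warning per cipher suite tried.
 */
public final class KeyTypeAwareKeyManager implements X509KeyManager {

    private final X509KeyManager delegate;
    private final List<String> aliases;  // assumed: configured ssl-cert-nickname values, in preference order
    private final Set<String> warned =   // warn once per (keyType, alias), not once per handshake attempt
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    public KeyTypeAwareKeyManager(X509KeyManager delegate, List<String> aliases) {
        this.delegate = delegate;
        this.aliases = aliases;
    }

    /**
     * Map a JSSE key type onto what the certificate must provide: RSA, DSA and EC
     * name the key algorithm; EC_EC and EC_RSA additionally require an EC key whose
     * certificate is ECDSA- or RSA-signed. An unknown type is reported incompatible
     * rather than guessed, which is the only upkeep when a new type appears.
     */
    static boolean isCompatible(String keyType, String keyAlgorithm, String sigAlgName) {
        String key = keyAlgorithm.toUpperCase(Locale.ROOT);
        String sig = sigAlgName.toUpperCase(Locale.ROOT);
        switch (keyType.toUpperCase(Locale.ROOT)) {
            case "RSA":    return key.equals("RSA");
            case "DSA":    return key.equals("DSA");
            case "EC":     return key.equals("EC");
            case "EC_EC":  return key.equals("EC") && sig.contains("ECDSA");
            case "EC_RSA": return key.equals("EC") && sig.contains("RSA");
            default:       return false;
        }
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        for (String alias : aliases) {
            X509Certificate[] chain = delegate.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                // A nickname missing from the keystore is a real misconfiguration: say so, once.
                warnOnce(keyType, alias, "no certificate with that alias in the keystore");
                continue;
            }
            X509Certificate leaf = chain[0];
            if (isCompatible(keyType, leaf.getPublicKey().getAlgorithm(), leaf.getSigAlgName())) {
                return alias;
            }
            // Wrong key type for this suite is normal during negotiation: JSSE just
            // moves on to the next cipher suite, so there is nothing to warn about.
        }
        return null;
    }

    private void warnOnce(String keyType, String alias, String reason) {
        if (warned.add(keyType + "/" + alias)) {
            System.err.println("WARNING: key with alias '" + alias + "' unusable for key type "
                    + keyType + ": " + reason);
        }
    }

    // Everything else is plain delegation to the keystore-backed manager.
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /** Demo on constructed inputs: what a 1024-bit RSA self-signed cert and an EC one can serve. */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(1024);  // the KEY_SIZE setup uses for the generated self-signed cert
        PublicKey rsa = rsaGen.generateKeyPair().getPublic();
        PublicKey ec = KeyPairGenerator.getInstance("EC").generateKeyPair().getPublic();
        for (String keyType : new String[] {"RSA", "EC", "EC_EC", "EC_RSA"}) {
            System.out.printf("%-7s rsa-cert=%-5b ec-cert=%b%n", keyType,
                    isCompatible(keyType, rsa.getAlgorithm(), "SHA1withRSA"),
                    isCompatible(keyType, ec.getAlgorithm(), "SHA1withECDSA"));
        }
    }
}
```

With only an RSA admin-cert configured, every EC_EC request returns null silently and JSSE falls back to an RSA suite; with both admin-cert and an EC alias configured, the EC suites get the EC alias and the RSA suites the RSA one, which is the effect of the two-certificate fix proposed below without a per-suite warning.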

Comment by Yannick Lecaillez [ 16/Jun/15 ]

What i propose:

  • Generate two certificates: one using RSA algorithm (admin-cert), one using EC algorithm (admin-cert-ec)
  • Modify the ssl-cert-nickname to make it multi-valued and add admin-cert & admin-cert-ec as default values

Comment by Ludovic Poitou [ 16/Jun/15 ]

Thanks Yannick for explaining to me what the real issue was.
I agree for the proposed fix.
Just a question, how about the other self-signed certificates that we may be generating (LDAPS and HTTPS connection handlers) ?

Comment by Chris Ridd [ 13/Jul/15 ]

I will add some observations, which I think indicate that the proposed fix is not addressing the problem.

NB I am using the JCE unlimited policy in Java 7.

Firstly, by configuring the Administration Connector to support only a single cipher suite at a time, I can only reproduce the EC_EC warning for the admin-cert with either of the following 2 cipher suites:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Doing the same with the LDAPS connector, I cannot trigger the warning at all. (It would presumably be for server-cert.)

Note that other cipher suites with ECDHE do not trigger the warning for the admin connector:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

Other cipher suites with ECDSA do not trigger the warning:

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

The "EC_EC" key type is according to http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames the type used for ECDSA keys.

The server-cert seems to have the same structure as the admin-cert - same algorithm OIDs, no extensions.

The main difference between the admin connector and the LDAPS connector is that the LDAPS connector has "let the server decide" for the certificate nickname. If you set an explicit nickname for the LDAPS connector, the warning messages appear when you connect to the LDAPS connector:

[13/Jul/2015:14:28:07 +0100] category=EXTENSIONS severity=NOTICE msgID=1507964 msg=The EC_EC key with alias 'server-cert' was not found for 'LDAPS Connection Handler'

Comment by Yannick Lecaillez [ 16/Jul/15 ]

Actually, you just found another bug: it looks like DJ needs to be restarted to apply the new configuration settings for (at least) the Administrator Connector.

Using dsconfig, I changed the cipher suite to only TLS_ECDHE_ECDSA_WITH_RC4_128_SHA without a restart; here is the openssl result:

  $ openssl s_client -connect localhost:4444
  ....
  ---
  SSL handshake has read 989 bytes and written 501 bytes
  ---
  New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
  Server public key is 1024 bit
  ...

Note that the cipher used is actually not ECDSA but RSA, so the admin-cert works for it.

After a restart:

$ openssl s_client -connect localhost:4444
CONNECTED(00000003)
140682126874256:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Since ECDSA cannot be used and no other ciphers are available, the handshake cannot be performed.

Comment by Matthew Swift [ 07/Nov/19 ]

Moved to closed state because the fixVersion has already been released.

Generated at Tue Nov 24 21:21:56 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.