Maven Wagon

SSL client-side certificates stopped working in maven 3.0.4

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 2.2
  • Fix Version/s: 2.4
  • Component/s: wagon-http
  • Labels:
    None
  • Environment:
    Fedora, Ubuntu
  • Number of attachments :
    2

Description

The following command works perfectly in Maven 3.0.3, but 3.0.4 does not seem to open the key store and therefore client side certificate authentication fails as maven never presents a certificate to the server.

mvn deploy -Djavax.net.ssl.keyStore=/home/<user>/ssl/key.p12 -Djavax.net.ssl.keyStorePassword=****** -Djavax.net.ssl.keyStoreType=pkcs12

adding -Djavax.net.debug=all reveals that the keystore is never loaded. Confirmed with strace that the keystore file is never touched or opened.

Issue Links

is depended upon by

Bug - A problem which impairs or prevents the functions of the product. WAGON-383 Regression for SSLv3

  • Critical - Crashes, loss of data, severe memory leak.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.
is related to

Improvement - An improvement or enhancement to an existing feature or task. MNG-5175 replace wagon http lightweight with wagon http 2.1

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Olivier Lamy added a comment -

as workaround you can put the file from http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon-http-lightweight/2.2/wagon-http-lightweight-2.2.jar to $M2_HOME/lib/ext .

Show
Olivier Lamy added a comment - as workaround you can put the file from http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon-http-lightweight/2.2/wagon-http-lightweight-2.2.jar to $M2_HOME/lib/ext .
Hide
Permalink
Graham Leggett added a comment -

We can also confirm that client certificate support is broken in maven v3.0.4, we also see no attempt by maven to read the keystore when -Djavax.net.debug=ssl:handshake is enabled.

The workaround works, however this is a support burden for us, as every new developer that comes on board must manually configure this.

Show
Graham Leggett added a comment - We can also confirm that client certificate support is broken in maven v3.0.4, we also see no attempt by maven to read the keystore when -Djavax.net.debug=ssl:handshake is enabled. The workaround works, however this is a support burden for us, as every new developer that comes on board must manually configure this.
Hide
Permalink
Olivier Lamy added a comment -

Did you try with -Dmaven.wagon.http.ssl.easy=false ?

Show
Olivier Lamy added a comment - Did you try with -Dmaven.wagon.http.ssl.easy=false ?
Hide
Permalink
Graham Leggett added a comment -

Sorry, should have been more specific, this was with -Dmaven.wagon.http.ssl.easy=false. If we switch -Dmaven.wagon.http.ssl.easy=true, we also get the keystore being ignored, but in this case we fail with a handshake failure instead of peer is not authenticated.

In both cases (false or true), Server Name Indication (RFC3546) breaks, the SSL handshake debug log shows the wrong certificate being sent by the server (the first certificate). Once the http-lightweight wagon v2.2 workaround is put in place, SNI starts working again and the server sends the correct certificate. I suspect whatever SSL options that the new code is setting, it is unintentionally switching other SSL options like SNI off.

Show
Graham Leggett added a comment - Sorry, should have been more specific, this was with -Dmaven.wagon.http.ssl.easy=false. If we switch -Dmaven.wagon.http.ssl.easy=true, we also get the keystore being ignored, but in this case we fail with a handshake failure instead of peer is not authenticated. In both cases (false or true), Server Name Indication (RFC3546) breaks, the SSL handshake debug log shows the wrong certificate being sent by the server (the first certificate). Once the http-lightweight wagon v2.2 workaround is put in place, SNI starts working again and the server sends the correct certificate. I suspect whatever SSL options that the new code is setting, it is unintentionally switching other SSL options like SNI off.
Hide
Permalink
Oleg Kalnichevski added a comment -

By default Apache HttpClient does not make use of global system properties. One needs to explicitly configure the connection manager to take system properties into account at the initialization time, if appropriate winthin a particular application context. The attach patch should fix the issue by tweaking SSL context initialization in the AbstractHttpClientWagon class.

Please review.

Oleg

Show
Oleg Kalnichevski added a comment - By default Apache HttpClient does not make use of global system properties. One needs to explicitly configure the connection manager to take system properties into account at the initialization time, if appropriate winthin a particular application context. The attach patch should fix the issue by tweaking SSL context initialization in the AbstractHttpClientWagon class. Please review. Oleg
Hide
Permalink
Oleg Kalnichevski added a comment -

Sorry, I should have mentioned that in my previous post. All tests when run as 'mvn clean test' pass for me.


[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] Apache Maven Wagon ................................ SUCCESS [2.100s]
[INFO] Apache Maven Wagon :: API ......................... SUCCESS [3.069s]
[INFO] Apache Maven Wagon :: Provider Test ............... SUCCESS [1.273s]
[INFO] Apache Maven Wagon :: Providers ................... SUCCESS [0.296s]
[INFO] Apache Maven Wagon :: Providers :: File Provider .. SUCCESS [1.139s]
[INFO] Apache Maven Wagon :: Providers :: FTP Provider ... SUCCESS [6.410s]
[INFO] Apache Maven Wagon :: Providers :: HTTP Shared Library 4 SUCCESS [1.284s]
[INFO] Apache Maven Wagon :: Test Compatibility Kits ..... SUCCESS [0.214s]
[INFO] Apache Maven Wagon :: HTTP Test Compatibility Kit . SUCCESS [0.625s]
[INFO] Apache Maven Wagon :: Providers :: HTTP Provider .. SUCCESS [2:19.005s]
[INFO] Apache Maven Wagon :: Providers :: HTTP Shared Library SUCCESS [1.027s]
[INFO] Apache Maven Wagon :: Providers :: Lightweight HTTP Provider SUCCESS [1:52.511s]
[INFO] Apache Maven Wagon :: Providers :: SCM Provider ... SUCCESS [4.794s]
[INFO] Apache Maven Wagon :: Providers :: SSH Common Library SUCCESS [0.708s]
[INFO] Apache Maven Wagon :: Providers :: SSH Common Tests SUCCESS [0.543s]
[INFO] Apache Maven Wagon :: Providers :: SSH External Provider SUCCESS [0.491s]
[INFO] Apache Maven Wagon :: Providers :: SSH Provider ... SUCCESS [0.569s]
[INFO] Apache Maven Wagon :: Providers :: WebDav Provider SUCCESS [37.491s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 5:14.309s
[INFO] Finished at: Mon Jan 28 15:27:05 CET 2013
[INFO] Final Memory: 26M/205M-

git status

oleg@ubuntu:~/src/apache.org/maven/maven-wagon$ git status

  1. On branch master
  2. Changes to be committed:
  3. (use "git reset HEAD <file>..." to unstage)
    #
  4. modified: wagon-providers/wagon-http-shared4/src/main/java/org/apache/maven/wagon/shared/http4/AbstractHttpClientWagon.java
  5. modified: wagon-providers/wagon-http-shared4/src/main/java/org/apache/maven/wagon/shared/http4/ConfigurableSSLSocketFactory.java
  6. new file: wagon-providers/wagon-http-shared4/src/main/java/org/apache/maven/wagon/shared/http4/ConfigurableSSLSocketFactoryDecorator.java

git rev-parse HEAD

d8b1974e91b1944efe964579b858bb54168fb70a

Oleg

Show
Oleg Kalnichevski added a comment - Sorry, I should have mentioned that in my previous post. All tests when run as 'mvn clean test' pass for me. — [INFO] ------------------------------------------------------------------------ [INFO] Reactor Summary: [INFO] [INFO] Apache Maven Wagon ................................ SUCCESS [2.100s] [INFO] Apache Maven Wagon :: API ......................... SUCCESS [3.069s] [INFO] Apache Maven Wagon :: Provider Test ............... SUCCESS [1.273s] [INFO] Apache Maven Wagon :: Providers ................... SUCCESS [0.296s] [INFO] Apache Maven Wagon :: Providers :: File Provider .. SUCCESS [1.139s] [INFO] Apache Maven Wagon :: Providers :: FTP Provider ... SUCCESS [6.410s] [INFO] Apache Maven Wagon :: Providers :: HTTP Shared Library 4 SUCCESS [1.284s] [INFO] Apache Maven Wagon :: Test Compatibility Kits ..... SUCCESS [0.214s] [INFO] Apache Maven Wagon :: HTTP Test Compatibility Kit . SUCCESS [0.625s] [INFO] Apache Maven Wagon :: Providers :: HTTP Provider .. SUCCESS [2:19.005s] [INFO] Apache Maven Wagon :: Providers :: HTTP Shared Library SUCCESS [1.027s] [INFO] Apache Maven Wagon :: Providers :: Lightweight HTTP Provider SUCCESS [1:52.511s] [INFO] Apache Maven Wagon :: Providers :: SCM Provider ... SUCCESS [4.794s] [INFO] Apache Maven Wagon :: Providers :: SSH Common Library SUCCESS [0.708s] [INFO] Apache Maven Wagon :: Providers :: SSH Common Tests SUCCESS [0.543s] [INFO] Apache Maven Wagon :: Providers :: SSH External Provider SUCCESS [0.491s] [INFO] Apache Maven Wagon :: Providers :: SSH Provider ... SUCCESS [0.569s] [INFO] Apache Maven Wagon :: Providers :: WebDav Provider SUCCESS [37.491s] [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 5:14.309s [INFO] Finished at: Mon Jan 28 15:27:05 CET 2013 [INFO] Final Memory: 26M/205M- — git status — oleg@ubuntu:~/src/apache.org/maven/maven-wagon$ git status On branch master Changes to be committed: (use "git reset HEAD <file>..." to unstage) # modified: wagon-providers/wagon-http-shared4/src/main/java/org/apache/maven/wagon/shared/http4/AbstractHttpClientWagon.java modified: wagon-providers/wagon-http-shared4/src/main/java/org/apache/maven/wagon/shared/http4/ConfigurableSSLSocketFactory.java new file: wagon-providers/wagon-http-shared4/src/main/java/org/apache/maven/wagon/shared/http4/ConfigurableSSLSocketFactoryDecorator.java — git rev-parse HEAD — d8b1974e91b1944efe964579b858bb54168fb70a — Oleg
Hide
Permalink
Olivier Lamy added a comment -

what is your env ?
Because here https test doesn't pass anymore.

Maven home: /Users/olamy/softs/maven/trunk
Java version: 1.6.0_37, vendor: Apple Inc.
Java home: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
Default locale: fr_FR, platform encoding: MacRoman
OS name: "mac os x", version: "10.8.2", arch: "x86_64", family: "mac"
Show
Olivier Lamy added a comment - what is your env ? Because here https test doesn't pass anymore. Maven home: /Users/olamy/softs/maven/trunk Java version: 1.6.0_37, vendor: Apple Inc. Java home: / System /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home Default locale: fr_FR, platform encoding: MacRoman OS name: "mac os x" , version: "10.8.2" , arch: "x86_64" , family: "mac"
Hide
Permalink
Oleg Kalnichevski added a comment - - edited


oleg@ubuntu:~/src/apache.org/maven/maven-wagon$ mvn -version
Maven home: /opt/maven
Java version: 1.6.0_35, vendor: Sun Microsystems Inc.
Java home: /opt/oracle-jdk-1.6.0.35/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "3.5.0-22-generic", arch: "amd64", family: "unix"

Oleg

Show
Oleg Kalnichevski added a comment - - edited — oleg@ubuntu:~/src/apache.org/maven/maven-wagon$ mvn -version Maven home: /opt/maven Java version: 1.6.0_35, vendor: Sun Microsystems Inc. Java home: /opt/oracle-jdk-1.6.0.35/jre Default locale: en_US, platform encoding: UTF-8 OS name: "linux", version: "3.5.0-22-generic", arch: "amd64", family: "unix" — Oleg
Hide
Permalink
Oleg Kalnichevski added a comment -

Let us try to tackle the problem in several incremental steps. Could you please see if all test cases pass for you locally with this patch only? The patch only refactors the SSL initialization code sowewhat without (intentionally) changing its behavior.

Oleg

Show
Oleg Kalnichevski added a comment - Let us try to tackle the problem in several incremental steps. Could you please see if all test cases pass for you locally with this patch only? The patch only refactors the SSL initialization code sowewhat without (intentionally) changing its behavior. Oleg
Hide
Permalink
Olivier Lamy added a comment -

ok I have reverted some commits and it's better now.

Show
Olivier Lamy added a comment - ok I have reverted some commits and it's better now.
Hide
Permalink
Olivier Lamy added a comment -

bin.zip or bin.tar.gz available for testing here https://builds.apache.org/view/M-R/view/Maven/job/maven-3.x/

Show
Olivier Lamy added a comment - bin.zip or bin.tar.gz available for testing here https://builds.apache.org/view/M-R/view/Maven/job/maven-3.x/
Hide
Permalink
Chris Owens added a comment -

I am still experiencing this problem with the tomcat7-maven-plugin, whose "Deploy" goal I believe uses the same underlying plumbing.

It fails under tomcat7 plugin versions 2.0 or 2.1, under
Maven 3.0.5, with either the wagon 2.4 code that ships with maven 3.0.5, or with the lightweight 2.2 version in the comments above, and with -Dmaven.wagon.http.ssl.easy=false or true.

Show
Chris Owens added a comment - I am still experiencing this problem with the tomcat7-maven-plugin, whose "Deploy" goal I believe uses the same underlying plumbing. It fails under tomcat7 plugin versions 2.0 or 2.1, under Maven 3.0.5, with either the wagon 2.4 code that ships with maven 3.0.5, or with the lightweight 2.2 version in the comments above, and with -Dmaven.wagon.http.ssl.easy=false or true.

People

  • Assignee:
    Olivier Lamy
    Reporter:
    Igor von Nyssen
Vote (3)
Watch (8)

Dates

  • Created:
    Updated:
    Resolved: