1 Reply Latest reply on May 26, 2016 6:20 AM by mchoma

    WildFly 10 SSL + Client certificate UT000124: renegotiation timed out

    kevcodez

      Hey,

       

      I am using WildFly 10 and defined a SecurityRealm with an SSL certificate and a truststore containing a client certificate.

      <security-realm name="UndertowRealm">
          <server-identities>
              <ssl>
                  <keystore path="selfsigned.jks" relative-to="jboss.server.config.dir" keystore-password="secret" alias="selfsigned" key-password="secret"/>
              </ssl>
          </server-identities>
          <authentication>
              <truststore path="wildflytruststore.jks" relative-to="jboss.server.config.dir" keystore-password="secret"/>
          </authentication>
      </security-realm>

      This works fine most of the time. However, from time to time (every ~1000th request), I am getting the following exception:

       

      2016-05-13 11:14:56,071 ERROR [io.undertow.request] (default task-19) UT005023: Exception handling request to /openshop-web/api/v1/signature/raw: java.lang.IllegalStateException: UT000124: renegotiation timed out
       at io.undertow.server.ConnectionSSLSessionInfo.renegotiateNoRequest(ConnectionSSLSessionInfo.java:175)
       at io.undertow.server.ConnectionSSLSessionInfo.renegotiateBufferRequest(ConnectionSSLSessionInfo.java:135)
       at io.undertow.server.ConnectionSSLSessionInfo.renegotiate(ConnectionSSLSessionInfo.java:91)
       at io.undertow.security.impl.ClientCertAuthenticationMechanism.getPeerCertificates(ClientCertAuthenticationMechanism.java:125)
       at io.undertow.security.impl.ClientCertAuthenticationMechanism.authenticate(ClientCertAuthenticationMechanism.java:92)
       at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
       at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
       at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
       at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
       at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
       at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
       at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
       at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
       at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
       at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
       at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
       at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)

       

      An external system requests our REST endpoint (RESTeasy) with the client certificate, and I have no further information on how this external system builds the HTTP request.

      I was unable to find further information or a solution to this problem. This might as well just be a client-side issue...

      Any help in finding out what is going on here is appreciated.

      Thanks in advance.
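Added example, not from the original post or from WildFly's documentation: the realm above is only the key/trust material; which side asks for the client certificate, and when, is decided by the `verify-client` attribute of the Undertow `https-listener` that references the realm. The listener name and socket-binding below are assumed (standard WildFly 10 standalone defaults); the trace shows the on-demand path, where `ClientCertAuthenticationMechanism.getPeerCertificates` starts a TLS renegotiation because no certificate was collected in the initial handshake.

```xml
<!-- Added example (assumed listener layout), not the poster's configuration.
     Goes in the undertow subsystem of standalone.xml, alongside the UndertowRealm shown above. -->
<server name="default-server">
    <!-- Before (assumed): no verify-client, i.e. NOT_REQUESTED. The handshake completes without a
         client certificate; CLIENT-CERT auth later renegotiates to fetch it, and that renegotiation
         is what times out in UT000124 when the client does not answer the second handshake in time. -->
    <!-- <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/> -->

    <!-- After: REQUESTED sends a CertificateRequest in the initial handshake, so a client that has a
         certificate presents it up front and no renegotiation is needed. REQUIRED additionally rejects
         connections that present no certificate, which turns a silent intermittent timeout into an
         immediate, logged handshake failure. -->
    <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"
                    verify-client="REQUESTED"/>
</server>
```

Only one `https-listener` with a given name may exist, so the commented "before" line is there for comparison, not to be kept alongside the "after" one.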