
"Certificate expired" error occurs in timestamping service plugin during SSL handshake when using expired client certificate for authentication

Product: IMiS/ARChive
Release: All
Date: 02/26/2020

Case: When the timestamping service is used over SSL with an expired client certificate for authentication, an SSLHandshakeException occurs during the SSL handshake.

Description:

When the timestamping service is used over SSL and an expired client certificate is used for authentication, an SSLHandshakeException occurs during the SSL handshake and the timestamp fails. The alert is received from the peer, i.e. the timestamp provider rejects the presented client certificate; the local keystore itself still loads. Example server stack trace using the RFC3161 timestamp service plugin:

02/25/20 16:40:30.705 [iarcd:10432:2055207744] DBG[7] Maximal batch size '256' for job '1481' reached, starting timestamping...
02/25/20 16:40:30.705 [iarcd:10432:2055207744] DBG[7] Start building Merkle tree ('256' leafs).
02/25/20 16:40:30.835 [iarcd:10432:2055207744] DBG[7] Timestamping started...
02/25/20 16:40:31.449 [iarcd:10432:2055207744] ERR[3] Error occurred while creating timestamp. Reason: 'Error creating timestamp. Reason: com.imis.imisarc.server.tsp.TimeStampingProtocolException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_expired
com.imis.imisarc.server.tsp.impl.RFC3161Session.createTimeStamp(RFC3161Session.java:272)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_expired
sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020)
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127)
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:570)
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415)
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:326)
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605)
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
com.imis.imisarc.server.tsp.impl.RFC3161Session.createTimeStamp(RFC3161Session.java:219)' at 'src/iajtsp.cpp:320'
02/25/20 16:40:31.449 [iarcd:10432:2055207744] DBG[7] CleanupOnFailure started (AipQueueIds '256', CreateAipQueueIds '0', TimestampId '0').
02/25/20 16:40:32.179 [iarcd:10432:2055207744] DBG[7] CleanupOnFailure ended.

Solution:
Replace the expired client certificate with a new one. Under the timestamp provider arguments, locate the '<SSLKSFile>' tag and change the path to the keystore holding the new client certificate. Also correct the '<SSLKSPassword>' and '<SSLKSType>' values if needed. Example of an RFC3161 timestamp client authentication configuration:

<Service>
    <Protocol>HTTPS</Protocol>
    <Address>https://rfc3161.timestamp.provider</Address>
    <Interface>RFC3161</Interface>
    <AuthType>NONE</AuthType>
    <SSLProtocols>TLS</SSLProtocols>
    <SSLKSType>PKCS12</SSLKSType>
    <SSLKSFile>/path/to/client_certificate.pfx</SSLKSFile>
    <SSLKSPassword>client-certificate-password</SSLKSPassword>
    <SSLTSType>IAKS</SSLTSType>
</Service>
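As an added illustration (not part of this article or of the IMiS/ARChive product), a small Java pre-check that reads the <SSLKSType>, <SSLKSFile> and <SSLKSPassword> values from a configuration file containing the <Service> element above, opens the keystore the same way the plugin's Java SSL stack would, and reports every private-key entry that is already expired or will expire within an assumed 30-day window, so the certificate_expired failure can be caught before a timestamping job runs. It assumes those three tags occur once in the file; the class name, the warning threshold and the exit codes are this example's own.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class TspClientCertCheck {
    static final long WARN_DAYS = 30; // assumed renewal lead time; adjust to local policy
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DOCTYPE: blocks external entities
        Document doc = f.newDocumentBuilder().parse(Paths.get(args[0]).toFile());
        KeyStore ks = KeyStore.getInstance(text(doc, "SSLKSType")); // e.g. PKCS12, exactly as configured
        try (InputStream in = Files.newInputStream(Paths.get(text(doc, "SSLKSFile")))) {
            ks.load(in, text(doc, "SSLKSPassword").toCharArray());
        }
        int rc = 0; // 0 = ok, 1 = expires within WARN_DAYS, 2 = already unusable
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            // Only entries holding a private key can authenticate the client; skip trust-only entries.
            if (!ks.isKeyEntry(alias) || !(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            long daysLeft = Duration.between(Instant.now(), x.getNotAfter().toInstant()).toDays();
            try {
                x.checkValidity(); // throws when expired or not yet valid: the condition behind the certificate_expired alert
                String state = daysLeft < WARN_DAYS ? "WARN" : "OK";
                System.out.println(state + "  " + alias + ": valid until " + x.getNotAfter() + " (" + daysLeft + " days left)");
                if (daysLeft < WARN_DAYS) rc = Math.max(rc, 1);
            } catch (CertificateException e) {
                System.out.println("FAIL  " + alias + ": " + e.getMessage() + " (notAfter " + x.getNotAfter() + ")");
                rc = 2;
            }
        }
        System.exit(rc);
    }
    private static String text(Document doc, String tag) {
        NodeList n = doc.getElementsByTagName(tag);
        if (n.getLength() == 0) throw new IllegalArgumentException("missing <" + tag + ">");
        return n.item(0).getTextContent().trim();
    }
}
```

Run it as `java TspClientCertCheck /path/to/service-config.xml` from a scheduled job and alert on a non-zero exit code; the keystore password is read from the configuration rather than passed on the command line so it does not appear in the process list.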
