I generated a CSR with the following command:
openssl req -new -out activemq.csr -newkey rsa:2048 -nodes -sha256 -keyout activemq.key -config req.conf
After submitting my CSR I received back my-cer.cer, from which I created a JKS keystore:
keytool -importcert -noprompt -alias server -file my-cer.cer -keypass $KEY_PASS -keystore server-keystore.jks -storepass $STORE_PASS -storetype JKS
Similarly, I made a client JKS keystore with the CA.cer file. But when I try to connect to the broker on port 61616, I get this error on the ActiveMQ Artemis broker:
WARN [org.apache.activemq.artemis.core.server] AMQ222208: SSL handshake failed for client from /127.0.0.1:65172: javax.net.ssl.SSLHandshakeException: No available authentication scheme.
On the client side:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[na:na]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:340) ~[na:na]
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[na:na]
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:186) ~[na:na]
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[na:na]
at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681) ~[na:na]
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636) ~[na:na]
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454) ~[na:na]
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433) ~[na:na]
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637) ~[na:na]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:296) ~[netty-handler-4.1.84.Final.jar:4.1.84.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1343) ~[netty-handler-4.1.84.Final.jar:4.1.84.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1236) ~[netty-handler-4.1.84.Final.jar:4.1.84.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1285) ~[netty-handler-4.1.84.Final.jar:4.1.84.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:519) ~[netty-codec-4.1.84.Final.jar:4.1.84.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:458) ~[netty-codec-4.1.84.Final.jar:4.1.84.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:280) ~[netty-codec-4.1.84.Final.jar:4.1.84.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[netty-transport-4.1.84.Final.jar:4.1.84.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.84.Final.jar:4.1.84.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[netty-transport-4.1.84.Final.jar:4.1.84.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[netty-transport-4.1.84.Final.jar:4.1.84.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[netty-transport-4.1.84.Final.jar:4.1.84.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.84.Final.jar:4.1.84.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[netty-transport-4.1.84.Final.jar:4.1.84.Final]
at io.netty.channel.kqueue.AbstractKQueueStreamChannel$KQueueStreamUnsafe.readReady(AbstractKQueueStreamChannel.java:544) ~[netty-transport-classes-kqueue-4.1.84.Final.jar:4.1.84.Final]
at io.netty.channel.kqueue.AbstractKQueueChannel$AbstractKQueueUnsafe.readReady(AbstractKQueueChannel.java:383) ~[netty-transport-classes-kqueue-4.1.84.Final.jar:4.1.84.Final]
at io.netty.channel.kqueue.KQueueEventLoop.processReady(KQueueEventLoop.java:213) ~[netty-transport-classes-kqueue-4.1.84.Final.jar:4.1.84.Final]
at io.netty.channel.kqueue.KQueueEventLoop.run(KQueueEventLoop.java:291) ~[netty-transport-classes-kqueue-4.1.84.Final.jar:4.1.84.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[netty-common-4.1.84.Final.jar:4.1.84.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.84.Final.jar:4.1.84.Final]
at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) ~[artemis-commons-2.19.1.jar:2.19.1]
Acceptor:
<acceptor name="artemis">tcp://0.0.0.0:61616?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true;supportAdvisory=false;suppressInternalManagementObjects=false;sslEnabled=true;keyStorePath=/Users/subhidh/Desktop/ssl/server-keystore.jks;keyStorePassword=securepass</acceptor>
URL used in jndi.properties:
tcp://127.0.0.1:61616?sslEnabled=true&trustStorePath=/Users/subhidh/Desktop/ssl/truststore.jks&trustStorePassword=securepass
Java Version - OpenJDK 17.0.5 2022-10-18 LTS
ActiveMQ Artemis 2.28.0
I searched for this issue; most people say to use RSA instead of DSA, so I checked the certificate with:
openssl x509 -in my-cer.cer -text
And it said:
Signature Algorithm: sha256WithRSAEncryption
Here is the output after setting -Djavax.net.debug=ssl,handshake:
javax.net.ssl|DEBUG|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.561 IST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.563 IST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.563 IST|ServerNameExtension.java:529|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.563 IST|SSLExtensions.java:272|Ignore, context unavailable extension: server_name
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.563 IST|MaxFragExtension.java:459|Ignore unavailable max_fragment_length extension
javax.net.ssl|DEBUG|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.563 IST|SSLExtensions.java:272|Ignore, context unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.565 IST|AlpnExtension.java:383|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.565 IST|SSLExtensions.java:272|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.567 IST|EncryptedExtensions.java:137|Produced EncryptedExtensions message (
"EncryptedExtensions": [
"supported_groups (10)": {
"versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
}
]
)
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.568 IST|X509Authentication.java:304|No X.509 cert selected for EC
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.569 IST|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.569 IST|X509Authentication.java:304|No X.509 cert selected for EC
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.571 IST|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.571 IST|X509Authentication.java:304|No X.509 cert selected for EC
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.572 IST|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.572 IST|X509Authentication.java:304|No X.509 cert selected for RSA
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.572 IST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_rsae_sha256
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.573 IST|X509Authentication.java:304|No X.509 cert selected for RSA
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.573 IST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_rsae_sha384
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.573 IST|X509Authentication.java:304|No X.509 cert selected for RSA
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.574 IST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_rsae_sha512
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.574 IST|X509Authentication.java:304|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.574 IST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_pss_sha256
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.574 IST|X509Authentication.java:304|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.574 IST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_pss_sha384
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.574 IST|X509Authentication.java:304|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.574 IST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_pss_sha512
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.574 IST|X509Authentication.java:304|No X.509 cert selected for RSA
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.574 IST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.574 IST|X509Authentication.java:304|No X.509 cert selected for RSA
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.574 IST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.575 IST|X509Authentication.java:304|No X.509 cert selected for RSA
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.575 IST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.575 IST|X509Authentication.java:304|No X.509 cert selected for EC
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.575 IST|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.576 IST|X509Authentication.java:304|No X.509 cert selected for RSA
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.576 IST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.576 IST|CertificateMessage.java:1094|No available authentication scheme
javax.net.ssl|ERROR|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.578 IST|TransportContext.java:363|Fatal (HANDSHAKE_FAILURE): No available authentication scheme (
"throwable" : {
javax.net.ssl.SSLHandshakeException: No available authentication scheme
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:358)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:305)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:972)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:961)
at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:440)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1246)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1182)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:840)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:801)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1549)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1395)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1236)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1285)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
at io.netty.handler.codec.ByteToMessageDecoder.handlerRemoved(ByteToMessageDecoder.java:266)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:536)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.kqueue.AbstractKQueueStreamChannel$KQueueStreamUnsafe.readReady(AbstractKQueueStreamChannel.java:544)
at io.netty.channel.kqueue.AbstractKQueueChannel$AbstractKQueueUnsafe.readReady(AbstractKQueueChannel.java:387)
at io.netty.channel.kqueue.KQueueEventLoop.processReady(KQueueEventLoop.java:213)
at io.netty.channel.kqueue.KQueueEventLoop.run(KQueueEventLoop.java:291)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)}
)
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.583 IST|SSLEngineOutputRecord.java:182|outbound has closed, ignore outbound application data
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.585 IST|SSLEngineOutputRecord.java:182|outbound has closed, ignore outbound application data
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.585 IST|SSLEngineOutputRecord.java:182|outbound has closed, ignore outbound application data
javax.net.ssl|WARNING|63|Thread-1 (activemq-netty-threads)|2023-04-21 02:19:17.588 IST|SSLEngineOutputRecord.java:182|outbound has closed, ignore outbound application data
2023-04-21 02:19:17,591 WARN [org.apache.activemq.artemis.core.server] AMQ222208: SSL handshake failed for client from /127.0.0.1:52212: javax.net.ssl.SSLHandshakeException: No available authentication scheme.
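A check for what the debug log is reporting, added here as an example and not part of the question: "No X.509 cert selected for RSA" means the acceptor's keystore offered no private-key entry, which is exactly what importing only the signed certificate with `keytool -importcert` into a fresh keystore produces (a trustedCertEntry). The script below assumes the file names and alias from the question (activemq.key, my-cer.cer, CA.cer, alias "server") and uses placeholder passwords; it shows how to inspect a keystore for a PrivateKeyEntry and how to build one that bundles the key with the certificate via PKCS#12.

```shell
#!/bin/sh
# Added example, not from the original question. Assumes the question's file
# names (activemq.key, my-cer.cer, CA.cer) and keystore alias "server";
# passwords are placeholders to be replaced.

# Classify `keytool -list -v` output read from stdin by the entry types it
# contains. A TLS server needs a PrivateKeyEntry; a trustedCertEntry alone
# (certificate without key) cannot authenticate the server. Pure text
# processing, so it can be checked without a JDK installed.
classify_keystore_listing() {
    listing=$(cat)
    if printf '%s\n' "$listing" | grep -q 'Entry type: PrivateKeyEntry'; then
        echo private-key
    elif printf '%s\n' "$listing" | grep -q 'Entry type: trustedCertEntry'; then
        echo cert-only
    else
        echo empty
    fi
}

# Return 0 only if the given keystore holds a private-key entry, i.e. it can
# be used in an Artemis acceptor with sslEnabled=true.
keystore_can_serve_tls() {
    keystore="$1"; storepass="$2"
    keytool -list -v -keystore "$keystore" -storepass "$storepass" \
        | classify_keystore_listing | grep -qx 'private-key'
}

# Build a server keystore that contains the private key: bundle key,
# signed certificate and CA certificate into PKCS#12, then convert that
# bundle into JKS. Importing my-cer.cer alone with -importcert would only
# create a trustedCertEntry.
build_server_keystore() {
    key="$1"; cert="$2"; cacert="$3"; out="$4"; pass="$5"
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$cacert" \
        -name server -out server.p12 -passout "pass:$pass"
    keytool -importkeystore -noprompt \
        -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$out" -deststoretype JKS -deststorepass "$pass"
}

# Usage: ./check-keystore.sh server-keystore.jks STORE_PASS_PLACEHOLDER
if [ $# -ge 2 ]; then
    if keystore_can_serve_tls "$1" "$2"; then
        echo "$1: has a private-key entry (usable by the acceptor)"
    else
        echo "$1: no private-key entry; rebuild it with build_server_keystore"
    fi
fi
```

Run the check against server-keystore.jks; if it reports no private-key entry, rebuild the keystore with `build_server_keystore activemq.key my-cer.cer CA.cer server-keystore.jks <password>` and restart the acceptor.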