
SSL handshake failure caused by unknown certificate authority of provided client certificate does not indicate selected certificate #14169

Open
minfrin opened this issue Feb 1, 2023 · 3 comments
Labels
enhancement help wanted webdav WebDAV Protocol Implementation

Comments

minfrin commented Feb 1, 2023

Describe the bug
If any security failure exists when connecting to a server over TLS, details of certificates involved need to be made available in a sensible fashion that is practical to troubleshoot.

To Reproduce
Steps to reproduce the behavior:

  1. Connect to a server whose certificate is untrusted.
  2. See interoperability error as per the screenshot.

Expected behavior
Details of the certificate involved need to be made available in such a way that they can be screenshotted and/or downloaded and sent by a user to someone who can troubleshoot this.

In this case, the correct certificate is properly trusted, and works fine for everyone else and other services. It is very possible there is a man in the middle going on here, but it's almost impossible to troubleshoot because the certificate Mountain Duck is complaining about is kept hidden.

Screenshots
[image attached to the issue, not reproduced here]

Desktop (please complete the following information):

  • OS: Windows
  • Version Unsure

Log Files

Additional context

@dkocher dkocher changed the title Mountain Duck: When CA is unknown, the error message must give details of the certificate Missing details in on certificate chain validation failure Feb 1, 2023
dkocher (Contributor) commented Feb 3, 2023

The expected error prompt shown on a certificate validation error would allow displaying the certificate chain.

[Screenshot 2023-02-03 at 09 00 03, attached to the comment]

@minfrin Please include the log file. You can reach the logging output in Preferences → Connection.

minfrin (Author) commented Feb 6, 2023

Requested a logfile and got this message over and over, as described in #14198

Not sure if this logged error is related, as the error does not include the URL it is complaining about, and so it's a guess.

minfrin (Author) commented Feb 6, 2023

Got a logfile from the end user, looks like this.

2023-02-06 15:11:49,874 [background-12] DEBUG ch.cyberduck.core.threading.DefaultFailureDiagnostics - Determine cause for failure BackgroundException{class=class ch.cyberduck.core.exception.SSLNegotiateException, file=null, message='Interoperability failure', detail='Unknown ca. A valid certificate chain or partial chain was received, but the certificate was not accepted because the certificate authority certificate could not be located or couldn't be matched with a known, trusted certificate authority.', cause='javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca'}
2023-02-06 15:11:49,874 [background-12] WARN  ch.cyberduck.core.threading.AbstractRetryCallable - No retry for failure BackgroundException{class=class ch.cyberduck.core.exception.SSLNegotiateException, file=null, message='Interoperability failure', detail='Unknown ca. A valid certificate chain or partial chain was received, but the certificate was not accepted because the certificate authority certificate could not be located or couldn't be matched with a known, trusted certificate authority.', cause='javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca'}
2023-02-06 15:11:49,874 [background-12] WARN  ch.cyberduck.core.threading.BackgroundCallable - Failure BackgroundException{class=class ch.cyberduck.core.exception.SSLNegotiateException, file=null, message='Interoperability failure', detail='Unknown ca. A valid certificate chain or partial chain was received, but the certificate was not accepted because the certificate authority certificate could not be located or couldn't be matched with a known, trusted certificate authority.', cause='javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca'} running background task
java.lang.Exception: null
	at ch.cyberduck.core.threading.BackgroundCallable.<init>(BackgroundCallable.java:37) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.threading.DefaultBackgroundExecutor.execute(DefaultBackgroundExecutor.java:81) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.AbstractController.background(AbstractController.java:70) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at cli.ch.iterate.mountainduck.windows.Controller.MountController.connect(Unknown Source) ~[Mountain%20Duck.exe:?]
	at ch.iterate.mountainduck.fs.ConnectCallback.connect(ConnectCallback.java:18) ~[Mountainduck.Core.DLL:48279784e8892574b380539369f1363b3698c765]
	at cli.ch.iterate.mountainduck.windows.Controller.MountController.ch.iterate.mountainduck.fs.ConnectCallback.connect(Unknown Source) ~[Mountain%20Duck.exe:?]
	at cli.System.Windows.Threading.DispatcherOperation.InvokeDelegateCore(Unknown Source) ~[WindowsBase.dll:?]
	at cli.System.Windows.Threading.DispatcherOperation.InvokeImpl(Unknown Source) ~[WindowsBase.dll:?]
	at cli.MS.Internal.CulturePreservingExecutionContext.CallbackWrapper(Unknown Source) ~[WindowsBase.dll:?]
	at cli.System.Threading.ExecutionContext.RunInternal(Unknown Source) ~[mscorlib.dll:?]
	at cli.System.Threading.ExecutionContext.Run(Unknown Source) ~[mscorlib.dll:?]
	at cli.System.Threading.ExecutionContext.Run(Unknown Source) ~[mscorlib.dll:?]
	at cli.MS.Internal.CulturePreservingExecutionContext.Run(Unknown Source) ~[WindowsBase.dll:?]
	at cli.System.Windows.Threading.DispatcherOperation.Invoke(Unknown Source) ~[WindowsBase.dll:?]
	at cli.System.Windows.Threading.Dispatcher.ProcessQueue(Unknown Source) ~[WindowsBase.dll:?]
	at cli.System.Windows.Threading.Dispatcher.WndProcHook(Unknown Source) ~[WindowsBase.dll:?]
	at cli.MS.Win32.HwndWrapper.WndProc(Unknown Source) ~[WindowsBase.dll:?]
	at cli.MS.Win32.HwndSubclass.DispatcherCallbackOperation(Unknown Source) ~[WindowsBase.dll:?]
	at cli.System.Windows.Threading.ExceptionWrapper.InternalRealCall(Unknown Source) ~[WindowsBase.dll:?]
	at cli.System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Unknown Source) ~[WindowsBase.dll:?]
	at cli.System.Windows.Threading.Dispatcher.LegacyInvokeImpl(Unknown Source) ~[WindowsBase.dll:?]
	at cli.MS.Win32.HwndSubclass.SubclassWndProc(Unknown Source) ~[WindowsBase.dll:?]
	at cli.MS.Win32.UnsafeNativeMethods.DispatchMessage(Unknown Source) ~[WindowsBase.dll:?]
	at cli.MS.Win32.UnsafeNativeMethods.DispatchMessage(Unknown Source) ~[WindowsBase.dll:?]
	at cli.System.Windows.Threading.Dispatcher.PushFrameImpl(Unknown Source) ~[WindowsBase.dll:?]
	at cli.System.Windows.Application.RunDispatcher(Unknown Source) ~[PresentationFramework.dll:?]
	at cli.System.Windows.Application.RunInternal(Unknown Source) ~[PresentationFramework.dll:?]
	at cli.ch.iterate.mountainduck.windows.App.Main(Unknown Source) ~[Mountain%20Duck.exe:?]
	at cli.ch.iterate.mountainduck.windows.Program.Main(Unknown Source) ~[Mountain%20Duck.exe:?]
Caused by: ch.cyberduck.core.exception.SSLNegotiateException: Interoperability failure
	at ch.cyberduck.core.ssl.SSLExceptionMappingService.map(SSLExceptionMappingService.java:96) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.DefaultIOExceptionMappingService.map(DefaultIOExceptionMappingService.java:54) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.http.HttpExceptionMappingService.map(HttpExceptionMappingService.java:35) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.dav.DAVSession.login(DAVSession.java:229) ~[Cyberduck.Protocols.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.KeychainLoginService.authenticate(KeychainLoginService.java:193) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.LoginConnectionService.authenticate(LoginConnectionService.java:166) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.LoginConnectionService.connect(LoginConnectionService.java:157) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.LoginConnectionService.check(LoginConnectionService.java:101) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.pool.StatelessSessionPool.borrow(StatelessSessionPool.java:57) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.iterate.mountainduck.fs.DefaultFilesystemSessionPool.borrow(DefaultFilesystemSessionPool.java:93) ~[Mountainduck.Core.DLL:48279784e8892574b380539369f1363b3698c765]
	at ch.cyberduck.core.threading.SessionBackgroundAction.run(SessionBackgroundAction.java:119) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.iterate.mountainduck.fs.FilesystemMountBackgroundAction.run(FilesystemMountBackgroundAction.java:62) ~[Mountainduck.Core.DLL:48279784e8892574b380539369f1363b3698c765]
	at ch.iterate.mountainduck.fs.FilesystemMountBackgroundAction.run(FilesystemMountBackgroundAction.java:25) ~[Mountainduck.Core.DLL:48279784e8892574b380539369f1363b3698c765]
	at ch.cyberduck.core.threading.SessionBackgroundAction$1.call(SessionBackgroundAction.java:107) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.threading.DefaultRetryCallable.call(DefaultRetryCallable.java:52) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.threading.SessionBackgroundAction.call(SessionBackgroundAction.java:109) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.threading.BackgroundCallable.run(BackgroundCallable.java:95) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.threading.BackgroundCallable.call(BackgroundCallable.java:59) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:625) ~[?:1.8.0]
	at ch.cyberduck.core.threading.NamedThreadFactory$1.run(NamedThreadFactory.java:59) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at java.lang.Thread.run(Thread.java:955) ~[?:1.8.0]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
	at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:1.8.0]
	at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:1.8.0]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:311) ~[?:1.8.0]
	at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[?:1.8.0]
	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185) ~[?:1.8.0]
	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:155) ~[?:1.8.0]
	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ~[?:1.8.0]
	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1301) ~[?:1.8.0]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) ~[?:1.8.0]
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437) ~[Cyberduck.Core.DLL:4.5.14]
	at ch.cyberduck.core.http.HttpConnectionPoolBuilder$2.createLayeredSocket(HttpConnectionPoolBuilder.java:103) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:382) ~[Cyberduck.Core.DLL:4.5.14]
	at ch.cyberduck.core.http.HttpConnectionPoolBuilder$2.connectSocket(HttpConnectionPoolBuilder.java:111) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[Cyberduck.Core.DLL:4.5.14]
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:378) ~[Cyberduck.Core.DLL:4.5.14]
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[Cyberduck.Core.DLL:4.5.14]
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[Cyberduck.Core.DLL:4.5.14]
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[Cyberduck.Core.DLL:4.5.14]
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[Cyberduck.Core.DLL:4.5.14]
	at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.execute(ServiceUnavailableRetryExec.java:85) ~[Cyberduck.Core.DLL:4.5.14]
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[Cyberduck.Core.DLL:4.5.14]
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[Cyberduck.Core.DLL:4.5.14]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) ~[Cyberduck.Core.DLL:4.5.14]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:221) ~[Cyberduck.Core.DLL:4.5.14]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165) ~[Cyberduck.Core.DLL:4.5.14]
	at com.github.sardine.impl.SardineImpl.execute(SardineImpl.java:1091) ~[Cyberduck.Protocols.DLL:5.14]
	at com.github.sardine.impl.SardineImpl.execute(SardineImpl.java:1060) ~[Cyberduck.Protocols.DLL:5.14]
	at ch.cyberduck.core.dav.DAVClient.execute(DAVClient.java:67) ~[Cyberduck.Protocols.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.dav.DAVSession.login(DAVSession.java:175) ~[Cyberduck.Protocols.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.KeychainLoginService.authenticate(KeychainLoginService.java:193) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.LoginConnectionService.authenticate(LoginConnectionService.java:166) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.LoginConnectionService.connect(LoginConnectionService.java:157) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.LoginConnectionService.check(LoginConnectionService.java:101) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.pool.StatelessSessionPool.borrow(StatelessSessionPool.java:57) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.iterate.mountainduck.fs.DefaultFilesystemSessionPool.borrow(DefaultFilesystemSessionPool.java:93) ~[Mountainduck.Core.DLL:48279784e8892574b380539369f1363b3698c765]
	at ch.cyberduck.core.threading.SessionBackgroundAction.run(SessionBackgroundAction.java:119) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.iterate.mountainduck.fs.FilesystemMountBackgroundAction.run(FilesystemMountBackgroundAction.java:62) ~[Mountainduck.Core.DLL:48279784e8892574b380539369f1363b3698c765]
	at ch.iterate.mountainduck.fs.FilesystemMountBackgroundAction.run(FilesystemMountBackgroundAction.java:25) ~[Mountainduck.Core.DLL:48279784e8892574b380539369f1363b3698c765]
	at ch.cyberduck.core.threading.SessionBackgroundAction$1.call(SessionBackgroundAction.java:107) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.threading.DefaultRetryCallable.call(DefaultRetryCallable.java:52) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.threading.SessionBackgroundAction.call(SessionBackgroundAction.java:109) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.threading.BackgroundCallable.run(BackgroundCallable.java:95) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at ch.cyberduck.core.threading.BackgroundCallable.call(BackgroundCallable.java:59) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:625) ~[?:1.8.0]
	at ch.cyberduck.core.threading.NamedThreadFactory$1.run(NamedThreadFactory.java:59) ~[Cyberduck.Core.DLL:1f62ed6384696a39a9c3b22c7d3a71054c9ba87c]
	at java.lang.Thread.run(Thread.java:955) ~[?:1.8.0]

Mountain Duck is choosing a client certificate, submitting it to the server, which rejects with "unknown CA". What Mountain Duck isn't doing is telling us which client cert was actually used, and what chain was in place, if any.

When dealing with non-technical people, this lack of detail makes troubleshooting very difficult.
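
The diagnostic the reporter asks for (which client certificate and chain the JSSE selected before the server answered with `unknown_ca`) can be captured at the key-manager layer. The following is an added example written for this thread, not Cyberduck or Mountain Duck code: a delegating `X509KeyManager` that logs the issuer names the server advertised in its CertificateRequest, the alias the platform key manager picked, and the chain that will be sent. The class name `LoggingKeyManager` and the `describeSelection` helper are hypothetical; the `X509KeyManager` interface, `KeyManagerFactory` and `SSLContext` calls are standard JSSE.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.net.ssl.KeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Hypothetical helper (not project code): wraps the platform X509KeyManager so
 * the client certificate chosen for a server's CertificateRequest is logged
 * before the handshake continues. If the server then sends an unknown_ca alert,
 * the log shows exactly which certificate and chain were offered.
 *
 * Wiring it in, assuming an already initialised KeyManagerFactory kmf and the
 * trust managers the application normally uses:
 *
 *   SSLContext ctx = SSLContext.getInstance("TLS");
 *   ctx.init(LoggingKeyManager.wrap(kmf.getKeyManagers()), trustManagers, null);
 */
public final class LoggingKeyManager implements X509KeyManager {
    private static final Logger LOG = Logger.getLogger(LoggingKeyManager.class.getName());
    private final X509KeyManager delegate;

    public LoggingKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    /** Wraps every X509KeyManager in the array; other key managers pass through untouched. */
    public static KeyManager[] wrap(KeyManager[] managers) {
        List<KeyManager> out = new ArrayList<>();
        for (KeyManager km : managers) {
            out.add(km instanceof X509KeyManager ? new LoggingKeyManager((X509KeyManager) km) : km);
        }
        return out.toArray(new KeyManager[0]);
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        // The JSSE calls this once per handshake in which the server requests a client certificate.
        String alias = delegate.chooseClientAlias(keyType, issuers, socket);
        LOG.info(describeSelection(alias, issuers, socket));
        return alias;
    }

    /** Builds a summary that a user can copy or screenshot for whoever troubleshoots the connection. */
    String describeSelection(String alias, Principal[] issuers, Socket socket) {
        StringBuilder sb = new StringBuilder("Client certificate request from ")
            .append(socket != null ? socket.getRemoteSocketAddress() : "unknown peer").append('\n');
        // issuers is the CA list from the server's CertificateRequest; null or empty means any issuer.
        if (issuers == null || issuers.length == 0) {
            sb.append("  server accepts: any issuer\n");
        } else {
            for (Principal p : issuers) {
                sb.append("  server accepts: ").append(p.getName()).append('\n');
            }
        }
        if (alias == null) {
            sb.append("  no matching client certificate; an empty Certificate message will be sent\n");
            return sb.toString();
        }
        sb.append("  selected alias: ").append(alias).append('\n');
        X509Certificate[] chain = delegate.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            sb.append("  (no certificate chain available for this alias)\n");
            return sb.toString();
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            sb.append("  chain[").append(i).append("] subject=").append(c.getSubjectX500Principal().getName())
              .append(" issuer=").append(c.getIssuerX500Principal().getName())
              .append(" serial=").append(c.getSerialNumber().toString(16))
              .append(" notAfter=").append(c.getNotAfter()).append('\n');
        }
        return sb.toString();
    }

    // The remaining X509KeyManager methods simply delegate.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

The two pieces of information this records are the ones needed to explain an `unknown_ca` alert: if the chain's top issuer does not appear among the names the server advertised, the client offered a certificate from a CA the server does not trust (or the server's CA list is misconfigured); if the names do match but the alert still arrives, the server-side chain building or trust store is the place to look. Outside the application, the same comparison can be made with `openssl s_client -connect host:443 -cert client.pem -key client.key`, which prints the server's "Acceptable client certificate CA names" during the handshake.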

@dkocher dkocher changed the title Missing details in on certificate chain validation failure SSL handshake failure caused by unknown certificate authority of provided client certificate does not indicate selected certificate Feb 6, 2023
@dkocher dkocher added the webdav WebDAV Protocol Implementation label Feb 6, 2023