IBM Support

IT47752: FAILURE TO BUILD TRUST CHAIN WHEN MULTIPLE CERTS HAVE THE SAME SUBJECT


APAR status

  • Closed as program error.

Error description

  • When mutual TLS (client auth) is enabled on the HTTPSConnector
    and there are 2 intermediate CAs in the trust store with the same
    Subject and the connecting client only sends a leaf certificate,
    then it is possible that an attempt to establish trust will be
    made with the wrong intermediate CA cert, resulting in failure to
    establish a TLS connection.
    The error displayed by the client can vary depending on the
    client implementation; however, if this client is IBM App Connect
    Enterprise then a typical failure would be:
    Exception in thread "Thread-28" 2025-01-16 16:58:36.628     56 javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
    2025-01-16 16:58:36.628     56  at com.ibm.jsse2.g.a(g.java:40)
    2025-01-16 16:58:36.628     56  at com.ibm.jsse2.g.a(g.java:61)
    2025-01-16 16:58:36.628     56  at com.ibm.jsse2.bb.a(bb.java:171)
    2025-01-16 16:58:36.628     56  at com.ibm.jsse2.g$c.a(g$c.java:28)
    2025-01-16 16:58:36.628     56  at com.ibm.jsse2.bb.a(bb.java:90)
    2025-01-16 16:58:36.628     56  at com.ibm.jsse2.a0.a(a0.java:33)
    2025-01-16 16:58:36.628     56  at com.ibm.jsse2.bj.b(bj.java:79)
    2025-01-16 16:58:36.628     56  at com.ibm.jsse2.bj.f(bj.java:168)
    2025-01-16 16:58:36.629     56  at com.ibm.jsse2.bj.a(bj.java:191)
    2025-01-16 16:58:36.629     56  at com.ibm.jsse2.bj.startHandshake(bj.java:427)
    2025-01-16 16:58:36.629     56  at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeoutInternalNoProxy(MbSslSocket.java:487)
    2025-01-16 16:58:36.629     56  at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeout(MbSslSocket.java:258)
    In this instance the correct intermediate CA should be selected
    based on the Subject Key ID of the client's leaf certificate,
    which should match the Authority Key ID of the intermediate CA.
    

Local fix

  • Configure the connecting clients to send the full certificate
    chain as indicated by the TLS specification.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users of App Connect Enterprise version 12 or 13 using the
    TLS with the HTTP, SOAP or REST Input Nodes.
    
    
    Platforms affected:
    AIX, LinuxZ64, LinuxX64, LinuxPPCLE64
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When mutual TLS (client Auth) is enabled on the HTTPSConnector
    and there are 2 intermediate CA's in the trust store with the
    same subject and the connecting client only sends a leaf
    certificate, then it is possible that an attempt to establish
    trust will be made with the wrong intermediate CA cert resulting
    in failure to establish a TLS connection.
    
    The error displayed
    by the cleint can vary depending on the client implementation,
    however if this client is IBM App Connect Enterprise then a
    typical failure would be:
    
    Exception in thread "Thread-28"
    2025-01-16 16:58:36.628 56 javax.net.ssl.SSLHandshakeException:
    Received fatal alert: decrypt_error
    2025-01-16 16:58:36.628 56
    at com.ibm.jsse2.g.a(g.java:40)
    2025-01-16 16:58:36.628 56 at
    com.ibm.jsse2.g.a(g.java:61)
    2025-01-16 16:58:36.628 56 at
    com.ibm.jsse2.bb.a(bb.java:171)
    2025-01-16 16:58:36.628 56 at
    com.ibm.jsse2.g$c.a(g$c.java:28)
    2025-01-16 16:58:36.628 56 at
    com.ibm.jsse2.bb.a(bb.java:90)
    2025-01-16 16:58:36.628 56 at
    com.ibm.jsse2.a0.a(a0.java:33)
    2025-01-16 16:58:36.628 56 at
    com.ibm.jsse2.bj.b(bj.java:79)
    2025-01-16 16:58:36.628 56 at
    com.ibm.jsse2.bj.f(bj.java:168)
    2025-01-16 16:58:36.629 56 at
    com.ibm.jsse2.bj.a(bj.java:191)
    2025-01-16 16:58:36.629 56 at
    com.ibm.jsse2.bj.startHandshake(bj.java:427)
    2025-01-16
    16:58:36.629 56 at
    com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeoutInternalNo
    Proxy(MbSslSocket.java:487)
    2025-01-16 16:58:36.629 56 at
    com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeout(MbSslSock
    et.java:258)
    
    In this instance the correct intermediate CA
    should be selected based on the Subject Key ID of the clients
    leaf certificate which should match the Authority Id of the
    Intermediate CA.
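The issuer lookup described in the error description and problem summary above, as an added example (not IBM's code and not App Connect Enterprise internals). It models a trust store holding two intermediate CAs with the same Subject, shows that choosing the issuer by Subject alone can pick the wrong one, and then disambiguates the way RFC 5280 key identifiers allow: the leaf's Authority Key Identifier is compared with each candidate's Subject Key Identifier. The certificate class, subject names and key bytes are constructed stand-ins, not parsed X.509 data, and the `duplicate_subjects` audit is a defender's check for trust stores that are exposed to this failure.

```python
# Added example, not IBM's code: models the issuer lookup this APAR describes
# and shows why matching by Subject alone fails when a trust store holds two
# intermediate CAs with the same Subject but different keys.
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    public_key: bytes            # stands in for the SubjectPublicKeyInfo
    aki: Optional[bytes] = None  # Authority Key Identifier = issuer's SKI

    @property
    def ski(self) -> bytes:
        # RFC 5280 4.2.1.2 method (1): SKI is the SHA-1 of the public key bits
        return hashlib.sha1(self.public_key).digest()


def issuer_by_subject_only(leaf: Cert, store: List[Cert]) -> Optional[Cert]:
    """Fragile lookup: first store cert whose Subject equals the leaf Issuer."""
    return next((ca for ca in store if ca.subject == leaf.issuer), None)


def issuer_by_key_id(leaf: Cert, store: List[Cert]) -> Optional[Cert]:
    """Name match first, then disambiguate with leaf.AKI == candidate.SKI.
    Returns None rather than guessing when the match is still ambiguous."""
    candidates = [ca for ca in store if ca.subject == leaf.issuer]
    if leaf.aki is not None:
        candidates = [ca for ca in candidates if ca.ski == leaf.aki]
    return candidates[0] if len(candidates) == 1 else None


def duplicate_subjects(store: List[Cert]) -> List[str]:
    """Trust-store audit: Subjects that appear on more than one CA cert."""
    return sorted(s for s, n in Counter(ca.subject for ca in store).items() if n > 1)


# Constructed sample trust store: two intermediates sharing one Subject
# (e.g. a re-keyed CA kept alongside its predecessor), distinct public keys.
ROOT = Cert("CN=Example Root", "CN=Example Root", b"root-key")
INTER_OLD = Cert("CN=Example Issuing CA", "CN=Example Root", b"old-key", ROOT.ski)
INTER_NEW = Cert("CN=Example Issuing CA", "CN=Example Root", b"new-key", ROOT.ski)
TRUST_STORE = [ROOT, INTER_OLD, INTER_NEW]
# Leaf issued by INTER_NEW; the client sends only this cert, no chain.
LEAF = Cert("CN=client.example", "CN=Example Issuing CA", b"leaf-key", INTER_NEW.ski)
```

With this store, `issuer_by_subject_only(LEAF, TRUST_STORE)` returns INTER_OLD (the first name match, whose key cannot verify the leaf), while `issuer_by_key_id` returns INTER_NEW; a leaf that carries no AKI and matches both intermediates is reported as ambiguous instead of being trusted against the wrong CA.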
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IT47752

  • Reported component name

    APP CONNECT ENT

  • Reported component ID

    5724J0560

  • Reported release

    C00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2025-02-21

  • Closed date

    2025-03-20

  • Last modified date

    2025-03-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    APP CONNECT ENT

  • Fixed component ID

    5724J0560

Applicable component levels


Document Information

Modified date:
27 March 2025