When the TLS trust store contains multiple CA certificates with the same subject Distinguished Name (DN) — a common scenario during CA certificate rotation — only the first certificate matching the subject DN is selected for peer certificate chain validation. If signature verification fails with that certificate, the implementation does not attempt validation with subsequent certificates sharing the same subject DN. The TLS handshake fails with certificate verify failed.
Expected Behavior:
When multiple CA certificates in the trust store share the same subject DN, the TLS implementation should iterate over all matching certificates and attempt signature verification with each until one succeeds or all are exhausted.
Actual Behavior:
The trust store lookup matches the peer certificate's issuer DN against subject DNs in the trust store, selects only the first match, and fails the handshake without trying other candidates.
Impact:
During CA certificate rotation where old and new CA certificates share the same subject DN (common practice), TLS connections to remote endpoints fail if the peer's certificate was signed by the CA that is not first in the bundle. This prevents seamless certificate rotation without service disruption.
Affected Use Case:
Logstash syslog output (logstash-output-syslog) configured with TLS towards a remote syslog receiver, where the trusted certificate bundle contains both old and new CA certificates during rotation.
Example Log Trace:
[logstash.outputs.syslog] syslog ssl-tcp output exception: closing, reconnecting and resending event {:host=>'x.x.x.x', :port=>514, :exception=>#<OpenSSL::SSL::SSLError: certificate verify failed>, :backtrace=>['org/jruby/ext/openssl/SSLSocket.java:279:in connect'', '/opt/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-syslog-3.1.0/lib/logstash/outputs/syslog.rb:263:in connect'', '/opt/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-syslog-3.1.0/lib/logstash/outputs/syslog.rb:225:in publish'', '/opt/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-codec-plain-3.1.0/lib/logstash/codecs/plain.rb:59:in encode'', '/opt/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-syslog-3.1.0/lib/logstash/outputs/syslog.rb:194:in receive'', '/opt/logstash/logstash-core/lib/logstash/outputs/base.rb:104:in block in multi_receive'', 'org/jruby/RubyArray.java:2009:in each'', '/opt/logstash/logstash-core/lib/logstash/outputs/base.rb:104:in multi_receive'', 'org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:in multi_receive'', '/opt/logstash/logstash-core/lib/logstash/java_pipeline.rb:315:in block in start_workers''], :event=>#LogStash::Event:0x43304a16}
When the TLS trust store contains multiple CA certificates with the same subject Distinguished Name (DN) — a common scenario during CA certificate rotation — only the first certificate matching the subject DN is selected for peer certificate chain validation. If signature verification fails with that certificate, the implementation does not attempt validation with subsequent certificates sharing the same subject DN. The TLS handshake fails with certificate verify failed.
Expected Behavior:
When multiple CA certificates in the trust store share the same subject DN, the TLS implementation should iterate over all matching certificates and attempt signature verification with each until one succeeds or all are exhausted.
Actual Behavior:
The trust store lookup matches the peer certificate's issuer DN against subject DNs in the trust store, selects only the first match, and fails the handshake without trying other candidates.
Impact:
During CA certificate rotation where old and new CA certificates share the same subject DN (common practice), TLS connections to remote endpoints fail if the peer's certificate was signed by the CA that is not first in the bundle. This prevents seamless certificate rotation without service disruption.
Affected Use Case:
Logstash syslog output (logstash-output-syslog) configured with TLS towards a remote syslog receiver, where the trusted certificate bundle contains both old and new CA certificates during rotation.
Example Log Trace:
[logstash.outputs.syslog] syslog ssl-tcp output exception: closing, reconnecting and resending event {:host=>'x.x.x.x', :port=>514, :exception=>#<OpenSSL::SSL::SSLError: certificate verify failed>, :backtrace=>['org/jruby/ext/openssl/SSLSocket.java:279:in
connect'', '/opt/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-syslog-3.1.0/lib/logstash/outputs/syslog.rb:263:inconnect'', '/opt/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-syslog-3.1.0/lib/logstash/outputs/syslog.rb:225:inpublish'', '/opt/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-codec-plain-3.1.0/lib/logstash/codecs/plain.rb:59:inencode'', '/opt/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-syslog-3.1.0/lib/logstash/outputs/syslog.rb:194:inreceive'', '/opt/logstash/logstash-core/lib/logstash/outputs/base.rb:104:inblock in multi_receive'', 'org/jruby/RubyArray.java:2009:ineach'', '/opt/logstash/logstash-core/lib/logstash/outputs/base.rb:104:inmulti_receive'', 'org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:inmulti_receive'', '/opt/logstash/logstash-core/lib/logstash/java_pipeline.rb:315:inblock in start_workers''], :event=>#LogStash::Event:0x43304a16}