Bug 1330262

Summary: Candlepin can't support connecting to AMQP servers with alternate hostnames in the certificate
Product: [Community] Candlepin
Reporter: Barnaby Court <bcourt>
Component: candlepin
Assignee: Filip Nguyen <fnguyen>
Status: CLOSED CURRENTRELEASE
QA Contact: Katello QA List <katello-qa-list>
Severity: high
Docs Contact:
Priority: high
Version: 0.9.54
CC: fnguyen, katello-qa-list, redakkan, stbenjam, vrjain
Target Milestone: ---
Keywords: Reopened, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 0.9.54.10-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1329327
: 1330263
Environment:
Last Closed: 2016-11-02 10:00:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1330263
Bug Blocks: 1252573, 1329327

Description Barnaby Court 2016-04-25 18:30:43 UTC
+++ This bug was initially created as a clone of Bug #1329327 +++

Description of problem:
We are moving qpid to only listen on localhost in Satellite because of BZ1252573. So we add 'localhost' as an alternate DNS name on our certificate.  

Candlepin fails with this error:

Caused by: org.apache.qpid.AMQException: Cannot connect to broker: SSL hostname verification failed. Expected : localhost Found in cert : centos7-bats.example.com


It's due to qpid's java library in 0.30 only verifying the CN:
  https://github.com/apache/qpid/blob/0.30/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java#L58-L62

It's fixed in later versions it seems:

https://github.com/apache/qpid-java/blob/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java#L141-L150



Version-Release number of selected component (if applicable):
candlepin-0.9.54.4-1.el7.noarch

How reproducible:
Always


Steps to Reproduce:
1. Create a certificate with alternate hostname and use it for qpid
2. Have candlepin configured to use alternate hostname


Actual results:
SSL verification fails

Expected results:
SSL verification succeeds
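
The difference the description points at, as an added example that is not part of the original report and is not qpid's or Candlepin's code: a CN-only hostname check next to one that consults the certificate's subjectAltName DNS entries first. The certificate dict is constructed from the hostnames in the error message and shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; all function names are hypothetical.

```python
# Constructed certificate matching the report: the CN is the machine's FQDN,
# and 'localhost' appears only as a subjectAltName DNS entry.
CERT = {
    "subject": ((("commonName", "centos7-bats.example.com"),),),
    "subjectAltName": (
        ("DNS", "centos7-bats.example.com"),
        ("DNS", "localhost"),
    ),
}


def common_names(cert):
    """All commonName values in the subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def dns_alt_names(cert):
    """All dNSName entries in subjectAltName."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]                      # e.g. ".example.com"
    head, dot, rest = h.partition(".")  # wildcard covers exactly one label
    # Reject wildcards directly under a top-level name such as "*.com".
    return bool(head) and dot == "." and "." + rest == suffix and suffix.count(".") >= 2


def verify_cn_only(cert, host):
    """Models the behaviour the report describes: only the CN is compared."""
    return any(name_matches(cn, host) for cn in common_names(cert))


def verify_san_aware(cert, host):
    """If dNSName entries exist they are authoritative; CN is only a fallback."""
    sans = dns_alt_names(cert)
    if sans:
        return any(name_matches(s, host) for s in sans)
    return verify_cn_only(cert, host)


if __name__ == "__main__":
    for check in (verify_cn_only, verify_san_aware):
        print(check.__name__, "localhost ->", check(CERT, "localhost"))
```

Note that the SAN-aware check ignores the CN whenever DNS alternative names are present, so a certificate that lists SANs must include every name clients will connect with, the CN's hostname included.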

Comment 2 Barnaby Court 2016-07-22 14:51:43 UTC
Marking as closed per Candlepin procedures as a fix has been merged or it has been determined to not be an issue.

Comment 3 Stephen Benjamin 2016-10-13 21:39:40 UTC
Re-opened, see https://bugzilla.redhat.com/show_bug.cgi?id=1329327#c8