Bug 782070

Summary: qpidd broker can start up without listening to a TCP port if SSL multiplexing is requested and given certificate not valid
Product: Red Hat Enterprise MRG
Reporter: Frantisek Reznicek <freznice>
Component: qpid-cpp
Assignee: Andrew Stitcher <astitcher>
Status: CLOSED ERRATA
QA Contact: mick <mgoulish>
Severity: high
Docs Contact:
Priority: high
Version: 2.1
CC: esammons, jross, lzhaldyb, mgoulish
Target Milestone: 3.0
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: qpid-cpp-0.22-4.el6, qpid-cpp-0.22-4.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-24 15:03:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Frantisek Reznicek 2012-01-16 13:03:50 UTC
Description of problem:

Bug 751845 adds the possibility to multiplex TCP and SSL traffic on a single port by specifying the same port number to --port and --ssl-port.

Latest tests showed that the broker may start without listening to a port (!) when the TCP port is shared and the SSL certificate is not valid...


  [root@hp-xw8400-01 qpid_ptest_ssl]# qpidd --auth yes --require-encryption yes --ssl-require-client-authentication yes --log-enable info+ --port 5672 --ssl-port 5673 --ssl-cert-password-file /root/qpid_ptest_ssl/CA_db_A/pswdfile --ssl-cert-db /root/qpid_ptest_ssl/CA_db_A --ssl-cert-name hp-xw8400-01... --data-dir /root/qpid_ptest_ssl/rhts_qpidd/broker.a
  ...
  2012-01-16 07:36:05 info SASL: no config path set - using default.
  2012-01-16 07:36:05 info SASL enabled
  2012-01-16 07:36:05 info Listening to: [::]:5672
  2012-01-16 07:36:05 info Listening to: 0.0.0.0:5672
  2012-01-16 07:36:05 notice Listening on TCP/TCP6 port 5672
  2012-01-16 07:36:05 info Policy file not specified. ACL Disabled, no ACL checking being done!
  2012-01-16 07:36:05 error Failed to initialise SSL plugin: Failed to load certificate 'hp-xw8400-01...' (qpid/sys/ssl/SslSocket.cpp:184)
  2012-01-16 07:36:05 notice Broker running
  2012-01-16 07:36:10 notice Shut down
  [root@hp-xw8400-01 qpid_ptest_ssl]#
  
  [root@hp-xw8400-01 qpid_ptest_ssl]# netstat -nlp | grep qpidd
  tcp        0      0 0.0.0.0:5672                0.0.0.0:*                   LISTEN      16061/qpidd
  tcp        0      0 :::5672                     :::*                        LISTEN      16061/qpidd
  [root@hp-xw8400-01 qpid_ptest_ssl]#
  
  [root@hp-xw8400-01 qpid_ptest_ssl]#
  [root@hp-xw8400-01 qpid_ptest_ssl]# qpidd --auth yes --require-encryption yes --ssl-require-client-authentication yes --log-enable info+ --port 5672 --ssl-port 5672 --ssl-cert-password-file /root/qpid_ptest_ssl/CA_db_B/pswdfile --ssl-cert-db /root/qpid_ptest_ssl/CA_db_B --ssl-cert-name hp-xw8400-01... --data-dir /root/qpid_ptest_ssl/rhts_qpidd/broker.a
  ...
  2012-01-16 07:36:22 info SASL: no config path set - using default.
  2012-01-16 07:36:22 info SASL enabled
  2012-01-16 07:36:22 notice SSL multiplexing enabled
  2012-01-16 07:36:22 info Policy file not specified. ACL Disabled, no ACL checking being done!
  2012-01-16 07:36:22 error Failed to initialise SSL plugin: Failed to load certificate 'hp-xw8400-01...' (qpid/sys/ssl/SslSocket.cpp:184)
  2012-01-16 07:36:22 notice Broker running
  
  [root@hp-xw8400-01 qpid_ptest_ssl]# netstat -nlp | grep qpidd
  [root@hp-xw8400-01 qpid_ptest_ssl]#

  #hp-xw8400-01's FQDN shortened to hp-xw8400-01...


The above cases demonstrate that the SSL traffic multiplexing feature introduced a case where the broker is up and running but does not listen on any port!

This behavior may easily lead to confusion and can be interpreted as a malfunction state.

In the following case ...
qpidd --auth yes --require-encryption yes --ssl-require-client-authentication yes --log-enable info+ --port 5672 --ssl-port 5672 --ssl-cert-password-file A --ssl-cert-db A --ssl-cert-name A --data-dir /root/qpid_ptest_ssl/rhts_qpidd/broker.a
(a request to share traffic on a single port, and the SSL database and/or cert name is invalid) the broker should start up and listen on the TCP port only, i.e. refuse to enter multiplexing mode.


Version-Release number of selected component (if applicable):
  python-qpid-0.14-1.el5
  python-qpid-qmf-0.14-2.el5
  qpid-cpp-client-0.14-4.el5
  qpid-cpp-client-devel-0.14-4.el5
  qpid-cpp-client-devel-docs-0.14-4.el5
  qpid-cpp-client-rdma-0.14-4.el5
  qpid-cpp-client-ssl-0.14-4.el5
  qpid-cpp-mrg-debuginfo-0.14-4.el5
  qpid-cpp-server-0.14-4.el5
  qpid-cpp-server-cluster-0.14-4.el5
  qpid-cpp-server-devel-0.14-4.el5
  qpid-cpp-server-rdma-0.14-4.el5
  qpid-cpp-server-ssl-0.14-4.el5
  qpid-cpp-server-store-0.14-4.el5
  qpid-cpp-server-xml-0.14-4.el5
  qpid-java-client-0.14-1.el5
  qpid-java-common-0.14-1.el5
  qpid-java-example-0.14-1.el5
  qpid-qmf-0.14-2.el5
  qpid-qmf-debuginfo-0.14-2.el5
  qpid-qmf-devel-0.14-2.el5
  qpid-tests-0.14-1.el5
  qpid-tools-0.14-1.el5
  ruby-qpid-qmf-0.14-2.el5


How reproducible:
100%

Steps to Reproduce:
1. qpidd --auth yes --require-encryption yes --ssl-require-client-authentication yes --log-enable info+ --port 5672 --ssl-port 5672 --ssl-cert-password-file A --ssl-cert-db A --ssl-cert-name A --data-dir /root/qpid_ptest_ssl/rhts_qpidd/broker.a
2. netstat -nlp | grep qpidd
3. broker not listening on any port
  
Actual results:
There is a possibility to launch the broker in a mode where it does not listen on any ports. This is a bad condition.

Expected results:
The broker should not start in a mode where it is not listening on any port. In the above-described configuration the broker should drop SSL multiplexing and continue with normal TCP port operation (or eventually shut down with an error message).


Additional info:
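
Added example, not part of this bug report or of the qpid code base: a post-start health check that cross-checks the broker log against the `netstat -nlp` socket table, so the state described above ("Broker running" logged while no qpidd socket is in LISTEN) is flagged instead of trusted. It classifies the two runs from the description (TCP-only with the SSL plugin failed, and multiplexed with no listener at all). The log and netstat text is constructed from the excerpts above; the `netstat` column layout, the log line wording and the `probe_tcp` fallback helper are assumptions of this example.

```python
"""Post-start health check for a qpidd broker that shares one port for TCP and SSL.

Added example, not code from qpid or from this bug report. It cross-checks the
broker log against the socket table so that the state the report describes
("Broker running" logged, but no listening socket) is detected instead of
being trusted. The log and netstat text below is constructed from the
excerpts in the bug description; the port numbers are the report's.
"""
import re
import socket

# Log lines as qpidd writes them (quoted in the bug description).
RUNNING = re.compile(r"notice Broker running")
SSL_FAILED = re.compile(r"error Failed to initialise SSL plugin")
SSL_MUX = re.compile(r"notice SSL multiplexing enabled")

# One `netstat -nlp` row: proto recv-q send-q local foreign state pid/program.
# Matches both 0.0.0.0:5672 and the IPv6 form :::5672 (assumed column layout).
LISTEN_ROW = re.compile(
    r"^\s*tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+\d+/qpidd\b", re.M)


def listening_ports(netstat_text):
    """Ports on which a qpidd process holds a LISTEN socket."""
    return {int(p) for p in LISTEN_ROW.findall(netstat_text)}


def check_broker(log_text, netstat_text, port, ssl_port):
    """Classify broker state as (status, detail).

    status is one of: not-running, fail, degraded, ok.
    'fail' is the bug's symptom: the log claims the broker is running but
    nothing accepts connections on the configured port(s).
    """
    if not RUNNING.search(log_text):
        return "not-running", "no 'Broker running' line in log"
    ports = listening_ports(netstat_text)
    ssl_failed = SSL_FAILED.search(log_text) is not None
    multiplexed = port == ssl_port or SSL_MUX.search(log_text) is not None
    if not ports:
        return "fail", "log says 'Broker running' but qpidd has no LISTEN socket"
    if port not in ports:
        return "fail", "TCP port %d is not listening" % port
    if ssl_failed:
        # Plain TCP survived, but --require-encryption cannot be honoured.
        return "degraded", "SSL plugin failed to initialise; TCP only on %s" % sorted(ports)
    if not multiplexed and ssl_port not in ports:
        return "fail", "SSL port %d is not listening" % ssl_port
    return "ok", "listening on %s" % sorted(ports)


def probe_tcp(host, port, timeout=2.0):
    """Active fallback (hypothetical helper) when no socket table is available."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# --- Constructed samples, taken from the two runs in the bug description ---
RUN_A_LOG = """\
2012-01-16 07:36:05 info Listening to: 0.0.0.0:5672
2012-01-16 07:36:05 notice Listening on TCP/TCP6 port 5672
2012-01-16 07:36:05 error Failed to initialise SSL plugin: Failed to load certificate 'hp-xw8400-01...' (qpid/sys/ssl/SslSocket.cpp:184)
2012-01-16 07:36:05 notice Broker running
"""
RUN_A_NETSTAT = """\
tcp        0      0 0.0.0.0:5672                0.0.0.0:*                   LISTEN      16061/qpidd
tcp        0      0 :::5672                     :::*                        LISTEN      16061/qpidd
"""
RUN_B_LOG = """\
2012-01-16 07:36:22 notice SSL multiplexing enabled
2012-01-16 07:36:22 error Failed to initialise SSL plugin: Failed to load certificate 'hp-xw8400-01...' (qpid/sys/ssl/SslSocket.cpp:184)
2012-01-16 07:36:22 notice Broker running
"""
RUN_B_NETSTAT = ""  # `netstat -nlp | grep qpidd` printed nothing

if __name__ == "__main__":
    print("run A (--port 5672 --ssl-port 5673):", check_broker(RUN_A_LOG, RUN_A_NETSTAT, 5672, 5673))
    print("run B (--port 5672 --ssl-port 5672):", check_broker(RUN_B_LOG, RUN_B_NETSTAT, 5672, 5672))
```

In practice the two inputs come from the broker's log output and from `netstat -nlp` run on the same host; a supervisor or monitoring job can treat `fail` as a reason to stop the broker, which is the point of the report: the "Broker running" notice alone is not evidence that anything is listening.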

Comment 1 Andrew Stitcher 2013-05-02 20:21:53 UTC
This issue should now be fixed upstream on trunk in r1478510; this should be available in the 0.24 release.

Comment 2 mick 2013-08-29 19:19:49 UTC
observed bug behavior on latest-stable packages  (see below)

observed fix behavior on latest-and-greatest

----> verified

  packages
  {
    latest stable
    {
      cyrus-sasl-2.1.23-13.el6_3.1.x86_64
      cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
      cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
      cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
      cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
      cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
      python-qpid-0.18-4.el6.noarch
      python-qpid-qmf-0.18-15.el6.x86_64
      python-saslwrapper-0.18-1.el6_3.x86_64
      qpid-cpp-client-0.18-14.el6.x86_64
      qpid-cpp-client-devel-0.18-14.el6.x86_64
      qpid-cpp-client-devel-docs-0.18-14.el6.noarch
      qpid-cpp-client-rdma-0.18-14.el6.x86_64
      qpid-cpp-client-ssl-0.18-14.el6.x86_64
      qpid-cpp-debuginfo-0.14-22.el6_3.x86_64
      qpid-cpp-server-0.18-14.el6.x86_64
      qpid-cpp-server-cluster-0.18-14.el6.x86_64
      qpid-cpp-server-devel-0.18-14.el6.x86_64
      qpid-cpp-server-rdma-0.18-14.el6.x86_64
      qpid-cpp-server-ssl-0.18-14.el6.x86_64
      qpid-cpp-server-store-0.18-14.el6.x86_64
      qpid-cpp-server-xml-0.18-14.el6.x86_64
      qpid-java-client-0.18-7.el6.noarch
      qpid-java-common-0.18-7.el6.noarch
      qpid-java-example-0.18-7.el6.noarch
      qpid-jca-0.18-8.el6.noarch
      qpid-jca-xarecovery-0.18-8.el6.noarch
      qpid-proton-c-0.4-2.2.el6.x86_64
      qpid-proton-c-devel-0.4-2.2.el6.x86_64
      qpid-qmf-0.18-15.el6.x86_64
      qpid-qmf-debuginfo-0.14-14.el6_3.x86_64
      qpid-qmf-devel-0.18-15.el6.x86_64
      qpid-tests-0.18-2.el6.noarch
      qpid-tools-0.18-8.el6.noarch
      ruby-qpid-qmf-0.18-15.el6.x86_64
      saslwrapper-0.18-1.el6_3.x86_64
      saslwrapper-devel-0.18-1.el6_3.x86_64
    }


    latest-and-greatest
    {
      cyrus-sasl-2.1.23-13.el6_3.1.x86_64
      cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
      cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
      cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
      cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
      cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
      perl-qpid-0.22-5.el6.x86_64
      python-qpid-0.22-4.el6.noarch
      python-qpid-qmf-0.22-9.el6.x86_64
      python-saslwrapper-0.22-3.el6.x86_64
      qpid-cpp-client-0.22-11.el6.x86_64
      qpid-cpp-client-devel-0.22-11.el6.x86_64
      qpid-cpp-client-devel-docs-0.22-11.el6.noarch
      qpid-cpp-client-rdma-0.22-11.el6.x86_64
      qpid-cpp-client-ssl-0.22-11.el6.x86_64
      qpid-cpp-debuginfo-0.22-11.el6.x86_64
      qpid-cpp-server-0.22-11.el6.x86_64
      qpid-cpp-server-devel-0.22-11.el6.x86_64
      qpid-cpp-server-ha-0.22-11.el6.x86_64
      qpid-cpp-server-rdma-0.22-11.el6.x86_64
      qpid-cpp-server-ssl-0.22-11.el6.x86_64
      qpid-cpp-server-store-0.22-11.el6.x86_64
      qpid-cpp-server-xml-0.22-11.el6.x86_64
      qpid-cpp-tar-0.22-11.el6.noarch
      qpid-java-client-0.22-5.el6.noarch
      qpid-java-common-0.22-5.el6.noarch
      qpid-java-example-0.22-5.el6.noarch
      qpid-proton-c-0.4-2.2.el6.x86_64
      qpid-proton-c-devel-0.4-2.2.el6.x86_64
      qpid-proton-debuginfo-0.4-2.2.el6.x86_64
      qpid-qmf-0.22-9.el6.x86_64
      qpid-qmf-debuginfo-0.22-9.el6.x86_64
      qpid-qmf-devel-0.22-9.el6.x86_64
      qpid-snmpd-1.0.0-12.el6.x86_64
      qpid-snmpd-debuginfo-1.0.0-12.el6.x86_64
      qpid-tests-0.22-4.el6.noarch
      qpid-tools-0.22-3.el6.noarch
      rh-qpid-cpp-tests-0.22-11.el6.x86_64
      ruby-qpid-0.7.946106-2.el6.x86_64
      saslwrapper-0.22-3.el6.x86_64
      saslwrapper-devel-0.22-3.el6.x86_64
    }
  }

Comment 4 errata-xmlrpc 2014-09-24 15:03:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-1296.html