Bug 1330263 - Candlepin can't support connecting to AMQP servers with alternate hostnames in the certificate
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Candlepin
Classification: Community
Component: candlepin
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Filip Nguyen
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks: 1330262
Reported: 2016-04-25 18:32 UTC by Barnaby Court
Modified: 2016-10-17 12:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1330262
Environment:
Last Closed: 2016-07-22 14:52:14 UTC



Description Barnaby Court 2016-04-25 18:32:11 UTC
+++ This bug was initially created as a clone of Bug #1330262 +++

+++ This bug was initially created as a clone of Bug #1329327 +++

Description of problem:
We are moving qpid to only listen on localhost in Satellite because of BZ1252573. So we add 'localhost' as an alternate DNS name on our certificate.  

Candlepin fails with this error:

Caused by: org.apache.qpid.AMQException: Cannot connect to broker: SSL hostname verification failed. Expected : localhost Found in cert : centos7-bats.example.com


It's due to qpid's java library in 0.30 only verifying the CN:
  https://github.com/apache/qpid/blob/0.30/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java#L58-L62

It's fixed in later versions it seems:

https://github.com/apache/qpid-java/blob/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java#L141-L150



Version-Release number of selected component (if applicable):
candlepin-0.9.54.4-1.el7.noarch

How reproducible:
Always


Steps to Reproduce:
1. Create a certificate with alternate hostname and use it for qpid
2. Have candlepin configured to use alternate hostname


Actual results:
SSL verification fails

Expected results:
SSL verification succeeds
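
The difference the report describes, as an added example (not code from the bug report, qpid or Candlepin): a CN-only hostname check beside one that consults the certificate's dNSName subject alternative names first, as RFC 6125 specifies. The class and method names are hypothetical, and the subject DN and SAN list are constructed sample data in the shape `X509Certificate.getSubjectAlternativeNames()` returns.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class HostnameCheck { // hypothetical class, for illustration only
    static final int DNS_NAME = 2; // GeneralName type for dNSName entries

    // CN-only comparison: the behaviour the report attributes to the 0.30 client.
    static boolean cnOnly(String host, String subjectDn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return matches(host, rdn.getValue().toString());
            }
        }
        return false;
    }

    // SAN-aware check: dNSName entries decide when present; CN is only a fallback.
    static boolean sanAware(String host, Collection<List<?>> sans, String subjectDn)
            throws InvalidNameException {
        boolean sawDnsName = false;
        if (sans != null) { // null means the certificate has no SAN extension
            for (List<?> entry : sans) { // each entry is [Integer type, Object value]
                if (Integer.valueOf(DNS_NAME).equals(entry.get(0))) {
                    sawDnsName = true;
                    if (matches(host, (String) entry.get(1))) return true;
                }
            }
        }
        return !sawDnsName && cnOnly(host, subjectDn);
    }

    // Case-insensitive match; "*." is honoured only as the whole left-most label.
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT), p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    public static void main(String[] args) throws Exception {
        String dn = "CN=centos7-bats.example.com,O=Example"; // constructed subject DN
        Collection<List<?>> sans = List.<List<?>>of( // constructed SAN entries
                List.of(2, "centos7-bats.example.com"), List.of(2, "localhost"));
        System.out.println("CN only, localhost:   " + cnOnly("localhost", dn));
        System.out.println("SAN aware, localhost: " + sanAware("localhost", sans, dn));
        System.out.println("SAN aware, other:     " + sanAware("other.example.com", sans, dn));
    }
}
```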

Comment 2 Barnaby Court 2016-07-22 14:52:14 UTC
Marking as closed per Candlepin procedures as a fix has been merged or it has been determined to not be an issue.

Comment 3 Filip Nguyen 2016-10-17 12:11:43 UTC
The correct version of the client was not included in the builds because of unsynced Buildfile and pom.xml. Commit 30d208f270d7bb961c4e11ea512d71e8522e629a fixes that.

