Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1330263

Summary: Candlepin can't support connecting to AMQP servers with alternate hostnames in the certificate
Product: [Community] Candlepin (Migrated to Jira)
Reporter: Barnaby Court <bcourt>
Component: candlepin
Assignee: Filip Nguyen <fnguyen>
Status: CLOSED CURRENTRELEASE
QA Contact: Katello QA List <katello-qa-list>
Severity: high
Priority: high
Version: 2.0
CC: candlepin-bugs, fnguyen, katello-qa-list, redakkan, stbenjam, vrjain
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 1330262
Last Closed: 2016-07-22 14:52:14 UTC
Type: Bug
Bug Blocks: 1330262

Description Barnaby Court 2016-04-25 18:32:11 UTC
+++ This bug was initially created as a clone of Bug #1330262 +++

+++ This bug was initially created as a clone of Bug #1329327 +++

Description of problem:
We are moving qpid to only listen on localhost in Satellite because of BZ1252573. So we add 'localhost' as an alternate DNS name on our certificate.  

Candlepin fails with this error:

Caused by: org.apache.qpid.AMQException: Cannot connect to broker: SSL hostname verification failed. Expected : localhost Found in cert : centos7-bats.example.com


It's due to qpid's java library in 0.30 only verifying the CN:
  https://github.com/apache/qpid/blob/0.30/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java#L58-L62

It's fixed in later versions it seems:

https://github.com/apache/qpid-java/blob/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java#L141-L150



Version-Release number of selected component (if applicable):
candlepin-0.9.54.4-1.el7.noarch

How reproducible:
Always


Steps to Reproduce:
1. Create a certificate with alternate hostname and use it for qpid
2. Have candlepin configured to use alternate hostname


Actual results:
SSL verification fails

Expected results:
SSL verification succeeds

Comment 2 Barnaby Court 2016-07-22 14:52:14 UTC
Marking as closed per Candlepin procedures as a fix has been merged or it has been determined to not be an issue.

Comment 3 Filip Nguyen 2016-10-17 12:11:43 UTC
The correct version of the client was not included in the builds because of unsynced Buildfile and pom.xml. Commit 30d208f270d7bb961c4e11ea512d71e8522e629a fixes that.