Bug 560005
| Summary: | Broker options "--auth" and "--require-encryption" can fail when used with SSL/TLS |
|---|---|
| Product: | Red Hat Enterprise MRG |
| Component: | qpid-cpp |
| Status: | CLOSED ERRATA |
| Severity: | high |
| Priority: | low |
| Version: | 1.2 |
| Target Milestone: | 1.3 |
| Hardware: | All |
| OS: | Linux |
| Reporter: | Ken Giusti <kgiusti> |
| Assignee: | Ken Giusti <kgiusti> |
| QA Contact: | Jan Sarenik <jsarenik> |
| CC: | jsarenik, sgraf, tao |
| Doc Type: | Bug Fix |
| Doc Text: | Previously, when a broker was started with the "--require-encryption" option enabled, any attempt to connect to it using SSL failed, because the connection was erroneously considered to be unencrypted. With this update, the Simple Authentication and Security Layer (SASL) has been altered to check for the presence of SSL encryption, and such connections are now accepted as expected. |
| Last Closed: | 2010-10-14 15:57:20 UTC |

Description
Ken Giusti
2010-01-29 16:00:49 UTC
Fixed Upstream: https://issues.apache.org/jira/browse/QPID-1899 https://issues.apache.org/jira/browse/QPID-2374
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
* Cause: Using --require-encryption with SSL connections to the broker.
* Consequence: fail to connect as broker considers the SSL connection "unencrypted".
* Fix: modify the broker's sasl layer to check for the presence of SSL encryption on connections.
* Result: broker correctly recognizes SSL connections as being encrypted, thus accepting the connections.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Diffed Contents:
@@ -1,4 +1 @@
-* Cause: Using --require-encryption with SSL connections to the broker.
+Previously, when a broker was started with the "--require-encryption" option enabled, any attempt to connect to it using SSL failed, because the connection was erroneously considered to be unencrypted. With this update, the Simple Authentication and Security Layer (SASL) has been altered to check for the presence of SSL encryption, and such connections are now accepted as expected.-* Consequence: fail to connect as broker considers the SSL connection "unencrypted".
-* Fix: modify the broker's sasl layer to check for the presence of SSL encryption on connections.
-* Result: broker correctly recognizes SSL connections as being encrypted, thus accepting the connections.
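Review bot: the replacement line says "the Simple Authentication and Security Layer (SASL) has been altered", while the removed Fix line locates the change in "the broker's sasl layer"; suggest wording it as "the broker's SASL layer now checks for the presence of SSL encryption on connections" so it does not read as a change to SASL itself. The bug summary also names "--auth", which the new text never mentions; if that option was affected by the same defect, the note should say so.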
I am able to reproduce and verify only the second combination so far. The first one is working fine even on qpidd-ssl-0.5.752581-34.el5 and also on qpid-cpp-server-ssl-0.7.946106-17.el5.

I will verify the second case on RHEL4 and RHEL5 i386 and x86_64. Let me know if there is a way to reproduce the problem with the first-mentioned combination of parameters.

Verified on (RHEL4,RHEL5) x (i386,x86_64)
qpid-cpp-server-ssl-0.7.946106-17.el4
qpid-cpp-server-ssl-0.7.946106-17.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0773.html

Created attachment 489979
Testcase