Red Hat Bugzilla – Bug 560005
Broker options "--auth" and "--require-encryption" can fail when used with SSL/TLS
Last modified: 2012-02-06 12:52:05 EST
Description of problem:
Some combinations of --auth and SSL cause connections to the broker to fail.

1. "--auth no" and "--require-encryption": SSL connections are incorrectly rejected as being unencrypted, when in fact they are encrypted.
2. "--auth yes" and "--require-encryption" will only allow those authentication mechs that provide encryption, even if the connection is over an SSL encrypted link (e.g. cannot use PLAIN auth over SSL if encryption is required).

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
Case 1:
1. Start broker with SSL and "--auth no" and "--require-encryption"
2. Attempt to connect with client using SSL
3. Connection will be rejected; error message indicates connection is un-encrypted.

Case 2:
1. Start broker with SSL and "--require-encryption" and PLAIN auth.
2. Attempt to connect with client using SSL and correct auth parameters.
3. Connection attempt will fail.

Actual results:
Both connection attempts will fail.

Expected results:
Both connection attempts should succeed.

Additional info:
Fixed Upstream: https://issues.apache.org/jira/browse/QPID-1899 https://issues.apache.org/jira/browse/QPID-2374
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
* Cause: Using --require-encryption with SSL connections to the broker.
* Consequence: fail to connect as broker considers the SSL connection "unencrypted".
* Fix: modify the broker's sasl layer to check for the presence of SSL encryption on connections.
* Result: broker correctly recognizes SSL connections as being encrypted, thus accepting the connections.
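The following C++ model is added here as an illustration of the two admission rules this bug is about (the "--auth no" case rejected as unencrypted, and PLAIN refused over SSL with "--auth yes"). It is not qpidd source and not the upstream fix; it only models the decision. Assumptions, also marked in the code: the SSF numbers and the MIN_SSF_WHEN_REQUIRED constant are constructed, mechanism names follow the SASL registry, and the rule "a mechanism is offered only if its own SSF plus the external SSF meets min_ssf" is the Cyrus SASL convention that SASL_SSF_EXTERNAL follows. The buggy path credits the transport with nothing; the fixed path passes the SSL connection's strength in as the external SSF, which is what "check for the presence of SSL encryption on connections" amounts to.

```cpp
// Model of qpidd's --require-encryption admission check, written for this page
// as an illustration. It is NOT the broker's source: the SSF numbers and
// MIN_SSF_WHEN_REQUIRED are constructed values.
#include <algorithm>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

struct BrokerOptions {
    bool auth;               // --auth yes/no
    bool requireEncryption;  // --require-encryption
};

struct Connection {
    unsigned transportSsf;   // TLS cipher strength in bits; 0 for plain TCP
    std::string mech;        // SASL mechanism the client chose; "" when --auth no
};

enum class Verdict { Accepted, RejectedUnencrypted, RejectedMechanism };

// Constructed minimum security strength demanded under --require-encryption.
const unsigned MIN_SSF_WHEN_REQUIRED = 10;

// Security strength a mechanism contributes on its own (constructed values; the
// point is only which mechanisms carry a security layer and which do not).
unsigned mechSsf(const std::string& mech) {
    if (mech == "DIGEST-MD5" || mech == "GSSAPI") return 56;  // can negotiate a privacy layer
    return 0;                                                 // PLAIN, ANONYMOUS, ...: none
}

// Mechanisms the server advertises. Mirrors the Cyrus SASL rule that a mechanism
// is offered only if its own SSF plus the external SSF reaches min_ssf.
std::vector<std::string> offeredMechs(unsigned minSsf, unsigned externalSsf) {
    std::vector<std::string> out;
    for (const char* m : {"DIGEST-MD5", "GSSAPI", "PLAIN", "ANONYMOUS"})
        if (mechSsf(m) + externalSsf >= minSsf) out.push_back(m);
    return out;
}

// Shared decision: externalSsf is whatever the broker credits the transport with.
Verdict decide(const BrokerOptions& opt, const Connection& c, unsigned externalSsf) {
    const unsigned minSsf = opt.requireEncryption ? MIN_SSF_WHEN_REQUIRED : 0;
    if (!opt.auth) {
        // No SASL layer at all: the transport has to meet the requirement alone.
        return externalSsf >= minSsf ? Verdict::Accepted : Verdict::RejectedUnencrypted;
    }
    // With --auth yes the client must pick a mechanism the server actually offered.
    const std::vector<std::string> mechs = offeredMechs(minSsf, externalSsf);
    if (std::find(mechs.begin(), mechs.end(), c.mech) == mechs.end())
        return Verdict::RejectedMechanism;
    return Verdict::Accepted;
}

// Behaviour described in this bug: TLS on the socket is never credited, so only a
// SASL security layer can satisfy --require-encryption.
Verdict admitBuggy(const BrokerOptions& opt, const Connection& c) {
    return decide(opt, c, 0);
}

// Behaviour after the fix: the SSL connection's strength is handed to the SASL
// layer as external SSF, so TLS passes and PLAIN becomes offerable over TLS.
Verdict admitFixed(const BrokerOptions& opt, const Connection& c) {
    return decide(opt, c, c.transportSsf);
}

const char* name(Verdict v) {
    switch (v) {
        case Verdict::Accepted:            return "accepted";
        case Verdict::RejectedUnencrypted: return "rejected: connection unencrypted";
        default:                           return "rejected: mechanism not offered";
    }
}

int main() {
    const BrokerOptions noAuth{false, true}, withAuth{true, true};
    const Connection tlsNoSasl{128, ""}, tlsPlain{128, "PLAIN"},
                     tcpPlain{0, "PLAIN"}, tcpDigest{0, "DIGEST-MD5"};
    std::cout << "--auth no,  TLS:              buggy=" << name(admitBuggy(noAuth, tlsNoSasl))
              << "  fixed=" << name(admitFixed(noAuth, tlsNoSasl)) << '\n';
    std::cout << "--auth yes, TLS, PLAIN:       buggy=" << name(admitBuggy(withAuth, tlsPlain))
              << "  fixed=" << name(admitFixed(withAuth, tlsPlain)) << '\n';
    std::cout << "--auth yes, TCP, PLAIN:       buggy=" << name(admitBuggy(withAuth, tcpPlain))
              << "  fixed=" << name(admitFixed(withAuth, tcpPlain)) << '\n';
    std::cout << "--auth yes, TCP, DIGEST-MD5:  buggy=" << name(admitBuggy(withAuth, tcpDigest))
              << "  fixed=" << name(admitFixed(withAuth, tcpDigest)) << '\n';
    return 0;
}
```

The third and fourth scenarios are the checks a practitioner should keep after applying such a fix: PLAIN over plain TCP must still be refused under --require-encryption, and a mechanism with its own security layer must still be accepted without TLS. Crediting the transport must not turn into skipping the requirement.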
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,4 +1 @@ -* Cause: Using --require-encryption with SSL connections to the broker. +Previously, when a broker was started with the "--require-encryption" option enabled, any attempt to connect to it using SSL failed, because the connection was erroneously considered to be unencrypted. With this update, the Simple Authentication and Security Layer (SASL) has been altered to check for the presence of SSL encryption, and such connections are now accepted as expected.-* Consequence: fail to connect as broker considers the SSL connection "unencrypted". -* Fix: modify the broker's sasl layer to check for the presence of SSL encryption on connections. -* Result: broker correctly recognizes SSL connections as being encrypted, thus accepting the connections.
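Review bot: the rewritten note overstates the failure as "any attempt to connect to it using SSL failed" and drops the second case entirely, whereas the bug description says only specific combinations fail ("--auth no" with "--require-encryption", and PLAIN over SSL with "--auth yes"), and the later QA comment could not reproduce the "--auth no" case at all. Suggest wording that keeps both cases and does not claim every SSL connection failed, e.g.: "Previously, when the broker was started with the "--require-encryption" option, SSL connections could be rejected as unencrypted, and with authentication enabled, mechanisms that provide no encryption of their own (such as PLAIN) could not be used even over an SSL-encrypted link. With this update, the SASL layer checks for the presence of SSL encryption, and such connections are accepted as expected."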
I am able to reproduce and verify only the second combination so far. The first one is working fine even on qpidd-ssl-0.5.752581-34.el5 and also on qpid-cpp-server-ssl-0.7.946106-17.el5 I will verify the second case on RHEL4 and RHEL5 i386 and x86_64. Let me know if there is a way to reproduce the problem with first-mentioned combination of parameters.
Verified on (RHEL4,RHEL5) x (i386,x86_64) qpid-cpp-server-ssl-0.7.946106-17.el4 qpid-cpp-server-ssl-0.7.946106-17.el5
An advisory has been issued which should address the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2010-0773.html
Created attachment 489979: Testcase