Escalated to Bugzilla from IssueTracker
Event posted on 04-16-2010 08:23am EDT by rrajaram

Customer #1105962 is a government customer and he requires this feature to comply with IA policies for accreditation of the server.

Needed to comply with IA policies for accreditation of the server.

This event sent from IssueTracker by cww [SEG - Feature Request] issue 773053
Event posted on 04-16-2010 08:32am EDT by RFE-tool

1) Customer Name: Account #1105962 Stephen Duke

2) Nature Of Problem: Customer is implementing MRG-M. He has enabled SSL for this broker. By default the broker listens on both the SSL and non-SSL ports. Customer would prefer the broker to listen only on the SSL port. Currently there are no options available which will prevent the broker from listening on the non-SSL port. Customer needs to comply with IA policies for accreditation of the server.

3) Business Requirements Satisfied By Request: Customer can comply with IA policies for accreditation of the server.

4) Functional Requirements That Are Not Presently Possible: Broker listens on both the SSL and non-SSL ports. No options to prevent the broker from listening on the non-SSL port.

5) What Will Success Look Like:

   Current:

   netstat -anp | grep qpidd
   tcp 0 0 0.0.0.0:5671 0.0.0.0:* LISTEN 7797/qpidd
   tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 7797/qpidd

   5671 is the SSL port and 5672 is the non-SSL port.

   Success would look like:

   tcp 0 0 0.0.0.0:5671 0.0.0.0:* LISTEN 7797/qpidd

6) Desired Release Vehicle: MRG 1.3

7) Request Meets The Rhel Inclusion Criteria: Yes

8) Affected Packages: qpidc

9) Sales Sponsor:

10) Rh Business Opportunity With Customer: Customer is a TAM customer and seems to be implementing MRG-M. Brad Maxwell is the TAM.

11) Status And Risk To Contract If Not Satisfied:

12) If this request is vendor specific, has the customer engaged the partner as well?: Not Applicable

RFE-tool assigned to issue for SEG - Feature Request.

This event sent from IssueTracker by cww [SEG - Feature Request] issue 773053
Andrew, any thoughts?
We still have no way to turn off the tcp connection; in theory the code would allow you to not listen using plain tcp. There is some support for minimum allowable encryption strengths, but I don't think it applies to plain tcp with no sasl, so perhaps this would be the way to disallow unencrypted tcp (tcp sasl connections can be encrypted).
This feature is now available on the trunk of the qpid release in r1478398. You can turn tcp listening off with the option:

    --listen-disable tcp

This will be available in the upstream 0.24 release (but could be backported if necessary).
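The success criterion from the request (qpidd bound to the SSL port only) can be checked mechanically once the broker runs with --listen-disable tcp. The script below is an added example, not part of the original report or of qpid; the function names, the SSL_PORT variable and the sample input (constructed from the netstat lines in the request, plus an unrelated sshd line) are assumptions.

```shell
#!/bin/sh
# Added example: audit `netstat -anp` output for qpidd listeners.
# Assumption: 5671 is the broker's SSL port, as stated in the request.
SSL_PORT=${SSL_PORT:-5671}

# Reads netstat -anp output on stdin and prints the local address of
# every qpidd TCP listener that is NOT on the SSL port.
qpidd_non_ssl_listeners() {
    awk -v ssl="$SSL_PORT" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/qpidd$/ {
            n = split($4, parts, ":")      # port is the text after the last colon
            if (parts[n] != ssl) print $4
        }'
}

# Succeeds only if qpidd listens on the SSL port and on no other port.
# An absent broker fails the check too, so a stopped qpidd is not
# reported as compliant.
qpidd_ssl_only() {
    awk -v ssl="$SSL_PORT" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/qpidd$/ {
            n = split($4, parts, ":")
            if (parts[n] == ssl) seen_ssl = 1; else other = 1
        }
        END { if (seen_ssl && !other) exit 0; exit 1 }'
}

# Constructed sample input: broker before and after the change.
SAMPLE_BEFORE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1203/sshd
tcp 0 0 0.0.0.0:5671 0.0.0.0:* LISTEN 7797/qpidd
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 7797/qpidd'
SAMPLE_AFTER='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1203/sshd
tcp 0 0 0.0.0.0:5671 0.0.0.0:* LISTEN 7797/qpidd'

echo "before, non-SSL listeners:"
printf '%s\n' "$SAMPLE_BEFORE" | qpidd_non_ssl_listeners
if printf '%s\n' "$SAMPLE_AFTER" | qpidd_ssl_only; then
    echo "after: qpidd listens on the SSL port only"
fi
```

On a live host, pipe the output of netstat -anp into either function; run netstat as root, otherwise the PID/program column shows "-" for other users' processes and the qpidd sockets are not matched.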
Tested on RHEL6 (both i386 and x86_64). This new feature is implemented and works as expected.

Packages used for testing:

python-qpid-0.22-4.el6
python-qpid-qmf-0.22-9.el6
qpid-cpp-client-0.22-11.el6
qpid-cpp-client-devel-0.22-11.el6
qpid-cpp-client-devel-docs-0.22-11.el6
qpid-cpp-client-ssl-0.22-11.el6
qpid-cpp-server-0.22-11.el6
qpid-cpp-server-devel-0.22-11.el6
qpid-cpp-server-ssl-0.22-11.el6
qpid-cpp-server-store-0.22-11.el6
qpid-cpp-server-xml-0.22-11.el6
qpid-java-client-0.22-5.el6
qpid-java-common-0.22-5.el6
qpid-java-example-0.22-5.el6
qpid-jca-0.22-1.el6
qpid-jca-xarecovery-0.22-1.el6
qpid-proton-c-0.4-2.2.el6
qpid-qmf-0.22-9.el6
qpid-tools-0.22-3.el6

-> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2014-1296.html