Description of problem:
Bug 751845 adds the possibility to multiplex TCP and SSL traffic on a single port by specifying the same port number to --port and --ssl-port. Recent tests showed that the broker may start without listening to any port (!) when the TCP port is shared and the SSL certificate is not valid...

[root@hp-xw8400-01 qpid_ptest_ssl]# qpidd --auth yes --require-encryption yes --ssl-require-client-authentication yes --log-enable info+ --port 5672 --ssl-port 5673 --ssl-cert-password-file /root/qpid_ptest_ssl/CA_db_A/pswdfile --ssl-cert-db /root/qpid_ptest_ssl/CA_db_A --ssl-cert-name hp-xw8400-01... --data-dir /root/qpid_ptest_ssl/rhts_qpidd/broker.a
...
2012-01-16 07:36:05 info SASL: no config path set - using default.
2012-01-16 07:36:05 info SASL enabled
2012-01-16 07:36:05 info Listening to: [::]:5672
2012-01-16 07:36:05 info Listening to: 0.0.0.0:5672
2012-01-16 07:36:05 notice Listening on TCP/TCP6 port 5672
2012-01-16 07:36:05 info Policy file not specified. ACL Disabled, no ACL checking being done!
2012-01-16 07:36:05 error Failed to initialise SSL plugin: Failed to load certificate 'hp-xw8400-01...' (qpid/sys/ssl/SslSocket.cpp:184)
2012-01-16 07:36:05 notice Broker running
2012-01-16 07:36:10 notice Shut down
[root@hp-xw8400-01 qpid_ptest_ssl]#
[root@hp-xw8400-01 qpid_ptest_ssl]# netstat -nlp | grep qpidd
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 16061/qpidd
tcp 0 0 :::5672 :::* LISTEN 16061/qpidd
[root@hp-xw8400-01 qpid_ptest_ssl]#
[root@hp-xw8400-01 qpid_ptest_ssl]#
[root@hp-xw8400-01 qpid_ptest_ssl]# qpidd --auth yes --require-encryption yes --ssl-require-client-authentication yes --log-enable info+ --port 5672 --ssl-port 5672 --ssl-cert-password-file /root/qpid_ptest_ssl/CA_db_B/pswdfile --ssl-cert-db /root/qpid_ptest_ssl/CA_db_B --ssl-cert-name hp-xw8400-01... --data-dir /root/qpid_ptest_ssl/rhts_qpidd/broker.a
...
2012-01-16 07:36:22 info SASL: no config path set - using default.
2012-01-16 07:36:22 info SASL enabled
2012-01-16 07:36:22 notice SSL multiplexing enabled
2012-01-16 07:36:22 info Policy file not specified. ACL Disabled, no ACL checking being done!
2012-01-16 07:36:22 error Failed to initialise SSL plugin: Failed to load certificate 'hp-xw8400-01...' (qpid/sys/ssl/SslSocket.cpp:184)
2012-01-16 07:36:22 notice Broker running
[root@hp-xw8400-01 qpid_ptest_ssl]# netstat -nlp | grep qpidd
[root@hp-xw8400-01 qpid_ptest_ssl]#

#hp-xw8400-01's FQDN shortened to hp-xw8400-01...

The above cases demonstrate that the SSL traffic multiplexing feature introduced a case where the broker is up and running but does not listen on any port! This behavior may easily lead to confusion and can be interpreted as a malfunctioning state.

In the following case ...

qpidd --auth yes --require-encryption yes --ssl-require-client-authentication yes --log-enable info+ --port 5672 --ssl-port 5672 --ssl-cert-password-file A --ssl-cert-db A --ssl-cert-name A --data-dir /root/qpid_ptest_ssl/rhts_qpidd/broker.a

(request to share traffic on a single port, and the SSL database and/or cert name is invalid) the broker should start up and listen on the TCP port only, i.e. refuse to enter multiplexing mode.

Version-Release number of selected component (if applicable):
python-qpid-0.14-1.el5
python-qpid-qmf-0.14-2.el5
qpid-cpp-client-0.14-4.el5
qpid-cpp-client-devel-0.14-4.el5
qpid-cpp-client-devel-docs-0.14-4.el5
qpid-cpp-client-rdma-0.14-4.el5
qpid-cpp-client-ssl-0.14-4.el5
qpid-cpp-mrg-debuginfo-0.14-4.el5
qpid-cpp-server-0.14-4.el5
qpid-cpp-server-cluster-0.14-4.el5
qpid-cpp-server-devel-0.14-4.el5
qpid-cpp-server-rdma-0.14-4.el5
qpid-cpp-server-ssl-0.14-4.el5
qpid-cpp-server-store-0.14-4.el5
qpid-cpp-server-xml-0.14-4.el5
qpid-java-client-0.14-1.el5
qpid-java-common-0.14-1.el5
qpid-java-example-0.14-1.el5
qpid-qmf-0.14-2.el5
qpid-qmf-debuginfo-0.14-2.el5
qpid-qmf-devel-0.14-2.el5
qpid-tests-0.14-1.el5
qpid-tools-0.14-1.el5
ruby-qpid-qmf-0.14-2.el5

How reproducible:
100%

Steps to Reproduce:
1. qpidd --auth yes --require-encryption yes --ssl-require-client-authentication yes --log-enable info+ --port 5672 --ssl-port 5672 --ssl-cert-password-file A --ssl-cert-db A --ssl-cert-name A --data-dir /root/qpid_ptest_ssl/rhts_qpidd/broker.a
2. netstat -nlp | grep qpidd
3. broker not listening on any port

Actual results:
It is possible to launch the broker in a mode where it does not listen to any ports. This is a bad condition.

Expected results:
The broker should not start in a mode where it is not listening to any port. In the configuration described above, the broker should drop SSL multiplexing and continue with normal TCP port operation (or eventually shut down with an error message).

Additional info:
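As an added post-start check (not part of this bug report or of the qpid project), the following shell functions detect the "Broker running" without "Listening to:" state from the qpidd log and confirm from netstat output that the configured port is actually bound; the sample log and netstat lines are copied from the sessions above.

```shell
# Added example (not from the bug report): detect a qpidd broker that reports
# "Broker running" without ever logging a listener, and confirm via netstat
# that the configured port is actually bound. Sample input below is copied
# from the sessions in the report (certificate name shortened as there).

# Exit 0: at least one "Listening to:" line accompanied "Broker running".
# Exit 1: broker running but no listener (the shared-port SSL failure case).
# Exit 2: log never reported "Broker running".
qpidd_listen_state() {
    log="$1"
    running=$(printf '%s\n' "$log" | grep -c 'notice Broker running' || true)
    listening=$(printf '%s\n' "$log" | grep -c 'info Listening to: ' || true)
    ssl_fail=$(printf '%s\n' "$log" | grep -c 'Failed to initialise SSL plugin' || true)
    [ "$running" -gt 0 ] || return 2
    if [ "$listening" -eq 0 ]; then
        if [ "$ssl_fail" -gt 0 ]; then
            echo "qpidd running with no listener: SSL plugin failed on a shared port" >&2
        else
            echo "qpidd running with no listener" >&2
        fi
        return 1
    fi
    return 0
}

# Print the local ports qpidd has in LISTEN state, given 'netstat -nlp' output.
# Handles both "0.0.0.0:5672" and ":::5672" by taking the last ':'-separated field.
qpidd_ports_from_netstat() {
    printf '%s\n' "$1" | awk '/LISTEN/ && /qpidd/ { n = split($4, a, ":"); print a[n] }' | sort -u
}

# Exit 0 when the expected port ($1) appears among qpidd's listeners in $2.
qpidd_port_listening() {
    qpidd_ports_from_netstat "$2" | grep -qx "$1"
}

# Sample data copied from the report: the TCP-only start (SSL failed, TCP still
# up), the shared-port start with no listener at all, and the TCP-only netstat.
LOG_TCP_ONLY='2012-01-16 07:36:05 info Listening to: [::]:5672
2012-01-16 07:36:05 info Listening to: 0.0.0.0:5672
2012-01-16 07:36:05 notice Listening on TCP/TCP6 port 5672
2012-01-16 07:36:05 error Failed to initialise SSL plugin: Failed to load certificate
2012-01-16 07:36:05 notice Broker running'
LOG_NO_LISTENER='2012-01-16 07:36:22 notice SSL multiplexing enabled
2012-01-16 07:36:22 error Failed to initialise SSL plugin: Failed to load certificate
2012-01-16 07:36:22 notice Broker running'
NETSTAT_TCP_ONLY='tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 16061/qpidd
tcp 0 0 :::5672 :::* LISTEN 16061/qpidd'
```

In a service wrapper, run qpidd_listen_state over the broker log after "Broker running" appears and qpidd_port_listening against the --port value, and treat either failure as a failed start.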
This issue should now be fixed upstream on trunk in r1478510; this should be available in the 0.24 release.
observed bug behavior on latest-stable packages (see below)
observed fix behavior on latest-and-greatest

----> verified

packages {
  latest stable {
    cyrus-sasl-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
    python-qpid-0.18-4.el6.noarch
    python-qpid-qmf-0.18-15.el6.x86_64
    python-saslwrapper-0.18-1.el6_3.x86_64
    qpid-cpp-client-0.18-14.el6.x86_64
    qpid-cpp-client-devel-0.18-14.el6.x86_64
    qpid-cpp-client-devel-docs-0.18-14.el6.noarch
    qpid-cpp-client-rdma-0.18-14.el6.x86_64
    qpid-cpp-client-ssl-0.18-14.el6.x86_64
    qpid-cpp-debuginfo-0.14-22.el6_3.x86_64
    qpid-cpp-server-0.18-14.el6.x86_64
    qpid-cpp-server-cluster-0.18-14.el6.x86_64
    qpid-cpp-server-devel-0.18-14.el6.x86_64
    qpid-cpp-server-rdma-0.18-14.el6.x86_64
    qpid-cpp-server-ssl-0.18-14.el6.x86_64
    qpid-cpp-server-store-0.18-14.el6.x86_64
    qpid-cpp-server-xml-0.18-14.el6.x86_64
    qpid-java-client-0.18-7.el6.noarch
    qpid-java-common-0.18-7.el6.noarch
    qpid-java-example-0.18-7.el6.noarch
    qpid-jca-0.18-8.el6.noarch
    qpid-jca-xarecovery-0.18-8.el6.noarch
    qpid-proton-c-0.4-2.2.el6.x86_64
    qpid-proton-c-devel-0.4-2.2.el6.x86_64
    qpid-qmf-0.18-15.el6.x86_64
    qpid-qmf-debuginfo-0.14-14.el6_3.x86_64
    qpid-qmf-devel-0.18-15.el6.x86_64
    qpid-tests-0.18-2.el6.noarch
    qpid-tools-0.18-8.el6.noarch
    ruby-qpid-qmf-0.18-15.el6.x86_64
    saslwrapper-0.18-1.el6_3.x86_64
    saslwrapper-devel-0.18-1.el6_3.x86_64
  }
  latest-and-greatest {
    cyrus-sasl-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
    perl-qpid-0.22-5.el6.x86_64
    python-qpid-0.22-4.el6.noarch
    python-qpid-qmf-0.22-9.el6.x86_64
    python-saslwrapper-0.22-3.el6.x86_64
    qpid-cpp-client-0.22-11.el6.x86_64
    qpid-cpp-client-devel-0.22-11.el6.x86_64
    qpid-cpp-client-devel-docs-0.22-11.el6.noarch
    qpid-cpp-client-rdma-0.22-11.el6.x86_64
    qpid-cpp-client-ssl-0.22-11.el6.x86_64
    qpid-cpp-debuginfo-0.22-11.el6.x86_64
    qpid-cpp-server-0.22-11.el6.x86_64
    qpid-cpp-server-devel-0.22-11.el6.x86_64
    qpid-cpp-server-ha-0.22-11.el6.x86_64
    qpid-cpp-server-rdma-0.22-11.el6.x86_64
    qpid-cpp-server-ssl-0.22-11.el6.x86_64
    qpid-cpp-server-store-0.22-11.el6.x86_64
    qpid-cpp-server-xml-0.22-11.el6.x86_64
    qpid-cpp-tar-0.22-11.el6.noarch
    qpid-java-client-0.22-5.el6.noarch
    qpid-java-common-0.22-5.el6.noarch
    qpid-java-example-0.22-5.el6.noarch
    qpid-proton-c-0.4-2.2.el6.x86_64
    qpid-proton-c-devel-0.4-2.2.el6.x86_64
    qpid-proton-debuginfo-0.4-2.2.el6.x86_64
    qpid-qmf-0.22-9.el6.x86_64
    qpid-qmf-debuginfo-0.22-9.el6.x86_64
    qpid-qmf-devel-0.22-9.el6.x86_64
    qpid-snmpd-1.0.0-12.el6.x86_64
    qpid-snmpd-debuginfo-1.0.0-12.el6.x86_64
    qpid-tests-0.22-4.el6.noarch
    qpid-tools-0.22-3.el6.noarch
    rh-qpid-cpp-tests-0.22-11.el6.x86_64
    ruby-qpid-0.7.946106-2.el6.x86_64
    saslwrapper-0.22-3.el6.x86_64
    saslwrapper-devel-0.22-3.el6.x86_64
  }
}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2014-1296.html