
Bug 842791

Summary: ssl broker crash if requested domain name does not match the server's certificate
Product: Red Hat Enterprise MRG
Reporter: Petr Matousek <pematous>
Component: qpid-cpp
Assignee: messaging-bugs <messaging-bugs>
Status: CLOSED DUPLICATE
QA Contact: MRG Quality Engineering <mrgqe-bugs>
Severity: high
Priority: unspecified
Version: Development
CC: astitcher, jross, lzhaldyb, sgraf
Target Milestone: 2.2
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-07-25 17:37:37 UTC

Attachments:
- broker log (flags: none)
- reproducer script (flags: none)

Description Petr Matousek 2012-07-24 15:39:16 UTC
Created attachment 600059: broker log

Description of problem:

Set up the broker to support SSL encryption.

Generate the cert db and self-trusted certificate according to the documentation, using the host FQDN as the NICKNAME.
(i.e. certutil -S -d ${CERT_DIR} -n <host_fqdn> -s "CN=<host_fqdn>" -t "CT,," -x -f)

After the broker is started, try to connect with a client using SSL.
When the FQDN is supplied to the client, everything works well:
qpid-perftest -p 5671 -b <host_fqdn> --log-enable=info+ --count 100 -s -P ssl

but if localhost (or the default) is used instead of the FQDN, the broker crashes,
i.e.:
qpid-perftest -p 5671 -b localhost --log-enable=info+ --count 100 -s -P ssl
qpid-perftest -p 5671 --log-enable=info+ --count 100 -s -P ssl

It is expected that qpid-perftest execution fails, but the broker shall definitely not crash.

Please see additional info for core dump.
Broker log is attached.

Version-Release number of selected component (if applicable):
qpid-cpp-*-0.14-18.el5

How reproducible:
100%

Steps to Reproduce:
1. set up the broker to support SSL encryption according to the doc (use the FQDN as NICKNAME)
2. set up the SSL client environment variables according to the doc
3. run the client using the FQDN as broker host
# qpid-perftest -p 5671 -b <host_fqdn> --log-enable=info+ --count 100 -s -P ssl
2012-07-24 17:59:00 info Connection [58485 10.34.37.228:5671] connected to ssl:dhcp-37-228.lab.eng.brq.redhat.com:5671
2012-07-24 17:59:00 info Connection [58486 10.34.37.228:5671] connected to ssl:dhcp-37-228.lab.eng.brq.redhat.com:5671
2012-07-24 17:59:00 info Connection [58487 10.34.37.228:5671] connected to ssl:dhcp-37-228.lab.eng.brq.redhat.com:5671
2012-07-24 17:59:00 info Connection [58488 10.34.37.228:5671] connected to ssl:dhcp-37-228.lab.eng.brq.redhat.com:5671
546.917	260.379	755.675	0.737964
4. run the client using localhost as broker host
# qpid-perftest -p 5671 -b localhost --log-enable=info+ --count 100 -s -P ssl
Failed: Unable to communicate securely with peer: requested domain name does not match the server's certificate. [-12276] (qpid/sys/ssl/SslSocket.cpp:162)
5. broker Segmentation fault
  
Actual results:
Broker crash

Expected results:
Client is informed that the requested domain name does not match the server's certificate, but the broker does not crash

Additional info:

Core was generated by `qpidd --auth=no --ssl-cert-password-file /var/lib/qpidd/CA_db1/ssl_pw_file --ss'.
Program terminated with signal 11, Segmentation fault.
#0  0x000000000f438220 in ?? ()
(gdb) info thread
  3 Thread 0x2aaf45793040 (LWP 32446)  0x0000003b81ad3648 in epoll_wait () from /lib64/libc.so.6
  2 Thread 32448  0x0000003b81ad3648 in epoll_wait () from /lib64/libc.so.6
* 1 Thread 0x4192e940 (LWP 32447)  0x000000000f438220 in ?? ()
(gdb) thread apply all bt

Thread 3 (Thread 0x2aaf45793040 (LWP 32446)):
#0  0x0000003b81ad3648 in epoll_wait () from /lib64/libc.so.6
#1  0x0000003c09534931 in qpid::sys::Poller::wait (this=0xf3c6650, timeout=<value optimized out>) at qpid/sys/epoll/EpollPoller.cpp:568
#2  0x0000003c095353a7 in qpid::sys::Poller::run (this=0xf3c6650) at qpid/sys/epoll/EpollPoller.cpp:520
#3  0x0000003c09b37d76 in qpid::broker::Broker::run (this=<value optimized out>) at qpid/broker/Broker.cpp:398
#4  0x000000000040741c in QpiddBroker::execute (this=<value optimized out>, options=0xf355080) at posix/QpiddBroker.cpp:195
#5  0x00000000004058d7 in run_broker (argc=18, argv=0x7fffac99c528, hidden=<value optimized out>) at qpidd.cpp:83
#6  0x0000003b81a1d994 in __libc_start_main () from /lib64/libc.so.6
#7  0x0000000000405329 in _start ()

Thread 2 (Thread 32448):
#0  0x0000003b81ad3648 in epoll_wait () from /lib64/libc.so.6
#1  0x0000003c09534931 in qpid::sys::Poller::wait (this=0xf3c6650, timeout=<value optimized out>) at qpid/sys/epoll/EpollPoller.cpp:568
#2  0x0000003c095353a7 in qpid::sys::Poller::run (this=0xf3c6650) at qpid/sys/epoll/EpollPoller.cpp:520
#3  0x0000003c0952c4aa in qpid::sys::(anonymous namespace)::runRunnable (p=0x6) at qpid/sys/posix/Thread.cpp:35
#4  0x0000003b8220677d in start_thread () from /lib64/libpthread.so.0
#5  0x0000003b81ad325d in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x4192e940 (LWP 32447)):
#0  0x000000000f438220 in ?? ()
#1  0x00002aaf466209a5 in qpid::sys::ssl::ProtocolTimeoutTask::fire (this=0xf578500) at qpid/sys/ssl/SslHandler.cpp:59
#2  0x0000003c096109d0 in qpid::sys::Timer::fire (this=<value optimized out>, t=...) at qpid/sys/Timer.cpp:195
#3  0x0000003c09612cc9 in qpid::sys::Timer::run (this=0xf3c6a60) at qpid/sys/Timer.cpp:129
#4  0x0000003c0952c4aa in qpid::sys::(anonymous namespace)::runRunnable (p=0xf439490) at qpid/sys/posix/Thread.cpp:35
#5  0x0000003b8220677d in start_thread () from /lib64/libpthread.so.0
#6  0x0000003b81ad325d in clone () from /lib64/libc.so.6
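
The backtrace above ends in Timer::fire -> ProtocolTimeoutTask::fire -> an unresolvable address, which is the shape a timer task produces when it fires after the object it points to is gone. The report does not state the root cause; the following is an added illustration of that general lifetime hazard and how a timeout task can be made safe against it. It is not qpid-cpp code: SslHandler, TimerTask, ProtocolTimeoutTask and the "client disconnected before sending a protocol header" scenario are stand-ins assumed for the example.

```cpp
#include <memory>

// Hypothetical stand-ins for the broker's SSL handler and timer task
// (illustration only, not qpid-cpp code).
struct SslHandler {
    bool aborted = false;
    void abortConnection() { aborted = true; }  // no AMQP header arrived in time
};

struct TimerTask {
    virtual ~TimerTask() {}
    virtual void fire() = 0;
};

// The timeout task keeps only a weak reference to the handler. If the
// connection was already torn down (e.g. the client rejected the server
// certificate and disconnected before sending a protocol header), lock()
// yields null and fire() is a harmless no-op instead of a call through a
// dangling pointer.
struct ProtocolTimeoutTask : TimerTask {
    std::weak_ptr<SslHandler> handler;
    bool firedOnLiveHandler = false;
    explicit ProtocolTimeoutTask(const std::shared_ptr<SslHandler>& h) : handler(h) {}
    void fire() override {
        if (std::shared_ptr<SslHandler> h = handler.lock()) {
            h->abortConnection();
            firedOnLiveHandler = true;
        }
        // else: handler already destroyed, nothing to abort
    }
};

// Assumed scenario: the client disconnects after rejecting the certificate,
// the handler is destroyed, and the pending timeout fires afterwards.
bool timeoutAfterDisconnectIsSafe() {
    std::shared_ptr<SslHandler> handler = std::make_shared<SslHandler>();
    ProtocolTimeoutTask task(handler);
    handler.reset();   // connection closed; last owner released the handler
    task.fire();       // must not touch freed memory
    return !task.firedOnLiveHandler;
}

// Normal case: the connection is still open when the timeout fires.
bool timeoutOnLiveConnectionAborts() {
    std::shared_ptr<SslHandler> handler = std::make_shared<SslHandler>();
    ProtocolTimeoutTask task(handler);
    task.fire();
    return task.firedOnLiveHandler && handler->aborted;
}
```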

Comment 1 Leonid Zhaldybin 2012-07-24 15:47:37 UTC
Created attachment 600061: reproducer script

Comment 2 Leonid Zhaldybin 2012-07-24 15:53:18 UTC
RHEL6 version (qpid-cpp-*-0.14-18.el6_3) is also affected by this bug. Running the above reproducer on RHEL5/RHEL6 (both i686 and x86_64) leads to qpidd dumping core.

Comment 3 Andrew Stitcher 2012-07-25 17:37:37 UTC

*** This bug has been marked as a duplicate of bug 840031 ***