Posted to commits@activemq.apache.org by "Guy Allard (Created) (JIRA)" <ji...@apache.org> on 2012/04/07 21:26:16 UTC
[jira] [Created] (APLO-186) Using ?client_auth=need Still Allows
SSL Connections with no Client Cert
Using ?client_auth=need Still Allows SSL Connections with no Client Cert
------------------------------------------------------------------------
Key: APLO-186
URL: https://issues.apache.org/jira/browse/APLO-186
Project: ActiveMQ Apollo
Issue Type: Bug
Components: apollo-broker
Affects Versions: 1.2
Environment: Ubuntu 11.10
java version "1.6.0_23"
OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2)
OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)
Apollo: apache-apollo-99-trunk-20120404.190241-13-unix-distro.tar.gz
Snips:
<authentication enabled="false"/>
<connector id="tls" bind="tls://0.0.0.0:62614?client_auth=need"
connection_limit="1000"/>
<key_storage file="${apollo.base}/etc/keystore" password="password" key_password="password" key_alias="servertj" />
Reporter: Guy Allard
Fix For: 1.2
Using the above configuration, when an SSL client connects and does *not* provide a certificate, the connection is allowed to proceed, and succeeds.
This is either:
a) a bug
b) a configuration issue
If the above configuration is insufficient for full SSL only authorization please advise on the requirements.
Thanks, Guy
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (APLO-186) Using ?client_auth=need Still Allows
SSL Connections with no Client Cert
Posted by "Guy Allard (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/APLO-186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13249316#comment-13249316 ]
Guy Allard commented on APLO-186:
---------------------------------
In case this is not viewable above, I am using:
apache-apollo-99-trunk-20120404.190241-13-unix-distro.tar.gz
[jira] [Resolved] (APLO-186) Using ?client_auth=need Still Allows
SSL Connections with no Client Cert
Posted by "Hiram Chirino (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/APLO-186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hiram Chirino resolved APLO-186.
--------------------------------
Resolution: Fixed
Assignee: Hiram Chirino
Yep. Seems it was only honoring the setting for the first connection to the broker. Should be fixed in tonight's nightly snapshot.
[jira] [Commented] (APLO-186) Using ?client_auth=need Still Allows
SSL Connections with no Client Cert
Posted by "Guy Allard (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/APLO-186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13250580#comment-13250580 ]
Guy Allard commented on APLO-186:
---------------------------------
Hiram - This works now, fails when it should, succeeds when it should. Thank you very much.
One comment: with Apollo, the exception I get out of the ruby SSL libraries has a message of:
- Connection reset by peer
If I run the failing test against AMQ, I get an exception message of:
- SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert bad certificate
I have no idea why. I believe 'reset by peer' is very ambiguous - I can see that on normal TCP connections.
Plus I am not sure how you would affect that.
In any case thanks for the effort on this problem for proper connection failures.
Regards, Guy
[jira] [Commented] (APLO-186) Using ?client_auth=need Still Allows
SSL Connections with no Client Cert
Posted by "Guy Allard (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/APLO-186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13250409#comment-13250409 ]
Guy Allard commented on APLO-186:
---------------------------------
Hiram - That sounds right now that I think about it.
My test bed retries failing connections a specified number of times.
With a freshly started broker I am seeing one connect fail, and the retry succeed. And no connect ever fails at all after that.
I will get the snapshot tomorrow and test.
Thanks, Guy
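A regression check for the behaviour discussed in this thread, as an added example that is not part of the original messages or of Apollo: it makes several certificate-less TLS connections in a row and reports which attempts were let in, because the thread shows enforcement differing between the first connection and later ones. The listener is a local stand-in built with Ruby's OpenSSL bindings; all function names and the throwaway certificate are constructed for illustration.

```ruby
require 'openssl'
require 'socket'
# Constructed throwaway self-signed identity, generated at run time.
def make_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Local stand-in for a TLS connector (hypothetical, not Apollo); returns its port.
def start_listener(need_client_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.key, ctx.cert = make_identity
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT if need_client_cert
  server = OpenSSL::SSL::SSLServer.new(TCPServer.new('127.0.0.1', 0), ctx)
  Thread.new do
    loop do
      conn = server.accept # handshake runs here and raises on rejection
      conn.write("ok\n")
      conn.close
    rescue StandardError # a rejected handshake must not stop the listener
    end
  end
  server.to_io.addr[1]
end

# True if a client presenting no certificate ends up with an open TLS session.
def certless_connect_accepted?(host, port, wait = 2)
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, OpenSSL::SSL::SSLContext.new)
  ssl.connect
  # TLS 1.3 can finish client-side before the server rejects: wait for its next move.
  IO.select([tcp], nil, nil, wait)
  !ssl.read_nonblock(1, exception: false).nil? # nil = EOF; data or silence = open
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
  false
ensure
  tcp&.close
end

# Attempt numbers on which the certificate-less client was let in.
def certless_acceptances(host, port, attempts = 5)
  (1..attempts).select { certless_connect_accepted?(host, port) }
end
```

Against a real connector, pass the broker's host and port to `certless_acceptances`; an empty result means every certificate-less attempt was refused, whether the refusal surfaced as a TLS alert or as a connection reset.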