You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Dawid (JIRA)" <ji...@apache.org> on 2019/01/24 14:50:00 UTC
[jira] [Updated] (AMQNET-572) Failover crashes when AMQ Server
enforces TLS 1.2
[ https://issues.apache.org/jira/browse/AMQNET-572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dawid updated AMQNET-572:
-------------------------
Attachment: failoverSslContext.patch
> Failover crashes when AMQ Server enforces TLS 1.2
> -------------------------------------------------
>
> Key: AMQNET-572
> URL: https://issues.apache.org/jira/browse/AMQNET-572
> Project: ActiveMQ .Net
> Issue Type: Bug
> Reporter: Dan Taflin
> Priority: Critical
> Attachments: Archivos-1.zip, failoverSslContext.patch
>
>
> When using the FailoverTransport with underlying SslTransports, and specifying Tls12 as the SslProtocol, the initial connection to the ActiveMQ server succeeds in establishing a TLS v1.2 session. But upon failover, when it tries to reconnect, the Tls12 specification is lost and the NMS client reverts to the default, which appears to be TLS 1.0.
> The consequence is that it is impossible to enforce TLS 1.2 on the server, because although the initial connection would succeed, subsequent ones crash the client.
> Here's a sample failover transport URL:
> {{failover:(ssl://server1.example.com:61616?transport.sslProtocol=Tls12,ssl://server2.example.com:61616?transport.sslProtocol=Tls12)}}
> I've traced the issue to the FailoverTransport.DoConnect() method, which, when obtaining the ConnectList in order to obtain a url to connect to, obtains a url without a querystring. So in the above example, transport.sslProtocol=Tls12 is gone. The source of this truncated url is the ConnectionControl command marshalled from the server.
> The solution would seem to be to create an SslContext class to keep track of the sslProtocol, similar to how the java version works. I have built a working prototype for us to use locally and would be willing to make it available.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)