You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Armin Noll (JIRA)" <qp...@incubator.apache.org> on 2010/04/20 14:29:51 UTC
[jira] Created: (QPID-2518) Qpid C++ broker can easily be blocked
by client trying to connect over SSL port
Qpid C++ broker can easily be blocked by client trying to connect over SSL port
-------------------------------------------------------------------------------
Key: QPID-2518
URL: https://issues.apache.org/jira/browse/QPID-2518
Project: Qpid
Issue Type: Bug
Components: C++ Broker
Environment: Red Hat Enterprise MRG 1.2
Reporter: Armin Noll
We are running a C++ broker as deamon with the following configuration:
log-enable=info+
log-to-file=/var/lib/qpidd/op_prod09/data/0097/qpidd.log
log-to-syslog=no
auth=yes
acl-file=qpidd.acl
realm=QPID0097
data-dir=/var/lib/qpidd/op_prod09/data/0097
pid-dir=/var/lib/qpidd/op_prod09/data/0097
port=20097
wait=30
num-jfiles=4
jfile-size-pgs=1
wcache-page-size=128
tpl-num-jfiles=4
tpl-jfile-size-pgs=1
tpl-wcache-page-size=128
ssl-cert-db=/var/lib/qpidd/op_prod09/data/0097
ssl-port=10097
ssl-cert-name=RGC001
ssl-cert-password-file=/var/lib/qpidd/op_prod09/data/0097/amq_cert_db.pwd
ssl-require-client-authentication=yes
cluster-name=QPID0097
cluster-url=amqp:tcp:172.16.45.198:20097
cluster-username=xxxxx
cluster-password=xxxxx
We tried to connect an application to the SSL port which does not "talk" the correct protocol. We simply used telnet:
$ telnet 172.16.45.198 10097
The result was (we waited at least 30 min, then killed the process running telnet):
The broker doesn't react anymore, no more new client connections can be established, the broker even cannot be stopped with "qpidd -p 20097 -q".
This way anybody in the world could easily block our service provided over a Qpid broker.
Is there a way to get around this?
This issue has also been reported as Red Hat service request no. 2014266.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-2518) Qpid C++ broker can easily be blocked
by client trying to connect over SSL port
Posted by "Gordon Sim (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859248#action_12859248 ]
Gordon Sim commented on QPID-2518:
----------------------------------
A further measure would be to have a configurable timeout for connections that do not complete the handshake and disconnect them.
> Qpid C++ broker can easily be blocked by client trying to connect over SSL port
> -------------------------------------------------------------------------------
>
> Key: QPID-2518
> URL: https://issues.apache.org/jira/browse/QPID-2518
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Environment: Red Hat Enterprise MRG 1.2
> Reporter: Armin Noll
>
> We are running a C++ broker as deamon with the following configuration:
>
> log-enable=info+
> log-to-file=/var/lib/qpidd/op_prod09/data/0097/qpidd.log
> log-to-syslog=no
> auth=yes
> acl-file=qpidd.acl
> realm=QPID0097
> data-dir=/var/lib/qpidd/op_prod09/data/0097
> pid-dir=/var/lib/qpidd/op_prod09/data/0097
> port=20097
> wait=30
> num-jfiles=4
> jfile-size-pgs=1
> wcache-page-size=128
> tpl-num-jfiles=4
> tpl-jfile-size-pgs=1
> tpl-wcache-page-size=128
> ssl-cert-db=/var/lib/qpidd/op_prod09/data/0097
> ssl-port=10097
> ssl-cert-name=RGC001
> ssl-cert-password-file=/var/lib/qpidd/op_prod09/data/0097/amq_cert_db.pwd
> ssl-require-client-authentication=yes
> cluster-name=QPID0097
> cluster-url=amqp:tcp:172.16.45.198:20097
> cluster-username=xxxxx
> cluster-password=xxxxx
>
> We tried to connect an application to the SSL port which does not "talk" the correct protocol. We simply used telnet:
> $ telnet 172.16.45.198 10097
>
> The result was (we waited at least 30 min, then killed the process running telnet):
> The broker doesn't react anymore, no more new client connections can be established, the broker even cannot be stopped with "qpidd -p 20097 -q".
>
> This way anybody in the world could easily block our service provided over a Qpid broker.
> Is there a way to get around this?
> This issue has also been reported as Red Hat service request no. 2014266.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-2518) Qpid C++ broker can easily be blocked
by client trying to connect over SSL port
Posted by "Gordon Sim (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859250#action_12859250 ]
Gordon Sim commented on QPID-2518:
----------------------------------
See also https://issues.apache.org/jira/browse/QPID-2083 and note that r790291 makes the error handling less meaningful.
> Qpid C++ broker can easily be blocked by client trying to connect over SSL port
> -------------------------------------------------------------------------------
>
> Key: QPID-2518
> URL: https://issues.apache.org/jira/browse/QPID-2518
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Environment: Red Hat Enterprise MRG 1.2
> Reporter: Armin Noll
>
> We are running a C++ broker as deamon with the following configuration:
>
> log-enable=info+
> log-to-file=/var/lib/qpidd/op_prod09/data/0097/qpidd.log
> log-to-syslog=no
> auth=yes
> acl-file=qpidd.acl
> realm=QPID0097
> data-dir=/var/lib/qpidd/op_prod09/data/0097
> pid-dir=/var/lib/qpidd/op_prod09/data/0097
> port=20097
> wait=30
> num-jfiles=4
> jfile-size-pgs=1
> wcache-page-size=128
> tpl-num-jfiles=4
> tpl-jfile-size-pgs=1
> tpl-wcache-page-size=128
> ssl-cert-db=/var/lib/qpidd/op_prod09/data/0097
> ssl-port=10097
> ssl-cert-name=RGC001
> ssl-cert-password-file=/var/lib/qpidd/op_prod09/data/0097/amq_cert_db.pwd
> ssl-require-client-authentication=yes
> cluster-name=QPID0097
> cluster-url=amqp:tcp:172.16.45.198:20097
> cluster-username=xxxxx
> cluster-password=xxxxx
>
> We tried to connect an application to the SSL port which does not "talk" the correct protocol. We simply used telnet:
> $ telnet 172.16.45.198 10097
>
> The result was (we waited at least 30 min, then killed the process running telnet):
> The broker doesn't react anymore, no more new client connections can be established, the broker even cannot be stopped with "qpidd -p 20097 -q".
>
> This way anybody in the world could easily block our service provided over a Qpid broker.
> Is there a way to get around this?
> This issue has also been reported as Red Hat service request no. 2014266.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-2518) Qpid C++ broker can easily be blocked
by client trying to connect over SSL port
Posted by "Gordon Sim (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859035#action_12859035 ]
Gordon Sim commented on QPID-2518:
----------------------------------
I believe this is addressed by http://svn.apache.org/viewvc?view=revision&revision=790291.
> Qpid C++ broker can easily be blocked by client trying to connect over SSL port
> -------------------------------------------------------------------------------
>
> Key: QPID-2518
> URL: https://issues.apache.org/jira/browse/QPID-2518
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Environment: Red Hat Enterprise MRG 1.2
> Reporter: Armin Noll
>
> We are running a C++ broker as deamon with the following configuration:
>
> log-enable=info+
> log-to-file=/var/lib/qpidd/op_prod09/data/0097/qpidd.log
> log-to-syslog=no
> auth=yes
> acl-file=qpidd.acl
> realm=QPID0097
> data-dir=/var/lib/qpidd/op_prod09/data/0097
> pid-dir=/var/lib/qpidd/op_prod09/data/0097
> port=20097
> wait=30
> num-jfiles=4
> jfile-size-pgs=1
> wcache-page-size=128
> tpl-num-jfiles=4
> tpl-jfile-size-pgs=1
> tpl-wcache-page-size=128
> ssl-cert-db=/var/lib/qpidd/op_prod09/data/0097
> ssl-port=10097
> ssl-cert-name=RGC001
> ssl-cert-password-file=/var/lib/qpidd/op_prod09/data/0097/amq_cert_db.pwd
> ssl-require-client-authentication=yes
> cluster-name=QPID0097
> cluster-url=amqp:tcp:172.16.45.198:20097
> cluster-username=xxxxx
> cluster-password=xxxxx
>
> We tried to connect an application to the SSL port which does not "talk" the correct protocol. We simply used telnet:
> $ telnet 172.16.45.198 10097
>
> The result was (we waited at least 30 min, then killed the process running telnet):
> The broker doesn't react anymore, no more new client connections can be established, the broker even cannot be stopped with "qpidd -p 20097 -q".
>
> This way anybody in the world could easily block our service provided over a Qpid broker.
> Is there a way to get around this?
> This issue has also been reported as Red Hat service request no. 2014266.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org