Posted to dev@qpid.apache.org by Cliff Jansen <cl...@gmail.com> on 2014/10/17 09:26:29 UTC
Review Request 26865: disable SSLV3 for proton-c with Windows SChannel
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26865/
-----------------------------------------------------------
Review request for qpid, Chug Rolke and Kenneth Giusti.
Bugs: PROTON-719
https://issues.apache.org/jira/browse/PROTON-719
Repository: qpid
Description
-------
Do not allow ssl v3 Proton connections even if user has set registry entries forcing SChannel to request/accept ssl v3.
Diffs
-----
http://svn.apache.org/repos/asf/qpid/proton/trunk/proton-c/src/windows/schannel.c 1632478
Diff: https://reviews.apache.org/r/26865/diff/
Testing
-------
Windows XP -> Windows 8.1
32/64 bit
VS2008->VS2013
VS2008 failed first attempt for fix
Thanks,
Cliff Jansen
Re: Review Request 26865: disable SSLV3 for proton-c with Windows SChannel
Posted by Kenneth Giusti <kg...@apache.org>.
> On Oct. 17, 2014, 1:10 p.m., Chug Rolke wrote:
> > Compiles 2008/x86 and 2013/x64 but untested to see if it actually denies connection as claimed.
Hey Chuck - do you have access to a fedora/rhel system? If so, there's a command line tool called "openssl" that you can use to check whether the broker will accept or deny an ssl connection.
It's in the openssl rpm package.
To check, stand up the qpidd broker on windows configured for ssl. Then on your rhel box, run the openssl 's_client' subcommand. Something like this:
openssl s_client -connect <qpid host>:<ssl port> -ssl3
That should result in an error message being issued by the qpidd broker. The openssl s_client command will then dump some status, and the "crypto something or other" field should be zeros.
If you then try:
openssl s_client -connect <qpid host>:<ssl port> -tls1
You'll see the output will dump some strange hex numbers for session crypto etc, which indicates the negotiation was successful. More importantly, the connection to qpidd will succeed, but then time out with a 'no protocol received' error.
I'd do this, but happily I've been 100% windows free for a long time, and I'm not about to willingly be tossed off that particular wagon.
- Kenneth
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26865/#review57131
-----------------------------------------------------------
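The same accept/deny check as the s_client procedure in the message above, as an added example that is not part of the original thread or of the Proton code base. It sends a bare ClientHello offering exactly one protocol version and classifies the server's first reply, which helps when the local OpenSSL build was compiled without SSLv3 and has no `-ssl3` option. The function names and the cipher-suite list are assumptions chosen for illustration.

```python
import os
import socket
import struct

SSL3, TLS1_0 = (3, 0), (3, 1)
# Assumed suite list: AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA (valid in both versions).
SUITES = (0x002F, 0x0035, 0x000A, 0x0005)

def build_client_hello(version, rand=None):
    """Return one TLS record holding a ClientHello that offers exactly `version`."""
    rand = rand or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (bytes(version) + rand + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def classify_response(data, offered):
    """Map the server's first bytes to a (verdict, detail) pair."""
    if len(data) < 5:
        return ("rejected", "connection closed without a reply")
    if data[0] == 0x15 and len(data) >= 7:             # alert record: level, description
        return ("rejected", "alert level=%d description=%d" % (data[5], data[6]))
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        chosen = (data[9], data[10])                   # server_version in ServerHello
        verdict = "accepted" if chosen == tuple(offered) else "other-version"
        return (verdict, "ServerHello version %d.%d" % chosen)
    return ("unknown", "unexpected record type 0x%02x" % data[0])

def probe(host, port, version, timeout=5.0):
    """Offer `version` to host:port; connect errors and timeouts propagate as inconclusive."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version))
        try:
            data = s.recv(4096)
        except ConnectionResetError:                   # peer reset instead of sending an alert
            data = b""
    return classify_response(data, version)
```

With the fix in place, `probe(host, port, SSL3)` should return a "rejected" verdict and `probe(host, port, TLS1_0)` an "accepted" one; an "accepted" verdict for `SSL3` means the broker still negotiates SSLv3.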
Re: Review Request 26865: disable SSLV3 for proton-c with Windows SChannel
Posted by Chug Rolke <cr...@redhat.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26865/#review57131
-----------------------------------------------------------
Ship it!
Compiles 2008/x86 and 2013/x64 but untested to see if it actually denies connection as claimed.
- Chug Rolke
Re: Review Request 26865: disable SSLV3 for proton-c with Windows SChannel
Posted by Kenneth Giusti <kg...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26865/#review57137
-----------------------------------------------------------
Ship it!
Coordinated testing with crolke - verified sslv3 rejected!
- Kenneth Giusti