  1. ActiveMQ Artemis
  2. ARTEMIS-1919

artemis-core-client TLS SNI and verifyHost operation are not independent

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.0
    • Fix Version/s: 2.6.4, 2.7.0
    • Component/s: Broker
    • Labels:
      None
    • Environment:

      Fedora 27

      OpenJDK 1.8.0_171

      Artemis master i.e. 2.7.0-SNAPSHOT build

      OCP 3.9 running the default haproxy implementation

      Description

      In testing connecting to the broker using the core client via ./bin/artemis producer through a haproxy configured with a TLS passthrough configuration that requires SNI, it is observed that SNI information is not passed unless verifyHost is true, even if sniHost is set on the URI.

      It is noted that with sniHost specified, at the haproxy waypoint, if verifyHost=false haproxy bounces the traffic to the no sni backend. If verifyHost=true then haproxy passes it to the tcp backend and the traffic reaches the broker, at which point the connectivity fails.

      As a point of comparison, testing using the Qpid JMS client over AMQP with verifyHost = false this works without problem.
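
The independence this report asks for, shown with the JDK's own javax.net.ssl API as an added example (not Artemis code and not the fix applied for this issue): SNI is set through SSLParameters.setServerNames and hostname verification through setEndpointIdentificationAlgorithm, so neither has to gate the other. The class name, method name and host names are constructed for illustration.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Collections;
import java.util.List;

public class SniVerifyHostIndependence {

    // Builds a client-mode SSLEngine where SNI and hostname verification
    // are configured from two separate inputs, neither gating the other.
    // (Hypothetical helper; parameter names mirror the URI options in the report.)
    static SSLEngine clientEngine(String peerHost, int port, String sniHost,
                                  boolean verifyHost) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(peerHost, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();

        // SNI: set whenever a name is supplied, regardless of verifyHost.
        if (sniHost != null) {
            params.setServerNames(
                Collections.<SNIServerName>singletonList(new SNIHostName(sniHost)));
        }
        // Hostname verification: "HTTPS" enables the JDK's endpoint
        // identification; null leaves it disabled.
        params.setEndpointIdentificationAlgorithm(verifyHost ? "HTTPS" : null);

        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed host names, for illustration only.
        for (boolean verifyHost : new boolean[] {false, true}) {
            SSLEngine e = clientEngine("router.example.test", 443,
                                       "broker.example.test", verifyHost);
            SSLParameters p = e.getSSLParameters();
            List<SNIServerName> names = p.getServerNames();
            // The SNI list is populated in both iterations; only the
            // endpoint identification algorithm differs.
            System.out.println("verifyHost=" + verifyHost
                + " sni=" + names
                + " endpointId=" + p.getEndpointIdentificationAlgorithm());
        }
    }
}
```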

              People

              • Assignee:
                jbertram Justin Bertram
                Reporter:
                rkieley Roddie Kieley