Qpid / QPID-2518

Qpid C++ broker can easily be blocked by client trying to connect over SSL port

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.17
    • Component/s: C++ Broker
    • Labels:
      None
    • Environment:

      Red Hat Enterprise MRG 1.2

      Description

      We are running a C++ broker as a daemon with the following configuration:

      log-enable=info+
      log-to-file=/var/lib/qpidd/op_prod09/data/0097/qpidd.log
      log-to-syslog=no
      auth=yes
      acl-file=qpidd.acl
      realm=QPID0097
      data-dir=/var/lib/qpidd/op_prod09/data/0097
      pid-dir=/var/lib/qpidd/op_prod09/data/0097
      port=20097
      wait=30
      num-jfiles=4
      jfile-size-pgs=1
      wcache-page-size=128
      tpl-num-jfiles=4
      tpl-jfile-size-pgs=1
      tpl-wcache-page-size=128
      ssl-cert-db=/var/lib/qpidd/op_prod09/data/0097
      ssl-port=10097
      ssl-cert-name=RGC001
      ssl-cert-password-file=/var/lib/qpidd/op_prod09/data/0097/amq_cert_db.pwd
      ssl-require-client-authentication=yes
      cluster-name=QPID0097
      cluster-url=amqp:tcp:172.16.45.198:20097
      cluster-username=xxxxx
      cluster-password=xxxxx

      We tried to connect an application to the SSL port which does not "talk" the correct protocol. We simply used telnet:
      $ telnet 172.16.45.198 10097

      The result was (we waited at least 30 min, then killed the process running telnet):
      The broker doesn't react anymore, no more new client connections can be established, and the broker cannot even be stopped with "qpidd -p 20097 -q".

      This way anybody in the world could easily block our service provided over a Qpid broker.
      Is there a way to get around this?

      This issue has also been reported as Red Hat service request no. 2014266.
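
A regression check for the behaviour reported above, added here as an example and not part of the original report or of Qpid's code: it holds one silent connection open, as the telnet session did, and verifies that a second client is still served. The two toy listeners and the one-byte exchange are constructed stand-ins (assumptions), not qpidd's implementation.

```python
import socket
import threading

def start_listener(handle_inline):
    """Toy listener on an ephemeral localhost port (constructed, not qpidd).

    handle_inline=True: the accept loop itself waits for the client's first
    byte, so a single silent peer stalls every later connection.
    handle_inline=False: each connection gets its own thread and a read
    deadline, so a silent peer only ties up its own handler.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve(conn):
        try:
            conn.settimeout(None if handle_inline else 2.0)
            if conn.recv(1):              # wait for the first handshake byte
                conn.sendall(b"+")        # toy "handshake accepted" reply
        except OSError:
            pass                          # read deadline hit or peer reset
        finally:
            conn.close()

    def loop():
        while True:
            conn, _ = srv.accept()
            if handle_inline:
                serve(conn)               # blocks the accept loop
            else:
                threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def stays_responsive(host, port, deadline=1.0):
    """Hold one silent connection, then check that a second client is
    answered within `deadline` seconds."""
    silent = socket.create_connection((host, port), timeout=deadline)
    try:
        with socket.create_connection((host, port), timeout=deadline) as probe:
            probe.sendall(b"x")
            return probe.recv(1) == b"+"
    except OSError:                       # includes socket timeouts
        return False
    finally:
        silent.close()
```

To run the same check against a real broker's ssl-port, the probe's one-byte exchange would have to be replaced by a TLS handshake with a valid client certificate; that substitution is not shown here.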


            People

            • Assignee:
              Andrew Stitcher
              Reporter:
              Armin Noll