Qpid
  1. Qpid
  2. QPID-2518

Qpid C++ broker can easily be blocked by client trying to connect over SSL port

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.17
    • Component/s: C++ Broker
    • Labels:
      None
    • Environment:

      Red Hat Enterprise MRG 1.2

      Description

      We are running a C++ broker as deamon with the following configuration:

      log-enable=info+
      log-to-file=/var/lib/qpidd/op_prod09/data/0097/qpidd.log
      log-to-syslog=no
      auth=yes
      acl-file=qpidd.acl
      realm=QPID0097
      data-dir=/var/lib/qpidd/op_prod09/data/0097
      pid-dir=/var/lib/qpidd/op_prod09/data/0097
      port=20097
      wait=30
      num-jfiles=4
      jfile-size-pgs=1
      wcache-page-size=128
      tpl-num-jfiles=4
      tpl-jfile-size-pgs=1
      tpl-wcache-page-size=128
      ssl-cert-db=/var/lib/qpidd/op_prod09/data/0097
      ssl-port=10097
      ssl-cert-name=RGC001
      ssl-cert-password-file=/var/lib/qpidd/op_prod09/data/0097/amq_cert_db.pwd
      ssl-require-client-authentication=yes
      cluster-name=QPID0097
      cluster-url=amqp:tcp:172.16.45.198:20097
      cluster-username=xxxxx
      cluster-password=xxxxx

      We tried to connect an application to the SSL port which does not "talk" the correct protocol. We simply used telnet:
      $ telnet 172.16.45.198 10097

      The result was (we waited at least 30 min, then killed the process running telnet):
      The broker doesn't react anymore, no more new client connections can be established, the broker even cannot be stopped with "qpidd -p 20097 -q".

      This way anybody in the world could easily block our service provided over a Qpid broker.
      Is there a way to get around this?

      This issue has also been reported as Red Hat service request no. 2014266.

        Issue Links

          Activity

            People

            • Assignee:
              Andrew Stitcher
              Reporter:
              Armin Noll
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development