  1. Qpid
  2. QPID-6966

C++ broker and client to support TLS1.1 and TLS1.2 by default


Details

    Description

      Description of problem:
      Currently, neither the C++ client nor the broker allows the TLS1.1 or TLS1.2 protocol versions. Please enable them, esp. since Java client 6.1 will disable TLS1.0 and use 1.1 and 1.2 only.

      Version-Release number of selected component (if applicable):
      qpid-cpp-server-0.34-5.el6.x86_64
      qpid-cpp-client-0.34-5.el6.x86_64

      How reproducible:
      100%

      Steps to Reproduce:
      1. Start qpid broker with SSL configured
      2. openssl s_client -tls1_1 -connect localhost:5671
      3. openssl s_client -tls1_2 -connect localhost:5671

      Actual results:
      Both 2 and 3 fail with:

      139817551390536:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
      

      Expected results:
      Both should return something like:

      CONNECTED(00000003)
      depth=0 CN = localhost
      verify error:num=18:self signed certificate
      verify return:1
      depth=0 CN = localhost
      verify return:1
      140319888385864:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1256:SSL alert number 42
      140319888385864:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
      ---
      Certificate chain
       0 s:/CN=localhost
         i:/CN=localhost
      ---
      Server certificate
      subject=/CN=localhost
      issuer=/CN=localhost
      ---
      Acceptable client certificate CA names
      /CN=dummy
      ---
      SSL handshake has read 565 bytes and written 202 bytes
      ---
      New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
      Server public key is 1024 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : AES128-GCM-SHA256
          Session-ID: 7D6C1CB53B37700F2BF007D0D079AB72F26A9D289BCA8D98B5B3F1E283311991
          Session-ID-ctx: 
          Master-Key: 448215BEAADBFF90B82B421D182F8AD7174426D9292835775C405A7C3AEC2763E5F2A1127E5AE210ADC6B7335EE1F6FA
          Key-Arg   : None
          Krb5 Principal: None
          PSK identity: None
          PSK identity hint: None
          Start Time: 1451483784
          Timeout   : 7200 (sec)
          Verify return code: 18 (self signed certificate)
      ---
      

      Additional info:

          People

            pmoravec Pavel Moravec
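
The check in the steps above can be scripted; this is an added example, not part of the original issue or the Qpid project. `classify_handshake` and `probe_tls` are hypothetical helper names; `SAMPLE_FAIL` and `SAMPLE_OK` are excerpts of the output quoted in the description, and `SAMPLE_NONE` is constructed to cover a session block printed without a negotiated cipher.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output per protocol version.

# Read s_client output on stdin, print a one-line verdict.
classify_handshake() {
    out=$(cat)
    # "New, <proto>, Cipher is X": X is (NONE) when nothing was negotiated.
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    # "Protocol  : TLSv1.2" inside the SSL-Session block.
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\([^ ]*\).*$/\1/p' | head -n 1)
    if printf '%s\n' "$out" | grep -q 'wrong version number'; then
        echo "rejected wrong-version"
    elif [ -z "$cipher" ] || [ "$cipher" = "(NONE)" ]; then
        # A Protocol line alone is not proof: it can appear without a cipher.
        echo "rejected no-cipher"
    else
        echo "accepted $proto $cipher"
    fi
}

# probe_tls HOST:PORT  e.g. probe_tls localhost:5671 (broker SSL port from the report)
probe_tls() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%s: ' "$flag"
        openssl s_client "$flag" -connect "$1" </dev/null 2>&1 | classify_handshake
    done
}

# Excerpt of the failure quoted in the report.
SAMPLE_FAIL='139817551390536:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:'

# Excerpt of the expected output quoted in the report.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256'

# Constructed sample: session block present, but no cipher negotiated.
SAMPLE_NONE='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000'
```

Running `probe_tls` against a broker before and after the change gives a per-version record of what it accepts, including whether TLS1.0 is still offered.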