On 01/29/2010 12:37 PM, Gordon Sim wrote:
On 01/27/2010 06:31 PM, john dunning wrote:
Hi all. While trying to test something else, I attempted to set up my
qpidd with some certs, according to the instructions in
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html

I'm losing big time; I can start qpidd ok, but when I try to connect to
it, both client and server flame, with errors like this:

2010-01-27 12:49:23 error Error reading socket: Unknown error
18446744073709551615(-1)

That error does seem to be a regression of some sort; on an earlier
version I get the following logged on the broker:

2010-jan-29 07:21:49 error Could not accept socket: Failed: SSL peer
cannot verify your certificate. [-12271] (qpid/sy/ssl/SslSocket.cpp:123)

My initial guess would be that perhaps changes around the connection
code have broken correct error handling in some way (or for some
conditions).


The cause of the broken error handling is r790291[1], which prevents the broker's worker threads blocking on the SSL handshake. This was an issue that was discovered due to a bug in the Java client's SSL handling. If the client doesn't complete the handshake but leaves the socket open, the server's thread was blocking previously. This meant that it was simple for a malicious client to jam a broker.

At this point I'm not sure what the best fix is. I have raised a JIRA[2]; if anyone has time to look at this, that would be greatly appreciated, else I will get to it eventually.

--Gordon.

[1] http://svn.apache.org/viewvc?view=revision&revision=790291
[2] https://issues.apache.org/jira/browse/QPID-2377
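
An added illustration of the trade-off discussed in the message above, not code from Qpid or from the thread's participants (the broker is C++ on NSS; this sketch uses Python's ssl module instead). Each server-side handshake is driven from socket readiness with a deadline, so a peer that never completes it cannot hold a thread, and a failed handshake still reports its actual SSL error. The function names, the deadline value and the two sample peers are constructed for the example.

```python
import selectors, socket, ssl, time

def serve_handshakes(ctx, conns, deadline_s=0.5):
    """Drive server-side TLS handshakes for accepted sockets without blocking.

    conns maps a label to a connected socket. Returns {label: outcome} where
    outcome is "ok", "timeout", or "error: <SSL error text>".
    """
    sel, results = selectors.DefaultSelector(), {}
    for name, raw in conns.items():
        raw.setblocking(False)
        tls = ctx.wrap_socket(raw, server_side=True, do_handshake_on_connect=False)
        sel.register(tls, selectors.EVENT_READ, (name, time.monotonic() + deadline_s))

    def finish(tls, name, outcome):
        results[name] = outcome
        sel.unregister(tls)
        if outcome != "ok":
            tls.close()  # free the slot; a real server would hand "ok" sockets on

    while sel.get_map():
        for key, _ in sel.select(timeout=0.05):
            try:
                key.fileobj.do_handshake()  # resumes where the last call stopped
                finish(key.fileobj, key.data[0], "ok")
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass  # peer has not sent the next flight yet; keep waiting
            except (ssl.SSLError, OSError) as exc:
                finish(key.fileobj, key.data[0], f"error: {exc}")  # keep the cause
        now = time.monotonic()
        for key in list(sel.get_map().values()):
            if now > key.data[1]:  # handshake never completed: drop the peer
                finish(key.fileobj, key.data[0], "timeout")
    return results

def demo():
    # Constructed peers: one connects and sends nothing, one sends non-TLS bytes.
    stalled_srv, stalled_cli = socket.socketpair()
    junk_srv, junk_cli = socket.socketpair()
    junk_cli.sendall(b"not a TLS ClientHello\n")
    # Assumption: no certificate is loaded because both peers fail before one
    # is needed; a real broker would call ctx.load_cert_chain() here.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return serve_handshakes(ctx, {"stalled": stalled_srv, "junk": junk_srv}, 0.3)

if __name__ == "__main__":
    print(demo())
```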

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:[email protected]
