Tomas Restrepo wrote:
Hi Kevin,
Color me sheepish... this is what I get for dashing code off when I don't
take the time to test it properly. Attached is a patch against current svn
which should actually work (imagine that! :) this time. I've tested it with
the Java client with SSL and non-SSL sockets.
I tried it again and it works better. SSL works great. However, with ssl=true
and sslOnly=false, the regular port seems to expect SSL as well!
Trying to open a non-ssl connection with these options set I get:
2007-02-20 10:06:03,823 ERROR [pool-2-thread-1]
protocol.AMQPFastProtocolHandler (AMQPFastProtocolHandler.java:175) -
IOException caught inAMQProtocolSession(/127.0.0.1:1125), session closed
implictly: javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.
javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.
at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:424)
It also seems to be a bug in the broker here: in a case like this, the broker closes the protocol session internally after the exception, but it does not actively close the socket connection, which causes the client to hang (since the server never sends a response back).
Eventually the client might close the connection and stop waiting for the
server to respond, but meanwhile valuable resources are being leaked at the
broker which might be a vector for a DoS attack.
I can pretty reliably reproduce this stack trace when the client closes its
side of the connection:
56303 [SocketAcceptorIoProcessor-0.0] ERROR
org.apache.qpid.server.protocol.AMQPFastProtocolHandler - IOException
caught inAMQProtocolSession(/127.0.0.1:47318), session closed implictly:
java.io.IOException: Connection reset by peer
Humm, I don't get that with the .NET client; the connection closes cleanly.
Tomas Restrepo
[EMAIL PROTECTED]
http://www.winterdom.com/weblog/
Here's another cut at this. I _think_ I've tested all the combinations of
enabling/disabling SSL and enabling/disabling sslOnly so that should work as
expected. I've also added logic to the Java broker to detect when a client is
connecting on the SSL port and do the Right Thing wrt configuring SSLContexts, etc.
I'll tackle the hanging issues you found with SSL handshake negotiation next.
It's a separate issue and I'd like to track it in a separate JIRA.
--Kevin
Index:
broker/src/main/java/org/apache/qpid/server/transport/ConnectorConfiguration.java
===================================================================
---
broker/src/main/java/org/apache/qpid/server/transport/ConnectorConfiguration.java
(revision 509569)
+++
broker/src/main/java/org/apache/qpid/server/transport/ConnectorConfiguration.java
(working copy)
@@ -41,11 +41,7 @@
@Configured(path = "connector.bind",
defaultValue = "wildcard")
public String bindAddress;
-
- @Configured(path = "connector.sslport",
- defaultValue = SSL_PORT)
- public int sslPort;
-
+
@Configured(path = "connector.socketReceiveBuffer",
defaultValue = "32767")
public int socketReceiveBufferSize;
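Review bot: the lone added blank line (the `+` directly after `public String bindAddress;`) replaces the two blank lines removed with the old field, so part of this hunk is whitespace churn; drop it so the diff shows only the removal of the `connector.sslport` field. This removal is also the first half of a configuration key rename (the field reappears under `connector.ssl.port` in the next hunk of this file), which deserves a mention in the commit message since existing config files will not pick the new key up.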
@@ -74,6 +70,14 @@
defaultValue = "false")
public boolean enableSSL;
+ @Configured(path = "connector.ssl.sslOnly",
+ defaultValue = "true")
+ public boolean sslOnly;
+
+ @Configured(path = "connector.ssl.port",
+ defaultValue = SSL_PORT)
+ public int sslPort;
+
@Configured(path = "connector.ssl.keystorePath",
defaultValue = "none")
public String keystorePath;
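Review bot: moving the port from `connector.sslport` to `connector.ssl.port` is a silent breaking change: a config.xml that still carries the old element will quietly fall back to `SSL_PORT` with no warning. Either accept the old path as an alias for a release or log a warning when it is present, and document both new keys (`connector.ssl.port`, `connector.ssl.sslOnly`). The `sslOnly` default of `"true"` does preserve the old behaviour for `enableSSL=true` configs without the new element (SSL listener only, as before), which is worth stating in a comment on the field.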
Index:
broker/src/main/java/org/apache/qpid/server/protocol/AMQPFastProtocolHandler.java
===================================================================
---
broker/src/main/java/org/apache/qpid/server/protocol/AMQPFastProtocolHandler.java
(revision 509569)
+++
broker/src/main/java/org/apache/qpid/server/protocol/AMQPFastProtocolHandler.java
(working copy)
@@ -21,6 +21,7 @@
package org.apache.qpid.server.protocol;
import java.io.IOException;
+import java.net.InetSocketAddress;
import org.apache.log4j.Logger;
import org.apache.mina.common.ByteBuffer;
@@ -90,7 +91,7 @@
getConfiguredObject(ConnectorConfiguration.class);
if (connectorConfig.enableExecutorPool)
{
- if (connectorConfig.enableSSL)
+ if (connectorConfig.enableSSL && isSSLClient(connectorConfig,
protocolSession))
{
String keystorePath = connectorConfig.keystorePath;
String keystorePassword = connectorConfig.keystorePassword;
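Review bot: the condition `connectorConfig.enableSSL && isSSLClient(connectorConfig, protocolSession)` is evaluated here and again, verbatim, in the non-executor-pool branch in the next hunk, and the keystore setup that follows it is duplicated in both places too. Compute `boolean useSSL = connectorConfig.enableSSL && isSSLClient(connectorConfig, protocolSession);` once before the `if (connectorConfig.enableExecutorPool)` split and move the SSL filter installation into a single helper, so the two branches cannot drift apart the next time the SSL setup changes.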
@@ -104,7 +105,7 @@
else
{
protocolSession.getFilterChain().addLast("protocolFilter", pcf);
- if (connectorConfig.enableSSL)
+ if (connectorConfig.enableSSL && isSSLClient(connectorConfig,
protocolSession))
{
String keystorePath = connectorConfig.keystorePath;
String keystorePassword = connectorConfig.keystorePassword;
@@ -231,4 +232,11 @@
_logger.debug("Message sent: " + object);
}
}
+
+ protected boolean isSSLClient(ConnectorConfiguration connectionConfig,
+ IoSession protocolSession)
+ {
+ InetSocketAddress addr = (InetSocketAddress)
protocolSession.getLocalAddress();
+ return addr.getPort() == connectionConfig.sslPort;
+ }
}
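Review bot: `isSSLClient` casts `protocolSession.getLocalAddress()` to `InetSocketAddress` with no `instanceof` or null check, so a session whose local address is null or some other `SocketAddress` subtype throws from inside session setup rather than being handled deliberately; guard the cast and decide explicitly what such a session should do (most likely refuse it rather than fall through to the non-SSL path). The method also needs a short Javadoc stating that SSL-ness is decided purely by the local accepting port matching `sslPort`, since that is now the broker's only discriminator, and the parameter is named `connectionConfig` while the rest of the class uses `connectorConfig`; align the name.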
Index: broker/src/main/java/org/apache/qpid/server/Main.java
===================================================================
--- broker/src/main/java/org/apache/qpid/server/Main.java (revision
509569)
+++ broker/src/main/java/org/apache/qpid/server/Main.java (working copy)
@@ -67,9 +67,6 @@
private static final String DEFAULT_LOG_CONFIG_FILENAME = "log4j.xml";
-
- private static Main _instance;
-
protected static class InitException extends Exception
{
InitException(String msg)
@@ -323,8 +320,8 @@
{
sconfig.setThreadModel(ReadWriteThreadModel.getInstance());
}
-
- if (!connectorConfig.enableSSL)
+
+ if (!connectorConfig.enableSSL || !connectorConfig.sslOnly)
{
AMQPFastProtocolHandler handler = new
AMQPProtocolProvider().getHandler();
InetSocketAddress bindAddress;
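Review bot: `!connectorConfig.enableSSL || !connectorConfig.sslOnly` is correct but the intent is easier to see as `!(connectorConfig.enableSSL && connectorConfig.sslOnly)`, i.e. "open the plain listener unless we are in SSL-only mode"; a one-line comment to that effect would also answer the obvious reader question of what `sslOnly` means when `enableSSL` is false (nothing). The `-`/`+` blank-line pair at the top of the hunk is whitespace-only churn and should be dropped.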
@@ -340,7 +337,7 @@
_logger.info("Qpid.AMQP listening on non-SSL address " +
bindAddress);
}
- else
+ if (connectorConfig.enableSSL)
{
AMQPFastProtocolHandler handler = new
AMQPProtocolProvider().getHandler();
try
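Review bot: with `else` replaced by `if (connectorConfig.enableSSL)`, both listeners can now be started in the same broker, but nothing validates that `sslPort` differs from the non-SSL port; if an operator sets them equal, the second bind fails and the broker is left half-started with only the plain listener up. When both listeners are enabled, check that the two ports are distinct up front and fail startup with a clear message naming both keys.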
@@ -364,7 +361,7 @@
public static void main(String[] args)
{
- _instance = new Main(args);
+ new Main(args);
}
private byte[] parseIP(String address) throws Exception
Index: broker/etc/config.xml
===================================================================
--- broker/etc/config.xml (revision 509569)
+++ broker/etc/config.xml (working copy)
@@ -28,6 +28,7 @@
to enable SSL support
<ssl>
<enabled>true</enabled>
+ <sslOnly>true</sslOnly>
<keystorePath>/path/to/keystore.ks</keystorePath>
<keystorePassword>keystorepass</keystorePassword>
</ssl>-->
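Review bot: the commented example now shows `<sslOnly>` but omits the `<port>` element that pairs with the new `connector.ssl.port` path, and nothing here tells an upgrading user that the old `connector.sslport` key no longer exists. Add `<port>` to the example, note the rename in the surrounding comment, and spell out what `sslOnly` false means (the non-SSL listener stays open alongside the SSL one) so the flag is understandable without reading Main.java.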