Paul Colby created QPID-4036: -------------------------------- Summary: Failed client connections permanently exhausting broker's max connections limit Key: QPID-4036 URL: https://issues.apache.org/jira/browse/QPID-4036 Project: Qpid Issue Type: Bug Components: C++ Broker Affects Versions: 0.16 Environment: CentOS release 5.5 (Final) Linux 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:52:25 EST 2011 x86_64 x86_64 x86_64 GNU/Linux gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-48) Reporter: Paul Colby Priority: Critical
I'm running a set of Qpid 0.16 C++ brokers with configuration like: {code} cluster-name="mm-queue-cluster" cluster-cman=yes cluster-mechanism=PLAIN cluster-username=broker cluster-password=abc123 cluster-url=ssl:gateway02:5671 auth=yes ssl-cert-db=/etc/qpid/certs/broker ssl-cert-password-file=/etc/qpid/certs/pass.txt ssl-cert-name=broker.messagemedia.com.au require-encryption=yes {code} ie the broker is requiring both encryption and authentication (configured SASL mech list is CRAM-MD5 DIGEST-MD5 EXTERNAL PLAIN). Now, if a client (let's use {{qpid-stat}} for example) connects via SSL (amqps) and authenticates successfully, then everything is happy. However, if a client repeatedly fails to use SSL and/or fails to provide credentials, then the broker loses one of it's configured max connections every time! So, for example, if we start the broker using the configuration shown above, then do this: {code}for i in `seq 1 550`; do echo $i; qpid-stat -q ; done{code} The above loop will report ~ 500 {{AuthenticationFailure}} errors, then switch to {{ConnectionError}} errors. Once the {{ConnectionError}} errors begin, all further connections to the broker will be rejected - permanently (until the broker is restarted), with the broker logging: {code}error Client max connection count limit exceeded: 500 connection refused{code} >From my testing, the following loops never cause an issue (with this >configuration): {code:none} for i in `seq 1 550`; do echo $i; qpid-stat -b amqps://guest/guest@localhost -q ; done # Works as expected. for i in `seq 1 550`; do echo $i; qpid-stat -b amqps://guest/wrong@localhost -q ; done # AuthenticationFailure as expected. {code} Whereas any of the following will break the broker: {code:none} for i in `seq 1 550`; do echo $i; qpid-stat -b amqp://guest/guest@localhost -q ; done # AuthenticationFailure, then ConnectionError. for i in `seq 1 550`; do echo $i; qpid-stat -b amqp://guest/wrong@localhost -q ; done # AuthenticationFailure, then ConnectionError. for i in `seq 1 550`; do echo $i; qpid-stat -b amqp://localhost -q ; done # AuthenticationFailure, then ConnectionError. for i in `seq 1 550`; do echo $i; qpid-stat -b amqps://localhost -q ; done # AuthenticationFailure, then ConnectionError. {code} -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org