[jira] [Commented] (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283567#comment-13283567 ] Andrew Stitcher commented on QPID-2518: --- Good point - that'll teach me to actually read the words in the bug report, rather than reading the words I expect to be there.

Qpid C++ broker can easily be blocked by client trying to connect over SSL port
---
Key: QPID-2518
URL: https://issues.apache.org/jira/browse/QPID-2518
Project: Qpid
Issue Type: Bug
Components: C++ Broker
Environment: Red Hat Enterprise MRG 1.2
Reporter: Armin Noll
Assignee: Andrew Stitcher
Fix For: 0.17

We are running a C++ broker as daemon with the following configuration:

log-enable=info+
log-to-file=/var/lib/qpidd/op_prod09/data/0097/qpidd.log
log-to-syslog=no
auth=yes
acl-file=qpidd.acl
realm=QPID0097
data-dir=/var/lib/qpidd/op_prod09/data/0097
pid-dir=/var/lib/qpidd/op_prod09/data/0097
port=20097
wait=30
num-jfiles=4
jfile-size-pgs=1
wcache-page-size=128
tpl-num-jfiles=4
tpl-jfile-size-pgs=1
tpl-wcache-page-size=128
ssl-cert-db=/var/lib/qpidd/op_prod09/data/0097
ssl-port=10097
ssl-cert-name=RGC001
ssl-cert-password-file=/var/lib/qpidd/op_prod09/data/0097/amq_cert_db.pwd
ssl-require-client-authentication=yes
cluster-name=QPID0097
cluster-url=amqp:tcp:172.16.45.198:20097
cluster-username=x
cluster-password=x

We tried to connect an application to the SSL port which does not talk the correct protocol. We simply used telnet:

$ telnet 172.16.45.198 10097

The result was (we waited at least 30 min, then killed the process running telnet): the broker doesn't react anymore, no more new client connections can be established, the broker even cannot be stopped with qpidd -p 20097 -q. This way anybody in the world could easily block our service provided over a Qpid broker. Is there a way to get around this? This issue has also been reported as Red Hat service request no. 2014266.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira - To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org
[jira] [Commented] (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280610#comment-13280610 ] Andrew Stitcher commented on QPID-2518: --- These code changes introduce a timer that gets started when a new connection is accepted. If the protocol negotiation phase isn't completed within a specified period then the connection will be aborted. A new option is introduced to control the timer timeout period: --max-negotiate-time (time in milliseconds). The default timeout is 2000ms (2s), which gives a lot of latitude for network delays.
[jira] [Commented] (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280617#comment-13280617 ] Andrew Stitcher commented on QPID-2518: --- This change limits the impact of CVE-2012-2145, but doesn't prevent a determined DoS attack on a broker.
[jira] [Commented] (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273591#comment-13273591 ] Andrew Stitcher commented on QPID-2518: --- This bug also applies to regular TCP connections.
[jira] Commented: (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859248#action_12859248 ] Gordon Sim commented on QPID-2518: -- A further measure would be to have a configurable timeout for connections that do not complete the handshake and disconnect them.

--
This message is automatically generated by JIRA.
- You can reply to this email to add a comment to the issue online. - Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:dev-subscr...@qpid.apache.org
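The handshake timeout Gordon Sim suggests here, and the --max-negotiate-time timer (default 2000 ms) that Andrew Stitcher describes implementing in his later comment above, can be modelled end to end. What follows is an added example written for this page, not Qpid code: a single-threaded stand-in broker that reads the 8-byte AMQP protocol header before doing anything else, driven first without a negotiation timer (the reported behaviour: a telnet client that connects and sends nothing stalls every later client) and then with one. The ModelBroker class, run_scenario and the four header bytes after the "AMQP" tag are assumptions made for the example; the real broker implements the timer inside its connection-handling code rather than as a socket timeout on one serial thread.

```python
"""Model of the QPID-2518 stall and of the negotiation timer that fixes it.

Constructed example: a tiny single-threaded "broker" reads the 8-byte AMQP
protocol header before doing anything else. Without a negotiation timeout,
one client that connects and sends nothing stalls the accept loop for
everyone; with the timer armed at accept time, that connection is aborted
and the next client negotiates normally.
"""
import socket
import threading

# AMQP 0-10 protocol header: "AMQP" then protocol-id, class, major, minor.
# The four trailing bytes are an assumed value for this model; only the
# "AMQP" tag is checked below.
PROTOCOL_HEADER = b"AMQP\x01\x01\x00\x0a"


def recv_exactly(sock, n):
    """Read exactly n bytes; raises socket.timeout or ConnectionError."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before header was complete")
        buf += chunk
    return buf


class ModelBroker:
    """One thread accepts and negotiates connections strictly in turn."""

    def __init__(self, max_negotiate_ms=None):
        self.max_negotiate_ms = max_negotiate_ms   # None = no timer (pre-fix)
        self.outcomes = []
        self._stop = threading.Event()
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(8)
        self.listener.settimeout(0.1)              # lets the loop notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def port(self):
        return self.listener.getsockname()[1]

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.listener.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.listener.accept()
            except socket.timeout:
                continue
            self._negotiate(conn)

    def _negotiate(self, conn):
        # The fix: arm the timer as soon as the connection is accepted. A peer
        # that never completes the protocol header is dropped when it fires.
        ms = self.max_negotiate_ms
        conn.settimeout(None if ms is None else ms / 1000)
        try:
            header = recv_exactly(conn, len(PROTOCOL_HEADER))
        except socket.timeout:
            self.outcomes.append("aborted: negotiation timed out")
            conn.close()
            return
        except ConnectionError:
            self.outcomes.append("aborted: peer closed")
            conn.close()
            return
        if header[:4] != b"AMQP":
            self.outcomes.append("rejected: not an AMQP header")
            conn.close()
            return
        self.outcomes.append("negotiated")
        try:
            conn.sendall(PROTOCOL_HEADER)          # broker answers with its header
        except OSError:
            pass                                   # peer may already be gone
        conn.close()


def run_scenario(max_negotiate_ms, client_patience_s=1.0):
    """An idle telnet-style client connects first, then a real AMQP client.

    Returns (what the real client observed, the broker's outcomes so far).
    """
    broker = ModelBroker(max_negotiate_ms)
    broker.start()
    idle = good = None
    try:
        idle = socket.create_connection(("127.0.0.1", broker.port))  # sends nothing
        good = socket.create_connection(("127.0.0.1", broker.port))
        good.sendall(PROTOCOL_HEADER)
        good.settimeout(client_patience_s)
        try:
            reply = recv_exactly(good, len(PROTOCOL_HEADER))
            seen = "negotiated" if reply == PROTOCOL_HEADER else "bad reply"
        except socket.timeout:
            seen = "no reply: broker stuck behind the idle connection"
        return seen, list(broker.outcomes)
    finally:
        for s in (good, idle):                     # closing idle = "kill telnet"
            if s is not None:
                s.close()
        broker.stop()


if __name__ == "__main__":
    print("no timer:", run_scenario(None))
    print("2000 ms :", run_scenario(2000, client_patience_s=3.0))
```

The no-timer run only recovers once the idle socket is closed in the cleanup step, which is exactly the "kill telnet" the reporter had to resort to; with the timer, the idle peer is dropped after the configured period and the well-behaved client is served. As the thread notes, the timer bounds how long one connection can occupy the broker but does not stop an attacker who opens many such connections in parallel.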
[jira] Commented: (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859250#action_12859250 ] Gordon Sim commented on QPID-2518: -- See also https://issues.apache.org/jira/browse/QPID-2083 and note that r790291 makes the error handling less meaningful.
[jira] Commented: (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859035#action_12859035 ] Gordon Sim commented on QPID-2518: -- I believe this is addressed by http://svn.apache.org/viewvc?view=revision&revision=790291.