Hi everyone, I'm experiencing a bizarre issue where a client will not properly connect to the Qpidd broker depending on which version of Java is being used. All of these versions work: 1.8u222 - 1.8u265. Starting with 1.8u272 the problem arises; however, it is inconsistent/intermittent. I've also tested 1.u282 and Java 11. It does seem like there were significant updates made to the java.security module in 1.8u272, as the logging significantly changes in this version and above. I am trying to use SSL/TLS 1.2 w/ the SASL mechanism of EXTERNAL.
The qpidd broker is being run with the following security-related options:

    --ssl-cert-password=<pw>
    --ssl-cert-db<cert dir>
    --ssl-port=5672
    --ssl-cert-name=<name>
    --ssl-require-client-authentication
    --require-encryption
    --ssl-sasl-no-dict

When running the qpidd broker w/ trace logging enabled, I see this with the versions of Java referenced above when things are working properly:

    [Network] trace Accepting connection with optional SSL wrapper.
    [Network] Accepted SSL connection.
    ...
    [Security] debug External ssf=256 and auth=<username>
    [Security] debug = min_ssf: 0, max_ssf: 0, external_ssf: 256
    [Security] debug external auth detected and set to <username>
    [Security] info SASL: Mechanism list: EXTERNAL
    ...

In the versions that do not work (sometimes), the broker log looks like this:

    [Network] trace Accepting connection with optional SSL wrapper.
    [Network] Accepted Plaintext connection.
    ...
    [System] debug Exception constructed: SASL layer required!
    [System] error SASL layer required!

I noticed, poring over the Java version release notes, that there was a backport of TLSv1.3 put into 1.8u272 and beyond, but I've done everything I can find to ensure my client is still using TLSv1.2 (and it is my understanding that TLSv1.2 is the default), such as running my client application with -Djdk.tls.client.protocols=TLSv1.2.

I'm throwing darts at this point. Any help would be greatly appreciated.
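Added example, not part of the original post and not Qpid project code: a small Python triage script that counts the two accept outcomes quoted above in a qpidd trace log and ties each "SASL layer required!" error to the preceding plaintext accept, which helps quantify how intermittent the failure is. The sample log lines are constructed from the message shapes in the post; the function name `triage` and the one-connection-at-a-time attribution are assumptions.

```python
import re

# "[Category] rest-of-line" as quoted in the post; anything before the
# bracket (e.g. a timestamp) is ignored.
LINE_RE = re.compile(r"\[(?P<cat>\w+)\]\s+(?P<rest>.*)")
ACCEPTED_RE = re.compile(r"Accepted (SSL|Plaintext) connection")
ERROR_RE = re.compile(r"^error\s+.*SASL layer required!")

def triage(lines):
    """Summarise accept outcomes in a qpidd trace log.

    Assumption: connections are accepted one at a time, so an error is
    attributed to the most recent accept logged before it.
    """
    summary = {"ssl": 0, "plaintext": 0, "sasl_required_errors": 0}
    failures = []        # (line no. of plaintext accept, line no. of error)
    last_accept = None   # (kind, line no.)
    for n, raw in enumerate(lines, 1):
        m = LINE_RE.search(raw)
        if not m:
            continue
        acc = ACCEPTED_RE.search(m["rest"])
        if m["cat"] == "Network" and acc:
            kind = acc.group(1).lower()
            summary[kind] += 1
            last_accept = (kind, n)
        elif ERROR_RE.search(m["rest"]):
            # Only the error-level line counts, not the debug duplicate.
            summary["sasl_required_errors"] += 1
            if last_accept and last_accept[0] == "plaintext":
                failures.append((last_accept[1], n))
                last_accept = None
    return summary, failures

# Constructed sample, built from the message shapes quoted in the post.
SAMPLE = """\
[Network] trace Accepting connection with optional SSL wrapper.
[Network] Accepted SSL connection.
[Security] debug External ssf=256 and auth=<username>
[Security] info SASL: Mechanism list: EXTERNAL
[Network] trace Accepting connection with optional SSL wrapper.
[Network] Accepted Plaintext connection.
[System] debug Exception constructed: SASL layer required!
[System] error SASL layer required!
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A plaintext accept on the SSL port means the broker did not treat the client's first bytes as a TLS handshake, so the ratio of plaintext to SSL accepts per Java version is the number to compare across runs.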
