activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Guy Allard (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (APLO-186) Using ?client_auth=need Still Allows SSL Connections with no Client Cert
Date Tue, 10 Apr 2012 11:55:19 GMT

    [ https://issues.apache.org/jira/browse/APLO-186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13250580#comment-13250580
] 

Guy Allard commented on APLO-186:
---------------------------------

Hiram - This works now, fails when it should, succeeds when it should.  Thank you very much.

One comment:  with Apollo, the exception I get out of the ruby SSL libraries has a message
of:

- Connection reset by peer

If I run the failing test against AMQ, I get an exception message of:

- SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert bad certificate

I have no idea why.  I believe 'reset by peer' is very ambiguous - I can see that on normal
TCP connections.

Plus I am not sure how you would affect that.

In any case thanks for the effort on this problem for proper connection failures.

Regards, Guy


                
> Using ?client_auth=need Still Allows SSL Connections with no Client Cert
> ------------------------------------------------------------------------
>
>                 Key: APLO-186
>                 URL: https://issues.apache.org/jira/browse/APLO-186
>             Project: ActiveMQ Apollo
>          Issue Type: Bug
>          Components: apollo-broker
>    Affects Versions: 1.2
>         Environment: Ubuntu 11.10
> java version "1.6.0_23"
> OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2)
> OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)
> Apollo: apache-apollo-99-trunk-20120404.190241-13-unix-distro.tar.gz 
> Snips:
>     <authentication enabled="false"/>
>   <connector id="tls" bind="tls://0.0.0.0:62614?client_auth=need" 
> 	connection_limit="1000"/>
>   <key_storage file="${apollo.base}/etc/keystore" password="password" key_password="password"
key_alias="servertj" />
>            Reporter: Guy Allard
>            Assignee: Hiram Chirino
>             Fix For: 1.2
>
>
> Using the above configuration, when an SSL client connects and does *not* provide a certificate,
the connection is allowed to proceed, and succeeds.
> This is either:
> a) a bug
> b) a configuration issue
> If the above configuration is insufficient for full SSL only authorization please advise
on the requirements.
> Thanks, Guy

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message