From: Timothy Bish
To: dev@activemq.apache.org
Subject: Re: [jira] [Resolved] (AMQ-4126) stomp+nio+ssl + jaasDualAuthenticationPlugin + certificate authentication fails
Date: Wed, 24 Oct 2012 10:01:18 -0400
Message-ID: <1351087278.2821.0.camel@OfficePC>

On Wed, 2012-10-24 at 15:26 +0200, Massimo Paladin wrote:
> Hi Timothy,
>
> I have a couple of questions.
>
> One is related to the unit test which I provided for this bug.
> In the xml configuration file (JaasStompSSLBroker.xml) if you remove the
> "transport.enabledCipherSuites" option from the openwire+nio+ssl connector
> it stops working generating an EOFException on the client side, is this intended?
> Why isn't there a default for that option?

I'm sure there are more issues to be found. The best thing to do is
create a test case showing the differences and issues and opening more
Jira tickets.

>
> javax.jms.JMSException: java.io.EOFException
>     at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:49)
>     at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1377)
>     at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.java:1481)
>     at org.apache.activemq.ActiveMQConnection.start(ActiveMQConnection.java:516)
>     at org.apache.activemq.bugs.AMQ4126Test.openwireConnectTo(AMQ4126Test.java:136)
>     at org.apache.activemq.bugs.AMQ4126Test.testOpenwireNIOSSLWithUsernameAndPassword(AMQ4126Test.java:152)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
> The other question is related to the validation of the connectors URIs.
> We noticed that there is no error checking on the given options in the URI.
> In our brokers we were using "needClientAuth" set to true for the ssl connectors,
> with stomp+nio+ssl connector we kept "needClientAuth" which did not work
> because the correct option is "transport.needClientAuth".
> This resulted in a non-obvious error generating an exception in the server
> side (below).
>
> The actual behaviour is not consistent between the stomp+ssl and the
> stomp+nio+ssl connectors,
> stomp+ssl seems to be working fine with "needClientAuth" option and for
> stomp+nio+ssl "transport.needClientAuth" is required in order to work.
>
> It would be nice if these kinds of situations would not be made possible
> doing some sort of error checking in the provided connector's options,
> would this be possible?
>
> java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>     at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:74)
>     at org.apache.activemq.security.JaasDualAuthenticationBroker.addConnection(JaasDualAuthenticationBroker.java:98)
>     at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:91)
>     at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:712)
>     at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:80)
>     at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
>     at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:294)
>     at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:152)
>     at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:45)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:256)
>     at org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:84)
>     at org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:164)
>     at org.apache.activemq.transport.stomp.ProtocolConverter.onStompConnect(ProtocolConverter.java:678)
>     at org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:219)
>     at org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:73)
>     at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.doConsume(NIOSSLTransport.java:335)
>     at org.apache.activemq.transport.stomp.StompNIOSSLTransport.doConsume(StompNIOSSLTransport.java:72)
>     at org.apache.activemq.transport.stomp.StompCodec.processCommand(StompCodec.java:113)
>     at org.apache.activemq.transport.stomp.StompCodec.parse(StompCodec.java:92)
>     at org.apache.activemq.transport.stomp.StompNIOSSLTransport.processCommand(StompNIOSSLTransport.java:60)
>     at org.apache.activemq.transport.nio.NIOSSLTransport.serviceRead(NIOSSLTransport.java:196)
>     at org.apache.activemq.transport.nio.NIOSSLTransport$1.onSelect(NIOSSLTransport.java:148)
>     at org.apache.activemq.transport.nio.SelectorSelection.onSelect(SelectorSelection.java:94)
>     at org.apache.activemq.transport.nio.SelectorWorker$1.run(SelectorWorker.java:119)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>     at java.lang.Thread.run(Thread.java:662)
>
> Cheers,
> ---
> Massimo Paladin
>
> email: massimo.paladin@gmail.com
> website: http://www.mpaladin.com
> flickr's page: http://flickr.com/photos/massimop
>
>
> On Wed, Oct 24, 2012 at 1:08 AM, Timothy Bish (JIRA) wrote:
>
> >
> > [ https://issues.apache.org/jira/browse/AMQ-4126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
> >
> > Timothy Bish resolved AMQ-4126.
> > -------------------------------
> >
> > Resolution: Fixed
> >
> > Fixed now in trunk, test cases added so this should stay fixed now.
> >
> > > stomp+nio+ssl + jaasDualAuthenticationPlugin + certificate authentication fails
> > > -------------------------------------------------------------------------------
> > >
> > > Key: AMQ-4126
> > > URL: https://issues.apache.org/jira/browse/AMQ-4126
> > > Project: ActiveMQ
> > > Issue Type: Bug
> > > Components: stomp, Transport
> > > Affects Versions: 5.7.0
> > > Reporter: Massimo Paladin
> > > Assignee: Timothy Bish
> > > Fix For: 5.8.0
> > >
> > > Attachments: AMQ4126.tgz
> > >
> > >
> > > Hello,
> > > ActiveMQ's trunk currently fails for the current use case:
> > > - server: stomp+nio+ssl connector + jaasDualAuthenticationPlugin
> > > - client: connecting to the server and expecting private certificate authentication
> > > Unit test reproducing the problem provided.
> > > {noformat}
> > > 2012-10-23 17:13:01,207 [MQ NIO Worker 4] - WARN ProtocolConverter - Exception occurred processing:
> > > CONNECT
> > > ^@: java.lang.SecurityException: User name [null] or password is invalid.
> > > 2012-10-23 17:13:01,210 [MQ NIO Worker 4] - WARN Transport - Transport Connection to: tcp://128.141.156.34:59500 failed: java.io.IOException: User name [null] or password is invalid.
> > > {noformat}
> >
> > --
> > This message is automatically generated by JIRA.
> > If you think it was sent incorrectly, please contact your JIRA administrators
> > For more information on JIRA, see: http://www.atlassian.com/software/jira
> >

--
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.bish@redhat.com | www.fusesource.com | www.redhat.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/
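
The connector-option pitfall raised in the quoted message above, as an added example that is not part of the original thread and not ActiveMQ code: a small linter that reads transportConnector URIs from a broker XML and flags the two situations reported here. It encodes only the behaviour described in this thread; the function names, sample XML, hosts and ports are constructed, and the openwire NIO+SSL connector is assumed to use the nio+ssl:// scheme.

```python
# Added example (not ActiveMQ code): lint transportConnector URIs for the
# option-name pitfalls reported in this thread. Function names are hypothetical.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Constructed sample config; connector names, hosts and ports are made up.
SAMPLE_XML = """
<broker xmlns="http://activemq.apache.org/schema/core">
  <transportConnectors>
    <transportConnector name="a" uri="stomp+ssl://0.0.0.0:61612?needClientAuth=true"/>
    <transportConnector name="b" uri="stomp+nio+ssl://0.0.0.0:61613?needClientAuth=true"/>
    <transportConnector name="c" uri="stomp+nio+ssl://0.0.0.0:61614?transport.needClientAuth=true"/>
    <transportConnector name="d" uri="nio+ssl://0.0.0.0:61617?transport.needClientAuth=true"/>
  </transportConnectors>
</broker>
"""

BARE_AUTH = "bare needClientAuth reported not to work on nio+ssl; use transport.needClientAuth"
NO_CIPHERS = "nio+ssl without transport.enabledCipherSuites (client EOFException reported)"


def lint_uri(uri):
    """Return findings for one connector URI, per the behaviour reported in the thread."""
    parts = urlsplit(uri)
    layers = parts.scheme.lower().split("+")
    if "nio" not in layers or "ssl" not in layers:
        return []  # stomp+ssl was reported to accept the bare option
    opts = dict(parse_qsl(parts.query, keep_blank_values=True))
    findings = []
    # Thread: on stomp+nio+ssl only the "transport."-prefixed name took effect.
    if "needClientAuth" in opts and "transport.needClientAuth" not in opts:
        findings.append(BARE_AUTH)
    # Thread: the openwire connector (assumed scheme nio+ssl) failed without this option.
    if layers == ["nio", "ssl"] and "transport.enabledCipherSuites" not in opts:
        findings.append(NO_CIPHERS)
    return findings


def lint_broker_xml(xml_text):
    """Map connector name -> findings for every transportConnector element."""
    report = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "transportConnector":  # ignore namespace
            report[el.get("name")] = lint_uri(el.get("uri", ""))
    return report


if __name__ == "__main__":
    for name, findings in lint_broker_xml(SAMPLE_XML).items():
        print(name, findings or "ok")
```

Running such a check before a broker restart surfaces the misnamed option at configuration time instead of as the server-side SecurityException shown in the thread.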