qpid-users mailing list archives

From Chris Richardson ...@fourc.eu>
Subject qpid-route TLS connection to destination broker
Date Thu, 14 Aug 2014 10:46:28 GMT
Hi,

I have another SSL problem and potential fix, this time to the qpid-python
package. Any chance this could make it into the 0.30 release?

In summary, qpid-route is unable to connect to destination brokers with
TLS, which implies in practice that a federated topology cannot have
"require-encrypted" set.

Circumstances are:

* Configure a broker for both plain and TLS access
* Access plaintext service with eg: "qpid-route route list" - should show
an (empty) list of routes
* Access TLS service with eg: "qpid-route route list amqps://localhost" -
connection will fail with "Failed: ConnectionFailed - (None, 'connection
aborted')"

This happens because qpid/framer.py:93 reads the 8-byte AMQP protocol
header from the socket (waiting for sufficient data in a loop) with
     s = self.sock.recv(n)

This is fine in plaintext when sufficient data is present, but with TLS
enabled the header is fragmented and it reads from the socket twice,
actually reading 9 bytes (1 byte into the next part of the connection
handshake). This byte is discarded and the handshake later fails.

Replacing the read with
    s = self.sock.recv(n - len(self.rx_buf))
appears to fix the problem.

This error does not affect all python tools eg: qpid-stat, which use the
qpid::messaging::Connection instead of the qpid::connection::Connection
class.

Regards

-- 

Chris Richardson, System Architect
cr@fourc.eu

FourC AS, Vestre Rosten 81, Trekanten, NO-7075 Tiller, Norway
www.fourc.eu <http://www.fourc.eu/>

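The over-read described in the message, reproduced as an added example (this is illustration code written for this page, not code from qpid-python or from the poster). The FragmentingSocket class, the sample header and frame bytes, and the function names are all constructed: the fake socket never returns more than one fragment per recv() call, which is enough to show why asking for n bytes on every iteration swallows the start of the next frame, while asking only for the bytes still missing does not.

```python
# Added example, not code from qpid-python or from the poster. The fake socket,
# the sample bytes and all function names are constructed for illustration.

AMQP_HEADER_LEN = 8

# Constructed sample stream: an 8-byte protocol header followed by the first
# bytes of whatever the peer sends next. The values are illustrative only.
HEADER = b"AMQP\x01\x01\x00\x0a"
NEXT_FRAME = b"\x0f\x01\x00\x1c"


class FragmentingSocket:
    """Hands back a byte stream in fragments, never crossing a fragment boundary
    in one recv() call. This mimics a TLS transport that returns one decrypted
    record's worth of data regardless of how much the caller asked for."""

    def __init__(self, fragments):
        self.fragments = [bytes(f) for f in fragments]

    def recv(self, n):
        if not self.fragments:
            return b""  # peer closed
        current = self.fragments[0]
        out, rest = current[:n], current[n:]
        if rest:
            self.fragments[0] = rest
        else:
            self.fragments.pop(0)
        return out


def make_socket():
    # The header arrives split 7 + 1, and the second fragment already carries
    # the start of the next frame, which is the situation the message describes.
    return FragmentingSocket([HEADER[:7], HEADER[7:] + NEXT_FRAME])


def read_header_buggy(sock, n=AMQP_HEADER_LEN):
    """Read loop as in the original framer: every iteration asks for the full
    n bytes, even once part of the header is already buffered."""
    rx_buf = b""
    while len(rx_buf) < n:
        s = sock.recv(n)
        if not s:
            raise EOFError("connection closed during protocol header")
        rx_buf += s
    # Anything past n bytes belongs to the next frame; the original code drops it.
    return rx_buf[:n], rx_buf[n:]


def read_header_fixed(sock, n=AMQP_HEADER_LEN):
    """Proposed fix: only ask for the bytes still missing from the header."""
    rx_buf = b""
    while len(rx_buf) < n:
        s = sock.recv(n - len(rx_buf))
        if not s:
            raise EOFError("connection closed during protocol header")
        rx_buf += s
    return rx_buf[:n], rx_buf[n:]


def next_frame_after(read_fn):
    """Read the header with read_fn, then read the following bytes the way a
    framer that discarded any over-read would see them."""
    sock = make_socket()
    header, stolen = read_fn(sock)
    seen = b""
    while len(seen) < len(NEXT_FRAME) and sock.fragments:
        seen += sock.recv(len(NEXT_FRAME) - len(seen))
    return header, stolen, seen


if __name__ == "__main__":
    for fn in (read_header_buggy, read_header_fixed):
        header, stolen, seen = next_frame_after(fn)
        print(f"{fn.__name__}: header={header!r} stolen={stolen!r} next={seen!r}")
```

With the buggy loop the second recv(8) returns the last header byte plus the whole start of the next frame; the header itself comes out right, but the following bytes are gone by the time the framer goes looking for them, so the handshake cannot proceed. Requesting `n - len(rx_buf)` leaves the next frame untouched. The same discipline applies to any fixed-length read loop over a stream socket: plain TCP does not preserve message boundaries either, so the original loop only appeared to work in plaintext because the header usually arrived in one piece.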
