Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-1628

artemis-core-client TLS SNI and verifyHost operation are not independent

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • None
    • AMQ 7.1.0.GA
    • container image
    • None
    • Release Notes
    • Hide
      The AMQ Core Protocol JMS Client cannot be configured to use an haproxy with TLS passthrough, which requires SNI. This issue occurs because the SNI information is not passed by the Core Client, even when sniHost is set correctly on the URI. To work around this issue, use another method to enable external client access to AMQ Broker on OpenShift Container Platform, such as NodePort.
      Show
      The AMQ Core Protocol JMS Client cannot be configured to use an haproxy with TLS passthrough, which requires SNI. This issue occurs because the SNI information is not passed by the Core Client, even when sniHost is set correctly on the URI. To work around this issue, use another method to enable external client access to AMQ Broker on OpenShift Container Platform, such as NodePort.
    • Workaround Exists
    • Hide

      If encountering this issue in the context of OpenShift, use another method of external client access enablement with the broker on OCP such as NodePort.

      Show
      If encountering this issue in the context of OpenShift, use another method of external client access enablement with the broker on OCP such as NodePort.
    • AMQ Broker 1833, AMQ Broker 1836

      In testing connecting to the broker using the core client via ./bin/artemis producer through a haproxy configured with a tls passthrough configuration that requires sni it is observed that SNI information is not passed unless verifyHost is true even if sniHost is set on the URI.

      It is noted that with sniHost specified at the haproxy waypoint the if verifyHost=false haproxy bounces the traffic to the no sni backend. If verifyHost=true then haproxy passes it to the tcp backend and the traffic reaches the broker at which point the connectivity fails.

      As a point of comparison, testing using the Qpid JMS client over AMQP with verifyHost = false this works without problem.

              rhn-support-jbertram Justin Bertram
              rhn-support-rkieley Roderick Kieley
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved:

                  Estimated:
                  Original Estimate - 4 hours
                  4h
                  Remaining:
                  Remaining Estimate - 4 hours
                  4h
                  Logged:
                  Time Spent - Not Specified
                  Not Specified