Github user gemmellr commented on a diff in the pull request: https://github.com/apache/activemq-artemis/pull/1961#discussion_r176769932 --- Diff: artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPConnectionCallback.java --- @@ -113,7 +116,20 @@ public ServerSASL getServerSASL(final String mechanism) { result = gssapiServerSASL; break; + case ExternalServerSASL.NAME: + // validate ssl cert present + Principal principal = CertificateUtil.getPeerPrincipalFromConnection(protonConnectionDelegate); + if (principal != null) { + ExternalServerSASL externalServerSASL = new ExternalServerSASL(); + externalServerSASL.setPrincipal(principal); + result = externalServerSASL; + } else { + logger.debug("SASL EXTERNAL mechanism requires a TLS peer principal"); --- End diff -- I noticed that it fails eventually when returning null, though without indication why unless the debug logging is on, but the main thing is it shouldn't get to this bit of code without being able to succeed, except through malicious intent on a client's part. EXTERNAL can be supported by the broker but still not be used/usable by all clients, so it really shouldn't be offered to those that can't actually do it.
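Review bot: in the `else` branch of the new `case ExternalServerSASL.NAME:` the only record of the refusal is `logger.debug("SASL EXTERNAL mechanism requires a TLS peer principal")`, so a client that selects EXTERNAL on a connection with no verified client certificate fails later with nothing in a default log to explain why; log it at a level that is on in production and include the remote address, since a client reaching this branch is either misconfigured or deliberately picking a mechanism it cannot complete. The mechanism should also be filtered out of the list advertised to a connection whose `CertificateUtil.getPeerPrincipalFromConnection(protonConnectionDelegate)` is null, so that this branch is only reachable by a client ignoring the server's offer. Minor: the comment `// validate ssl cert present` overstates what the line below checks; it tests for a peer principal, which exists only if the acceptor asked for (or required) client authentication and the TLS layer verified the certificate, so "validate TLS peer principal present" would match the code.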
---
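The point made in the comment above, that EXTERNAL should only be offered to connections that can actually complete it while still being rejected server-side if a client asks for it anyway, as an added illustration that is not code from the pull request or from Artemis: a hypothetical `SaslMechanismPolicy` class (the name, method names and log wording are assumptions) that builds the advertised mechanism list from whether the TLS layer yielded a peer principal, and a matching selection step that refuses EXTERNAL without one and records the reason instead of returning a bare null. It uses only JDK types (Java 16 or later for the record).

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical policy object (not part of Artemis) showing the two halves of
 * the argument: (1) only advertise EXTERNAL when the connection has a TLS
 * peer principal, and (2) still reject EXTERNAL server-side if a client
 * selects it anyway, with a log line that says why.
 */
public final class SaslMechanismPolicy {

    static final String EXTERNAL = "EXTERNAL";
    static final String PLAIN = "PLAIN";
    static final String ANONYMOUS = "ANONYMOUS";

    /** Mechanisms the broker is configured to support, in preference order. */
    private final List<String> configured;

    SaslMechanismPolicy(List<String> configured) {
        this.configured = List.copyOf(configured);
    }

    /**
     * Mechanisms to advertise to one connection. EXTERNAL is dropped when the
     * TLS handshake produced no peer principal (plain TCP, or TLS without
     * client authentication), so a well-behaved client never picks it.
     */
    List<String> offeredMechanisms(Principal peerPrincipal) {
        List<String> offered = new ArrayList<>(configured.size());
        for (String mech : configured) {
            if (EXTERNAL.equals(mech) && peerPrincipal == null) {
                continue;
            }
            offered.add(mech);
        }
        return Collections.unmodifiableList(offered);
    }

    /** Outcome of the server-side mechanism selection. */
    record Selection(String mechanism, Principal principal, String failureReason) {
        boolean ok() { return failureReason == null; }
    }

    /**
     * Server-side check when the client names a mechanism. A client ignoring
     * the advertised list can still send EXTERNAL, so the principal check is
     * repeated here and the refusal is recorded rather than silently null.
     */
    Selection select(String requested, Principal peerPrincipal, String remoteAddress) {
        if (!configured.contains(requested)) {
            return new Selection(requested, null,
                "mechanism " + requested + " not supported");
        }
        if (EXTERNAL.equals(requested)) {
            if (peerPrincipal == null) {
                // Logged at a level that is on by default, with the peer address.
                System.err.println("WARN SASL EXTERNAL requested by " + remoteAddress
                    + " without a TLS peer principal; mechanism was not advertised");
                return new Selection(requested, null,
                    "EXTERNAL requires a TLS peer principal");
            }
            return new Selection(requested, peerPrincipal, null);
        }
        // Other mechanisms carry their own credentials; nothing to bind here.
        return new Selection(requested, null, null);
    }

    public static void main(String[] args) {
        SaslMechanismPolicy policy =
            new SaslMechanismPolicy(List.of(EXTERNAL, PLAIN, ANONYMOUS));

        // Constructed inputs: one mutually-authenticated TLS peer, one plain peer.
        Principal tlsClient = new X500Principal("CN=client1, O=Example");

        System.out.println("offered (mTLS):  " + policy.offeredMechanisms(tlsClient));
        System.out.println("offered (plain): " + policy.offeredMechanisms(null));

        System.out.println(policy.select(EXTERNAL, tlsClient, "10.0.0.5:41234"));
        System.out.println(policy.select(EXTERNAL, null, "10.0.0.6:41235"));
        System.out.println(policy.select(PLAIN, null, "10.0.0.6:41235"));
    }
}
```

Running `main` shows EXTERNAL present in the list offered to the mutually-authenticated peer and absent from the list offered to the plain one; the second `select` call is the path a client only reaches by ignoring the offer, and it returns a failure reason and a warning rather than a null that fails somewhere later.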