[https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12755521#action_12755521]
Ken Giusti commented on QPID-1899:
----------------------------------
Hi Gordon,
I've setup a local kerberos server and am using GSSAPI. I've also created my
own certificate. I run qpidd in the foreground as so:
[kgiu...@localhost cpp]$ ./src/qpidd --auth yes --realm EXAMPLE.COM
--require-encryption --transport ssl --no-data-dir --no-module-dir
--load-module ./src/.libs/ssl.so --ssl-cert-db
/home/kgiusti/.test_ssl_cert_db/test_cert_db --ssl-cert-password-file
/home/kgiusti/.test_ssl_cert_db/cert.password
2009-09-15 10:44:05 notice Listening on TCP port 5672
2009-09-15 10:44:05 notice Listening for SSL connections on TCP port 5671
2009-09-15 10:44:05 notice Broker running
Notice the two open ports - port 5672 appears to allow unencrypted (but
authenticated) connection:
[kgiu...@localhost cpp]$ /usr/kerberos/bin/kinit -k testuser
[kgiu...@localhost cpp]$ export QPID_NO_MODULE_DIR=1
[kgiu...@localhost cpp]$ export QPID_LOAD_MODULE=./src/.libs/sslconnector.so
[kgiu...@localhost cpp]$ export
QPID_SSL_CERT_PASSWORD_FILE=/home/kgiusti/.test_ssl_cert_db/cert.password
[kgiu...@localhost cpp]$ export
QPID_SSL_CERT_DB=/home/kgiusti/.test_ssl_cert_db/test_cert_db
[kgiu...@localhost cpp]$ src/tests/.libs/lt-perftest -b localhost.localdomain
--mechanism GSSAPI --username testuser --tx 1 --count 1 --port 5672 --summary
377.649 23.7361 74.1992 0.0724601
Just fyi - auth is required:
[kgiu...@localhost cpp]$ src/tests/.libs/lt-perftest -b localhost.localdomain
--tx 1 --count 1 --port 5672 --summary
Please enter your password <I enter the wrong password>
2009-09-15 10:52:27 warning Broker closed connection: 320, connection-forced:
Authentication failed
connection-forced: Authentication failed
No log messages are generated by broker to stderr for the above transactions.
Another interesting point: I cannot connect over the SSL port, even w/auth:
[kgiu...@localhost cpp]$ src/tests/.libs/lt-perftest -b localhost.localdomain
--mechanism GSSAPI --username testuser --tx 1 --count 1 --port 5671 -P ssl
--summary
2009-09-15 10:55:12 warning Connection closed
Connection closed
In this case, broker issues the following log msg:
2009-09-15 10:55:12 error internal-error: SASL decode error: SASL(-1): generic
failure: Unable to find a callback: 32775
(qpid/sys/cyrus/CyrusSecurityLayer.cpp:50)
Have I mis-configured something?
thanks,
-K
> --require-encryption doesn't work unless cyrus sasl authentication is turned
> on
> -------------------------------------------------------------------------------
>
> Key: QPID-1899
> URL: https://issues.apache.org/jira/browse/QPID-1899
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.5
> Reporter: Gordon Sim
> Assignee: Gordon Sim
> Fix For: 0.6
>
> Attachments: qpid-1899-hacky.patch
>
>
> If you specify --require-encryption and --auth no then the broker will allow
> un-encrypted connections. (If on the other hand you have authentication on, it
> will prevent you connecting with anything other than a mech that supports
> encryption and will require an encrypting sasl security layer - or of course
> an ssl connection)
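An added example, not code from this issue or the Qpid project, that audits a qpidd deployment for the condition the issue describes: it parses the broker command line and the "Listening ..." startup notices (the sample values are the ones quoted in the comment above) and classifies the plaintext listener as unprotected, nominally protected but unenforced (the --auth no case), or enforced through the SASL security layer. It assumes qpidd authenticates by default when --auth is omitted; the verdict strings are this example's own.

```python
import re
import shlex

# Constructed sample input: the qpidd command line and startup notices quoted in the comment.
QPIDD_CMDLINE = ("./src/qpidd --auth yes --realm EXAMPLE.COM --require-encryption "
                 "--transport ssl --no-data-dir --no-module-dir --load-module ./src/.libs/ssl.so "
                 "--ssl-cert-db /home/kgiusti/.test_ssl_cert_db/test_cert_db "
                 "--ssl-cert-password-file /home/kgiusti/.test_ssl_cert_db/cert.password")
STARTUP_LOG = """\
2009-09-15 10:44:05 notice Listening on TCP port 5672
2009-09-15 10:44:05 notice Listening for SSL connections on TCP port 5671
2009-09-15 10:44:05 notice Broker running
"""
LISTEN_RE = re.compile(r"notice Listening (for SSL connections )?on TCP port (\d+)")

def parse_flags(cmdline):
    """Map each --option to its value, or to True for a bare switch; skip positionals."""
    argv, opts, i = shlex.split(cmdline)[1:], {}, 0
    while i < len(argv):
        if not argv[i].startswith("--"):
            i += 1
            continue
        if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            opts[argv[i][2:]] = argv[i + 1]
            i += 2
        else:
            opts[argv[i][2:]] = True
            i += 1
    return opts

def parse_listeners(log):
    """Return [(port, 'ssl'|'plain'), ...] from the broker's 'Listening ...' notices."""
    return [(int(m.group(2)), "ssl" if m.group(1) else "plain")
            for m in LISTEN_RE.finditer(log)]

def audit(cmdline, log):
    """Classify how this broker instance treats unencrypted AMQP connections."""
    opts = parse_flags(cmdline)
    plain_ports = [p for p, kind in parse_listeners(log) if kind == "plain"]
    require_enc = "require-encryption" in opts
    auth_on = opts.get("auth", "yes") != "no"  # assumption: qpidd authenticates by default
    if not plain_ports:
        return "no-plaintext-listener"
    if not require_enc:
        return "plaintext-unprotected"          # plain port open, encryption never requested
    if not auth_on:
        return "plaintext-not-enforced-QPID-1899"  # option set, but nothing enforces it
    return "plaintext-sasl-enforced"            # only encrypting mechs / security layer pass
```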
--
This message is automatically generated by JIRA.