[https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12756217#action_12756217]
Ken Giusti commented on QPID-1899:
----------------------------------
I've modified the OutputControl objects to export an encrypted() method, which
returns 'true' if the transport is encrypted (i.e. ssl) or 'false' if not (rdma,
tcp).
I'm trying to modify the CyrusAuthenticator::init() method to turn off the need
for encryption if the transport is already encrypted. Right now, I'm setting
max_ssf & min_ssf to zero (see below).
What do you think?
Index: src/qpid/broker/SaslAuthenticator.cpp
===================================================================
--- src/qpid/broker/SaslAuthenticator.cpp (revision 814633)
+++ src/qpid/broker/SaslAuthenticator.cpp (working copy)
@@ -125,6 +125,8 @@
std::auto_ptr<SaslAuthenticator>
SaslAuthenticator::createAuthenticator(Connection& c)
{
static bool needWarning = true;
+
+ QPID_LOG(error, "*** KAG: createAuthenticator - connection is " <<
(c.getOutput().encrypted() ? "ENCRYPTED" : "CLEAR") );
if (c.getBroker().getOptions().auth) {
return std::auto_ptr<SaslAuthenticator>(new CyrusAuthenticator(c,
c.getBroker().getOptions().requireEncrypted));
} else {
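Review bot: the `QPID_LOG(error, "*** KAG: createAuthenticator ...")` line is a personal debugging trace emitted at error severity on every new connection; remove it before commit or lower it to `debug`, consistent with the existing `min_ssf`/`max_ssf` debug log further down. Note also that this hunk only touches the path taken when `auth` is enabled; the `--auth no` case the issue describes falls into the `else` branch, which is unchanged here, so the reported bypass is not addressed by this hunk.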
@@ -225,8 +227,20 @@
sasl_security_properties_t secprops;
//TODO: should the actual SSF values be configurable here?
- secprops.min_ssf = encrypt ? 10: 0;
- secprops.max_ssf = 256;
+ if (connection.getOutput().encrypted()) {
+ secprops.min_ssf = 0;
+ secprops.max_ssf = 0;
+
+ // KAG
+ // sasl_ssf_t external_ssf = 256;
+ // result = sasl_setprop(sasl_conn, SASL_SSF_EXTERNAL, &external_ssf);
+ // if (result != SASL_OK) {
+ // throw framing::InternalErrorException(QPID_MSG("SASL error: " <<
result));
+ // }
+ } else {
+ secprops.min_ssf = encrypt ? 10: 0;
+ secprops.max_ssf = 256;
+ }
secprops.maxbufsize = 65535;
QPID_LOG(debug, "min_ssf: " << secprops.min_ssf << ", max_ssf: " <<
secprops.max_ssf);
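Review bot: zeroing both `min_ssf` and `max_ssf` when `connection.getOutput().encrypted()` is true forbids any SASL security layer instead of crediting the transport's protection, and it silently drops the `encrypt ? 10 : 0` requirement rather than letting the transport satisfy it. The commented-out `sasl_setprop(sasl_conn, SASL_SSF_EXTERNAL, &external_ssf)` block is the better direction: keep `secprops.min_ssf = encrypt ? 10 : 0;` and `secprops.max_ssf = 256;` unconditionally, tell libsasl about the external SSF, and let it discount that from `min_ssf`. Either finish that block (the hard-coded `256` should come from the negotiated cipher rather than a constant) or remove the dead commented code before commit.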
@@ -240,6 +254,8 @@
throw framing::InternalErrorException(QPID_MSG("SASL error: " <<
result));
}
+
+
}
CyrusAuthenticator::~CyrusAuthenticator()
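Review bot: whitespace-only change at the end of `CyrusAuthenticator::init()`; the two added blank lines before the closing brace should be dropped so the patch stays focused on the behavioural change.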
--------------------------------------------------------------------------
There is a sasl property "SASL_EXTERNAL_SFF" which may be a better approach -
it is supposed to indicate an external SSF that is being applied to the
connection. I haven't gotten that to work yet.
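The policy the comment above is reaching for, written out as an added example (this is not Qpid code and not the patch in the comment): an already-encrypted transport is credited as an external security strength factor (SSF) that is subtracted from `min_ssf`, rather than the SASL requirements being zeroed. The subtraction rule mirrors how Cyrus SASL applies `SASL_SSF_EXTERNAL` against the `min_ssf`/`max_ssf` security properties as I understand it (stated here as an assumption; no libsasl2 is linked). The `transport_external_ssf`, `broker_props`, `mech_permitted` and `connection_acceptable` helpers and the `mechanism` table are hypothetical names constructed for the illustration, and the last helper also covers the `--auth no` case from the issue, where no SASL exchange happens and `--require-encryption` has to be enforced directly from the transport.

```c
/* Added example, not Qpid or libsasl2 code. Models an SSF policy that treats an
 * encrypted transport as an external security layer. The arithmetic follows
 * Cyrus SASL's handling of SASL_SSF_EXTERNAL as understood by the author of
 * this example (an assumption); nothing here calls libsasl2. */
#include <stdio.h>

typedef struct {
    unsigned min_ssf;   /* weakest acceptable total protection */
    unsigned max_ssf;   /* strongest SASL layer the broker will negotiate */
} ssf_props;

/* A SASL mechanism and the SSF its own security layer can supply (hypothetical table). */
typedef struct {
    const char *name;
    unsigned layer_ssf;
} mechanism;

static const mechanism PLAIN      = { "PLAIN",      0   };  /* no security layer */
static const mechanism DIGEST_MD5 = { "DIGEST-MD5", 128 };  /* constructed sample value */

/* Hypothetical helper: SSF the transport already provides. A TLS session is
 * credited with its cipher's key length; clear TCP or RDMA contributes nothing. */
static unsigned transport_external_ssf(int transport_encrypted, unsigned tls_key_bits)
{
    return transport_encrypted ? tls_key_bits : 0;
}

/* Properties the broker would hand to SASL. The minimum stays at 10 whenever
 * encryption is required; the external SSF, not a zeroed requirement, is what
 * lets an already-encrypted connection satisfy it. */
static ssf_props broker_props(int require_encryption)
{
    ssf_props p;
    p.min_ssf = require_encryption ? 10 : 0;
    p.max_ssf = 256;
    return p;
}

/* Is this mechanism usable on this connection? The external SSF is subtracted
 * from min_ssf first, then the mechanism's own layer must cover the remainder. */
static int mech_permitted(const mechanism *m, ssf_props p, unsigned external_ssf)
{
    unsigned still_needed = (external_ssf >= p.min_ssf) ? 0 : p.min_ssf - external_ssf;
    return m->layer_ssf >= still_needed;
}

/* The decision QPID-1899 is about: with authentication off there is no SASL
 * exchange at all, so --require-encryption has to be checked against the
 * transport directly instead of being left to the (absent) SASL layer. */
static int connection_acceptable(int auth_enabled, int require_encryption,
                                 unsigned external_ssf, const mechanism *chosen)
{
    ssf_props p = broker_props(require_encryption);
    if (!auth_enabled)
        return external_ssf >= p.min_ssf;
    return chosen != NULL && mech_permitted(chosen, p, external_ssf);
}

int main(void)
{
    unsigned tls = transport_external_ssf(1, 128);  /* constructed: 128-bit TLS cipher */
    unsigned tcp = transport_external_ssf(0, 0);

    printf("auth on,  require, TLS, PLAIN      -> %s\n",
           connection_acceptable(1, 1, tls, &PLAIN) ? "accept" : "reject");
    printf("auth on,  require, TCP, PLAIN      -> %s\n",
           connection_acceptable(1, 1, tcp, &PLAIN) ? "accept" : "reject");
    printf("auth on,  require, TCP, DIGEST-MD5 -> %s\n",
           connection_acceptable(1, 1, tcp, &DIGEST_MD5) ? "accept" : "reject");
    printf("auth off, require, TCP             -> %s\n",
           connection_acceptable(0, 1, tcp, NULL) ? "accept" : "reject");
    printf("auth off, require, TLS             -> %s\n",
           connection_acceptable(0, 1, tls, NULL) ? "accept" : "reject");
    return 0;
}
```

The fourth case is the bug the issue reports: a clear connection with `--auth no` and `--require-encryption` must be rejected even though no SASL negotiation ever runs, and crediting the transport as an external SSF is what lets the first case (PLAIN over TLS) pass without zeroing the requirement.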
> --require-encryption doesn't work unless cyrus sasl authentication is turned
> on
> -------------------------------------------------------------------------------
>
> Key: QPID-1899
> URL: https://issues.apache.org/jira/browse/QPID-1899
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.5
> Reporter: Gordon Sim
> Assignee: Gordon Sim
> Fix For: 0.6
>
> Attachments: qpid-1899-hacky.patch
>
>
> If you specify --require-encryption and --auth no then the broker will allow
> un-encrypted connections. (If on the other hand you have authentication on, it
> will prevent you connecting with anything other than a mech that supports
> encryption and will require an encrypting sasl security layer - or of course
> an ssl connection)