[ 
https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12757202#action_12757202
 ] 

Ken Giusti commented on QPID-1899:
----------------------------------

No worries - this experience has taught me quite a bit about the sasl 
authentication and security stuff, and how the broker/client use it, and that's 
valuable to me :)

Did you want to go with the "hacky" solution for now?

I'll have to gain a better understanding of the clustering implementation 
before I would understand what needs to be done to indicate if a shadow 
connection is encrypted or not (maybe it comes for free with the Factory 
change?)

I'm good with the factory approach.  What I'd really like to understand is the 
purpose of sasl's EXTERNAL_SSF functionality, as it seems to be designed for 
just this reason.  I think the proper solution would be to pass the encryption 
key strength (ssf) to that create() method - zero if unencrypted.  If I can 
figure out the EXTERNAL_SSF usage, that key strength would be handy to have.

I've spent some time testing the EXTERNAL_SSF stuff - its behaviour in our 
server isn't straightforward - and I've zapped a question to the cyrus mailing 
list to see if I can get some answers - I'll update this bug if I hear anything.

Just for posterity, this is what I've learned about external_ssf:

1) the value should be the bit length of the key used by the external security 
layer.
2) has to be set on both ends of the connection - client and server.
3) it has local significance only - ie, it is not exchanged so the value set on 
the peer is unknown.
4) on the client, this value is compared against the configured min-ssf - when 
(min-ssf <= external-ssf) a mech is selected, otherwise the client terminates 
the connection.
5) on the server - it seems to be totally ignored.
I've asked the cyrus mailing list about #5... stay tuned.
 

> --require-encryption doesn't work unless cyrus sasl authentication is turned 
> on
> -------------------------------------------------------------------------------
>
>                 Key: QPID-1899
>                 URL: https://issues.apache.org/jira/browse/QPID-1899
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.5
>            Reporter: Gordon Sim
>            Assignee: Gordon Sim
>             Fix For: 0.6
>
>         Attachments: qpid-1899-9-17.patch, qpid-1899-hacky.patch
>
>
> If you specify --require-encryption and --auth no then the broker will allow 
> un-encrypted connections. (If on the other hand you have authentication on, it 
> will prevent you connecting with anything other than a mech that supports 
> encryption and will require an encrypting sasl security layer - or of course 
> an ssl connection)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
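
The approach discussed in the comment above (hand the transport's key strength, zero if unencrypted, to connection creation) can be modelled next to the behaviour the issue reports. This is an added example, not Qpid code and not either attached patch; `BrokerPolicy`, `Verdict`, `admitAuthOnly`, `admit`, `acceptAfterSasl` and `minSsf` are hypothetical names, and taking the stronger of the transport and SASL layers as the effective strength is an assumption of this example.

```cpp
#include <algorithm>
#include <iostream>

// Hypothetical model of the broker options discussed in QPID-1899; not Qpid's classes.
struct BrokerPolicy {
    bool authEnabled;        // --auth yes / --auth no
    bool requireEncryption;  // --require-encryption
    unsigned minSsf;         // assumed minimum key strength (bits) once encryption is required
};

enum class Verdict { Accept, NeedSaslLayer, Reject };

// Reported behaviour: encryption is enforced only through SASL, so with
// authentication off nothing examines the transport and the connection is accepted.
Verdict admitAuthOnly(const BrokerPolicy& p, unsigned externalSsf) {
    if (!p.authEnabled || !p.requireEncryption) return Verdict::Accept;
    return externalSsf >= p.minSsf ? Verdict::Accept : Verdict::NeedSaslLayer;
}

// Proposed direction: the transport's key strength (0 if unencrypted) is handed
// in at connection creation and checked whether or not SASL runs.
Verdict admit(const BrokerPolicy& p, unsigned externalSsf) {
    if (!p.requireEncryption || externalSsf >= p.minSsf) return Verdict::Accept;
    // Transport too weak: only a SASL security layer can make up the shortfall,
    // and one can be negotiated only when authentication is on.
    return p.authEnabled ? Verdict::NeedSaslLayer : Verdict::Reject;
}

// Final check after SASL negotiation. Assumption of this example: the
// effective strength is the stronger of the transport and SASL layers.
bool acceptAfterSasl(const BrokerPolicy& p, unsigned externalSsf, unsigned saslSsf) {
    return !p.requireEncryption || std::max(externalSsf, saslSsf) >= p.minSsf;
}

int main() {
    BrokerPolicy noAuth{false, true, 1};  // --auth no --require-encryption
    std::cout << "plain TCP, auth-only check: "
              << (admitAuthOnly(noAuth, 0) == Verdict::Accept ? "accepted" : "refused") << "\n"
              << "plain TCP, ssf passed in:   "
              << (admit(noAuth, 0) == Verdict::Accept ? "accepted" : "refused") << "\n";
}
```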

