[
https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773555#action_12773555
]
Ken Giusti commented on QPID-1899:
----------------------------------
Hi Gordon,

I talked with Alan regarding authentication/security in a clustered broker, see
https://issues.apache.org/jira/browse/QPID-2187

Our current approach for QPID-2187 would permit a secure/auth connection from a
client to the connected broker in the cluster. The data would be decrypted at
that broker, then mirrored in the clear to the other members of the cluster.
This avoids the overhead of having to decrypt at each broker, given that a
cluster could be implemented in a secure site. In the future, secure
intra-cluster links could be provided via openAis, if needed.

In any case, if we do implement security only on the directly attached broker,
then I would think that we would not need to propagate the SSF across the
cluster.

What do you think? If you agree, I'll strip the cluster modifications from
the last patch. If possible, I'd like to have this patch applied so I can
develop QPID-2187 against the GSSAPI + SSL case.

Thanks.

> --require-encryption doesn't work unless cyrus sasl authentication is turned
> on
> -------------------------------------------------------------------------------
>
> Key: QPID-1899
> URL: https://issues.apache.org/jira/browse/QPID-1899
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.5
> Reporter: Gordon Sim
> Assignee: Gordon Sim
> Fix For: 0.6
>
> Attachments: qpid-1899-10_26.patch, qpid-1899-10_30.patch,
> qpid-1899-9-17.patch, qpid-1899-hacky.patch, qpid-1899.patch, qpid-1899.patch
>
>
> If you specify --require-encryption and --auth no then the broker will allow
> un-encrypted connections. (If on the other hand you have authentication on, it
> will prevent you connecting with anything other than a mech that supports
> encryption and will require an encrypting sasl security layer - or of course
> an ssl connection)