[
https://issues.apache.org/jira/browse/QPID-7292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16087281#comment-16087281
]
Keith Wall commented on QPID-7292:
----------------------------------
This change will break compatibility with the Qpid Broker J versions
(6.0.0-6.0.3 only) for users using Authentication Providers that use the SCRAM
mechanism. Upgrading to the later 6.0 release would resolve the problem, or
workaround is possible by using a authentication provider with different
mechanism.
> Qpid clients should verify the server-final message when using SCRAM-*
> authentication
> -------------------------------------------------------------------------------------
>
> Key: QPID-7292
> URL: https://issues.apache.org/jira/browse/QPID-7292
> Project: Qpid
> Issue Type: Improvement
> Components: Java Client
> Reporter: Rob Godfrey
> Fix For: qpid-java-client-0-x-6.3.0
>
> Attachments:
> 0001-QPID-7292-AMQP-0.x-Qpid-clients-should-verify-the-se.patch
>
>
> QPID-7282 addressed the issue that the Java Broker was not sending the
> server-final message in the SCRAM-* SASL exchange, however this omission was
> not causing the clients to fail, since they blindly accept the server's
> acceptance of their credentials.
> Clients implementing SCRAM-* or similar protocols which include a client
> verification step, should perform the verification of the server and fail or
> warn (to be configured by a system property) if the verification does not
> occur or it fails.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
