[
https://issues.apache.org/jira/browse/QPIDJMS-294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16092981#comment-16092981
]
Keith Wall edited comment on QPIDJMS-294 at 7/19/17 12:14 PM:
--------------------------------------------------------------
For completeness, I also confirm that I tested the Qpid JMS Client, with my
patch, against a proton-c server (I used examples/cpp/broker), configured to
use Cyrus/SCRAM-SHA-1, confirming that compatibility with existing versions of
Proton is maintained. For the record, here's what I did:
{noformat}
(prerequisite ubuntu xenial - installed {{libsasl2-modules-gssapi-mit}} in
addition to the Proton dependencies listed in {{INSTALL.md}}, built proton in
the normal way)
echo guest | saslpasswd2 -c -p -f sasldb guest
echo "sasldb_path: `pwd`" > proton-server.conf
echo "mech_list: SCRAM-SHA-1" >> proton-server.conf
export PN_TRACE_FRM=true
export PN_SASL_CONFIG_PATH=`pwd`
$ ./broker listening on 0.0.0.0
(Ran Qpid JMS Client HelloWorld)
[0x1b28770]: <- SASL
[0x1b28770]: -> SASL
[0x1b28770]:0 -> @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:"SCRAM-SHA-1"]]
[0x1b28770]:0 <- @sasl-init(65) [mechanism=:"SCRAM-SHA-1", initial-response=b"n,,n=guest,r=cbaf5e39-2124-43eb-b46c-7ca6c8db4f01", hostname="10.211.55.13"]
[0x1b28770]:0 -> @sasl-challenge(66) [challenge=b"r=cbaf5e39-2124-43eb-b46c-7ca6c8db4f01/VQgg7MHbTss8ehqCqt+lNSr6iFhwwH0,s=znoHLkYanRPigSEs+tj6YCK2jqY=,i=4096"]
[0x1b28770]:0 <- @sasl-response(67) [response=b"c=biws,r=cbaf5e39-2124-43eb-b46c-7ca6c8db4f01/VQgg7MHbTss8ehqCqt+lNSr6iFhwwH0,p=7j4XR8W/LOVZLMXdJAb4GxUnm8Y="]
[0x1b28770]:0 -> @sasl-challenge(66) [challenge=b"v=IQMkgbFAtQwkcn1aNU+RlQ1zNxA="]
[0x1b28770]:0 <- @sasl-response(67) [response=b""]
[0x1b28770]:0 -> @sasl-outcome(68) [code=0]
[0x1b28770]: <- AMQP
[0x1b28770]: -> AMQP
[0x1b28770]:0 <- @open(16) [container-id="ID:56005b9f-350f-4697-a9c4-9c0d9144f5b6:1", hostname="10.211.55.13", max-frame-size=1048576, channel-max=32767, idle-time-out=30000, desired-capabilities=@PN_SYMBOL[:"sole-connection-for-container"], properties={:product="QpidJMS", :version="0.24.0-SNAPSHOT", :platform="JVM: 1.8.0_131, 25.131-b11, Oracle Corporation, OS: Mac OS X, 10.12.5, x86_64"}]
[0x1b28770]:0 -> @open(16) [container-id="c43e0d6f-3dd1-4d71-b29e-
(snip)
{noformat}
> The SCRAM-SHA-* SASL mechanisms should verify the server final message if it
> is sent in the additional-data field of sasl-outcome
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Key: QPIDJMS-294
> URL: https://issues.apache.org/jira/browse/QPIDJMS-294
> Project: Qpid JMS
> Issue Type: Bug
> Affects Versions: 0.23.0
> Reporter: Rob Godfrey
> Fix For: 0.24.0
>
>
> Currently the client will only verify the server final message if it is sent
> as an extra challenge in the sasl exchange.
> The client should also verify if the server final message is sent as
> additional-data on the sasl outcome (which is really the way this should
> always be sent).
> In order to do this PROTON-1486 will need fixing
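The check the issue asks for, as an added Python example (not code from Qpid JMS or Proton): it recomputes the SCRAM-SHA-1 ServerSignature per RFC 5802 and compares it with the `v=` value, a check that is the same whether the value arrives in a `sasl-challenge`, as in the trace above, or in the `additional-data` of `sasl-outcome`. The function names are hypothetical, the messages are copied from the trace, and the password `guest` is an assumption taken from the `saslpasswd2` line; SASLprep is omitted, so only ASCII passwords are handled.

```python
import base64
import hashlib
import hmac

def expected_server_signature(password, client_first_bare, server_first,
                              client_final_without_proof):
    """ServerSignature (RFC 5802) that a genuine server must send as v=."""
    attrs = dict(item.split("=", 1) for item in server_first.split(","))
    salt, iterations = base64.b64decode(attrs["s"]), int(attrs["i"])
    # SaltedPassword = Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA1.
    # SASLprep is omitted, so this handles ASCII passwords only.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    auth_message = ",".join(
        (client_first_bare, server_first, client_final_without_proof))
    return hmac.new(server_key, auth_message.encode(), hashlib.sha1).digest()

def server_final_is_valid(password, client_first_bare, server_first,
                          client_final_without_proof, server_final):
    """True only when server_final is 'v=<sig>' and <sig> matches ours."""
    if not server_final.startswith("v="):
        return False  # 'e=<error>', empty or missing message: not verified
    try:
        received = base64.b64decode(server_final[2:], validate=True)
    except ValueError:
        return False
    expected = expected_server_signature(
        password, client_first_bare, server_first, client_final_without_proof)
    return hmac.compare_digest(received, expected)  # constant-time compare

# Messages copied from the frame trace on this page (GS2 header "n,," removed
# from the initial response to get client-first-message-bare).
NONCE = "cbaf5e39-2124-43eb-b46c-7ca6c8db4f01/VQgg7MHbTss8ehqCqt+lNSr6iFhwwH0"
TRACE = (
    "n=guest,r=cbaf5e39-2124-43eb-b46c-7ca6c8db4f01",
    "r=" + NONCE + ",s=znoHLkYanRPigSEs+tj6YCK2jqY=,i=4096",
    "c=biws,r=" + NONCE,
    "v=IQMkgbFAtQwkcn1aNU+RlQ1zNxA=",
)

if __name__ == "__main__":
    # Assumption: the client used the password set with saslpasswd2 ("guest").
    print("server-final verifies:", server_final_is_valid("guest", *TRACE))
```

A client that skips this comparison, or treats an absent `v=` as success, has authenticated itself to the server but has no proof that the server knows the stored credentials.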