On Tue, 2012-08-14 at 16:51 -0400, Rafael Schloming wrote:

> > I'm not sure we have a pressing need to support this mechanism. A
> > pattern that would potentially be more interesting is to run TLS and
> > non-TLS connections on the same port.
> >
> 
> I believe the C++ broker supports this. Andrew can probably comment in more
> detail, but I believe it's all kind of similar. Basically you examine the
> first few bytes of the connection and depending on whether it looks like an
> ordinary AMQP header, an AMQP-over-TLS header, or the magic cruft at the
> beginning of a TLS connection you just dispatch appropriately in each case.

The C++ broker does support this functionality. The implementation is a
little crude at the moment, but I'm thinking about how to improve it
such that it would be the basic mechanism going forward. That is to say
switch early between Plain AMQP-1.0, AMQP-1.0-over-TLS, TLS, AMQP-0-10.
In principle you initially only need to read the first few bytes (5 for
TLS, I think 8 for AMQP) then if the connection was encrypted do it
again to distinguish the protocol version (whilst excluding
possibilities like TLS over TLS, and AMQP-1.0-over-TLS over TLS).

Ideally I want to do away with having to configure this layer of the
broker with ports specific to the protocol, just have the broker
auto-detect anything it speaks on any ports it's connected to.

> From what I understand, the tricky part is to do the initial
> reading/buffering in such a manner that you don't end up reading more than
> you should and buffering stuff you were supposed to dispatch to something
> else, e.g. the SSL engine.

This is certainly one of the significant implementation details.

Andrew
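To make the dispatch described in this thread concrete, here is a small C++ sniffer added as an illustration; it is not code from the Qpid C++ broker or from either poster. It looks only at the bytes the thread mentions (5 for a TLS record header, 8 for an AMQP protocol header), asks for no more than it needs so that nothing past the header is pulled out of the socket and hidden from the handler that takes over (the buffering concern raised above), and can be re-run on the plaintext coming out of a TLS session with `inner` set, where a further TLS layer is refused. The "AMQP" header bytes follow the AMQP 1.0 and 0-10 specifications (the SASL header, protocol id 3, is included because the 1.0 spec defines it alongside the TLS one); the TLS check follows the TLS record layer (content type 22, version 3.x). The type and function names, the read-loop simulation and the sample byte strings are constructed for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Outcome of sniffing the first bytes of a fresh connection.
enum class Protocol {
    NeedMore,    // undecided; Sniff::need says how many bytes are required
    Tls,         // raw TLS record: hand the buffered bytes to the TLS engine
    Amqp10,      // "AMQP" 0 1 0 0 : plain AMQP 1.0
    Amqp10Tls,   // "AMQP" 2 1 0 0 : AMQP 1.0 TLS security-layer header
    Amqp10Sasl,  // "AMQP" 3 1 0 0 : AMQP 1.0 SASL security-layer header
    Amqp010,     // "AMQP" 1 1 0 10: AMQP 0-10
    Unknown      // nothing the broker speaks: reject
};

struct Sniff {
    Protocol proto;
    std::size_t need;  // bytes the decision needed (or still needs, for NeedMore)
};

constexpr std::size_t kTlsPeek = 5;   // TLS record header: type, version(2), length(2)
constexpr std::size_t kAmqpPeek = 8;  // AMQP protocol header: "AMQP" + 4 bytes

// Classify the bytes seen so far without consuming any of them. 'inner' is true
// when re-running on plaintext that already came out of a TLS session: there a
// second TLS layer (raw, or via the AMQP 1.0 TLS header) is not accepted.
Sniff sniff(const std::vector<uint8_t>& buf, bool inner = false) {
    static const uint8_t amqp[4] = {'A', 'M', 'Q', 'P'};
    std::size_t match = 0;  // how much of "AMQP" matches so far
    while (match < buf.size() && match < 4 && buf[match] == amqp[match]) ++match;

    if (match == 4) {  // AMQP family: the next four bytes pick the version
        if (buf.size() < kAmqpPeek) return {Protocol::NeedMore, kAmqpPeek};
        const uint8_t id = buf[4], verMajor = buf[5], verMinor = buf[6], verRev = buf[7];
        if (verMajor == 1 && verMinor == 0 && verRev == 0) {
            if (id == 0) return {Protocol::Amqp10, kAmqpPeek};
            if (id == 2) return {inner ? Protocol::Unknown : Protocol::Amqp10Tls, kAmqpPeek};
            if (id == 3) return {Protocol::Amqp10Sasl, kAmqpPeek};
        }
        if (id == 1 && verMajor == 1 && verMinor == 0 && verRev == 10) return {Protocol::Amqp010, kAmqpPeek};
        return {Protocol::Unknown, kAmqpPeek};
    }
    if (match == buf.size())  // everything so far is a prefix of "AMQP" (or nothing yet)
        return {Protocol::NeedMore, buf.empty() ? kTlsPeek : kAmqpPeek};
    // Not an AMQP header. A TLS ClientHello record starts with content type 22
    // (handshake) and a record version of 3.0 .. 3.4 (SSL 3.0 .. TLS 1.3).
    if (buf[0] != 0x16) return {Protocol::Unknown, kTlsPeek};
    if (buf.size() < kTlsPeek) return {Protocol::NeedMore, kTlsPeek};
    if (buf[1] == 0x03 && buf[2] <= 0x04) return {inner ? Protocol::Unknown : Protocol::Tls, kTlsPeek};
    return {Protocol::Unknown, kTlsPeek};
}

struct Dispatch {
    Sniff result;
    std::size_t consumed;  // bytes pulled off the connection before deciding
};

// Simulated read loop for a new connection ('stream' stands in for the socket):
// read only as many bytes as the sniffer asks for, so nothing past the header is
// taken from the socket and lost to the handler that gets the connection next.
Dispatch dispatch(const std::vector<uint8_t>& stream, bool inner = false) {
    std::vector<uint8_t> head;
    Sniff s = sniff(head, inner);
    while (s.proto == Protocol::NeedMore && head.size() < stream.size()) {
        const std::size_t upto = std::min(s.need, stream.size());
        head.insert(head.end(), stream.begin() + static_cast<std::ptrdiff_t>(head.size()),
                    stream.begin() + static_cast<std::ptrdiff_t>(upto));
        s = sniff(head, inner);
    }
    return {s, head.size()};
}

const char* name(Protocol p) {
    switch (p) {
        case Protocol::NeedMore:   return "need more bytes";
        case Protocol::Tls:        return "TLS";
        case Protocol::Amqp10:     return "AMQP 1.0";
        case Protocol::Amqp10Tls:  return "AMQP 1.0 over TLS";
        case Protocol::Amqp10Sasl: return "AMQP 1.0 with SASL";
        case Protocol::Amqp010:    return "AMQP 0-10";
        case Protocol::Unknown:    break;
    }
    return "unknown (reject)";
}

int main() {
    // Constructed sample connection openings (not captured traffic).
    const std::vector<uint8_t> samples[] = {
        {'A', 'M', 'Q', 'P', 0, 1, 0, 0, 0x00, 0x00, 0x00, 0x18},  // AMQP 1.0, then a frame
        {'A', 'M', 'Q', 'P', 1, 1, 0, 10},                          // AMQP 0-10
        {0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, 0xc4},     // TLS ClientHello record
        {'G', 'E', 'T', ' ', '/'},                                  // something else entirely
    };
    for (const auto& s : samples) {
        Dispatch d = dispatch(s);
        std::printf("%-18s after reading %zu byte(s)\n", name(d.result.proto), d.consumed);
    }
    // Second pass on what comes out of a TLS session: a TLS layer inside TLS is refused.
    Dispatch nested = dispatch({'A', 'M', 'Q', 'P', 2, 1, 0, 0}, /*inner=*/true);
    std::printf("inside TLS, AMQP 1.0 TLS header -> %s\n", name(nested.result.proto));
    return 0;
}
```

Note that a TLS connection is decided after five bytes and an AMQP one after eight, and in the TLS case those five bytes stay in the buffer for the TLS engine rather than being discarded. In a real broker the read loop would be driven by the socket rather than a vector, but the rule it enforces is the same: never read past what the sniffer has asked for.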

