[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14703570#comment-14703570 ]

ASF subversion and git services commented on PROTON-950:

Commit 14956b07edc3de93f67179c753bbedcd9eba51a6 in qpid-proton's branch refs/heads/master from [~gsim]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=14956b0 ]

PROTON-950: don't force sasl layer by default

SASL PLAIN over cleartext should be supported

Key: PROTON-950
URL: https://issues.apache.org/jira/browse/PROTON-950
Project: Qpid Proton
Issue Type: Bug
Components: proton-c
Affects Versions: 0.10
Reporter: Ted Ross
Assignee: Andrew Stitcher
Priority: Blocker
Fix For: 0.10

In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if the connection is encrypted (using SSL). This is a surprising change of behavior from earlier versions of Proton and it's arguable that a security policy like that should be left to the application using the Proton library.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14652352#comment-14652352 ]

Gordon Sim commented on PROTON-950:

I tried unsuccessfully to do this. It is awkward to get at the sasl object for a connection when using the reactor. In theory you can do so via the on_connection_bound method. However even doing so, and setting the new property to True, I was unable to connect using PLAIN over a non-ssl connection.

Without making any changes, the behaviour also seems to have changed very recently. Previously when attempting to connect where only PLAIN was offered by the broker, an error would at least be logged to the effect that 'no worthy mechs' could be selected, and both sides would end up disconnected. Now there is no error at all and the reactive examples just hang.

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14652406#comment-14652406 ]

Gordon Sim commented on PROTON-950:

What is the intended behaviour when cyrus is not available on the platform in question? Would PLAIN be allowed over a non-SSL connection in that case? To me that seems non-intuitive from the client's perspective.

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14652433#comment-14652433 ]

Robbie Gemmell commented on PROTON-950:

I was about to reply questioning if that was the case, i.e. have we implemented ANONYMOUS, PLAIN, and EXTERNAL in the fallback and then disabled PLAIN by default?

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14652521#comment-14652521 ]

Robbie Gemmell commented on PROTON-950:

I'm increasingly feeling that this new option should be flipped so that PLAIN works by default and those that want to restrict it to SSL only can use it to do so. As mentioned earlier, it seems inconsistent to me to allow ANONYMOUS and no-SASL by default but deny PLAIN. It should only be used for lack of a better option, and yet we know there are times it is going to be the only option right now. It also seems like none of the client code makes it particularly easy to toggle it. We are going to get a lot of questions about this (once we actually get it released..).

Thinking about it, I guess people could already have prevented use of PLAIN [without SSL] if they wanted to using the previous pn_sasl_allowed_mechs config method? In which case there may not be a need for a specific toggle if we flipped the default, though I can see it would still be easier to use that than setting 'everything but PLAIN' as the allowed mechs.

New side thought based on above, what happens currently if the allowed mech(s) are set to include only PLAIN (which I can see folks doing when trying to figure out why it doesn't work anymore) but its actual use is prevented by the transport defaults? Would people get the error Gordon was hunting for above, or something more specific since it's detectable in advance that there are no usable mechs?

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14652413#comment-14652413 ]

Andrew Stitcher commented on PROTON-950:

Also what are you doing when receiving PN_TRANSPORT_ERROR events? I did recently (think I'd) fix the SASL code to raise those errors correctly (at the correct time with the correct error code).

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14652420#comment-14652420 ]

Gordon Sim commented on PROTON-950:

There is no special logic added for PN_TRANSPORT_ERROR events, but PN_TRANSPORT_CLOSED and PN_TRANSPORT_TAIL_CLOSED are handled. Previously this would result in the connection attempt failing and either reconnecting or exiting depending on settings (along with the error logged of course).

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14652357#comment-14652357 ]

Andrew Stitcher commented on PROTON-950:

[~gsim] Could you bug report that last issue, because that isn't the intended behaviour - you should definitely get an error (and preferably the 'no worthy mechs' error too) if no matching mech could be found.

If you can include some sort of reproducer I'll try to create a good test case from it and fix the problem.

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14652394#comment-14652394 ]

Gordon Sim commented on PROTON-950:

Run eg. simple_send against direct_recv, or even just the messenger examples against a broker that only supports PLAIN.

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14652409#comment-14652409 ]

Gordon Sim commented on PROTON-950:

No, I didn't make any changes. I had just assumed from a comment above that the messenger code had been changed.

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14652425#comment-14652425 ]

Gordon Sim commented on PROTON-950:

That means that unless cyrus is available it would no longer be possible to authenticate as a given user unless SSL was used (since there would be no other mechanisms).

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14652448#comment-14652448 ]

Andrew Stitcher commented on PROTON-950:

To be clear:
* The client mechanisms available without Cyrus are ANONYMOUS, PLAIN and EXTERNAL
* The server mechanisms are ANONYMOUS and EXTERNAL (no PLAIN because we have no way to request authentication of a user/password pair)
* The default PLAIN behaviour is the same both with and without Cyrus viz:
  - It is intuitive that the behaviour doesn't vary depending on the library build, but
  - By default without SSL you cannot authenticate a user without Cyrus.

Re: [jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
Oh, I found a solution.

pn_sasl(pn_transport_t *transport);

Tomas

2015-07-30 10:41 GMT+02:00 Tomáš Šoltys tomas.sol...@gmail.com:

> Hi,
>
> I see there is a new function pn_sasl_set_allow_insecure_mechs(pn_sasl_t *sasl, bool insecure)
>
> Is there a way how I can get an access to pn_sasl_t *sasl object?
>
> Regards,
> Tomas
>
> 2015-07-28 20:55 GMT+02:00 ASF subversion and git services (JIRA) j...@apache.org:
>
>> [ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14644850#comment-14644850 ]
>>
>> ASF subversion and git services commented on PROTON-950:
>>
>> Commit c954cf3e4f35e79a6cd5832cc977d136c607a20b in qpid-proton's branch refs/heads/master from [~astitcher]
>> [ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=c954cf3 ]
>>
>> PROTON-950: Allow PLAIN over clear text if you ask nicely

--
Tomáš Šoltys
tomas.sol...@gmail.com
http://www.range-software.com
(+420) 776-843-663

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14644675#comment-14644675 ]

Andrew Stitcher commented on PROTON-950:

This can only be a change in behaviour for applications that are using the messenger library, as it is the only part of the Proton-c library that has the PLAIN mechanism built in before 0.10.

My proposed change is to add an API to the SASL object allow_insecure_mechs(bool) which defaults to false for the underlying Proton-c library as used directly via the engine or event APIs. If this property is set true then it will allow plain to be used unencrypted.

For the messenger APIs I will default to insecure mechs by default for 0.10, but note that this will be changed in 0.11 to a more secure setting in the 0.10 release notes and the messenger documentation.

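
The opt-in policy proposed in the comment above, together with the "allowed mechs set to only PLAIN" case raised elsewhere in the thread, as a self-contained C model. This is an added example and not code from Proton: `sasl_client_t`, `select_mech`, the status codes and the client preference order are assumptions made for illustration; only the `allow_insecure_mechs` property, the allowed-mechs list and the mechanism names come from the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added model of the policy debated in PROTON-950; NOT Proton's source.
 * All type and function names below are hypothetical. */
typedef struct {
    bool encrypted;            /* transport is running over SSL */
    bool allow_insecure_mechs; /* the proposed SASL property, default false */
    const char *allowed_mechs; /* space-separated allow-list, NULL = any */
} sasl_client_t;

typedef enum {
    MECH_OK,               /* a mechanism was selected */
    MECH_NO_WORTHY,        /* nothing offered is usable: "no worthy mechs" */
    MECH_BLOCKED_INSECURE  /* a candidate matched but needs SSL or the opt-in */
} mech_status_t;

/* Client-side mechanisms available without Cyrus, per the thread.
 * The preference order is an assumption of this model. */
static const struct { const char *name; bool cleartext_secret; } CLIENT_MECHS[] = {
    { "EXTERNAL", false }, { "PLAIN", true }, { "ANONYMOUS", false },
};

/* True if tok appears as a whole word in the space-separated list. */
static bool has_token(const char *list, const char *tok) {
    size_t n = strlen(tok);
    const char *p = list;
    while (*p) {
        while (*p == ' ') p++;
        const char *end = p;
        while (*end && *end != ' ') end++;
        if ((size_t)(end - p) == n && strncmp(p, tok, n) == 0) return true;
        p = end;
    }
    return false;
}

/* Pick a mechanism from the server's offer. A mechanism that sends the
 * password in the clear is skipped unless the link is encrypted or the
 * application opted in. If nothing else was usable and such a skip
 * happened, report that instead of the generic failure. */
mech_status_t select_mech(const sasl_client_t *c, const char *offered,
                          const char **chosen) {
    bool blocked = false;
    *chosen = NULL;
    for (size_t i = 0; i < sizeof CLIENT_MECHS / sizeof CLIENT_MECHS[0]; i++) {
        const char *m = CLIENT_MECHS[i].name;
        if (!has_token(offered, m)) continue;
        if (c->allowed_mechs && !has_token(c->allowed_mechs, m)) continue;
        if (CLIENT_MECHS[i].cleartext_secret && !c->encrypted &&
            !c->allow_insecure_mechs) {
            blocked = true;
            continue;
        }
        *chosen = m;
        return MECH_OK;
    }
    return blocked ? MECH_BLOCKED_INSECURE : MECH_NO_WORTHY;
}

int main(void) {
    /* Constructed scenario: broker offers only PLAIN, no SSL. */
    sasl_client_t c = { false, false, NULL };
    const char *mech;
    mech_status_t st = select_mech(&c, "PLAIN", &mech);
    printf("default:  status=%d mech=%s\n", st, mech ? mech : "(none)");
    c.allow_insecure_mechs = true;
    st = select_mech(&c, "PLAIN", &mech);
    printf("opted in: status=%d mech=%s\n", st, mech ? mech : "(none)");
    return 0;
}
```

The separate `MECH_BLOCKED_INSECURE` status is this model's way of reporting, before any credentials are sent, that PLAIN was the only candidate and the cleartext link ruled it out.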
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14644813#comment-14644813 ]

Gordon Sim commented on PROTON-950:

> This can only be a change in behaviour for applications that are using the messenger library, as it is the only part of the Proton-c library that has the PLAIN mechanism built in before 0.10.

I don't think that is correct. The python 'reactive' api also supported plain previously but now only does so on ssl connections.

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14644842#comment-14644842 ]

Andrew Stitcher commented on PROTON-950:

I don't understand - the previous code didn't implement any mechanisms except ANONYMOUS, how did PLAIN work?

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14644837#comment-14644837 ]

Gordon Sim commented on PROTON-950:

It set the chosen mechanism to be plain if a username and password were specified in the url (using the Sasl.plain() method).

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14644849#comment-14644849 ]

Andrew Stitcher commented on PROTON-950:

Given that the 0.10 version of the Python reactive API should work correctly with any other SASL mech just by setting the user and password to the API I'm not sure that the potential accidental security loss is worth it for such a new API. You can still use the allow_insecure_mechs SASL property to allow PLAIN in this case.

However if you feel this is widely used I can change it in the same way as I'm proposing for the messenger API.

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14630002#comment-14630002 ]

Robbie Gemmell commented on PROTON-950:

This is marked fix-for 0.10. Is it a blocker? (I'd say yes personally)

SASL PLAIN over cleartext should be supported

Key: PROTON-950
URL: https://issues.apache.org/jira/browse/PROTON-950
Project: Qpid Proton
Issue Type: Bug
Components: proton-c
Affects Versions: 0.10
Reporter: Ted Ross
Assignee: Andrew Stitcher
Fix For: 0.10

In the current 0.10 alpha, if SASL PLAIN is selected, SSL is forced. This is a surprising change of behavior from earlier versions of Proton and it's arguable that a security policy like that should be left to the application using the Proton library.