[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14703570#comment-14703570 ]

ASF subversion and git services commented on PROTON-950:

Commit 14956b07edc3de93f67179c753bbedcd9eba51a6 in qpid-proton's branch refs/heads/master from [~gsim]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=14956b0 ]

PROTON-950: don't force sasl layer by default

> SASL PLAIN over cleartext should be supported
> ---------------------------------------------
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: 0.10
> Reporter: Ted Ross
> Assignee: Andrew Stitcher
> Priority: Blocker
> Fix For: 0.10
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if
> the connection is encrypted (using SSL). This is a surprising change of
> behavior from earlier versions of Proton and it's arguable that a security
> policy like that should be left to the application using the Proton library.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14654282#comment-14654282 ]

ASF subversion and git services commented on PROTON-950:

Commit 39b3dd56a38a396791ebcdba30bf4097e74c90d7 in qpid-proton's branch refs/heads/0.10.x from [~gsim]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=39b3dd5 ]

PROTON-950: provide Container default for the allow_insecure_mechs property on transport
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14654273#comment-14654273 ]

ASF subversion and git services commented on PROTON-950:

Commit 5a8c6e0b9091c1e43e585b322ea7b01d53eee288 in qpid-proton's branch refs/heads/master from [~gsim]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=5a8c6e0 ]

PROTON-950: provide Container default for the allow_insecure_mechs property on transport
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14654247#comment-14654247 ]

Robbie Gemmell commented on PROTON-950:

For me it was a case of sensitivity to mechanism order in certain [not entirely understood] situations, where ANONYMOUS was still being picked because it was offered before PLAIN. If other mechanisms were offered later in the list (e.g. DIGEST-MD5) they were chosen instead of ANONYMOUS as would be expected. Ensuring PLAIN was offered before ANONYMOUS allowed it to be chosen if the toggle was enabled.

> SASL PLAIN over cleartext should be supported
> ---------------------------------------------
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: 0.10
> Reporter: Ted Ross
> Assignee: Andrew Stitcher
> Priority: Blocker
> Fix For: 0.10, 0.11
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if
> the connection is encrypted (using SSL). This is a surprising change of
> behavior from earlier versions of Proton and it's arguable that a security
> policy like that should be left to the application using the Proton library.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653938#comment-14653938 ]

ASF subversion and git services commented on PROTON-950:

Commit e26e5976db2d32506651deb32d85ddebd631e1f5 in qpid-proton's branch refs/heads/0.10.x from [~astitcher]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=e26e597 ]

PROTON-950: Add a flag to the messenger API to allow PLAIN over an unencrypted connection
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653847#comment-14653847 ]

Gordon Sim commented on PROTON-950:

The transport condition at the point of error merely states 'Authentication failed'. That is certainly better than nothing, but it doesn't explain that the reason was that there was no mutually acceptable mechanism as opposed to PLAIN proceeding but the credentials being invalid.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653775#comment-14653775 ]

Robbie Gemmell commented on PROTON-950:

Have you managed to get the new option working with the Python bindings? Gordon wasn't able to either after my fruitless earlier attempt.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653763#comment-14653763 ]

ASF subversion and git services commented on PROTON-950:

Commit a1888591789d3db2ebd6016d7e7d112902e07598 in qpid-proton's branch refs/heads/master from [~astitcher]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=a188859 ]

PROTON-950: Add a flag to the messenger API to allow PLAIN over an unencrypted connection
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653533#comment-14653533 ]

Gordon Sim commented on PROTON-950:

I think my preferred option would also be to allow PLAIN regardless of whether SSL is in use by default, but to clearly log a warning every time PLAIN is used over an unencrypted transport (along with a brief message as to how to prevent this). That way people become very aware of the problem and how to avoid it, but it doesn't cause hard to debug issues when first trying to get an example running.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653521#comment-14653521 ]

Gordon Sim commented on PROTON-950:

I think errors like this should be visible by default without needing to set some obscure environment variable.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653389#comment-14653389 ]

Gordon Sim commented on PROTON-950:

Even modifying the code to set that property as soon as the transport is created doesn't work.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652521#comment-14652521 ]

Robbie Gemmell commented on PROTON-950:

I'm increasingly feeling that this new option should be flipped so that PLAIN works by default and those that want to restrict it to SSL only can use it to do so. As mentioned earlier, it seems inconsistent to me to allow ANONYMOUS and no-SASL by default but deny PLAIN. It should only be used for lack of a better option, and yet we know there are times it is going to be the only option right now. It also seems like none of the client code makes it particularly easy to toggle it. We are going to get a lot of questions about this (once we actually get it released..).

Thinking about it, I guess people could already have prevented use of PLAIN [without SSL] if they wanted to using the previous pn_sasl_allowed_mechs config method? In which case there may not be a need for a specific toggle if we flipped the default, though I can see it would still be easier to use that than setting 'everything but PLAIN' as the allowed mechs.

New side thought based on above, what happens currently if the allowed mech(s) are set to include only PLAIN (which I can see folks doing when trying to figure out why it doesn't work anymore) but its actual use is prevented by the transport defaults? Would people get the error Gordon was hunting for above, or something more specific since it's detectable in advance that there are no usable mechs?
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652448#comment-14652448 ]

Andrew Stitcher commented on PROTON-950:

To be clear:
* The client mechanisms available without Cyrus are ANONYMOUS, PLAIN and EXTERNAL
* The server mechanisms are ANONYMOUS and EXTERNAL (no PLAIN because we have no way to request authentication of a user/password pair)
* The default PLAIN behaviour is the same both with and without Cyrus viz:
  - It is intuitive that the behaviour doesn't vary depending on the library build, but
  - By default without SSL you cannot authenticate a user without Cyrus.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652436#comment-14652436 ]

Gordon Sim commented on PROTON-950:

I've not debugged. The behaviour changed since about a week ago though.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652433#comment-14652433 ]

Robbie Gemmell commented on PROTON-950:

I was about to reply questioning if that was the case, i.e. have we implemented ANONYMOUS, PLAIN, and EXTERNAL in the fallback and then disabled PLAIN by default?
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652428#comment-14652428 ]

Andrew Stitcher commented on PROTON-950:

It should be raising .._HEAD_CLOSED, .._TAIL_CLOSED and .._CLOSED. There could be something different about the reactive code from the test code though, are you not seeing any of the CLOSED events?
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652425#comment-14652425 ]

Gordon Sim commented on PROTON-950:

That means that unless cyrus is available it would no longer be possible to authenticate as a given user unless SSL was used (since there would be no other mechanisms).
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652420#comment-14652420 ]

Gordon Sim commented on PROTON-950:

There is no special logic added for PN_TRANSPORT_ERROR events, but PN_TRANSPORT_CLOSED and PN_TRANSPORT_TAIL_CLOSED are handled. Previously this would result in the connection attempt failing and either reconnecting or exiting depending on settings (along with the error logged of course).
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652414#comment-14652414 ]

Gordon Sim commented on PROTON-950:

Yes, that does show up the error.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652415#comment-14652415 ]

Andrew Stitcher commented on PROTON-950:

With no Cyrus available the behaviour should be the same as with Cyrus. Just with fewer mechanisms available.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652413#comment-14652413 ]

Andrew Stitcher commented on PROTON-950:

Also what are you doing when receiving PN_TRANSPORT_ERROR events? I did recently (think I'd) fix the SASL code to raise those errors correctly (at the correct time with the correct error code).
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652409#comment-14652409 ]

Gordon Sim commented on PROTON-950:

No, I didn't make any changes. I had just assumed from a comment above that the messenger code had been changed.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652406#comment-14652406 ]

Gordon Sim commented on PROTON-950:

What is the intended behaviour when cyrus is not available on the platform in question? Would PLAIN be allowed over a non-SSL connection in that case? To me that seems non-intuitive from the client's perspective.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652404#comment-14652404 ]

Andrew Stitcher commented on PROTON-950:

There was a recent change to stop the SASL code from logging without any logging flags set. If you set PN_TRACE_DRV do you see any error output?
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652394#comment-14652394 ]

Gordon Sim commented on PROTON-950:

Run e.g. simple_send against direct_recv, or even just the messenger examples against a broker that only supports PLAIN.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652380#comment-14652380 ]

Andrew Stitcher commented on PROTON-950:

@gsim unless you've manually set the flag somehow for the messenger code this is expected as there is no code committed yet to do this automatically for messenger (else this report would already have been resolved!). All that is committed currently is the sasl level code for the option itself.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652377#comment-14652377 ]

Andrew Stitcher commented on PROTON-950:

As to the first issue - it is possible that you didn't/can't set the property on the sasl object early enough, although this seems a little odd. The flag is examined when the SASL "Mechanisms" frame is received from the server end, at the point when the cyrus client structure is created. This should be well after the on_connection_bound event, although there may be a race going on here, if there is nothing to stop the client sending its SASL header before this setting happens.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652361#comment-14652361 ]

Gordon Sim commented on PROTON-950:

I can't seem to get the messenger examples to connect over non-ssl using PLAIN either...

{noformat}
]$ PN_TRACE_FRM=1 ./examples/c/messenger/send -a amqp://guest:guest@localhost/amq.fanout
[0x162a700]: -> SASL
[0x162a700]: <- SASL
[0x162a700]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=:PLAIN]
[0x162a700]: -> EOS
{noformat}
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652357#comment-14652357 ]

Andrew Stitcher commented on PROTON-950:

[~gsim] Could you bug report that last issue, because that isn't the intended behaviour - you should definitely get an error (and preferably the 'no worthy mechs' error too) if no matching mech could be found.

If you can include some sort of reproducer I'll try to create a good test case from it and fix the problem.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652352#comment-14652352 ]

Gordon Sim commented on PROTON-950:

I tried unsuccessfully to do this. It is awkward to get at the sasl object for a connection when using the reactor. In theory you can do so via the on_connection_bound method. However even doing so, and setting the new property to True, I was unable to connect using PLAIN over a non-ssl connection.

Without making any changes, the behaviour also seems to have changed very recently. Previously when attempting to connect where only PLAIN was offered by the broker, an error would at least be logged to the effect that 'no worthy mechs' could be selected, and both sides would end up disconnected. Now there is no error at all and the reactive examples just hang.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652190#comment-14652190 ]

Robbie Gemmell commented on PROTON-950:

Can anyone clue me in on how you would enable the new transport flag client-side with the python reactive bits, to allow connecting to a server offering PLAIN without using SSL? I had a look but didn't see a way to do so. My interest is for new or existing users connecting to servers that e.g. only support PLAIN (and possibly ANONYMOUS), such as ActiveMQ or some others, who are doing so without SSL.

This all also makes me wonder if the default shouldn't be the other way round (particularly if there is actually no easy way to use the new transport option in some cases). I believe the engine allows ANONYMOUS and no-SASL-layer by default currently, so it seems strange that we would deny use of PLAIN in the same situation. The argument for allowing ANONYMOUS was that it eased initial pickup by new developers, and that people will secure their production setups; it feels to me that essentially the same argument applies for PLAIN without SSL and that treating them differently is perhaps a bit inconsistent.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14648105#comment-14648105 ]

Andrew Stitcher commented on PROTON-950:

At this point I don't think master is blocked as you now can use PLAIN unencrypted if you need to.

However I'm finding some valgrind issues with the CI tests on Ubuntu 12.04 when I add the code to default messenger to allowing PLAIN over unencrypted connections. I want to make sure the CI builds are clean before we release, so I'm investigating the valgrind issues. These issues seem to actually be in the version of cyrus SASL on the CI machine, but I want to be sure before adding in valgrind suppressions for them.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14647638#comment-14647638 ]

Robbie Gemmell commented on PROTON-950:

[~astitcher] is this done? [~tedross], [~gsim] does the change made satisfy things from your perspectives? Are there uses of the engine that also need updated to use this new API before the release, or are they being left only supporting plain over SSL?

It would be good to close this out so we can proceed with the release, it appears to be the only blocker currently.
Re: [jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
Oh, I found a solution.

pn_sasl(pn_transport_t *transport);

Tomas

2015-07-30 10:41 GMT+02:00 Tomáš Šoltys :

> Hi,
>
> I see there is a new function pn_sasl_set_allow_insecure_mechs(pn_sasl_t *sasl, bool insecure)
>
> Is there a way I can get access to the "pn_sasl_t *sasl" object?
>
> Regards,
> Tomas

--
Tomáš Šoltys
tomas.sol...@gmail.com
http://www.range-software.com
(+420) 776-843-663
Re: [jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
Hi,

I see there is a new function pn_sasl_set_allow_insecure_mechs(pn_sasl_t *sasl, bool insecure)

Is there a way I can get access to the "pn_sasl_t *sasl" object?

Regards,
Tomas

2015-07-28 20:55 GMT+02:00 ASF subversion and git services (JIRA) <j...@apache.org>:

> Commit c954cf3e4f35e79a6cd5832cc977d136c607a20b in qpid-proton's branch refs/heads/master from [~astitcher]
> [ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=c954cf3 ]
>
> PROTON-950: Allow PLAIN over clear text if you ask nicely

--
Tomáš Šoltys
tomas.sol...@gmail.com
http://www.range-software.com
(+420) 776-843-663
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644850#comment-14644850 ]

ASF subversion and git services commented on PROTON-950:

Commit c954cf3e4f35e79a6cd5832cc977d136c607a20b in qpid-proton's branch refs/heads/master from [~astitcher]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=c954cf3 ]

PROTON-950: Allow PLAIN over clear text if you ask nicely
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644849#comment-14644849 ]

Andrew Stitcher commented on PROTON-950:

Given that the 0.10 version of the Python reactive API should work correctly with any other SASL mech just by setting the user and password to the API I'm not sure that the potential accidental security loss is worth it for such a new API. You can still use the allow_insecure_mechs SASL property to allow PLAIN in this case.

However if you feel this is widely used I can change it in the same way as I'm proposing for the messenger API.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644842#comment-14644842 ]

Andrew Stitcher commented on PROTON-950:

I don't understand - the previous code didn't implement any mechanisms except ANONYMOUS, how did PLAIN work?
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644837#comment-14644837 ]

Gordon Sim commented on PROTON-950:

It set the chosen mechanism to be plain if a username and password were specified in the url (using the Sasl.plain() method).
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644822#comment-14644822 ]

Andrew Stitcher commented on PROTON-950:

Did the 0.9 Python "Reactive" API code send the SASL frame manually in Python? There was no code previously in *Proton-C* which sent a PLAIN SASL init frame except in the messenger code.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644813#comment-14644813 ]

Gordon Sim commented on PROTON-950:

"This can only be a change in behaviour for applications that are using the messenger library, as it is the only part of the Proton-c library that has the PLAIN mechanism built in before 0.10." - I don't think that is correct. The python 'reactive' api also supported plain previously but now only does so on ssl connections.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644675#comment-14644675 ]

Andrew Stitcher commented on PROTON-950:

This can only be a change in behaviour for applications that are using the messenger library, as it is the only part of the Proton-c library that has the PLAIN mechanism built in before 0.10.

My proposed change is to add an API to the SASL object allow_insecure_mechs(bool) which defaults to false for the underlying Proton-c library as used directly via the engine or event APIs. If this property is set true then it will allow plain to be used unencrypted.

For the messenger APIs I will default to insecure mechs by default for 0.10, but note that this will be changed in 0.11 to a more secure setting in the 0.10 release notes and the messenger documentation.
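
The policy proposed in the comment above, applied to the PN_TRACE_FRM trace quoted elsewhere in this thread, as an added Python model (not Proton's code and not posted by anyone in the thread). The function names, the client preference order and the `@PN_SYMBOL[...]` list syntax in the constructed trace are assumptions; the model only shows why a client with `allow_insecure_mechs` left false finds nothing usable when a broker offers only PLAIN on a cleartext connection, and that this is reported as an error.

```python
import re

# Mechanisms that send the password itself; the thread names only PLAIN.
CLEARTEXT_PASSWORD_MECHS = {"PLAIN"}

# The received mechanisms frame as printed with PN_TRACE_FRM=1.
MECHS_FRAME = re.compile(
    r"<-\s*@sasl-mechanisms\(64\)\s*\[sasl-server-mechanisms=(.*)\]\s*$")

# Trace quoted in the thread: cleartext connection, broker offers only PLAIN.
PAGE_TRACE = [
    "[0x162a700]: -> SASL",
    "[0x162a700]: <- SASL",
    "[0x162a700]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=:PLAIN]",
    "[0x162a700]: -> EOS",
]

# Constructed sample: two mechanisms offered (the list syntax is an assumption).
CONSTRUCTED_TRACE = [
    "[0x1]: -> SASL",
    "[0x1]: <- SASL",
    "[0x1]:0 <- @sasl-mechanisms(64) "
    "[sasl-server-mechanisms=@PN_SYMBOL[:ANONYMOUS, :PLAIN]]",
]


class NoWorthyMechs(Exception):
    """No offered mechanism survives the client's policy."""


def offered_mechanisms(trace_lines):
    """Mechanism names from the first received sasl-mechanisms frame, or None."""
    for line in trace_lines:
        match = MECHS_FRAME.search(line)
        if match:
            return re.findall(r":([A-Za-z0-9_-]+)", match.group(1))
    return None


def select_mechanism(offered, have_password, encrypted,
                     allow_insecure_mechs=False,
                     client_mechs=("PLAIN", "ANONYMOUS")):
    """Pick the first client-preferred mechanism that the policy permits.

    client_mechs is this model's assumed preference order, not Proton's.
    """
    rejected = []
    for mech in client_mechs:
        if mech not in offered:
            continue
        if mech in CLEARTEXT_PASSWORD_MECHS:
            if not have_password:
                rejected.append(f"{mech}: no credentials")
                continue
            if not encrypted and not allow_insecure_mechs:
                rejected.append(
                    f"{mech}: cleartext transport and allow_insecure_mechs is false")
                continue
        return mech
    raise NoWorthyMechs(
        "no worthy mechs; " + ("; ".join(rejected) or "nothing in common"))


def diagnose(trace_lines, have_password, encrypted, allow_insecure_mechs=False):
    """Explain what a client under this policy would do with a captured trace."""
    offered = offered_mechanisms(trace_lines)
    result = {
        "offered": offered,
        "selected": None,
        "reason": None,
        # True when the client ended the stream, as in the quoted trace.
        "client_closed": any(re.search(r"->\s*EOS\s*$", l) for l in trace_lines),
    }
    if offered is None:
        result["reason"] = "no sasl-mechanisms frame in trace"
        return result
    try:
        result["selected"] = select_mechanism(
            offered, have_password, encrypted, allow_insecure_mechs)
    except NoWorthyMechs as exc:
        result["reason"] = str(exc)
    return result


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, diagnose(PAGE_TRACE, True, False, allow_insecure_mechs=flag))
```
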
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14630019#comment-14630019 ]

Ted Ross commented on PROTON-950:

That makes two of us. I've updated it accordingly.

> SASL PLAIN over cleartext should be supported
> ---------------------------------------------
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: 0.10
> Reporter: Ted Ross
> Assignee: Andrew Stitcher
> Priority: Blocker
> Fix For: 0.10
>
> In the current 0.10 alpha, if SASL PLAIN is selected, SSL is forced. This is
> a surprising change of behavior from earlier versions of Proton and it's
> arguable that a security policy like that should be left to the application
> using the Proton library.
[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported
[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14630002#comment-14630002 ]

Robbie Gemmell commented on PROTON-950:

This is marked fix-for 0.10. Is it a blocker? (I'd say yes personally)

> SASL PLAIN over cleartext should be supported
> ---------------------------------------------
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: 0.10
> Reporter: Ted Ross
> Assignee: Andrew Stitcher
> Fix For: 0.10
>
> In the current 0.10 alpha, if SASL PLAIN is selected, SSL is forced. This is
> a surprising change of behavior from earlier versions of Proton and it's
> arguable that a security policy like that should be left to the application
> using the Proton library.