subject:"\[jira\] \[Commented\] \(PROTON\-950\) SASL PLAIN over cleartext should be supported"

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-19 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14703570#comment-14703570
 ] 

ASF subversion and git services commented on PROTON-950:


Commit 14956b07edc3de93f67179c753bbedcd9eba51a6 in qpid-proton's branch 
refs/heads/master from [~gsim]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=14956b0 ]

PROTON-950: don't force sasl layer by default


> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-04 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14654282#comment-14654282
 ] 

ASF subversion and git services commented on PROTON-950:


Commit 39b3dd56a38a396791ebcdba30bf4097e74c90d7 in qpid-proton's branch 
refs/heads/0.10.x from [~gsim]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=39b3dd5 ]

PROTON-950: provide Container default for the allow_insecure_mechs property on 
transport


> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-04 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14654273#comment-14654273
 ] 

ASF subversion and git services commented on PROTON-950:


Commit 5a8c6e0b9091c1e43e585b322ea7b01d53eee288 in qpid-proton's branch 
refs/heads/master from [~gsim]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=5a8c6e0 ]

PROTON-950: provide Container default for the allow_insecure_mechs property on 
transport


> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-04 Thread Robbie Gemmell (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14654247#comment-14654247
 ] 

Robbie Gemmell commented on PROTON-950:
---

For me it was a case of sensitivity to mechanism order in certain [not entirely 
understood] situations, where ANONYMOUS was still being picked because it was 
offered before PLAIN. If other mechanisms were offered later in the list (e.g 
DIGEST-MD5) they were chosen instead of ANONYMOUS as would be expected. 
Ensuring PLAIN was offered before ANONYMOUS allowed it to be chosen if the 
toggle was enabled.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10, 0.11
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-04 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653938#comment-14653938
 ] 

ASF subversion and git services commented on PROTON-950:


Commit e26e5976db2d32506651deb32d85ddebd631e1f5 in qpid-proton's branch 
refs/heads/0.10.x from [~astitcher]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=e26e597 ]

PROTON-950: Add a flag to the messenger API to allow PLAIN over an unencrypted 
connection


> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10, 0.11
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-04 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653847#comment-14653847
 ] 

Gordon Sim commented on PROTON-950:
---

The transport condition at th point of error merely states 'Authentication 
failed'. That is certainly better than nothing, but it doesn't explain that the 
reason was that there was no mutually acceptable mechanism as opposed to PLAIN 
proceeding but the credentials being invalid. 

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10, 0.11
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-04 Thread Robbie Gemmell (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653775#comment-14653775
 ] 

Robbie Gemmell commented on PROTON-950:
---

Have you managed to get the new option working with the Python bindings? Gordon 
wasn't able to either after my fruitless earlier attempt.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10, 0.11
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-04 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653763#comment-14653763
 ] 

ASF subversion and git services commented on PROTON-950:


Commit a1888591789d3db2ebd6016d7e7d112902e07598 in qpid-proton's branch 
refs/heads/master from [~astitcher]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=a188859 ]

PROTON-950: Add a flag to the messenger API to allow PLAIN over an unencrypted 
connection


> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-04 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653533#comment-14653533
 ] 

Gordon Sim commented on PROTON-950:
---

I think my preferred option would also be to allow PLAIN regardless of whether 
SSL is in use by default, but to clearly log a warning every time PLAIN is used 
over an unencrypted transport (along with a brief message as to how to prevent 
this). That way people become very aware of the problem and how to avoid it, 
but it doesn't cause hard to debug issues when first trying to get an example 
running.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-04 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653521#comment-14653521
 ] 

Gordon Sim commented on PROTON-950:
---

I think errors like this should be visible by default without needing to set 
some obscure environment variable.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-04 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653389#comment-14653389
 ] 

Gordon Sim commented on PROTON-950:
---

Even modifying the code to set that property as soon as the transport is 
created doesn't work.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Robbie Gemmell (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652521#comment-14652521
 ] 

Robbie Gemmell commented on PROTON-950:
---

I'm increasingly feeling that this new option should be flipped so that PLAIN 
works by default and those that want to restrict it to SSL only can use it to 
do so. As mentioned earlier, it seems inconsistent to me to allow ANONYMOUS and 
no-SASL by default but deny PLAIN. It should only be used for lack of a better 
option, and yet we know there are times it is going to be the only option right 
now. It also seems like none of the client code makes it particularly easy 
toggle it. We are going to get a lot of questions about this (once we actually 
get it released..).

Thinking about it, I guess people already could already have prevented use of 
PLAIN [without SSL] if they wanted to using the previous pn_sasl_allowed_mechs 
config method? In which case there may not be a need for a specific toggle if 
we flipped the default, though I can see it would still be easier to use that 
than setting 'everything but PLAIN' as the allowed mechs.

New side thought based on above, what happens currently if the allowed mech(s) 
are set to include only PLAIN (which I can see folks doing when trying to 
figure out why it doesnt work anymore) but its actual use is prevented by the 
transport defaults? Would people get the error Gordon was hunting for above, or 
something more specific since its detectable in advance that there are no 
usable mechs?

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652448#comment-14652448
 ] 

Andrew Stitcher commented on PROTON-950:


To be clear:

* The client mechanisms available without Cyrus are ANONYMOUS, PLAIN and 
EXTERNAL
* The server mechanisms are ANONYMOUS and EXTERNAL (no PLAIN because we have no 
way to request authentication of a user/password pair)
* The default PLAIN behaviour is the same bith with and without Cyrus viz:
- It is intuitive that the behaviour doesn't vary depending on the library 
build, but
- By default without SSL you cannot authenticate a user without Cyrus.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652436#comment-14652436
 ] 

Gordon Sim commented on PROTON-950:
---

I've not debugged. The behaviour changed since about a week ago though.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Robbie Gemmell (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652433#comment-14652433
 ] 

Robbie Gemmell commented on PROTON-950:
---

I was about to reply questioning if that was the case, i.e. have we implemented 
ANONYMOUS, PLAIN, and EXTERNAL in the fallback and then disabled PLAIN by 
default?

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652428#comment-14652428
 ] 

Andrew Stitcher commented on PROTON-950:


It should be raising .._HEAD_CLOSED, .._TAIL_CLOSED and .._CLOSED.

There could be something different about the reactive code from the test code 
though, are you not seeing any of the CLOSED events?

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652425#comment-14652425
 ] 

Gordon Sim commented on PROTON-950:
---

That means that unless cyrus is available it would no longer be possible to 
authenticate as a given user unless SSL was used (since there would be no other 
mechanisms). 

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652420#comment-14652420
 ] 

Gordon Sim commented on PROTON-950:
---

There is no special logic added for PN_TRANSPORT_ERROR events, but 
PN_TRANSPORT_CLOSED and PN_TRANSPORT_TAIL_CLOSED are handled. Previously this 
would result in the connection attempt failing and either reconnecting or 
exiting depending on settings (along with the error logged of course).

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652414#comment-14652414
 ] 

Gordon Sim commented on PROTON-950:
---

Yes, that does show up the error.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652415#comment-14652415
 ] 

Andrew Stitcher commented on PROTON-950:


With no Cyrus available the behaviour should be the same as with Cyrus. Just 
with fewer mechanisms available.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652413#comment-14652413
 ] 

Andrew Stitcher commented on PROTON-950:


Also what are you doing when receiving PN_TRANSPORT_ERROR events? I did 
recently (think I'd) fix the SASL code to raise those errors correctly (at the 
correct time with the correct error code).

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652409#comment-14652409
 ] 

Gordon Sim commented on PROTON-950:
---

No, I didn't make any changes. I had just assumed from a comment above that the 
messenger code had been changed.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652406#comment-14652406
 ] 

Gordon Sim commented on PROTON-950:
---

What is the intended behaviour when cyrus is not available on the platform in 
question? Would PLAIN be allowed over a non-SSL connection in that case? To me 
that seems non-intuitive from the client's perspective.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652404#comment-14652404
 ] 

Andrew Stitcher commented on PROTON-950:


There was a recent change to stop the SASL code from logging without any 
logging flags set. If you set PN_TRACE_DRV do you see any error output?

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652394#comment-14652394
 ] 

Gordon Sim commented on PROTON-950:
---

Run eg. simple_send against direct_recv, or even just the messenger examples 
against a broker that only supports PLAIN.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652380#comment-14652380
 ] 

Andrew Stitcher commented on PROTON-950:


@gsim unless you've manually set the flag somehow for the messenger code this 
is expected as there is no code committed yet to do this automatically for 
messenger (else this repoort would already have been resolved!). All that is 
committed currently is the sasl level code for the option itself.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652377#comment-14652377
 ] 

Andrew Stitcher commented on PROTON-950:


As to the first issue - it is possible that you didn't/can't set the property 
on the sasl object early enough, although this seems a little odd.

The flag is examined when the SASL "Mechanisms" frame is received from the 
server end, at the point when the cyrus client structure is created. This 
should be well after the on_connection_bound event, although there may be a 
race going on here, if there is nothing to stop the client sending its SASL 
header before this setting happens.


> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652361#comment-14652361
 ] 

Gordon Sim commented on PROTON-950:
---

I can't seem to get the messenger examples to connect over non-ssl using PLAIN 
either... 

{noformat}
]$ PN_TRACE_FRM=1 ./examples/c/messenger/send -a 
amqp://guest:guest@localhost/amq.fanout
[0x162a700]:  -> SASL
[0x162a700]:  <- SASL
[0x162a700]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=:PLAIN]
[0x162a700]:  -> EOS
{noformat}

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652357#comment-14652357
 ] 

Andrew Stitcher commented on PROTON-950:


[~gsim] Could you bug report that last issue, because that isn't the intended 
behaviour - you should definitely get an error (and preferably the 'no worthy 
mechs' error too) if no matching mech could be found. If you can include some 
sort of reproducer I'll try to create a good test case from it and fix the 
probelm.



> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652352#comment-14652352
 ] 

Gordon Sim commented on PROTON-950:
---

I tried unsuccessfully to do this. It is awkward to get at the sasl object for 
a connection when using the reactor. In theory you can do so via the 
on_connection_bound method. However even doing so, and setting the new property 
to True, I was unable to connect using PLAIN over a non-ssl connection.

Without making any changes, the behaviour also seems to have changed very 
recently. Previously when attempting to connect where only PLAIN was offered by 
the broker, an error would at least be logged to the effect that 'no worthy 
mechs' could be selected, and both sides would end up disconnected. Now there 
is no error at all and the reactive examples just hang.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-08-03 Thread Robbie Gemmell (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14652190#comment-14652190
 ] 

Robbie Gemmell commented on PROTON-950:
---

Can anyone clue me in on how you would enable the new transport flag 
client-side with the python reactive bits, to allow connecting to a server 
offering PLAIN without using SSL? I had a look but didn't see a way to do so. 
My interest is for new or existing users connecting to servers that e.g only 
support PLAIN (and possibly ANONYMOUS), such as ActiveMQ or some others, who 
are doing so without SSL.

This all also makes me wonder if the default shouldn't be the other way round 
(particularly if there is actually no easy way to use the new transport option 
in some cases). I believe the engine allows ANONYMOUS and no-SASL-layer by 
default currently, so it seems strange that we would deny use of PLAIN in the 
same situtation. The argument for allowing ANONYMOUS was that it eased initial 
pickup by new developers, and that people will secure their production setups; 
it feels to me that essentially the same argument applies for PLAIN without SSL 
and that treating them differently is perhaps a bit inconsistent.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-30 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14648105#comment-14648105
 ] 

Andrew Stitcher commented on PROTON-950:


At this point I don't think master is blocked as you now can use PLAIN 
unencrypted if you need to.

However I'm finding some valgrind issues with the CI tests on Ubuntu 12.04 when 
I add the code to default messenger to allowing PLAIN over unencrypted 
connections. I want to make sure the CI builds are clean before we release, so 
I'm investigating the valgrind issues.

These issues seem to actually be in the version of cyrus SASL on the CI 
machine, but I want to be sure before adding in valgrind suppressions for them.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-30 Thread Robbie Gemmell (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14647638#comment-14647638
 ] 

Robbie Gemmell commented on PROTON-950:
---

[~astitcher] is this done? [~tedross], [~gsim] does the change made satisfy 
things from your perspectives?

Are there uses of the engine that also need updated to use this new API before 
the release, or are they being left only supporting plain over SSL?

It would be good to close this out so we can proceed with the release, it 
appears to be the only blocker currently.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Re: [jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-30 Thread Tomáš Šoltys

Oh, I found a solution.

pn_sasl(pn_transport_t *transport);

Tomas

2015-07-30 10:41 GMT+02:00 Tomáš Šoltys :

> Hi,
>
> I see there is a new function pn_sasl_set_allow_insecure_mechs(pn_sasl_t
> *sasl, bool insecure)
>
> Is there a way how I can get an access to "pn_sasl_t *sasl" object?
>
> Regards,
> Tomas
>
> 2015-07-28 20:55 GMT+02:00 ASF subversion and git services (JIRA) <
> j...@apache.org>:
>
>>
>> [
>> https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644850#comment-14644850
>> ]
>>
>> ASF subversion and git services commented on PROTON-950:
>> 
>>
>> Commit c954cf3e4f35e79a6cd5832cc977d136c607a20b in qpid-proton's branch
>> refs/heads/master from [~astitcher]
>> [ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=c954cf3 ]
>>
>> PROTON-950: Allow PLAIN over clear text if you ask nicely
>>
>>
>> > SASL PLAIN over cleartext should be supported
>> > -
>> >
>> > Key: PROTON-950
>> > URL: https://issues.apache.org/jira/browse/PROTON-950
>> > Project: Qpid Proton
>> >  Issue Type: Bug
>> >  Components: proton-c
>> >Affects Versions: 0.10
>> >Reporter: Ted Ross
>> >Assignee: Andrew Stitcher
>> >Priority: Blocker
>> > Fix For: 0.10
>> >
>> >
>> > In the current 0.10 alpha, if SASL PLAIN is selected, it will only work
>> if the connection is encrypted (using SSL).  This is a surprising change of
>> behavior from earlier versions of Proton and it's arguable that a security
>> policy like that should be left to the application using the Proton library.
>>
>>
>>
>> --
>> This message was sent by Atlassian JIRA
>> (v6.3.4#6332)
>>
>
>
>
> --
> Tomáš Šoltys
> tomas.sol...@gmail.com
> http://www.range-software.com
> (+420) 776-843-663
>



-- 
Tomáš Šoltys
tomas.sol...@gmail.com
http://www.range-software.com
(+420) 776-843-663

Re: [jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-30 Thread Tomáš Šoltys

Hi,

I see there is a new function pn_sasl_set_allow_insecure_mechs(pn_sasl_t
*sasl, bool insecure)

Is there a way how I can get an access to "pn_sasl_t *sasl" object?

Regards,
Tomas

2015-07-28 20:55 GMT+02:00 ASF subversion and git services (JIRA) <
j...@apache.org>:

>
> [
> https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644850#comment-14644850
> ]
>
> ASF subversion and git services commented on PROTON-950:
> 
>
> Commit c954cf3e4f35e79a6cd5832cc977d136c607a20b in qpid-proton's branch
> refs/heads/master from [~astitcher]
> [ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=c954cf3 ]
>
> PROTON-950: Allow PLAIN over clear text if you ask nicely
>
>
> > SASL PLAIN over cleartext should be supported
> > -
> >
> > Key: PROTON-950
> > URL: https://issues.apache.org/jira/browse/PROTON-950
> > Project: Qpid Proton
> >  Issue Type: Bug
> >  Components: proton-c
> >Affects Versions: 0.10
> >Reporter: Ted Ross
> >Assignee: Andrew Stitcher
> >Priority: Blocker
> > Fix For: 0.10
> >
> >
> > In the current 0.10 alpha, if SASL PLAIN is selected, it will only work
> if the connection is encrypted (using SSL).  This is a surprising change of
> behavior from earlier versions of Proton and it's arguable that a security
> policy like that should be left to the application using the Proton library.
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.3.4#6332)
>



-- 
Tomáš Šoltys
tomas.sol...@gmail.com
http://www.range-software.com
(+420) 776-843-663

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-28 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644850#comment-14644850
 ] 

ASF subversion and git services commented on PROTON-950:


Commit c954cf3e4f35e79a6cd5832cc977d136c607a20b in qpid-proton's branch 
refs/heads/master from [~astitcher]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=c954cf3 ]

PROTON-950: Allow PLAIN over clear text if you ask nicely


> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-28 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644849#comment-14644849
 ] 

Andrew Stitcher commented on PROTON-950:


Given that the 0.10 version of the Python reactive API should work correctly 
with any other SASL mech just by setting the user and password to the API I'm 
not sure that the potential accidental security loss is worth it for an such a 
new API. 

You can still use the allow_insecure_mechs SASL property to allow PLAIN in this 
case.

However if you feel this is widely used I can change it in the same way as I'm 
proposing for the messenger API.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-28 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644842#comment-14644842
 ] 

Andrew Stitcher commented on PROTON-950:


I don't understand - the previous code didn't implement any mechanisms except 
ANONYMOUS, how did PLAIN work?

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-28 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644837#comment-14644837
 ] 

Gordon Sim commented on PROTON-950:
---

It set the chosen mechanism to be plain if a username and password were 
specified in the url (using the Sasl.plain() method).

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-28 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644822#comment-14644822
 ] 

Andrew Stitcher commented on PROTON-950:


Did the 0.9 Python "Reactive" API code send the SASL frame manually in Python?

There was no code previously in *Proton-C* which sent a PLAIN SASL init frame 
except in the messenger code.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-28 Thread Gordon Sim (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644813#comment-14644813
 ] 

Gordon Sim commented on PROTON-950:
---

"This can only be a change in behaviour for applications that are using the 
messenger library, as it is the only part of the Proton-c library that has the 
PLAIN mechanism built in before 0.10." - Idon't think that is correct. The 
python 'reactive' api also supported plain previously but now only does so on 
ssl connections.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-28 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644675#comment-14644675
 ] 

Andrew Stitcher commented on PROTON-950:


This can only be a change in behaviour for applications that are using the 
messenger library, as it is the only part of the Proton-c library that has the 
PLAIN mechanism built in before 0.10.

My proposed change is to add an API to the SASL object 
allow_insecure_mechs(bool) which defaults to false for the underlying Proton-c 
library as used directly via the engine or event APIs. If this property is set 
true then it will allow plain to be used unencrypted.

For the messenger APIs I will default to insecure mechs by default for 0.10, 
but note that this will be changed in 0.11 to a more secure setting in the 0.10 
release notes and the messenger documentation.



> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if 
> the connection is encrypted (using SSL).  This is a surprising change of 
> behavior from earlier versions of Proton and it's arguable that a security 
> policy like that should be left to the application using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-16 Thread Ted Ross (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14630019#comment-14630019
 ] 

Ted Ross commented on PROTON-950:
-

That makes two of us.  I've updated it accordingly.

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
>Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, SSL is forced.  This is 
> a surprising change of behavior from earlier versions of Proton and it's 
> arguable that a security policy like that should be left to the application 
> using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (PROTON-950) SASL PLAIN over cleartext should be supported

2015-07-16 Thread Robbie Gemmell (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14630002#comment-14630002
 ] 

Robbie Gemmell commented on PROTON-950:
---

This is marked fix-for 0.10. Is it a blocker?

(I'd say yes personally)

> SASL PLAIN over cleartext should be supported
> -
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: 0.10
>Reporter: Ted Ross
>Assignee: Andrew Stitcher
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, SSL is forced.  This is 
> a surprising change of behavior from earlier versions of Proton and it's 
> arguable that a security policy like that should be left to the application 
> using the Proton library.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

44 matches

Mail list logo