Hi,

I've just found a problem configuring a 0.30 broker with TLS but without
SASL - the broker rejects connections as unencrypted while a packet trace
shows that the connection is, in fact, decidedly encrypted (as with a
working system, certificate transfer can be seen in packet 6 after the initial
TCP connection and handshake; thereafter no plain text packets are
transferred).

The error message from the security system is "Rejected un-encrypted
connection."

The problem came about after I inadvertently built the broker without the
dependent SASL libraries available; rebuilding with SASL fixed the problem
with no adjustments to my configuration or SSL database.

The assumption appears to be that SSL is not possible without SASL, which
I'm not sure is correct...?

The only place I found this error in the code was
src/qpid/broker/SaslAuthenticator.cpp:203:

    if (encrypt) {
#if HAVE_SASL
        // encryption required - check to see if we are running over an
        // encrypted SSL connection.
        SecuritySettings external = connection.getExternalSecuritySettings();
        sasl_ssf_t external_ssf = (sasl_ssf_t) external.ssf;
        if (external_ssf < 1)    // < 1 == unencrypted
#endif
        // note: when HAVE_SASL is not defined the `if` above is compiled out
        // and the block below runs unconditionally
        {
            QPID_LOG(error, "Rejected un-encrypted connection.");
            throw ConnectionForcedException("Connection must be encrypted.");
        }
    }


I think this may be related to
https://issues.apache.org/jira/browse/QPID-1899 - I couldn't see any other
related issues.

Regards

-- 

*Chris Richardson*, System Architect
[email protected]


*FourC AS, Vestre Rosten 81, Trekanten, NO-7075 Tiller, Norway. www.fourc.eu
<http://www.fourc.eu/>*

*Follow us on LinkedIn <http://bit.ly/fourcli>, Facebook
<http://bit.ly/fourcfb>, Google+ <http://bit.ly/fourcgp> and Twitter
<http://bit.ly/fourctw>!*

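The following is an added example, not Qpid's code and not part of the post above. It models the "encryption required" check quoted from SaslAuthenticator.cpp with the HAVE_SASL build setting turned into a runtime flag, so that both build configurations can be exercised in one program: the first function reproduces the posted control flow (the SSF comparison disappears with SASL, leaving an unconditional reject), the second is a hypothetical corrected check that consults the transport's SSF regardless of SASL. The struct, function and exception names are stand-ins chosen for the example.

```cpp
#include <stdexcept>
#include <string>

// Stand-in for the broker's per-connection transport security settings.
// ssf is the security strength factor of the transport; 0 means plaintext,
// a TLS connection reports the cipher strength (e.g. 128 or 256).
struct SecuritySettings { unsigned ssf; };

// Stand-in for the exception the broker throws to force a connection closed.
struct ConnectionForcedException : std::runtime_error {
    explicit ConnectionForcedException(const std::string& m) : std::runtime_error(m) {}
};

// Behaviour of the posted snippet, with HAVE_SASL as a runtime flag.
// Without SASL the `if (external_ssf < 1)` line is preprocessed away, so the
// bare `{ ... }` block that follows it runs on every connection that requires
// encryption, TLS or not. Returns true when the connection is accepted.
bool acceptsAsPosted(bool encryptRequired, bool haveSasl, const SecuritySettings& external) {
    if (encryptRequired) {
        bool reject = true;                       // the unconditional block
        if (haveSasl) reject = external.ssf < 1;  // the check only SASL builds get
        if (reject) throw ConnectionForcedException("Connection must be encrypted.");
    }
    return true;
}

// Hypothetical corrected check (an assumption, not an upstream fix): the
// transport SSF is known whether or not SASL was compiled in, so it is
// consulted in both configurations and only plaintext is refused.
bool acceptsFixed(bool encryptRequired, bool /*haveSasl*/, const SecuritySettings& external) {
    if (encryptRequired && external.ssf < 1)
        throw ConnectionForcedException("Connection must be encrypted.");
    return true;
}

// Runs one of the checks and reports accept (true) / forced close (false)
// instead of letting the exception escape.
template <typename F>
bool tryAccept(F check, bool encryptRequired, bool haveSasl, unsigned ssf) {
    try {
        return check(encryptRequired, haveSasl, SecuritySettings{ssf});
    } catch (const ConnectionForcedException&) {
        return false;
    }
}

int main() {
    // A TLS connection (ssf 256) on a build without SASL: rejected as posted,
    // accepted by the corrected check. A plaintext connection is refused by both.
    bool posted_tls_no_sasl = tryAccept(acceptsAsPosted, true, false, 256);
    bool fixed_tls_no_sasl  = tryAccept(acceptsFixed,    true, false, 256);
    bool fixed_plain        = tryAccept(acceptsFixed,    true, false, 0);
    return (!posted_tls_no_sasl && fixed_tls_no_sasl && !fixed_plain) ? 0 : 1;
}
```

The point the model makes explicit is that the `#if HAVE_SASL` wraps only the condition, not the braces that follow it, which is why a SASL-less build refuses every connection that has encryption required even when the packet trace shows TLS in use.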