On 10/23/2014 03:58 PM, Chris Richardson wrote:
> Hi,
> 
> I've just found a problem configuring a 0.30 broker with TLS but without
> SASL - the broker rejects connections as unencrypted while a packet trace
> shows that the connection is, in fact, decidedly encrypted (as with a
> working system, certificate transfer can be seen in packet 6 after initial
> TCP connection and handshake; thereafter no plain text packets are
> transferred).
> 
> The error message from the security system is "Rejected un-encrypted
> connection."
> 
> The problem came about after I inadvertently built the broker without the
> dependent SASL libraries available; rebuilding with SASL fixed the problem
> with no adjustments to my configuration or SSL database.
> 
> The assumption appears to be that SSL is not possible without SASL, which
> I'm not sure is correct...?

I think it is less an explicit assumption, and more just a matter of forgetting the case where the sasl support libraries aren't there.

There was a fix for a similar issue[1] but it assumed sasl support libraries were available, but that sasl was not turned on.

There isn't any real need for the conditional includes - they are only there because of the cast to a cyrus sasl type, but that cast is not needed.

I think the attached patch should fix it.

[1] https://issues.apache.org/jira/browse/QPID-2374
diff --git a/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp b/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp
index f68bda0..55a1006 100644
--- a/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp
+++ b/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp
@@ -192,13 +192,10 @@ void NullAuthenticator::getMechanisms(Array& mechanisms)
 void NullAuthenticator::start(const string& mechanism, const string* response)
 {
     if (encrypt) {
-#if HAVE_SASL
         // encryption required - check to see if we are running over an
         // encrypted SSL connection.
         SecuritySettings external = connection.getExternalSecuritySettings();
-        sasl_ssf_t external_ssf = (sasl_ssf_t) external.ssf;
-        if (external_ssf < 1)    // < 1 == unencrypted
-#endif
+        if (external.ssf < 1)    // < 1 == unencrypted
         {
             QPID_LOG(error, "Rejected un-encrypted connection.");
             throw ConnectionForcedException("Connection must be encrypted.");
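
Review bot: with the `#if HAVE_SASL` guard removed, the `if (external.ssf < 1)` rejection now runs in every build and depends entirely on `connection.getExternalSecuritySettings()` reporting a non-zero `ssf` for a TLS connection when the broker is built without the SASL libraries; that code is outside this hunk, so please cover it with a regression test (TLS connection accepted, plain TCP connection refused with "Connection must be encrypted.") against both a build made without the SASL libraries, as in the original report, and a normal build. Two smaller points: the covering message says the conditional includes are not needed, but this hunk only drops the guard around the check, so either include the hunk that removes the guarded include or say that it is left in place; and since the reporter had to resort to a packet trace to see that the rejection was wrong, consider putting the observed value into the log line, e.g. `QPID_LOG(error, "Rejected un-encrypted connection (ssf=" << external.ssf << ").");` if QPID_LOG accepts a stream expression here, so a future misconfiguration is diagnosable from the broker log alone.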
