On Wed, 2015-02-25 at 10:27 +0100, Jakub Scholz wrote:
> ...
> But I find this part a bit dangerous:
> "Classically in protocols where SASL was not optional the way to avoid
> double authentication was to use the EXTERNAL SASL mechanism. With AMQP,
> SASL is optional, so if SSL is used for client authentication the SASL
> layer could be entirely omitted and so using EXTERNAL is not necessary."
> 

This is really just a statement about how AMQP 1.0 works - if you like -
it is an aside praising the good protocol design sense of the standard's
authors (you know who you are!).

> I understand the idea and I would even agree that this is the proper way
> how to do it in the long term. But I'm not sure whether all brokers support
> this concept. For example, I'm not sure whether you can configure the Qpid
> C++ broker in a way to accept AMQP 1.0 connections with SSL Client
> Authentication without SASL EXTERNAL while at the same time accepting AMQP
> 0-10 connections only with SASL EXTERNAL. Therefore I would be afraid that
> allowing SSL Client Authentication only without SASL could cause some
> serious incompatibilities - I think both should be possible / supported.

And both are supported.

The qpidd 0-10 support is not going to change. The qpidd 1.0 support is
on a different code path so there is little bleed over in functionality.

The proton server code can auto detect which protocol layers the client
is using, and subject to it being an allowed protocol configuration,
authenticate it.

Other AMQP 1.0 implementations may not support leaving out the SASL
layer and so you can certainly always tell the client to use it (even if
it adds no useful functionality as in the ANONYMOUS and EXTERNAL cases).

So, as far as the current plans for proton go, if you require SSL client
authentication it will happen whether or not a SASL layer is there.

As EXTERNAL and better SSL integration with the transport code are not
yet implemented there may be something significant I've missed in this
analysis, in which case it's all subject to change!

I hope that helps.

Andrew
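The message above describes a server that detects which AMQP 1.0 protocol layers (TLS, SASL, plain AMQP) a client announces and then decides, against its own policy, whether that combination is acceptable and where the client's identity comes from: the TLS client certificate directly when SASL is omitted, or via SASL EXTERNAL when a SASL layer is present. The following is an added example written for this thread; it is not Qpid or proton code. It models the 8-byte AMQP 1.0 protocol header (the `AMQP` magic, a protocol-id of 0 for AMQP, 2 for TLS, 3 for SASL, then version 1.0.0) and a hypothetical `Policy`/`Client` pair; the header sequences and the `cert_verified` flag are constructed inputs that stand in for what a real transport would learn from its TLS handshake.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

# Protocol-id byte of the AMQP 1.0 protocol header (spec sections 2.2, 5.1 and 5.3).
PROTOCOL_IDS = {0: "amqp", 2: "tls", 3: "sasl"}
# A client may announce the layers only in this order, ending with plain AMQP.
LAYER_ORDER = ["tls", "sasl", "amqp"]


def parse_protocol_header(header: bytes) -> str:
    """Decode one 8-byte AMQP 1.0 protocol header and name the layer it announces."""
    if len(header) != 8:
        raise ValueError("protocol header must be exactly 8 bytes")
    magic, proto_id, major, minor, revision = struct.unpack("!4sBBBB", header)
    if magic != b"AMQP":
        raise ValueError("not an AMQP protocol header")
    if (major, minor, revision) != (1, 0, 0):
        raise ValueError(f"unsupported AMQP version {major}.{minor}.{revision}")
    if proto_id not in PROTOCOL_IDS:
        raise ValueError(f"unknown protocol id {proto_id}")
    return PROTOCOL_IDS[proto_id]


def detect_layers(headers: List[bytes]) -> List[str]:
    """Return the layers a client announced, rejecting duplicates and out-of-order stacks.

    `headers` is the constructed sequence of headers the server saw in cleartext
    (after a TLS header, the next header is read once the handshake completes).
    """
    layers = [parse_protocol_header(h) for h in headers]
    if not layers or layers[-1] != "amqp":
        raise ValueError("protocol stack must end with the AMQP layer")
    positions = [LAYER_ORDER.index(layer) for layer in layers]
    if positions != sorted(set(positions)):
        raise ValueError(f"invalid layer order: {layers}")
    return layers


class Policy(NamedTuple):  # hypothetical server-side configuration
    require_tls: bool
    require_client_cert: bool
    allow_sasl_less: bool          # accept clients that omit the SASL layer entirely
    mechanisms: frozenset          # SASL mechanisms the server offers


class Client(NamedTuple):  # hypothetical view of one incoming connection
    headers: List[bytes]
    cert_verified: bool            # TLS client certificate chained to a trusted CA
    sasl_mechanism: Optional[str]  # mechanism chosen, or None if no SASL layer


def authenticate(client: Client, policy: Policy) -> Tuple[bool, str]:
    """Apply the policy to the detected layers; returns (accepted, reason)."""
    layers = detect_layers(client.headers)
    tls_authenticated = "tls" in layers and client.cert_verified

    if policy.require_tls and "tls" not in layers:
        return False, "TLS layer required"
    # Client-certificate authentication is enforced whether or not SASL is present.
    if policy.require_client_cert and not tls_authenticated:
        return False, "verified TLS client certificate required"

    if "sasl" not in layers:
        if not policy.allow_sasl_less:
            return False, "SASL layer required"
        if tls_authenticated:
            return True, "identity taken from TLS client certificate (no SASL)"
        return True, "anonymous (no SASL, no client certificate)"

    mech = client.sasl_mechanism
    if mech not in policy.mechanisms:
        return False, f"SASL mechanism {mech!r} not offered"
    if mech == "EXTERNAL":
        # EXTERNAL only re-labels an identity the transport already verified.
        if not tls_authenticated:
            return False, "EXTERNAL requires a verified TLS client certificate"
        return True, "identity taken from TLS client certificate (SASL EXTERNAL)"
    if mech == "ANONYMOUS":
        return True, "anonymous (SASL ANONYMOUS)"
    return True, f"credential exchange required for {mech}"


# Constructed protocol headers for the three layers.
TLS_HDR = b"AMQP\x02\x01\x00\x00"
SASL_HDR = b"AMQP\x03\x01\x00\x00"
AMQP_HDR = b"AMQP\x00\x01\x00\x00"

if __name__ == "__main__":
    policy = Policy(require_tls=True, require_client_cert=True,
                    allow_sasl_less=True, mechanisms=frozenset({"EXTERNAL"}))
    for client in (
        Client([TLS_HDR, AMQP_HDR], True, None),
        Client([TLS_HDR, SASL_HDR, AMQP_HDR], True, "EXTERNAL"),
        Client([TLS_HDR, SASL_HDR, AMQP_HDR], False, "EXTERNAL"),
    ):
        print(detect_layers(client.headers), authenticate(client, policy))
```

With `allow_sasl_less=True` the same policy accepts both a client that skips SASL and one that goes through EXTERNAL, which is the point made above: the certificate check happens in the TLS layer either way, and EXTERNAL adds no further proof. Flipping `allow_sasl_less` to `False` is the knob for peers whose AMQP 1.0 stacks cannot omit the SASL layer.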

