On 06/12/2015 10:48 AM, Rob Godfrey wrote:
The documentation doesn't tend to go into the detail of the SASL mechanisms available from each provider (and how they may differ between TLS and non-TLS)... and from a general user perspective I'm not sure that would be useful.
I think it is useful to know that certain mechanisms are excluded unless using an encrypted (TLS) connection. I do now recall I hit this when testing the 0.32 release, but had forgotten.
Some kind of warning on the console (or even in the logs) might help perhaps.
The issue here is interop between clients and brokers... and in general I think all clients should support some way of sending password information in non-plaintext if they are not using an encrypted channel.
As of 0.10 proton-c on Linux will support different mechanisms if built against cyrus-sasl. (If dev packages for cyrus-sasl are not installed I believe you just get PLAIN and ANONYMOUS, which is the same for qpid:messaging). (CRAM-MD5 is officially deprecated in favour of DIGEST-MD5. Cyrus-sasl supports both, but in some installations the former may conceivably be disabled).
SSL/TLS is also supported however, so that can be used. The key is just understanding what the issue is. None of the error handling (client side or server side) is great with a lot of these issues, which is another area we can improve in.
More interop testing is certainly key. Now we are moving to separate releases, hopefully we can get more focus on each individual component as it releases, to ensure that other things which might conceivably be used alongside it can in fact do so.
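The interop failure discussed in this thread, sketched as an added example that is not part of the original message and is not Qpid or Proton code: a broker withholds plaintext-password mechanisms on unencrypted connections, and a client limited to PLAIN and ANONYMOUS is left with nothing in common. The broker's configured list, the preference order and the function names are assumptions made for illustration; the diagnostic string is the kind of warning the thread asks for.

```python
# Added illustration. The policy and mechanism lists are assumptions,
# not the actual behaviour or configuration of any Qpid component.

PLAINTEXT_PASSWORD = {"PLAIN"}  # mechanisms that send the password itself
# Hypothetical client preference: challenge-response first, plaintext after.
PREFERENCE = ["DIGEST-MD5", "CRAM-MD5", "PLAIN", "ANONYMOUS"]


def broker_offer(configured, tls):
    """Mechanisms the broker advertises: plaintext-password ones only over TLS."""
    return [m for m in configured if tls or m not in PLAINTEXT_PASSWORD]


def negotiate(client_mechs, configured, tls):
    """Return (mechanism, diagnostic); mechanism is None when nothing matches."""
    offered = broker_offer(configured, tls)
    common = [m for m in PREFERENCE if m in client_mechs and m in offered]
    if common:
        return common[0], None
    # Distinguish "withheld because the link is unencrypted" from a plain
    # mismatch, so the operator sees the cause rather than a bare auth failure.
    withheld = [m for m in configured if m not in offered and m in client_mechs]
    if withheld:
        return None, (
            "no common SASL mechanism: broker withholds %s on unencrypted "
            "connections; enable TLS or use a non-plaintext mechanism"
            % ", ".join(withheld)
        )
    return None, "no common SASL mechanism: client offers %s, broker offers %s" % (
        sorted(client_mechs), offered)


# Constructed sample configuration (not taken from a real deployment).
BROKER_CONFIGURED = ["PLAIN", "CRAM-MD5"]
CLIENT_NO_CYRUS = {"PLAIN", "ANONYMOUS"}  # client built without cyrus-sasl
CLIENT_WITH_CYRUS = {"PLAIN", "ANONYMOUS", "CRAM-MD5", "DIGEST-MD5"}

if __name__ == "__main__":
    for name, mechs in (("no-cyrus", CLIENT_NO_CYRUS), ("cyrus", CLIENT_WITH_CYRUS)):
        for tls in (False, True):
            print(name, "tls=%s" % tls, negotiate(mechs, BROKER_CONFIGURED, tls))
```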
