On 13/08/16 03:35, Jeff Donner wrote:
# client
ssl-best$ qpid-config --broker=amqps://jgd/donner@localhost:5671
--ssl-certificate=ssl_certs/client/tclient-certificate.pem
--ssl-key=ssl_certs/tclient-unencrypted-private.key
Failed: ConnectionError: connection-forced: Authentication failed(320)
# qpidd response:
2016-08-12 17:01:38 [Network] trace Accepting SSL connection.
2016-08-12 17:01:38 [Network] info Set TCP_NODELAY on connection to [::1]:59398
2016-08-12 17:01:38 [Network] trace Accepting SSL connection.
2016-08-12 17:01:38 [System] debug RECV [qpid.[::1]:5671-[::1]:59398]:
INIT(0-10)
2016-08-12 17:01:38 [Security] debug External ssf=128 and auth=test_client
2016-08-12 17:01:38 [Security] debug min_ssf: 0, max_ssf: 0, external_ssf: 128
2016-08-12 17:01:38 [Security] debug external auth detected and set to
test_client
2016-08-12 17:01:38 [Security] info SASL: Mechanism list: EXTERNAL
2016-08-12 17:01:38 [Broker] debug LinkRegistry::notifyConnection();
key=qpid.[::1]:5671-[::1]:59398
2016-08-12 17:01:38 [Security] trace ACL ConnectionCounter new connection:
qpid.[::1]:5671-[::1]:59398
2016-08-12 17:01:38 [Model] trace Mgmt create connection.
id:qpid.[::1]:5671-[::1]:59398
2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]:
INIT(0-10)
2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]:
Frame[BEbe; channel=0; {ConnectionStartBody:
server-properties={host:V2:7:str16(sidecar),platform:V2:5:str16(Linux),product:V2:8:str16(qpid-cpp),qpid.federation_tag:V2:36:str16(f390a428-3c91-4255-a327-55b4a3fb7570),version:V2:4:str16(0.34)};
mechanisms=str16{V2:8:str16(EXTERNAL)}; locales=str16{V2:5:str16(en_US)}; }]
2016-08-12 17:01:38 [Protocol] trace RECV [qpid.[::1]:5671-[::1]:59398]:
Frame[BEbe; channel=0; {ConnectionStartOkBody:
client-properties={platform:V2:5:str16(posix),product:V2:18:str16(qpid python
client),qpid.client_pid:F8:int64(4067),qpid.client_ppid:F8:int64(2058),qpid.client_process:V2:11:str16(qpid-config),version:V2:11:str16(development)};
mechanism=EXTERNAL; response=xxxxxx; }]
2016-08-12 17:01:38 [Security] info SASL: Starting authentication with
mechanism: EXTERNAL
2016-08-12 17:01:38 [Security] info SASL: Authentication failed for
jgd@QPID:SASL(-13): authentication failure: Requested identity not
authenticated identity

Ok, I think what you need to do is put the CN from your certificate as
the username in the url.

EXTERNAL is being selected (in fact no other mechanism is being
offered), but the client is requesting an identity that doesn't match
the certificate it has been authenticated with.

The client library really should set that itself (it does for c++) but
if I recall correctly, in python it doesn't.

2016-08-12 17:01:38 [System] debug Exception constructed: Authentication failed
2016-08-12 17:01:38 [Model] debug Failed connection.
rhost:qpid.[::1]:5671-[::1]:59398 user:jgd@QPID reason:SASL(-13):
authentication failure: Requested identity not authenticated identity
2016-08-12 17:01:38 [Protocol] error Connection qpid.[::1]:5671-[::1]:59398
closed by error: connection-forced: Authentication failed(320)
2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]:
Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=320;
reply-text=connection-forced: Authentication failed; }]
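
Added example (not part of the original message, and not Qpid project code): a small Python check that reads a qpidd trace like the one quoted above and pairs the identity the broker took from the TLS layer (`auth=` on the `External ssf=` line) with the identity the client requested in the failed SASL EXTERNAL exchange. The function name and result layout are assumptions made for illustration; the sample lines are the ones quoted above with the e-mail line wrapping undone.

```python
import re

# Sample input: [Security] records from the qpidd trace quoted above,
# re-joined so that each log record sits on a single line.
SAMPLE_LOG = """\
2016-08-12 17:01:38 [Security] debug External ssf=128 and auth=test_client
2016-08-12 17:01:38 [Security] info SASL: Mechanism list: EXTERNAL
2016-08-12 17:01:38 [Security] info SASL: Starting authentication with mechanism: EXTERNAL
2016-08-12 17:01:38 [Security] info SASL: Authentication failed for jgd@QPID:SASL(-13): authentication failure: Requested identity not authenticated identity
"""

EXTERNAL_RE = re.compile(r"\[Security\] debug External ssf=(\d+) and auth=(\S+)")
FAILED_RE = re.compile(r"SASL: Authentication failed for (\S+?):SASL\((-?\d+)\): (.*)$")
MISMATCH = "Requested identity not authenticated identity"


def find_identity_mismatches(log_text):
    """Return one finding per EXTERNAL failure caused by an identity mismatch.

    Assumption: the [Security] lines carry no connection id, so each failure
    is paired with the most recent 'External ssf=... auth=...' line. That is
    only reliable when connections are not interleaved in the log.
    """
    findings = []
    cert_identity = None
    for line in log_text.splitlines():
        m = EXTERNAL_RE.search(line)
        if m:
            cert_identity = m.group(2)  # identity established by the TLS layer
            continue
        m = FAILED_RE.search(line)
        if m and MISMATCH in m.group(3):
            requested = m.group(1)               # e.g. "jgd@QPID"
            user = requested.split("@", 1)[0]    # drop the realm suffix
            findings.append({
                "requested": requested,
                "requested_user": user,
                "certificate_identity": cert_identity,
                "mismatch": user != cert_identity,
            })
            cert_identity = None  # do not reuse it for a later connection
    return findings


if __name__ == "__main__":
    for f in find_identity_mismatches(SAMPLE_LOG):
        print("requested %(requested_user)s, certificate identity "
              "%(certificate_identity)s" % f)
```
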