Posted to users@qpid.apache.org by Chris Richardson <cr...@fourc.eu> on 2014/10/23 16:58:23 UTC

TLS without SASL in C++ broker

Hi,

I've just found a problem configuring a 0.30 broker with TLS but without
SASL - the broker rejects connections as unencrypted while a packet trace
shows that the connection is, in fact, decidedly encrypted (as with a
working system, certificate transfer can be seen in packet 6 after initial
TCP connection and handshake; thereafter no plain text packets are
transferred).

The error message from the security system is "Rejected un-encrypted
connection."

The problem came about after I inadvertently built the broker without the
dependent SASL libraries available; rebuilding with SASL fixed the problem
with no adjustments to my configuration or SSL database.

The assumption appears to be that SSL is not possible without SASL, which
I'm not sure is correct...?

The only place I found this error in the code was
src/qpid/broker/SaslAuthenticator.cpp:203:

    if (encrypt) {
#if HAVE_SASL
        // encryption required - check to see if we are running over an
        // encrypted SSL connection.
        SecuritySettings external = connection.getExternalSecuritySettings();
        sasl_ssf_t external_ssf = (sasl_ssf_t) external.ssf;
        if (external_ssf < 1)    // < 1 == unencrypted
#endif
        // When HAVE_SASL is not defined, the preprocessor drops the 'if'
        // above but keeps the braces and body below, so the rejection
        // becomes unconditional whenever 'encrypt' is set.
        {
            QPID_LOG(error, "Rejected un-encrypted connection.");
            throw ConnectionForcedException("Connection must be encrypted.");
        }
    }


I think this may be related to
https://issues.apache.org/jira/browse/QPID-1899 - I couldn't see any other
related issues.

Regards

-- 

*Chris Richardson*, System Architect
cr@fourc.eu


*FourC AS, Vestre Rosten 81, Trekanten, NO-7075 Tiller, Norway*
www.fourc.eu <http://www.fourc.eu/>


Re: TLS without SASL in C++ broker

Posted by Gordon Sim <gs...@redhat.com>.
On 10/23/2014 03:58 PM, Chris Richardson wrote:
> Hi,
>
> I've just found a problem configuring a 0.30 broker with TLS but without
> SASL - the broker rejects connections as unencrypted while a packet trace
> shows that the connection is, in fact, decidedly encrypted (as with a
> working system, certificate transfer can be seen in packet 6 after initial
> TCP connection and handshake; thereafter no plain text packets are
> transferred).
>
> The error message from the security system is "Rejected un-encrypted
> connection."
>
> The problem came about after I inadvertently built the broker without the
> dependent SASL libraries available; rebuilding with SASL fixed the problem
> with no adjustments to my configuration or SSL database.
>
> The assumption appears to be that SSL is not possible without SASL, which
> I'm not sure is correct...?

I think it is less an explicit assumption, and more just a matter of 
forgetting the case where the sasl support libraries aren't there.

There was a fix for a similar issue[1] but it assumed sasl support 
libraries were available, but that sasl was not turned on.

There isn't any real need for the conditional includes - they are only 
there because of the cast to a cyrus sasl type, but that cast is not needed.

I think the attached patch should fix it.

[1] https://issues.apache.org/jira/browse/QPID-2374
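The following is an added example, not code from the Qpid project or from either poster. It models the check quoted in Chris's message and the shape of the fix Gordon describes (drop the cyrus-sasl cast so the ssf test no longer needs conditional compilation). The `SecuritySettings` struct, the function names and the ssf values are constructed for the example; `#undef HAVE_SASL` at the top stands in for a broker built without the SASL libraries.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>

// Constructed stand-in for the broker's SecuritySettings: ssf is the
// security strength factor reported by the transport layer
// (0 = plaintext, >0 = TLS with roughly that many key bits).
struct SecuritySettings {
    unsigned ssf;
};

struct ConnectionForcedException : std::runtime_error {
    explicit ConnectionForcedException(const std::string& m)
        : std::runtime_error(m) {}
};

// Model a build where the SASL support libraries were absent, as in the
// report above: HAVE_SASL is not defined.
#undef HAVE_SASL

// Shape of the original check. With HAVE_SASL undefined the preprocessor
// removes the 'if (external_ssf < 1)' line but leaves the braces and body,
// so every connection is rejected whenever 'encrypt' is true, even one
// that really is running over TLS.
// Returns true if the connection would be rejected.
bool rejectsAsOriginal(bool encrypt, const SecuritySettings& external) {
    if (encrypt) {
#if HAVE_SASL
        unsigned external_ssf = external.ssf;
        if (external_ssf < 1)    // < 1 == unencrypted
#endif
        {
            return true;  // "Rejected un-encrypted connection."
        }
    }
    (void)external;  // unused in the no-SASL build; silences the warning
    return false;
}

// Shape of the fix: the ssf is compared as a plain unsigned value, so no
// SASL type is involved and the test compiles in every build.
bool rejectsAsFixed(bool encrypt, const SecuritySettings& external) {
    return encrypt && external.ssf < 1;
}

// Broker-style call site for the fixed check: throws instead of returning.
void checkEncrypted(bool encrypt, const SecuritySettings& external) {
    if (rejectsAsFixed(encrypt, external))
        throw ConnectionForcedException("Connection must be encrypted.");
}

int main() {
    SecuritySettings tls = {256};   // constructed: a TLS connection
    SecuritySettings plain = {0};   // constructed: a plaintext connection

    std::cout << "original, TLS client:   "
              << (rejectsAsOriginal(true, tls) ? "rejected" : "accepted") << "\n";
    std::cout << "fixed, TLS client:      "
              << (rejectsAsFixed(true, tls) ? "rejected" : "accepted") << "\n";
    std::cout << "fixed, plaintext client: "
              << (rejectsAsFixed(true, plain) ? "rejected" : "accepted") << "\n";

    try {
        checkEncrypted(true, plain);
    } catch (const ConnectionForcedException& e) {
        std::cout << "exception: " << e.what() << "\n";
    }
    return 0;
}
```

The point to take from the first function is that the `#if` guards only the condition, not the block it governs; when the guard is false the braces become an unconditional compound statement. The fixed variant has no conditional compilation at all, which is why it behaves the same whether or not SASL was available at build time.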