Posted to dev@qpid.apache.org by "Ken Giusti (JIRA)" <qp...@incubator.apache.org> on 2009/11/04 17:41:32 UTC

[jira] Commented: (QPID-1899) --require-encryption doesn't work unless cyrus sasl authentication is turned on

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773555#action_12773555 ] 

Ken Giusti commented on QPID-1899:
----------------------------------

Hi Gordon,

I talked with Alan regarding authentication/security in a clustered broker, see 

https://issues.apache.org/jira/browse/QPID-2187

Our current approach for QPID-2187 would permit a secure/auth connection from a client to the connected broker in the cluster.  The data would be decrypted at that broker, then mirrored in the clear to the other members of the cluster.   This avoids the overhead of having to decrypt at each broker, given that a cluster could be implemented in a secure site.   In the future, secure intra-cluster links could be provided via openAis, if needed.

In any case, if we do implement security only on the directly attached broker, then I would think that we would not need to propagate the SSF across the cluster.   

What do you think?   If you agree, I'll strip the cluster modifications from the last patch.   If possible, I'd like to have this patch applied so I can develop QPID-2187 against the GSSAPI + SSL case.

thanks. 

> --require-encryption doesn't work unless cyrus sasl authentication is turned on
> -------------------------------------------------------------------------------
>
>                 Key: QPID-1899
>                 URL: https://issues.apache.org/jira/browse/QPID-1899
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.5
>            Reporter: Gordon Sim
>            Assignee: Gordon Sim
>             Fix For: 0.6
>
>         Attachments: qpid-1899-10_26.patch, qpid-1899-10_30.patch, qpid-1899-9-17.patch, qpid-1899-hacky.patch, qpid-1899.patch, qpid-1899.patch
>
>
> If you specify --require-encryption and --auth no then the broker will allow un-encrypted connections. (If on the other hand you have authentication on, it will prevent you connecting with anything other than a mech that supports encryption and will require an encrypting sasl security layer - or of course an ssl connection)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org