Support for EXTERNAL authentication with AMQP 1.0

[Jakub Scholz <ja...@scholz.cz>]

Hi,

I was trying to connect to my broker with a C++ client based on
qpid.messaging / AMQP 1.0 using the SSL Client Authentication (SASL
EXTERNAL). But the client seems to complain about no available mechanism:

2013-08-08 20:07:01 [Messaging] debug Driver started
2013-08-08 20:07:01 [Messaging] debug localhost:10000 Connecting ...
2013-08-08 20:07:01 [System] info Connecting: 127.0.0.1:10000
2013-08-08 20:07:01 [Security] debug Failed to connect: Connection refused
2013-08-08 20:07:01 [Messaging] debug localhost:10000 Failed to connect
Exception: Could not connect to amqp:ssl:localhost:10000
(/home/jakub/qpid/qpid-0.24-rc1/cpp/src/qpid/messaging/amqp/ConnectionContext.cpp:117)
2013-08-08 20:07:01 [Messaging] debug Driver stopped
[jakub@localhost Messaging-Sandbox]$ ./ReqRespClient
2013-08-08 20:07:50 [Messaging] debug Driver started
2013-08-08 20:07:50 [Messaging] debug localhost:10000 Connecting ...
2013-08-08 20:07:50 [System] info Connecting: 127.0.0.1:10000
2013-08-08 20:07:50 [Messaging] debug localhost:10000 Connected
2013-08-08 20:07:50 [Messaging] debug wakeupDriver()
2013-08-08 20:07:50 [Messaging] debug localhost:10000 Waiting to be
authenticated...
2013-08-08 20:07:50 [Security] trace localhost:10000 Sasl::canEncode(): 1
|| 0
2013-08-08 20:07:50 [Security] trace localhost:10000 Sasl::canEncode(): 1
|| 0
2013-08-08 20:07:50 [Protocol] debug localhost:10000 writing protocol
header: 1-0
2013-08-08 20:07:50 [Security] trace localhost:10000 Sasl::encode(65535): 8
2013-08-08 20:07:50 [Security] trace localhost:10000 Sasl::canEncode(): 0
|| 0
2013-08-08 20:07:50 [Protocol] debug localhost:10000 read protocol header:
1-0
2013-08-08 20:07:50 [Security] trace Reading SASL frame of size 30
2013-08-08 20:07:50 [Security] trace Reading SASL-MECHANISMS
2013-08-08 20:07:50 [Protocol] debug localhost:10000 Received
SASL-MECHANISMS(EXTERNAL)
2013-08-08 20:07:50 [Security] debug CyrusSasl::start(EXTERNAL )
2013-08-08 20:07:50 [Security] debug min_ssf: 0, max_ssf: 256
2013-08-08 20:07:50 [System] debug Exception constructed: Sasl error:
SASL(-4): no mechanism available:
 (/home/jakub/qpid/qpid-0.24-rc1/cpp/src/qpid/SaslFactory.cpp:309)
2013-08-08 20:07:50 [System] error Caught exception in state: 3 with event:
1: internal-error: Sasl error: SASL(-4): no mechanism available:
 (/home/jakub/qpid/qpid-0.24-rc1/cpp/src/qpid/SaslFactory.cpp:309)
2013-08-08 20:07:55 [Security] debug [127.0.0.1:34905-localhost:10000]
SslTransport closing...
2013-08-08 20:07:55 [Security] debug [127.0.0.1:34905-localhost:10000]
Socket closed
Exception: Disconnected
2013-08-08 20:07:55 [Messaging] debug Driver stopped

Is the EXTERNAL authentication already supported for AMQP 1.0 in 0.24 RC1?
I know there are some open issues with the Proton Messenger (for example
PROTON-333), but I'm not entirely sure how much is this part common between
Proton Messenger and qpid.messaging.

With AMQP 0.10, it seems to work fine.

Thanks & Regards
Jakub

Re: Support for EXTERNAL authentication with AMQP 1.0

[Jakub Scholz <ja...@scholz.cz>]

Entered as QPID-5062 ...

Re: Support for EXTERNAL authentication with AMQP 1.0

[Jakub Scholz <ja...@scholz.cz>]

No problem ... I'm always happy to raise the issues ... especially when I
see that someone takes cares of them and fixes them.

Thanks & Regards
Jakub


On Tue, Aug 13, 2013 at 11:28 AM, Gordon Sim <gs...@redhat.com> wrote:

> On 08/08/2013 05:43 PM, Gordon Sim wrote:
>
>> I'm sorry you hit so many issues in such a short time, but I'll get
>> them fixed shortly.
>>
>
> Just fyi, the issues raised should now all fixed and thanks to Justin,
> Mick, Chuck and Ken the fixes will all be included in the upcoming 0.24
> release.
>
> Thanks again for taking the time to test and raise JIRAs, Jakub!
>
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.**org<us...@qpid.apache.org>
> For additional commands, e-mail: users-help@qpid.apache.org
>
>

Re: Support for EXTERNAL authentication with AMQP 1.0

[Gordon Sim <gs...@redhat.com>]

On 08/08/2013 05:43 PM, Gordon Sim wrote:
> I'm sorry you hit so many issues in such a short time, but I'll get
> them fixed shortly.

Just fyi, the issues raised should now all fixed and thanks to Justin, 
Mick, Chuck and Ken the fixes will all be included in the upcoming 0.24 
release.

Thanks again for taking the time to test and raise JIRAs, Jakub!

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

Re: Support for EXTERNAL authentication with AMQP 1.0

[Gordon Sim <gs...@redhat.com>]

On 08/08/2013 05:33 PM, Jakub Scholz wrote:
> Thanks again Gordon ... I guess you spent half of the day with my issues,
> I'm sorry for that.

Please don't be sorry! I'm really very grateful for you taking the time 
to try it out, report back and raise JIRAs. I'm sorry you hit so many 
issues in such a short time, but I'll get them fixed shortly.

> Do you want another JIRA for that?

That would be greatly appreciated!


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

Re: Support for EXTERNAL authentication with AMQP 1.0

[Jakub Scholz <ja...@scholz.cz>]

Thanks again Gordon ... I guess you spent half of the day with my issues,
I'm sorry for that. Do you want another JIRA for that?

Thanks & Regards
Jakub


On Thu, Aug 8, 2013 at 6:27 PM, Gordon Sim <gs...@redhat.com> wrote:

> On 08/08/2013 05:11 PM, Jakub Scholz wrote:
>
>> I was trying to connect to my broker with a C++ client based on
>> qpid.messaging / AMQP 1.0 using the SSL Client Authentication (SASL
>> EXTERNAL). But the client seems to complain about no available mechanism:
>>
>
> Sorry, that looks like another bug (I believe in the 1.0 client, which
> seems not to be passing through the security details of the underlying SSL
> transport). I'll get that fixed.
>
> [...]
>
>
>  Is the EXTERNAL authentication already supported for AMQP 1.0 in 0.24 RC1?
>> I know there are some open issues with the Proton Messenger (for example
>> PROTON-333), but I'm not entirely sure how much is this part common
>> between
>> Proton Messenger and qpid.messaging.
>>
>
> Both the broker and the qpid::messaging impl use proton, but they only use
> the engine API, not messenger. They also use their own SASL implementation
> as the one in the engine doesn't allow for encrypted (or signed) security
> layers.
>
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.**org<us...@qpid.apache.org>
> For additional commands, e-mail: users-help@qpid.apache.org
>
>

Re: Support for EXTERNAL authentication with AMQP 1.0

[Gordon Sim <gs...@redhat.com>]

On 08/08/2013 05:11 PM, Jakub Scholz wrote:
> I was trying to connect to my broker with a C++ client based on
> qpid.messaging / AMQP 1.0 using the SSL Client Authentication (SASL
> EXTERNAL). But the client seems to complain about no available mechanism:

Sorry, that looks like another bug (I believe in the 1.0 client, which 
seems not to be passing through the security details of the underlying 
SSL transport). I'll get that fixed.

[...]

> Is the EXTERNAL authentication already supported for AMQP 1.0 in 0.24 RC1?
> I know there are some open issues with the Proton Messenger (for example
> PROTON-333), but I'm not entirely sure how much is this part common between
> Proton Messenger and qpid.messaging.

Both the broker and the qpid::messaging impl use proton, but they only 
use the engine API, not messenger. They also use their own SASL 
implementation as the one in the engine doesn't allow for encrypted (or 
signed) security layers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org