Posted to dev@qpid.apache.org by "JAkub Scholz (JIRA)" <ji...@apache.org> on 2011/03/31 17:31:06 UTC

[jira] [Commented] (QPID-3175) SSL support in Python client libraries

    [ https://issues.apache.org/jira/browse/QPID-3175?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13014018#comment-13014018 ] 

JAkub Scholz commented on QPID-3175:
------------------------------------

I tried to solve this issue and got to the following:

1) Added support for EXTERNAL authentication into sasl.py
2) Added new attributes to the Connection class in messaging/endpoints.py
3) Modified the connect method of class Driver in messaging/driver.py
4) Modified the TLS class - added certificates as parameters and used them in the wrap_socket call in messaging/transports.py

In general, I added 3 new attributes:
a) keyfile - client's private key in PEM format
b) certfile - client's public key (eventually both, public and private keys - in such case the keyfile can be omitted) in PEM format
c) trustfile - public key of the broker, to verify brokers identity (CRT file is working for me)

The user uses them when creating a new Connection object together with specifying the transport (ssl) and the sasl_mechanism (PLAIN or EXTERNAL).

With these changes I managed to get this to work for unencrypted+PLAIN, ssl+PLAIN and ssl+EXTERNAL.

However, there are some smaller issues with my solution:
I) The certificate in trustfile is not verified against the broker - you don't even need to pass the broker's public key to the Connection object and it still works. This seems to be a problem of the Python SSL library. However, I still left the trustfile attribute there, since it may be fixed in the future.
II) With EXTERNAL authentication, there doesn't seem to be any easy way to get the username (CN=xxxx in the certificate's subject) from the certificate. The only option seems to be reading the file and searching for the CN, which I'm not sure is a good idea. Therefore, my current implementation expects the user to enter the username as a normal username attribute when creating the Connection object.
III) If the PEM certificates are encrypted, Python asks for a password, so it is kind of working. I didn't find any way to enter the password inside the script.
IV) The broker URL supports SSL by using the "amqps://" protocol specification. However, I'm not aware of any existing parameters in the URL string to pass the certificates. Therefore my modifications are working only when passing the specific parameters manually when creating the Connection object instead of using the URL.

Despite these problems, I believe it would be worth committing my changes (or some changes based on them), because the resulting functionality would be better than the existing one.

> SSL support in Python client libraries
> --------------------------------------
>
>                 Key: QPID-3175
>                 URL: https://issues.apache.org/jira/browse/QPID-3175
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Client
>    Affects Versions: 0.8
>         Environment: Windows XP, Python 2.7.1, (broker Red Hat MRG 1.3 on RHEL 5.5)
>            Reporter: JAkub Scholz
>
> I was trying to connect to my broker with an SSL encrypted connection (both PLAIN and EXTERNAL authentication methods). However, it does not seem to be working. I get the following error messages:
> Traceback (most recent call last):
>   File "ssl-external.py", line 20, in <module>
>     connection.open()
>   File "<string>", line 6, in open
>   File "c:\opt\!_EUREX14\tests\qpid.python-0.8\python\qpid\messaging\endpoints.py", line 244, in open
>     self.attach()
>   File "<string>", line 6, in attach
>   File "c:\opt\!_EUREX14\tests\qpid.python-0.8\python\qpid\messaging\endpoints.py", line 262, in attach
>     self._ewait(lambda: self._transport_connected and not self._unlinked())
>   File "c:\opt\!_EUREX14\tests\qpid.python-0.8\python\qpid\messaging\endpoints.py", line 197, in _ewait
>     self.check_error()
>   File "c:\opt\!_EUREX14\tests\qpid.python-0.8\python\qpid\messaging\endpoints.py", line 190, in check_error
>     raise self.error
> qpid.messaging.exceptions.ConnectError: [Errno 1] _ssl.c:499: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> In the source code (messaging/transports.py), SSL seems to be supported and implemented, but it is not working. I didn't find any way to pass the certificates to the SSL libraries, and the wrap_socket call in transports.py is calling wrap_socket without any additional attributes except the original socket.
> I didn't have the chance to test other platforms or Python versions, except Python 2.4.3 on RHEL 5.5, where SSL is not supported at all (the SSL support in Python changed significantly with 2.6).
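The following is an added example, not code from the Qpid Python client or from anyone in this thread. It shows, against Python 3's ssl module rather than the Python 2.7 of the ticket, how the keyfile/certfile/trustfile trio described in the comment maps onto a client TLS context, and why problem I happens: a bare ssl.wrap_socket(sock) (the call the ticket complains about) uses cert_reqs=CERT_NONE, so whatever trust file is around is never consulted. The amqps:// query parameters (certfile, keyfile, trustfile), the default port 5671 and the broker name are assumptions for illustration; the stock client URL has no such parameters, as problem IV says. The common_name() helper works on the subject structure the ssl module itself returns (e.g. getpeercert()['subject']), which is the one place the standard library exposes a parsed certificate subject.

```python
"""Added example: verified TLS client setup for an AMQPS broker (Python 3).
Not part of the Qpid client; URL parameters and names are assumptions.
"""
import socket
import ssl
from urllib.parse import urlparse, parse_qs

DEFAULT_AMQPS_PORT = 5671  # IANA-registered amqps port


def build_ssl_context(trustfile=None, certfile=None, keyfile=None, password=None):
    """Return a client SSLContext that really verifies the broker.

    PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True,
    the opposite of the CERT_NONE default of a bare ssl.wrap_socket(sock),
    which is why an ignored trustfile still 'works' (problem I in the comment).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if trustfile:
        # Broker (or its CA) certificate in PEM: the trust anchor for the handshake.
        ctx.load_verify_locations(cafile=trustfile)
    else:
        ctx.load_default_certs()
    if certfile:
        # keyfile may be None when certfile holds both certificate and key.
        # password (str/bytes or a callable) decrypts an encrypted PEM key
        # without an interactive prompt (problem III).
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile, password=password)
    return ctx


def common_name(subject):
    """Extract CN from an ssl-module subject: a tuple of RDNs, each a tuple of
    (attribute type, value) pairs, as returned by SSLSocket.getpeercert()."""
    for rdn in subject:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def parse_amqps_url(url):
    """Hypothetical URL form (assumption, not the client's own syntax):
    amqps://user@host:port?certfile=client.pem&keyfile=client.key&trustfile=ca.crt
    """
    parts = urlparse(url)
    if parts.scheme != "amqps":
        raise ValueError("expected an amqps:// URL, got %r" % parts.scheme)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_AMQPS_PORT,
        "username": parts.username,
        "certfile": query.get("certfile"),
        "keyfile": query.get("keyfile"),
        "trustfile": query.get("trustfile"),
    }


def connect(url, key_password=None):
    """Open a verified TLS socket to the broker in the URL and return it with
    the CN of the certificate the broker actually presented."""
    p = parse_amqps_url(url)
    ctx = build_ssl_context(p["trustfile"], p["certfile"], p["keyfile"], key_password)
    raw = socket.create_connection((p["host"], p["port"]))
    # server_hostname is what check_hostname compares against the broker cert.
    tls = ctx.wrap_socket(raw, server_hostname=p["host"])
    return tls, common_name(tls.getpeercert()["subject"])


if __name__ == "__main__":
    # Only the offline pieces run here; connect() needs a real broker.
    print(common_name(((("countryName", "CZ"),), (("commonName", "client1"),))))
    print(parse_amqps_url("amqps://alice@broker.example.test?trustfile=ca.crt"))
```

With a verifying context, a broker certificate that is not signed by the trustfile (or whose name does not match the host) fails the handshake on the client side, which is the behaviour the comment expected and did not get from the unmodified wrap_socket call. The client's own CN for EXTERNAL still has to come from the certificate file rather than from the socket; Python's ssl module has no public parser for a local PEM file, so that part of problem II stands.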
