Posted to users@qpid.apache.org by drasil <pa...@gmail.com> on 2017/01/05 08:39:41 UTC

Qpid C++ 1.36 issues an invalid AMQP 1.0 frame after successful DIGEST-MD5 authentication

Hello,

I believe that I found a bug in the Qpid C++ broker (I tried versions 1.35
and 1.36 and both are affected). When the broker is configured to use the
DIGEST-MD5 SASL mechanism, the authentication passes successfully, but just
after that the broker issues a completely invalid AMQP 1.0 frame. As a
result, the client complains about a framing error and disconnects. I am
using a client based on python-qpid-proton 0.16.0 but that should not be
important I guess. When I change the SASL mechanism to CRAM-MD5, PLAIN or
ANONYMOUS, everything works well.

Attached is a tcpdump file with four subsequent connection attempts, showing
the described behavior:  amqp.dmp
<http://qpid.2158936.n2.nabble.com/file/n7657354/amqp.dmp>  

Regards, Pavel



--
View this message in context: http://qpid.2158936.n2.nabble.com/Qpid-C-1-36-issues-an-invalid-AMQP-1-0-frame-after-successful-DIGEST-MD5-authentication-tp7657354.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Re: Qpid C++ 1.36 issues an invalid AMQP 1.0 frame after successful DIGEST-MD5 authentication

Posted by Gordon Sim <gs...@redhat.com>.
On 05/01/17 08:39, drasil wrote:
> I believe that I found a bug in the Qpid C++ broker (I tried versions 1.35
> and 1.36 and both are affected). When the broker is configured to use the
> DIGEST-MD5 SASL mechanism, the authentication passes successfully, but just
> after that the broker issues a completely invalid AMQP 1.0 frame. As a
> result, the client complains about a framing error and disconnects. I am
> using a client based on python-qpid-proton 0.16.0 but that should not be
> important I guess. When I change the SASL mechanism to CRAM-MD5, PLAIN or
> ANONYMOUS, everything works well.

This was a proton-c bug, tracked by 
https://issues.apache.org/jira/browse/PROTON-1388 and now fixed. Thanks 
Andrew!




bug in proton-c sasl (was Re: Qpid C++ 1.36 issues an invalid AMQP 1.0 frame after successful DIGEST-MD5 authentication)

Posted by Gordon Sim <gs...@redhat.com>.
On 09/01/17 22:43, Gordon Sim wrote:
> I have a 'fix' for this - i.e. a change that appears to prevent it
> occurring. If the broker waits after sending the sasl outcome for the
> client to send a protocol header, then I see no failures even running in
> a loop for an hour.
>
> I wonder whether the proton client's sasl layer is somehow getting
> (intermittently) upset if the last unencrypted frame and the first
> encrypted frame arrive together...

After some digging into the sasl implementation in proton-c, I *think* 
it is indeed a bug there.

In pn_input_read_sasl, when a successful outcome frame is read, it will 
set the desired_state to SASL_RECVED_OUTCOME_SUCCEED. This means that 
pni_sasl_is_final_input_state() will return true. However from what I 
can tell, the last_state, which is what is checked by 
pni_sasl_is_final_output_state(), is only set to this same value when 
pni_post_sasl_frame() is called, and the client will never need to call 
that after receiving an outcome (as the sasl exchange is then over).

So if we get two calls to pn_input_read_sasl(), one to read the outcome, 
the next to read the first encrypted data, *without* a 
pn_output_write_sasl() between them, pni_sasl_is_final_input_state() 
will return true but pni_sasl_is_final_output_state() will return false 
on the second read, which results in the second recv call passing it to 
the passthru layer even though it may be encrypted.

The attached patch seems to eliminate the problem. I don't really 
understand why the bit it removes was in there though so not sure if 
this is the 'right' fix.
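
The sequence described in this message, as a small added C model (not proton-c source and not the attached patch, which is not reproduced on this page). The fields `desired_state` and `last_state` borrow their names from the message; every other name is hypothetical, and the `check_output_state` switch is an assumption used to compare the described behaviour with a variant that decides on the input state alone.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified model of a client-side SASL I/O layer. */
typedef enum { ST_NONE, ST_RECVED_OUTCOME_SUCCEED } sasl_state;
typedef enum { TO_SASL_DISPATCH, TO_PASSTHRU, TO_DECRYPT } route;
typedef enum { IN_SASL_OUTCOME_OK, IN_SEALED_DATA } input_kind;

typedef struct {
    sasl_state desired_state;  /* advanced by the read path */
    sasl_state last_state;     /* advanced only by the write path */
    bool can_encrypt;          /* a security layer was negotiated (qop=auth-conf) */
    bool check_output_state;   /* true: the behaviour described in the message */
} model;

static bool final_input(const model *m)  { return m->desired_state == ST_RECVED_OUTCOME_SUCCEED; }
static bool final_output(const model *m) { return m->last_state == ST_RECVED_OUTCOME_SUCCEED; }

/* Write path: the only place where last_state catches up with desired_state. */
void model_write(model *m) { m->last_state = m->desired_state; }

/* Read path: returns the layer that the incoming bytes are handed to. */
route model_read(model *m, input_kind in) {
    if (!final_input(m)) {
        if (in == IN_SASL_OUTCOME_OK)
            m->desired_state = ST_RECVED_OUTCOME_SUCCEED;
        return TO_SASL_DISPATCH;
    }
    if (m->check_output_state && !final_output(m))
        return TO_PASSTHRU;    /* sealed bytes reach the plaintext AMQP parser */
    return m->can_encrypt ? TO_DECRYPT : TO_PASSTHRU;
}

/* One connection: read the outcome, optionally write, then read the first
   sealed buffer. Whether the write happens in between is purely timing. */
route first_data_route(bool write_between_reads, bool check_output_state) {
    model m = { ST_NONE, ST_NONE, true, check_output_state };
    model_read(&m, IN_SASL_OUTCOME_OK);
    if (write_between_reads)
        model_write(&m);
    return model_read(&m, IN_SEALED_DATA);
}

int main(void) {
    static const char *names[] = { "sasl-dispatch", "passthru", "decrypt" };
    printf("write between reads    : %s\n", names[first_data_route(true, true)]);
    printf("back-to-back reads     : %s\n", names[first_data_route(false, true)]);
    printf("input-state-only check : %s\n", names[first_data_route(false, false)]);
    return 0;
}
```
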


Re: Qpid C++ 1.36 issues an invalid AMQP 1.0 frame after successful DIGEST-MD5 authentication

Posted by Gordon Sim <gs...@redhat.com>.
On 09/01/17 21:27, Gordon Sim wrote:
> On 09/01/17 07:52, drasil wrote:
>> I am sorry, but I have to revoke my previous post. I just realized that the
>> working setup is not really working. Without any other changes, the client
>> either succeeds or not.
>
> Yes, I confirm I also see occasional failures (less frequently than you,
> but the frequency seems to decrease with broker logging, so likely a
> timing thing).
>
> I've verified that what proton gets is what is returned from cyrus sasl,
> and I can't as yet see any other obvious clue as to what's going wrong
> (failed case looks much the same as succeeding case), but there is
> clearly a bug somewhere.

I have a 'fix' for this - i.e. a change that appears to prevent it 
occurring. If the broker waits after sending the sasl outcome for the 
client to send a protocol header, then I see no failures even running in 
a loop for an hour.

I wonder whether the proton client's sasl layer is somehow getting 
(intermittently) upset if the last unencrypted frame and the first 
encrypted frame arrive together...




Re: Qpid C++ 1.36 issues an invalid AMQP 1.0 frame after successful DIGEST-MD5 authentication

Posted by Gordon Sim <gs...@redhat.com>.
On 09/01/17 07:52, drasil wrote:
> I am sorry, but I have to revoke my previous post. I just realized that the
> working setup is not really working. Without any other changes, the client
> either succeeds or not.

Yes, I confirm I also see occasional failures (less frequently than you, 
but the frequency seems to decrease with broker logging, so likely a 
timing thing).

I've verified that what proton gets is what is returned from cyrus sasl, 
and I can't as yet see any other obvious clue as to what's going wrong 
(failed case looks much the same as succeeding case), but there is 
clearly a bug somewhere.




Re: Qpid C++ 1.36 issues an invalid AMQP 1.0 frame after successful DIGEST-MD5 authentication

Posted by drasil <pa...@gmail.com>.
I am sorry, but I have to revoke my previous post. I just realized that the
working setup is not really working. Without any other changes, the client
either succeeds or not. Here you can see that a message is published
successfully after four unsuccessful attempts:

*$ PN_TRACE_FRM=1 ./sender.py*
Sending to {u'target': u'myFanoutExchange', u'context':
u'amqp://10.0.2.4:5672'}
[0x867efe0]:  -> SASL
[0x867efe0]:  <- SASL
[0x867efe0]:0 <- @sasl-mechanisms(64)
[sasl-server-mechanisms=@PN_SYMBOL[:"DIGEST-MD5", :"CRAM-MD5", :PLAIN]]
[0x867efe0]:0 -> @sasl-init(65) [mechanism=:"DIGEST-MD5"]
[0x867efe0]:0 <- @sasl-challenge(66)
[challenge=b"nonce="8V2Yscqg4cxIaNeybj4Hj/cvq6xqzzeYRNwRzSfRW8E=",realm="QPID",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=65535,charset=utf-8,algorithm=md5-sess"]
[0x867efe0]:0 -> @sasl-response(67)
[response=b"username="myUser",realm="QPID",nonce="8V2Yscqg4cxIaNeybj4Hj/cvq6xqzzeYRNwRzSfRW8E=",cnonce="1Xxbko95rQkLQA8BUQe6hwpq/IO2O5vjG8eriaAhqSw=",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/10.0.2.4",response=2aa794113af45550f23569fa7cd1acb2"]
[0x867efe0]:0 <- @sasl-challenge(66)
[challenge=b"rspauth=2e539c68e8b599f690cfbf21b4b0851e"]
[0x867efe0]:0 -> @sasl-response(67) [response=b""]
[0x867efe0]:0 <- @sasl-outcome(68) [code=0]
[0x867efe0]:  <- EOS
[0x867efe0]:  -> EOS
*ERROR:root:amqp:connection:framing-error: AMQP header mismatch: Unknown
protocol
['\x00\x00\x00\x18\xd4}\xe0\x07J%.\xe5\x0a:/\x9e\x91\x11G0e\x94\x00\x01\x00\x00\x00\x00']*
[0x8697058]:  -> SASL
[0x8697058]:  <- SASL
[0x8697058]:0 <- @sasl-mechanisms(64)
[sasl-server-mechanisms=@PN_SYMBOL[:"DIGEST-MD5", :"CRAM-MD5", :PLAIN]]
[0x8697058]:0 -> @sasl-init(65) [mechanism=:"DIGEST-MD5",
initial-response=b"username="myUser",realm="QPID",nonce="8V2Yscqg4cxIaNeybj4Hj/cvq6xqzzeYRNwRzSfRW8E=",cnonce="1Xxbko95rQkLQA8BUQe6hwpq/IO2O5vjG8eriaAhqSw=",nc=00000002,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/10.0.2.4",response=69a35346236bb4036d7144f9aa68d427"]
[0x8697058]:0 <- @sasl-challenge(66)
[challenge=b"nonce="Mhex/w3+KdqPCVwI0SPlsanyZas9LchwvREzVaJMPQw=",realm="QPID",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=65535,charset=utf-8,algorithm=md5-sess"]
[0x8697058]:0 -> @sasl-response(67)
[response=b"username="myUser",realm="QPID",nonce="Mhex/w3+KdqPCVwI0SPlsanyZas9LchwvREzVaJMPQw=",cnonce="DXbw3O5HjbM+lN+0WwjGjHdpvBtIC6Y3GQa4orS0eME=",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/10.0.2.4",response=08cdfa52654b46f9615a70574e4b5db4"]
[0x8697058]:0 <- @sasl-challenge(66)
[challenge=b"rspauth=32345aa4535686b2187039d072c56b6f"]
[0x8697058]:0 -> @sasl-response(67) [response=b""]
[0x8697058]:0 <- @sasl-outcome(68) [code=0]
[0x8697058]:  <- EOS
[0x8697058]:  -> EOS
*ERROR:root:amqp:connection:framing-error: AMQP header mismatch: Unknown
protocol
['\x00\x00\x00\x18m\xdfO;y\x0c\xfa]\xb7\x81\xf3{\xe4?\xc5\xecc\xac\x00\x01\x00\x00\x00\x00']*
[0x869c498]:  -> SASL
[0x869c498]:  <- SASL
[0x869c498]:0 <- @sasl-mechanisms(64)
[sasl-server-mechanisms=@PN_SYMBOL[:"DIGEST-MD5", :"CRAM-MD5", :PLAIN]]
[0x869c498]:0 -> @sasl-init(65) [mechanism=:"DIGEST-MD5",
initial-response=b"username="myUser",realm="QPID",nonce="Mhex/w3+KdqPCVwI0SPlsanyZas9LchwvREzVaJMPQw=",cnonce="DXbw3O5HjbM+lN+0WwjGjHdpvBtIC6Y3GQa4orS0eME=",nc=00000002,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/10.0.2.4",response=06aae08e406fb4fede24ee27755c2ce6"]
[0x869c498]:0 <- @sasl-challenge(66)
[challenge=b"nonce="tTsv2bhBpIQ+1hzBziv/iQMe9eaJQ1FPel5kBl2G8DY=",realm="QPID",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=65535,charset=utf-8,algorithm=md5-sess"]
[0x869c498]:0 -> @sasl-response(67)
[response=b"username="myUser",realm="QPID",nonce="tTsv2bhBpIQ+1hzBziv/iQMe9eaJQ1FPel5kBl2G8DY=",cnonce="BWuORcLvHBjZi4iC0aDNvRcTS2lHQ5hvSv4Vfi6PunE=",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/10.0.2.4",response=3ebe110bbdae3058ffa6da3c440d1f16"]
[0x869c498]:0 <- @sasl-challenge(66)
[challenge=b"rspauth=90ae37b6a23158ff70f0b91089514645"]
[0x869c498]:0 -> @sasl-response(67) [response=b""]
[0x869c498]:0 <- @sasl-outcome(68) [code=0]
[0x869c498]:  <- EOS
[0x869c498]:  -> EOS
*ERROR:root:amqp:connection:framing-error: AMQP header mismatch: Unknown
protocol
['\x00\x00\x00\x18\xa3g\x08\xb0\xe8^\x87\x1a\x01\x86i\x1f\xde~\xa4\xf0\xd1\x02\x00\x01\x00\x00\x00\x00']*
[0x867f298]:  -> SASL
[0x867f298]:  <- SASL
[0x867f298]:0 <- @sasl-mechanisms(64)
[sasl-server-mechanisms=@PN_SYMBOL[:"DIGEST-MD5", :"CRAM-MD5", :PLAIN]]
[0x867f298]:0 -> @sasl-init(65) [mechanism=:"DIGEST-MD5",
initial-response=b"username="myUser",realm="QPID",nonce="tTsv2bhBpIQ+1hzBziv/iQMe9eaJQ1FPel5kBl2G8DY=",cnonce="BWuORcLvHBjZi4iC0aDNvRcTS2lHQ5hvSv4Vfi6PunE=",nc=00000002,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/10.0.2.4",response=07cfa04e48ae113304a93fc5c0b65ee0"]
[0x867f298]:0 <- @sasl-challenge(66)
[challenge=b"nonce="dHDa2spxiS8OxrXVCNj+RxatXL2bt63Mf6Qm2vcuhHs=",realm="QPID",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=65535,charset=utf-8,algorithm=md5-sess"]
[0x867f298]:0 -> @sasl-response(67)
[response=b"username="myUser",realm="QPID",nonce="dHDa2spxiS8OxrXVCNj+RxatXL2bt63Mf6Qm2vcuhHs=",cnonce="zaRwWUrr30oHtnZJGTZ0OVhhj7IN6jhKwkNkEx/VboQ=",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/10.0.2.4",response=4e810108bd4c8d39b3dd11813e87d482"]
[0x867f298]:0 <- @sasl-challenge(66)
[challenge=b"rspauth=972e1ddd3de8cbab59f2978f9a4345d9"]
[0x867f298]:0 -> @sasl-response(67) [response=b""]
[0x867f298]:0 <- @sasl-outcome(68) [code=0]
[0x867f298]:  <- EOS
[0x867f298]:  -> EOS
*ERROR:root:amqp:connection:framing-error: AMQP header mismatch: Unknown
protocol
['\x00\x00\x00\x18;gSoh\x00\xef\xc5\xd5\xd3\x91|y\x06|^<\xde\x00\x01\x00\x00\x00\x00']*
[0x867ff70]:  -> SASL
[0x867ff70]:  <- SASL
[0x867ff70]:0 <- @sasl-mechanisms(64)
[sasl-server-mechanisms=@PN_SYMBOL[:"DIGEST-MD5", :"CRAM-MD5", :PLAIN]]
[0x867ff70]:0 -> @sasl-init(65) [mechanism=:"DIGEST-MD5",
initial-response=b"username="myUser",realm="QPID",nonce="dHDa2spxiS8OxrXVCNj+RxatXL2bt63Mf6Qm2vcuhHs=",cnonce="zaRwWUrr30oHtnZJGTZ0OVhhj7IN6jhKwkNkEx/VboQ=",nc=00000002,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/10.0.2.4",response=c0b068aba5676e05e397a76d6979c3ac"]
[0x867ff70]:0 <- @sasl-challenge(66)
[challenge=b"nonce="Wfeti/jpbdg9NVRKv4vO+RnqwmDBarDzm4utWnTjwrY=",realm="QPID",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=65535,charset=utf-8,algorithm=md5-sess"]
[0x867ff70]:0 -> @sasl-response(67)
[response=b"username="myUser",realm="QPID",nonce="Wfeti/jpbdg9NVRKv4vO+RnqwmDBarDzm4utWnTjwrY=",cnonce="Xcwij45kisdpO6dWSTXYkVmTIm7nleXKpCvZrc2aYw8=",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/10.0.2.4",response=2a2530760ea7a40396947e7140ad3e55"]
[0x867ff70]:0 <- @sasl-challenge(66)
[challenge=b"rspauth=fffe977f3e3601efdf90a6825c45891f"]
[0x867ff70]:0 -> @sasl-response(67) [response=b""]
[0x867ff70]:0 <- @sasl-outcome(68) [code=0]
*[0x867ff70]:  -> AMQP
[0x867ff70]:0 -> @open(16)
[container-id="a8255dea-c258-40da-9ee8-993c225f3ffe", hostname="10.0.2.4",
channel-max=32767]
[0x867ff70]:0 -> @begin(17) [next-outgoing-id=0, incoming-window=2147483647,
outgoing-window=2147483647]
[0x867ff70]:0 -> @attach(18)
[name="a8255dea-c258-40da-9ee8-993c225f3ffe-myFanoutExchange", handle=0,
role=false, snd-settle-mode=2, rcv-settle-mode=0, source=@source(40)
[durable=0, timeout=0, dynamic=false], target=@target(41)
[address="myFanoutExchange", durable=0, timeout=0, dynamic=false],
initial-delivery-count=0, max-message-size=0]
[0x867ff70]:  <- AMQP
[0x867ff70]:0 <- @open(16)
[container-id="92b7d083-5c67-4ad5-b8c5-c8e252ed621c", channel-max=32767,
offered-capabilities=@PN_SYMBOL[:"ANONYMOUS-RELAY"],
properties={:product="qpid-cpp", :version="1.36.0", :platform="Linux",
:host="debian"}]
[0x867ff70]:0 <- @begin(17) [remote-channel=0, next-outgoing-id=0,
incoming-window=2147483647, outgoing-window=2147483647]
[0x867ff70]:0 <- @attach(18)
[name="a8255dea-c258-40da-9ee8-993c225f3ffe-myFanoutExchange", handle=0,
role=true, snd-settle-mode=2, rcv-settle-mode=0, source=@source(40)
[durable=0, timeout=0, dynamic=false], target=@target(41)
[address="myFanoutExchange", durable=0, timeout=0, dynamic=false],
initial-delivery-count=0, max-message-size=0]
[0x867ff70]:0 <- @flow(19) [next-incoming-id=0, incoming-window=2147483647,
next-outgoing-id=0, outgoing-window=2147483647, handle=0, delivery-count=0,
link-credit=500, drain=false]
sending 1. message
[0x867ff70]:0 -> @transfer(20) [handle=0, delivery-id=0, delivery-tag=b"1",
message-format=0, settled=false, more=false] (90)
"\x00Sp\xd0\x00\x00\x00\x0b\x00\x00\x00\x05AP\x04@BR\x00\x00Ss\xd0\x00\x00\x00'\x00\x00\x00\x0dS\x01@@\xa1\x03key@@@@\x83\x00\x00\x00\x00\x00\x00\x00\x00\x83\x00\x00\x00\x00\x00\x00\x00\x00@R\x00@\x00Sw\xd1\x00\x00\x00\x10\x00\x00\x00\x02\xa1\x08sequenceT\x01"
[0x867ff70]:0 <- @flow(19) [next-incoming-id=1, incoming-window=2147483647,
next-outgoing-id=0, outgoing-window=2147483647, handle=0, delivery-count=1,
link-credit=500, drain=false]
[0x867ff70]:0 <- @disposition(21) [role=true, first=0, last=0, settled=true,
state=@accepted(36) []]*
all messages confirmed
[0x867ff70]:0 -> @close(24) []
[0x867ff70]:  -> EOS
[0x867ff70]:0 <- @close(24) []
[0x867ff70]:  <- EOS






Re: Qpid C++ 1.36 issues an invalid AMQP 1.0 frame after successful DIGEST-MD5 authentication

Posted by drasil <pa...@gmail.com>.
I can confirm what you wrote. I just tried and "pip install
python-qpid-proton" on a clean system (Debian 8) results in a working setup
for me as well.

The only difference between the two systems is that on the broken one I
first built and installed the qpid-proton-0.16.0, qpid-cpp-1.36.0 and
qpid-python-1.35.0 packages. For some reason, this breaks the DIGEST-MD5
support in python-qpid-proton.





Re: Qpid C++ 1.36 issues an invalid AMQP 1.0 frame after successful DIGEST-MD5 authentication

Posted by Gordon Sim <gs...@redhat.com>.
On 05/01/17 11:15, drasil wrote:
> Oh, I see. I thought that SASL mechanisms influence just the authentication
> phase. Thank you very much for clarification. So there is probably something
> wrong with my proton client because the problem occurs with the standard
> example as well:
>
> $ PN_TRACE_FRM=1 python
> /usr/local/share/proton-0.16.0/examples/python/simple_send.py -a
> myUser:myPassword@localhost/amq.fanout -m 1
> [0x9839880]:  -> SASL
> [0x9839880]:  <- SASL
> [0x9839880]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=:"DIGEST-MD5"]
> [0x9839880]:0 -> @sasl-init(65) [mechanism=:"DIGEST-MD5"]
> [0x9839880]:0 <- @sasl-challenge(66)
> [challenge=b"nonce="Cq5chKnatfwEV28lxxdQw5bD3vxywxUSRnTJ2tLD5ro=",realm="QPID",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=65535,charset=utf-8,algorithm=md5-sess"]
> [0x9839880]:0 -> @sasl-response(67)
> [response=b"username="myUser",realm="QPID",nonce="Cq5chKnatfwEV28lxxdQw5bD3vxywxUSRnTJ2tLD5ro=",cnonce="MZV40TRDnt4gzIFENyrdc40fgSNpWXY5jv3v4bOC2vE=",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/localhost",response=2dfde3790620d0aede423b17f8edb4a1"]
> [0x9839880]:0 <- @sasl-challenge(66)
> [challenge=b"rspauth=cf464b4a887edbb1392fc95e5f9f972c"]
> [0x9839880]:0 -> @sasl-response(67) [response=b""]
> [0x9839880]:0 <- @sasl-outcome(68) [code=0]
> [0x9839880]:  <- EOS
> [0x9839880]:  -> EOS
> ERROR:root:amqp:connection:framing-error: AMQP header mismatch: Unknown
> protocol
> ['\x00\x00\x00\x18S\xd8\xf6\xd6q\xde\xbd\xd3\x06\xb8X\xb53g\xd0\xba\xe4\x8b\x00\x01\x00\x00\x00\x00']
>
> Is it possible that I inadvertently compiled my proton binaries without
> support for DIGEST-MD5?

No, I don't think so, because then the client would fail before trying 
the DIGEST-MD5 authentication.

> Just to explain what I did - I first compiled and
> installed the proton 0.16 binaries and then used pip to download and install
> the python-qpid-proton 0.16 package.

I did a pip install (without having proton-c installed in standard 
location) in a virtual env and with that, that same example works for me 
(against a 1.36 broker).




Re: Qpid C++ 1.36 issues an invalid AMQP 1.0 frame after successful DIGEST-MD5 authentication

Posted by drasil <pa...@gmail.com>.
Oh, I see. I thought that SASL mechanisms influence just the authentication
phase. Thank you very much for clarification. So there is probably something
wrong with my proton client because the problem occurs with the standard
example as well:

$ PN_TRACE_FRM=1 python
/usr/local/share/proton-0.16.0/examples/python/simple_send.py -a
myUser:myPassword@localhost/amq.fanout -m 1
[0x9839880]:  -> SASL
[0x9839880]:  <- SASL
[0x9839880]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=:"DIGEST-MD5"]
[0x9839880]:0 -> @sasl-init(65) [mechanism=:"DIGEST-MD5"]
[0x9839880]:0 <- @sasl-challenge(66)
[challenge=b"nonce="Cq5chKnatfwEV28lxxdQw5bD3vxywxUSRnTJ2tLD5ro=",realm="QPID",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=65535,charset=utf-8,algorithm=md5-sess"]
[0x9839880]:0 -> @sasl-response(67)
[response=b"username="myUser",realm="QPID",nonce="Cq5chKnatfwEV28lxxdQw5bD3vxywxUSRnTJ2tLD5ro=",cnonce="MZV40TRDnt4gzIFENyrdc40fgSNpWXY5jv3v4bOC2vE=",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/localhost",response=2dfde3790620d0aede423b17f8edb4a1"]
[0x9839880]:0 <- @sasl-challenge(66)
[challenge=b"rspauth=cf464b4a887edbb1392fc95e5f9f972c"]
[0x9839880]:0 -> @sasl-response(67) [response=b""]
[0x9839880]:0 <- @sasl-outcome(68) [code=0]
[0x9839880]:  <- EOS
[0x9839880]:  -> EOS
ERROR:root:amqp:connection:framing-error: AMQP header mismatch: Unknown
protocol
['\x00\x00\x00\x18S\xd8\xf6\xd6q\xde\xbd\xd3\x06\xb8X\xb53g\xd0\xba\xe4\x8b\x00\x01\x00\x00\x00\x00']

Is it possible that I inadvertently compiled my proton binaries without
support for DIGEST-MD5? Just to explain what I did - I first compiled and
installed the proton 0.16 binaries and then used pip to download and install
the python-qpid-proton 0.16 package.





Re: Qpid C++ 1.36 issues an invalid AMQP 1.0 frame after successful DIGEST-MD5 authentication

Posted by Gordon Sim <gs...@redhat.com>.
On 05/01/17 08:39, drasil wrote:
> Hello,
>
> I believe that I found a bug in the Qpid C++ broker (I tried versions 1.35
> and 1.36 and both are affected). When the broker is configured to use the
> DIGEST-MD5 SASL mechanism, the authentication passes successfully, but just
> after that the broker issues a completely invalid AMQP 1.0 frame.

By default, DIGEST-MD5 installs an encryption layer after successful 
authentication. So from wireshark's perspective, subsequent frames will 
not be decodable.

> As a
> result, the client complains about a framing error and disconnects.

That shouldn't happen if the client and server are aligned on the 
establishment of the encryption layer.

> I am
> using a client based on python-qpid-proton 0.16.0 but that should not be
> important I guess.

The client (and version) is I think relevant here. Were you using one of 
the standard examples in testing?

I've tried connecting using DIGEST-MD5 and the 0.16 proton python client 
and it works for me (viewing with wireshark, all the frames after the 
sasl layer is established are reported as invalid due to the encryption):

> $ PN_TRACE_FRM=1 python ./share/proton-0.16.0/examples/python/simple_send.py -a guest:guest@localhost/amq.fanout -m 1
> [0x5634d72a2c50]:  -> SASL
> [0x5634d72a2c50]:  <- SASL
> [0x5634d72a2c50]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:"DIGEST-MD5", :PLAIN]]
> [0x5634d72a2c50]:0 -> @sasl-init(65) [mechanism=:"DIGEST-MD5"]
> [0x5634d72a2c50]:0 <- @sasl-challenge(66) [challenge=b"nonce="XiDROFG5dWVBVyih71+KSuBvSNawZr3g9SrnjRj3LLY=",realm="QPID",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=65535,charset=utf-8,algorithm=md5-sess"]
> [0x5634d72a2c50]:0 -> @sasl-response(67) [response=b"username="guest",realm="QPID",nonce="XiDROFG5dWVBVyih71+KSuBvSNawZr3g9SrnjRj3LLY=",cnonce="LwH1PutrtfaR5kzmXy3MnO6VDAsApszmkvcbCQek9vk=",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=32768,digest-uri="amqp/localhost",response=3488392792124469fa3e1acfdb2cbc85"]
> [0x5634d72a2c50]:0 <- @sasl-challenge(66) [challenge=b"rspauth=e79db70777debb33d3b179272f13e462"]
> [0x5634d72a2c50]:0 -> @sasl-response(67) [response=b""]
> [0x5634d72a2c50]:0 <- @sasl-outcome(68) [code=0]
> [0x5634d72a2c50]:  -> AMQP
> [0x5634d72a2c50]:0 -> @open(16) [container-id="8bb0482d-2eb2-4f97-a749-22e8ea2dec4f", hostname="localhost", channel-max=32767]
> [0x5634d72a2c50]:0 -> @begin(17) [next-outgoing-id=0, incoming-window=2147483647, outgoing-window=2147483647]
> [0x5634d72a2c50]:0 -> @attach(18) [name="8bb0482d-2eb2-4f97-a749-22e8ea2dec4f-amq.fanout", handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0, source=@source(40) [durable=0, timeout=0, dynamic=false], target=@target(41) [address="amq.fanout", durable=0, timeout=0, dynamic=false], initial-delivery-count=0, max-message-size=0]
> [0x5634d72a2c50]:  <- AMQP
> [0x5634d72a2c50]:0 <- @open(16) [container-id="a6022696-2483-49f5-8ea6-a6f50db0e7ae", channel-max=32767, offered-capabilities=@PN_SYMBOL[:"ANONYMOUS-RELAY"], properties={:product="qpid-cpp", :version="1.36.0", :platform="Linux", :host="localhost.localdomain"}]
> [0x5634d72a2c50]:0 <- @begin(17) [remote-channel=0, next-outgoing-id=0, incoming-window=2147483647, outgoing-window=2147483647]
> [0x5634d72a2c50]:0 <- @attach(18) [name="8bb0482d-2eb2-4f97-a749-22e8ea2dec4f-amq.fanout", handle=0, role=true, snd-settle-mode=2, rcv-settle-mode=0, source=@source(40) [durable=0, timeout=0, dynamic=false], target=@target(41) [address="amq.fanout", durable=0, timeout=0, dynamic=false], initial-delivery-count=0]
> [0x5634d72a2c50]:0 <- @flow(19) [next-incoming-id=0, incoming-window=2147483647, next-outgoing-id=0, outgoing-window=2147483647, handle=0, delivery-count=0, link-credit=500, drain=false]
> [0x5634d72a2c50]:0 -> @transfer(20) [handle=0, delivery-id=0, delivery-tag=b"1", message-format=0, settled=false, more=false] (86) "\x00Sp\xd0\x00\x00\x00\x0b\x00\x00\x00\x05BP\x04@BR\x00\x00Ss\xd0\x00\x00\x00#\x00\x00\x00\x0dS\x01@@@@@@@\x83\x00\x00\x00\x00\x00\x00\x00\x00\x83\x00\x00\x00\x00\x00\x00\x00\x00@R\x00@\x00Sw\xd1\x00\x00\x00\x10\x00\x00\x00\x02\xa1\x08sequenceT\x01"
> [0x5634d72a2c50]:0 <- @flow(19) [next-incoming-id=1, incoming-window=2147483647, next-outgoing-id=0, outgoing-window=2147483647, handle=0, delivery-count=1, link-credit=500, drain=false]
> [0x5634d72a2c50]:0 <- @disposition(21) [role=true, first=0, last=0, settled=true, state=@accepted(36) []]
> all messages confirmed
> [0x5634d72a2c50]:0 -> @close(24) []
> [0x5634d72a2c50]:  -> EOS
> [0x5634d72a2c50]:0 <- @close(24) []
> [0x5634d72a2c50]:  <- EOS
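
As an added illustration (not code from the thread or from Qpid), the C sketch below checks whether the first bytes received after sasl-outcome are a plaintext AMQP header or a length-prefixed DIGEST-MD5 security-layer buffer as laid out in RFC 4422 and RFC 2831. The sample buffer is the byte string from the first framing error in the trace posted in this thread, `maxbuf` is the client value from that trace, and all function and type names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN     10u  /* truncated HMAC carried in every sealed buffer */
#define TRAILER_LEN 6u   /* 2-byte message type (0x0001) + 4-byte sequence number */

typedef enum { WIRE_TRUNCATED, WIRE_AMQP_HEADER, WIRE_SASL_SEALED, WIRE_UNKNOWN } wire_kind;

typedef struct {
    wire_kind kind;
    uint32_t  buffer_len;   /* 4-byte big-endian length prefix */
    uint32_t  sealed_len;   /* bytes before the 6-byte trailer */
    uint32_t  payload_len;  /* sealed_len minus the MAC; exact for a stream cipher (no padding) */
    uint32_t  seq_num;      /* sequence number from the trailer */
} wire_info;

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Classify the first bytes that arrive after a successful sasl-outcome. */
wire_info classify_post_sasl(const unsigned char *buf, size_t len, uint32_t maxbuf) {
    wire_info r = { WIRE_UNKNOWN, 0, 0, 0, 0 };
    if (len < 8) { r.kind = WIRE_TRUNCATED; return r; }
    if (memcmp(buf, "AMQP", 4) == 0) { r.kind = WIRE_AMQP_HEADER; return r; }

    uint32_t n = be32(buf);
    if (n < MAC_LEN + TRAILER_LEN || n > maxbuf) return r;   /* implausible length */
    if (len - 4 < n) { r.kind = WIRE_TRUNCATED; return r; }  /* need more bytes */

    const unsigned char *trailer = buf + 4 + n - TRAILER_LEN;
    if (trailer[0] != 0x00 || trailer[1] != 0x01) return r;  /* message type must be 1 */

    r.kind        = WIRE_SASL_SEALED;
    r.buffer_len  = n;
    r.sealed_len  = n - TRAILER_LEN;
    r.payload_len = r.sealed_len - MAC_LEN;
    r.seq_num     = be32(trailer + 2);
    return r;
}

/* Bytes from the first "AMQP header mismatch" error in the thread's trace. */
static const unsigned char REJECTED_BYTES[] = {
    0x00, 0x00, 0x00, 0x18,
    0xd4, 0x7d, 0xe0, 0x07, 0x4a, 0x25, 0x2e, 0xe5, 0x0a,
    0x3a, 0x2f, 0x9e, 0x91, 0x11, 0x47, 0x30, 0x65, 0x94,
    0x00, 0x01, 0x00, 0x00, 0x00, 0x00
};

/* Constructed sample: a plaintext AMQP 1.0.0 protocol header. */
static const unsigned char PLAIN_HEADER[] = { 'A', 'M', 'Q', 'P', 0x00, 0x01, 0x00, 0x00 };

int main(void) {
    wire_info r = classify_post_sasl(REJECTED_BYTES, sizeof REJECTED_BYTES, 32768);
    printf("kind=%d buffer_len=%u sealed_len=%u payload_len=%u seq_num=%u\n",
           (int)r.kind, (unsigned)r.buffer_len, (unsigned)r.sealed_len,
           (unsigned)r.payload_len, (unsigned)r.seq_num);
    r = classify_post_sasl(PLAIN_HEADER, sizeof PLAIN_HEADER, 32768);
    printf("plain header kind=%d\n", (int)r.kind);
    return 0;
}
```

With rc4, the cipher negotiated in the trace, the 8-byte payload length matches the size of an AMQP protocol header sent as the first sealed buffer with sequence number 0.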

