[ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12753021#action_12753021 ]
Gordon Sim commented on QPID-1899:
----------------------------------

I think the ideal behaviour would be to reject all plain TCP connections if authentication is turned off (as in that case no security layer is negotiated and therefore no encryption takes place).

I _think_ this could be fixed by a simple (though 'hacky') check before registering the TCP protocol factory (i.e. around line 69 in qpid/sys/TCPIOPlugin.cpp); if the broker options indicate that encryption is required and auth is off, don't register the protocol. That would at least 'plug the hole' for now (and would be very safe as the broker would not even be listening for non-ssl connections).

A 'cleaner' solution would be to add a method to qpid::sys::OutputControl through which the various 'protocol' implementations (tcp, rdma, ssl) could indicate whether traffic would be encrypted or not. This could then be used in the SaslAuthenticator impls to (a) determine whether to accept the connection during the AMQP handshake and (b) whether to force a security layer or not.

> --require-encryption doesn't work unless cyrus sasl authentication is turned on
> -------------------------------------------------------------------------------
>
>                 Key: QPID-1899
>                 URL: https://issues.apache.org/jira/browse/QPID-1899
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.5
>            Reporter: Gordon Sim
>            Assignee: Gordon Sim
>             Fix For: 0.6
>
>
> If you specify --require-encryption and --auth no then the broker will allow un-encrypted connections. (If on the other hand you have authentication on, it will prevent you connecting with anything other than a mech that supports encryption and will require an encrypting sasl security layer - or of course an ssl connection)
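The two fixes discussed in the comment above, sketched as an added example that is not Qpid code or part of the original message. All type and function names are hypothetical, and the sample transport list assumes tcp and rdma carry cleartext while ssl is encrypted; the startup check is generalised from TCP to any cleartext transport.

```cpp
#include <string>
#include <vector>

// Hypothetical stand-ins for the two broker options named in the issue.
struct BrokerOptions { bool auth; bool requireEncryption; };

// Hypothetical transport descriptor: 'encrypted' plays the role of the
// proposed "would traffic be encrypted?" query on each protocol.
struct Transport { std::string name; bool encrypted; };

enum class Decision { Accept, AcceptWithSecurityLayer, Reject };

// Constructed sample: tcp and rdma assumed cleartext, ssl encrypted.
std::vector<Transport> sampleTransports() {
    return {{"tcp", false}, {"rdma", false}, {"ssl", true}};
}

// Startup check (the 'hacky' fix): never listen on a cleartext transport
// when encryption is required and no SASL layer can be negotiated.
std::vector<std::string> listenersToRegister(const BrokerOptions& o,
                                             const std::vector<Transport>& all) {
    std::vector<std::string> names;
    for (const auto& t : all) {
        if (o.requireEncryption && !o.auth && !t.encrypted) continue;
        names.push_back(t.name);
    }
    return names;
}

// Handshake check (the 'cleaner' fix): decide from the transport's own
// encryption state, so the requirement also holds when auth is off.
Decision onHandshake(const BrokerOptions& o, const Transport& t) {
    if (!o.requireEncryption || t.encrypted) return Decision::Accept;
    if (o.auth) return Decision::AcceptWithSecurityLayer;  // SASL must encrypt
    return Decision::Reject;  // cleartext and nothing to negotiate
}

// Behaviour reported in the issue, for comparison: the requirement is
// enforced only inside the authenticator, so auth=no bypasses it.
Decision reportedBehaviour(const BrokerOptions& o, const Transport& t) {
    if (!o.auth) return Decision::Accept;
    return onHandshake(o, t);
}
```

With `--require-encryption` and `--auth no`, the reported behaviour accepts a plain TCP connection, while either check fails closed: the listener is never registered, or the handshake is rejected.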