[ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12753021#action_12753021 ]

Gordon Sim commented on QPID-1899:
----------------------------------

I think the ideal behaviour would be to reject all plain TCP connections if 
authentication is turned off (as in that case no security layer is negotiated 
and therefore no encryption takes place). 

I _think_ this could be fixed by a simple (though 'hacky') check before 
registering the TCP protocol factory (i.e. around line 69 in 
qpid/sys/TCPIOPlugin.cpp); if the broker options indicate that encryption is 
required and auth is off don't register the protocol. That would at least 'plug 
the hole' for now, (and would be very safe as the broker would not even be 
listening for non-ssl connections).

A 'cleaner' solution would be to add a method to qpid::sys::OutputControl through 
which the various 'protocol' implementations (tcp, rdma, ssl) could indicate 
whether traffic would be encrypted or not. This could then be used in the 
SaslAuthenticator impls to (a) determine whether to accept the connection 
during the AMQP handshake and (b) whether to force a security layer or not.

> --require-encryption doesn't work unless cyrus sasl authentication is turned 
> on
> -------------------------------------------------------------------------------
>
>                 Key: QPID-1899
>                 URL: https://issues.apache.org/jira/browse/QPID-1899
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.5
>            Reporter: Gordon Sim
>            Assignee: Gordon Sim
>             Fix For: 0.6
>
>
> If you specify --require-encryption and --auth no then the broker will allow 
> un-encrypted connections. (If on the other hand you have authentication on, it 
> will prevent you connecting with anything other than a mech that supports 
> encryption and will require an encrypting sasl security layer - or of course 
> an ssl connection)

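The two fixes outlined in the comment above, as an added illustration rather than Qpid's own code: a constructed model of the broker options and transports in which the 'hacky' check suppresses the plaintext listener entirely, and the 'cleaner' per-connection check makes the decision during the handshake. `BrokerOptions`, `Transport`, `transportEncrypts` and the rule that only SSL encrypts on the wire are assumptions of this example.

```cpp
#include <initializer_list>
#include <vector>

// Constructed stand-ins for the broker options named in the issue
// (--require-encryption and --auth); not Qpid's own option types.
struct BrokerOptions {
    bool requireEncryption;  // --require-encryption
    bool auth;               // --auth yes (true) / no (false)
};

// The protocol implementations the comment lists. Assumption: only SSL
// encrypts on the wire; TCP and RDMA carry plaintext.
enum class Transport { Tcp, Rdma, Ssl };

// Hypothetical equivalent of the proposed OutputControl query: does this
// transport already encrypt traffic?
bool transportEncrypts(Transport t) { return t == Transport::Ssl; }

// The 'hacky' fix: skip registering a plaintext listener when encryption is
// required but no SASL security layer can ever be negotiated (auth off).
bool shouldRegisterProtocol(const BrokerOptions& o, Transport t) {
    return !(o.requireEncryption && !o.auth && !transportEncrypts(t));
}

// Which listeners the broker would bring up under a given configuration.
std::vector<Transport> listenersToRegister(const BrokerOptions& o) {
    std::vector<Transport> out;
    for (Transport t : {Transport::Tcp, Transport::Rdma, Transport::Ssl})
        if (shouldRegisterProtocol(o, t)) out.push_back(t);
    return out;
}

enum class Decision { Accept, AcceptWithSecurityLayer, Reject };

// The 'cleaner' fix: per-connection decision during the AMQP handshake,
// where the SASL authenticator can ask the transport whether it encrypts.
Decision handshakeDecision(const BrokerOptions& o, Transport t,
                           bool mechSupportsSecurityLayer) {
    if (!o.requireEncryption || transportEncrypts(t)) return Decision::Accept;
    // Plain transport with encryption required: only a SASL security layer
    // can satisfy it, and that needs authentication to be on.
    if (o.auth && mechSupportsSecurityLayer) return Decision::AcceptWithSecurityLayer;
    // With auth off nothing can encrypt this connection: reject it. This is
    // the combination QPID-1899 reports as being wrongly accepted.
    return Decision::Reject;
}
```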

