[ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12755521#action_12755521 ]
Ken Giusti commented on QPID-1899:
----------------------------------

Hi Gordon,

I've set up a local kerberos server and am using GSSAPI. I've also created my own certificate. I run qpidd in the foreground as so:

[kgiu...@localhost cpp]$ ./src/qpidd --auth yes --realm EXAMPLE.COM --require-encryption --transport ssl --no-data-dir --no-module-dir --load-module ./src/.libs/ssl.so --ssl-cert-db /home/kgiusti/.test_ssl_cert_db/test_cert_db --ssl-cert-password-file /home/kgiusti/.test_ssl_cert_db/cert.password
2009-09-15 10:44:05 notice Listening on TCP port 5672
2009-09-15 10:44:05 notice Listening for SSL connections on TCP port 5671 5671
2009-09-15 10:44:05 notice Broker running

Notice the two open ports - port 5672 appears to allow unencrypted (but authenticated) connection:

[kgiu...@localhost cpp]$ /usr/kerberos/bin/kinit -k testuser
[kgiu...@localhost cpp]$ export QPID_NO_MODULE_DIR=1
[kgiu...@localhost cpp]$ export QPID_LOAD_MODULE=./src/.libs/sslconnector.so
[kgiu...@localhost cpp]$ export QPID_SSL_CERT_PASSWORD_FILE=/home/kgiusti/.test_ssl_cert_db/cert.password
[kgiu...@localhost cpp]$ export QPID_SSL_CERT_DB=/home/kgiusti/.test_ssl_cert_db/test_cert_db
[kgiu...@localhost cpp]$ src/tests/.libs/lt-perftest -b localhost.localdomain --mechanism GSSAPI --username testuser --tx 1 --count 1 --port 5672 --summary
377.649 23.7361 74.1992 0.0724601

Just fyi - auth is required:

[kgiu...@localhost cpp]$ src/tests/.libs/lt-perftest -b localhost.localdomain --tx 1 --count 1 --port 5672 --summary
Please enter your password <I enter the wrong password>
2009-09-15 10:52:27 warning Broker closed connection: 320, connection-forced: Authentication failed
connection-forced: Authentication failed

No log messages are generated by broker to stderr for the above transactions.

Another interesting point: I cannot connect over the SSL port, even w/auth:

[kgiu...@localhost cpp]$ src/tests/.libs/lt-perftest -b localhost.localdomain --mechanism GSSAPI --username testuser --tx 1 --count 1 --port 5671 -P ssl --summary
2009-09-15 10:55:12 warning Connection closed
Connection closed

In this case, broker issues the following log msg:

2009-09-15 10:55:12 error internal-error: SASL decode error: SASL(-1): generic failure: Unable to find a callback: 32775 (qpid/sys/cyrus/CyrusSecurityLayer.cpp:50)

Have I mis-configured something?

thanks,

-K

> --require-encryption doesn't work unless cyrus sasl authentication is turned on
> -------------------------------------------------------------------------------
>
>                 Key: QPID-1899
>                 URL: https://issues.apache.org/jira/browse/QPID-1899
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.5
>            Reporter: Gordon Sim
>            Assignee: Gordon Sim
>             Fix For: 0.6
>
>         Attachments: qpid-1899-hacky.patch
>
>
> If you specify --require-encryption and --auth no then the broker will allow
> un-encrypted connections. (If on the other hand you have authentication on, it
> will prevent you connecting with anything other than a mech that supports
> encryption and will require an encrypting sasl security layer - or of course
> an ssl connection)

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscr...@qpid.apache.org