[
https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12770486#action_12770486
]
Alan Conway commented on QPID-1899:
-----------------------------------
On 10/26/2009 11:52 AM, Ken Giusti wrote:
> Hi,
>
>I'm trying to fix QPID-1899, and I am trying to determine the best approach to
implement for the cluster case. Opinions requested!
>
> The way I'm trying to fix this bug is by indicating to the broker when a
> connection is on a secure link. Specifically, if a connection uses SSL, then
> I want the SASL authenticator to be aware of this. In SASL, this is done by
> by setting the "external security strength factor" for a connection. This
> prevents SASL from trying to encrypt over an already encrypted connection.
>
> The patch I've posted for QPID-1899 seems to work in the non-cluster case. I
> can determine the security strength (key length) for an SSL connection
> trivially, since the connection is local.
>
> The problem I've hit is with shadow connections on clustered brokers: since
> the SSL link doesn't exist locally, I can't get the key length.
>
> I noticed that the cluster code creates the shadow connection on receipt of
> an "announce" message. One approach to solving this problem would be to put
> the security strength factor into the announce message when a link that is
> encrypted is shadowed. This would require me to add the security strength
> factor to the cluster announce message.
>
> I'm not sure of the ramifications of this, since it will change the existing
> protocol.
>
> Is this a reasonable approach? Is there a better alternative?
That's the way to go, add the data you need to the announce control in XML and
update 2 functions in Cluster.cpp: addLocalConnection (to send the data in the
announce) and getConnection (to set the data on the shadow connection)
Also you need to modify this line in Cluster.cpp:
const uint32_t Cluster::CLUSTER_VERSION = 820783;
Change it to whatever is the latest SVN revision before you submit the patch.
Its there to detect accidentally starting brokers with different versions of
the cluster protocol in the same cluster.
> --require-encryption doesn't work unless cyrus sasl authentication is turned
> on
> -------------------------------------------------------------------------------
>
> Key: QPID-1899
> URL: https://issues.apache.org/jira/browse/QPID-1899
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.5
> Reporter: Gordon Sim
> Assignee: Gordon Sim
> Fix For: 0.6
>
> Attachments: qpid-1899-10_26.patch, qpid-1899-9-17.patch,
> qpid-1899-hacky.patch, qpid-1899.patch, qpid-1899.patch
>
>
> If you specify --require-encryption and --auth no then the broker will allow
> un-encrypted conections. (If on the other hand you have authentication on, it
> will prevent you connecting with anything other than a mech that supports
> encryption and will require an encrypting sasl security layer - or of course
> an ssl connection)
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscr...@qpid.apache.org
