[ https://issues.apache.org/jira/browse/PROTON-950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644675#comment-14644675 ]
Andrew Stitcher commented on PROTON-950:
----------------------------------------

This can only be a change in behaviour for applications that are using the messenger library, as it is the only part of the Proton-c library that has the PLAIN mechanism built in before 0.10.

My proposed change is to add an API to the SASL object allow_insecure_mechs(bool) which defaults to false for the underlying Proton-c library as used directly via the engine or event APIs. If this property is set true then it will allow plain to be used unencrypted.

For the messenger APIs I will default to insecure mechs by default for 0.10, but note that this will be changed in 0.11 to a more secure setting in the 0.10 release notes and the messenger documentation.

> SASL PLAIN over cleartext should be supported
> ---------------------------------------------
>
> Key: PROTON-950
> URL: https://issues.apache.org/jira/browse/PROTON-950
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: 0.10
> Reporter: Ted Ross
> Assignee: Andrew Stitcher
> Priority: Blocker
> Fix For: 0.10
>
>
> In the current 0.10 alpha, if SASL PLAIN is selected, it will only work if
> the connection is encrypted (using SSL). This is a surprising change of
> behavior from earlier versions of Proton and it's arguable that a security
> policy like that should be left to the application using the Proton library.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
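
The policy proposed in the comment above, modelled as an added C example (not Proton's code and not part of the original message): a client-side mechanism chooser that skips PLAIN unless the transport is encrypted or allow_insecure_mechs is set. The type and function names, and the ANONYMOUS mechanism in the sample offers, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the policy in the comment; not Proton's source. */
typedef struct {
    bool transport_encrypted;   /* true once SSL/TLS protects the connection */
    bool allow_insecure_mechs;  /* the proposed property; library default is false */
} sasl_policy_t;

/* PLAIN puts the password itself on the wire, so it is the gated mechanism. */
static bool sends_cleartext_secret(const char *mech) {
    return strcmp(mech, "PLAIN") == 0;
}

/* True if `mech` is a whole space-separated token in the server's offer.
 * Token matching (not strstr) keeps "XPLAIN" from being read as "PLAIN". */
static bool offered(const char *list, const char *mech) {
    size_t mlen = strlen(mech);
    for (const char *p = list; *p; ) {
        size_t n = strcspn(p, " ");
        if (n == mlen && memcmp(p, mech, n) == 0) return true;
        p += n;
        p += strspn(p, " ");
    }
    return false;
}

/* Return the first client-preferred mechanism that the server offers and the
 * policy permits, or NULL so the caller fails closed rather than downgrading. */
const char *select_mech(const sasl_policy_t *pol, const char *server_offer,
                        const char *const *client_prefs, size_t nprefs) {
    for (size_t i = 0; i < nprefs; i++) {
        const char *m = client_prefs[i];
        if (!offered(server_offer, m)) continue;
        if (sends_cleartext_secret(m) &&
            !pol->transport_encrypted && !pol->allow_insecure_mechs)
            continue;  /* cleartext link and no opt-in: refuse PLAIN */
        return m;
    }
    return NULL;
}
```

With both fields false (the library default described above) PLAIN is never chosen on a cleartext link; setting allow_insecure_mechs to true reproduces the messenger default described for 0.10.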