[ https://issues.apache.org/jira/browse/PROTON-1008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14935164#comment-14935164 ]
Gordon Sim commented on PROTON-1008: ------------------------------------ The commit referenced above was made to revert to pre 0.10 behaviour, where a SASL layer was not used unless a username was specified (even if that was 'anonymous'). All it does is avoids making a call to pn_sasl_allowed_mechs if no mechanisms have been specified. I believe that is actually sensible behaviour. There does need to be a way to avoid using SASL, though whether it needs to be off unless requested as it was prior to the 0.10 release is certainly debatable. > Using a blank mech_list disables authentication > ----------------------------------------------- > > Key: PROTON-1008 > URL: https://issues.apache.org/jira/browse/PROTON-1008 > Project: Qpid Proton > Issue Type: Bug > Components: python-binding > Affects Versions: 0.11 > Reporter: Ted Ross > Assignee: Gordon Sim > Fix For: 0.11 > > > This bug was introduced in commit > > https://github.com/apache/qpid-proton/commit/14956b07edc3de93f67179c753bbedcd9eba51a6 > If the client leaves allowed_mechs as None, the SASL protocol is not even > executed. I claim that allowed_mechs is used to restrict the set of > acceptable mechanisms. If it is None, then all available mechanisms may be > used. > This bug causes a failure in the Qpid Dispatch test suite > (system_tests_qdstat). The failure is when the server requires > authentication and will accept EXTERNAL and the client has a valid > client-certificate but doesn't use the sasl protocol because qdstat doesn't > (and can't) set the allowed_mechs. -- This message was sent by Atlassian JIRA (v6.3.4#6332)