I have deployed Qpid Dispatch 1.19.0 and have successfully configured an
SSL profile where the Proton-j2 client (1.0.0-M22) is
authenticated/authorized using the EXTERNAL SASL mechanism so that the
Common Name in the client certificate must match the userId of the AMQP
message. So I have a listener like this:
listener {
    port: 5671
    role: normal
    authenticatePeer: true
    saslMechanisms: EXTERNAL
    sslProfile: mesh-clients
    requireSsl: true
}
and a sslProfile like this:
sslProfile {
    name: mesh-clients
    certFile: /vault/secrets/oi-amqp-mesh-certs-external.crt
    privateKeyFile: /vault/secrets/oi-amqp-mesh-certs-external.key
    caCertFile: /vault/secrets/client.crt
    uidFormat: n
}
So far everything is good. However I now wish to expose the service through
a proxy using websockets. To this end I have amended the config to add a
second identical listener but with http: true, knowing that the websockets
parameter will then default to true.
listener {
    port: 8080
    role: normal
    http: true
    authenticatePeer: true
    saslMechanisms: EXTERNAL
    sslProfile: mesh-clients
    requireSsl: true
}
In the Proton-j2 client I similarly enable websockets:
    options.transportOptions().useWebSockets(true);
When I try to send messages over websockets on port 8080 the Proton client
says that Qpid Dispatch did not offer any SASL mechanisms:
    Caused by: javax.security.sasl.SaslException: Could not find a suitable SASL Mechanism. No supported mechanism, or none usable with the available credentials. Server offered: []
        at org.apache.qpid.protonj2.engine.sasl.client.SaslAuthenticator.handleSaslMechanisms(SaslAuthenticator.java:97)
The Qpid Dispatch log shows that it has upgraded from HTTP to AMQPWS but
the connection was then aborted:
    2024-12-02 15:07:46.141919 +0000 SERVER (debug) [187] upgraded HTTP connection from 127.0.0.1 to AMQPWS
    2024-12-02 15:07:46.142165 +0000 SERVER (trace) [C187] Configuring SSL on :8080
    2024-12-02 15:07:46.154025 +0000 SERVER (info) [C187] Accepted connection to :8080 from 127.0.0.1
    2024-12-02 15:07:46.361440 +0000 SERVER (info) [C187] Connection from 127.0.0.1 (to :8080) failed: amqp:connection:framing-error connection aborted
I'm guessing that the client certificate isn't being passed from the
websocket layer to the SASL layer, so Qpid Dispatch has no reason to offer
EXTERNAL and so the Proton client aborts the connection.
I would be very grateful if you could confirm whether Qpid Proton/Dispatch
support client certificates over websockets. And if so what
additional config is required other than enabling the websockets feature?
Many Thanks
Mike
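For anyone reproducing this, the following is an added example of a complete Proton-j2 sender that pins the client to the EXTERNAL mechanism, presents the client certificate from a keystore, and sets the message userId to the CN read out of that same certificate (which is what uidFormat: n on the router compares against). It is not code from the original post or from the Qpid project; the keystore paths, passwords, host name and the "mesh/test" address are assumptions to adjust. Run it once against the plain TLS listener on 5671 and once against the websocket listener on 8080 to compare the two paths with identical client settings.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.apache.qpid.protonj2.client.Client;
import org.apache.qpid.protonj2.client.Connection;
import org.apache.qpid.protonj2.client.ConnectionOptions;
import org.apache.qpid.protonj2.client.Message;
import org.apache.qpid.protonj2.client.Sender;
import org.apache.qpid.protonj2.client.Tracker;

public class ExternalSaslWsSender {

    // Hypothetical paths and passwords: adjust to your deployment.
    static final String KEYSTORE = "client.p12";            // client cert + private key
    static final String KEYSTORE_PASSWORD = "changeit";
    static final String TRUSTSTORE = "router-ca.p12";       // CA that signed the router cert
    static final String TRUSTSTORE_PASSWORD = "changeit";

    /**
     * Reads the CN from the first certificate in the keystore so the message
     * userId cannot drift from what the router sees in the TLS handshake.
     */
    static String certificateCommonName(String keystorePath, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password.toCharArray());
        }
        String alias = ks.aliases().nextElement();
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        throw new IllegalStateException("certificate has no CN: " + dn);
    }

    /** Builds connection options for TLS client auth + EXTERNAL, optionally over websockets. */
    static ConnectionOptions buildOptions(boolean useWebSockets) {
        ConnectionOptions options = new ConnectionOptions();
        options.sslOptions()
               .sslEnabled(true)
               .keyStoreLocation(KEYSTORE)
               .keyStorePassword(KEYSTORE_PASSWORD)
               .trustStoreLocation(TRUSTSTORE)
               .trustStorePassword(TRUSTSTORE_PASSWORD);
        // Allow only EXTERNAL so a listener that offers nothing (or only ANONYMOUS/PLAIN)
        // fails loudly instead of silently negotiating a weaker mechanism.
        options.saslOptions().addAllowedMechanism("EXTERNAL");
        options.transportOptions().useWebSockets(useWebSockets);
        return options;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "router.example";        // assumed host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 5671;    // 5671 = TLS, 8080 = websockets
        boolean ws = args.length > 2 && Boolean.parseBoolean(args[2]);

        String cn = certificateCommonName(KEYSTORE, KEYSTORE_PASSWORD);
        Client client = Client.create();
        try (Connection connection = client.connect(host, port, buildOptions(ws))) {
            Sender sender = connection.openSender("mesh/test");           // assumed address
            Message<String> message = Message.create("hello over " + (ws ? "AMQPWS" : "AMQPS"))
                                             .userId(cn.getBytes(StandardCharsets.UTF_8));
            Tracker tracker = sender.send(message);
            tracker.awaitSettlement();
            System.out.println("settled as user '" + cn + "' on port " + port);
        } finally {
            client.close();
        }
    }
}
```

Restricting the allowed mechanisms to EXTERNAL is the useful part of the check: if the router offers an empty mechanism list, as in the exception above, the client fails at the SASL stage rather than being authenticated under some other identity, so the log line tells you exactly which listener is not presenting the certificate identity to SASL.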