From Gordon Sim <g...@redhat.com>
Subject Re: Is it normal to have to turn SASL off to get qpid-config and qpid-stat to work with SSL?
Date Mon, 15 Aug 2016 08:39:06 GMT
On 13/08/16 03:35, Jeff Donner wrote:
> # client
> ssl-best$ qpid-config --broker=amqps://jgd/donner@localhost:5671 --ssl-certificate=ssl_certs/client/tclient-certificate.pem --ssl-key=ssl_certs/tclient-unencrypted-private.key
> Failed: ConnectionError: connection-forced: Authentication failed(320)
>
> # qpidd response:
> 2016-08-12 17:01:38 [Network] trace Accepting SSL connection.
> 2016-08-12 17:01:38 [Network] info Set TCP_NODELAY on connection to [::1]:59398
> 2016-08-12 17:01:38 [Network] trace Accepting SSL connection.
> 2016-08-12 17:01:38 [System] debug RECV [qpid.[::1]:5671-[::1]:59398]: INIT(0-10)
> 2016-08-12 17:01:38 [Security] debug External ssf=128 and auth=test_client
> 2016-08-12 17:01:38 [Security] debug min_ssf: 0, max_ssf: 0, external_ssf: 128
> 2016-08-12 17:01:38 [Security] debug external auth detected and set to test_client
> 2016-08-12 17:01:38 [Security] info SASL: Mechanism list: EXTERNAL
> 2016-08-12 17:01:38 [Broker] debug LinkRegistry::notifyConnection(); key=qpid.[::1]:5671-[::1]:59398
> 2016-08-12 17:01:38 [Security] trace ACL ConnectionCounter new connection: qpid.[::1]:5671-[::1]:59398
> 2016-08-12 17:01:38 [Model] trace Mgmt create connection. id:qpid.[::1]:5671-[::1]:59398
> 2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]: INIT(0-10)
> 2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]: Frame[BEbe; channel=0; {ConnectionStartBody: server-properties={host:V2:7:str16(sidecar),platform:V2:5:str16(Linux),product:V2:8:str16(qpid-cpp),qpid.federation_tag:V2:36:str16(f390a428-3c91-4255-a327-55b4a3fb7570),version:V2:4:str16(0.34)}; mechanisms=str16{V2:8:str16(EXTERNAL)}; locales=str16{V2:5:str16(en_US)}; }]
> 2016-08-12 17:01:38 [Protocol] trace RECV [qpid.[::1]:5671-[::1]:59398]: Frame[BEbe; channel=0; {ConnectionStartOkBody: client-properties={platform:V2:5:str16(posix),product:V2:18:str16(qpid python client),qpid.client_pid:F8:int64(4067),qpid.client_ppid:F8:int64(2058),qpid.client_process:V2:11:str16(qpid-config),version:V2:11:str16(development)}; mechanism=EXTERNAL; response=xxxxxx; }]
> 2016-08-12 17:01:38 [Security] info SASL: Starting authentication with mechanism: EXTERNAL
> 2016-08-12 17:01:38 [Security] info SASL: Authentication failed for jgd@QPID:SASL(-13): authentication failure: Requested identity not authenticated identity

Ok, I think what you need to do is put the CN from your certificate as 
the username in the url.

EXTERNAL is being selected (in fact no other mechanism is being 
offered), but the client is requesting an identity that doesn't match 
the certificate it has been authenticated with.

The client library really should set that itself (it does for c++) but 
if I recall correctly, in python it doesn't.

> 2016-08-12 17:01:38 [System] debug Exception constructed: Authentication failed
> 2016-08-12 17:01:38 [Model] debug Failed connection. rhost:qpid.[::1]:5671-[::1]:59398 user:jgd@QPID reason:SASL(-13): authentication failure: Requested identity not authenticated identity
> 2016-08-12 17:01:38 [Protocol] error Connection qpid.[::1]:5671-[::1]:59398 closed by error: connection-forced: Authentication failed(320)
> 2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]: Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=320; reply-text=connection-forced: Authentication failed; }]
