qpid-dev mailing list archives

From Robert Godfrey <rob.j.godf...@gmail.com>
Subject Re: Proposal to unify qpid and AMQP URL formats.
Date Thu, 12 Feb 2009 10:28:14 GMT
2009/2/12 John O'Hara <john.r.ohara@gmail.com>:
> TLS doesn't have to be TCP/IP.  From the RFC: "At the lowest level, layered
> on top of some reliable transport protocol (e.g., TCP[TCP]), is the TLS
> Record Protocol."
>
> For example I could theoretically use TLS over Socket Direct Protocol
> over IB.  What it needs is reliability and order underneath.
>
> Also, the AMQP1 negotiation as currently in discussion asserts a
> demand for TLS very early on - in fact during the AMQP header
> exchange.  So it's an option added to AMQP; the current draft header
> has a bit for it (talk to Rafi, long discussion).
>
> This would lead to amqp+tls since the ordered connection is already
> open and we're asking the TLS + AMQP handshake to begin.
>
> Just my logic, and just 1.0 draft.

My point is that the absence of TLS on the URL does not mean "no TLS"
since the TLS will be negotiated at connection opening.  Adding TLS on
the URL would only be necessary on a connection where the client
requires TLS but the server also provides non-TLS.  Since this is a
decision of the client (not the server), it wouldn't be something that
the server would be storing in its "list of alternative connection
URLs" for failover in a cluster.  If the server insists on TLS it must do
this in the connection negotiation phase.

So - again going back to use-cases for these URLs - I think the only
time you would need to store "tls" in a URL of this form is in client
configuration data.

-- Rob



>
> Objections I'd be interested in.
>
> Cheers
>
> John
>
>
>
>
>
>
> 2009/2/11 Carl Trieloff <cctrieloff@redhat.com>
>
>> Alan Conway wrote:
>>
>>> John O'Hara wrote:
>>>
>>>> Very well considered, and highly flexible. Compatible with where AMQP1.0
>>>> is
>>>> heading (wrt TLS handling -- balance of opinion is that TLS will be on
>>>> the
>>>> same port, as it would be for Kerberos based encryption).
>>>>
>>>> Missed out a TLS example:
>>>>
>>>> amqp+tls://foo:bar@tcp:host1:1234/vhost?clientid=baz
>>>>
>>>>
>>> I think it's cleaner to put modifiers like TLS into the protocol
>>> identifier rather than the URL scheme:
>>>
>>> amqp://foo:bar@tcp+tls: host:...
>>>
>>> That gives greater flexibility over protocols used in the host list and
>>> avoids the problem of mis-matching modifiers and protocols, e.g. if we have
>>> an infiniband protocol then what would amqp+tls://ib:inifinibandstuff/...
>>> mean?
>>>
>>> What do you think?
>>>
>>
>> tls is tcp,
>>
>> so tls/tcp/ib is enough... don't even need ib, as that is just the IP for
>> the IB port, everything else is transparent.
>>
>> to that tls is just another tcp port for that matter
>>
>> Carl.
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> Apache Qpid - AMQP Messaging Implementation
>> Project:      http://qpid.apache.org
>> Use/Interact: mailto:dev-subscribe@qpid.apache.org
>>
>>
>

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
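
An added example, not code from this thread or from Qpid: a client-side sketch of the point made in the reply above, that "tls" in a URL records a client requirement while its absence leaves TLS to connection negotiation. The URL grammar is assumed from the two example URLs quoted in the thread, and the names parse, failover_candidates and may_proceed, plus the sample host and port in the comments, are hypothetical.

```python
import re
from dataclasses import dataclass

# Grammar assumed from the thread's two examples only (not a Qpid or AMQP spec):
#   amqp[+tls]://[user:pass@]proto[+tls]:host:port[/vhost][?query]
_URL = re.compile(
    r"^amqp(?P<scheme_tls>\+tls)?://"
    r"(?:(?P<user>[^:@/]+):(?P<password>[^@/]*)@)?"
    r"(?P<proto>[a-z]+)(?P<proto_tls>\+tls)?:"
    r"(?P<host>[^:/?]+):(?P<port>\d+)(?P<rest>[/?].*)?$"
)

@dataclass(frozen=True)
class Endpoint:
    proto: str
    host: str
    port: int
    require_tls: bool   # client policy: True means "refuse to talk without TLS"

def parse(url):
    """Accept the modifier in either position discussed: amqp+tls:// or tcp+tls:."""
    m = _URL.match(url)
    if m is None:
        raise ValueError("unrecognised URL: %r" % url)
    required = bool(m["scheme_tls"] or m["proto_tls"])
    return Endpoint(m["proto"], m["host"], int(m["port"]), required)

def failover_candidates(client_url, advertised_urls):
    """Combine the configured URL with broker-advertised alternatives.

    The broker's list does not carry the client's TLS requirement, so the
    requirement from client configuration is applied to every alternative
    (an assumption of this sketch, following the reply above).
    """
    primary = parse(client_url)
    result = [primary]
    for url in advertised_urls:
        ep = parse(url)
        result.append(Endpoint(ep.proto, ep.host, ep.port,
                               ep.require_tls or primary.require_tls))
    return result

def may_proceed(endpoint, negotiated_tls):
    """Decide after the header exchange whether the client continues.

    No "tls" in the URL does not forbid TLS: a negotiated TLS session is
    always acceptable. A plaintext result is rejected only when the client
    configuration demanded TLS.
    """
    return negotiated_tls or not endpoint.require_tls

# Constructed sample, e.g.:
#   failover_candidates("amqp+tls://foo:bar@tcp:host1:1234/vhost",
#                       ["amqp://tcp:host2:5672"])
```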

