qpid-dev mailing list archives

From "Ken Giusti (JIRA)" <qpid-...@incubator.apache.org>
Subject [jira] Commented: (QPID-1899) --require-encryption doesn't work unless cyrus sasl authentication is turned on
Date Wed, 04 Nov 2009 16:41:32 GMT

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773555#action_12773555 ]

Ken Giusti commented on QPID-1899:

Hi Gordon,

I talked with Alan regarding authentication/security in a clustered broker, see 


Our current approach for QPID-2187 would permit a secure/auth connection from a client to
the connected broker in the cluster.  The data would be decrypted at that broker, then mirrored
in the clear to the other members of the cluster.   This avoids the overhead of having to
decrypt at each broker, given that a cluster could be implemented in a secure site.   In the
future, secure intra-cluster links could be provided via openAis, if needed.

In any case, if we do implement security only on the directly attached broker, then I would
think that we would not need to propagate the SSF across the cluster.   

What do you think?   If you agree, I'll strip the cluster modifications from the last patch.
  If possible, I'd like to have this patch applied so I can develop QPID-2187 against the
GSSAPI + SSL case.


> --require-encryption doesn't work unless cyrus sasl authentication is turned on
> -------------------------------------------------------------------------------
>                 Key: QPID-1899
>                 URL: https://issues.apache.org/jira/browse/QPID-1899
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.5
>            Reporter: Gordon Sim
>            Assignee: Gordon Sim
>             Fix For: 0.6
>         Attachments: qpid-1899-10_26.patch, qpid-1899-10_30.patch, qpid-1899-9-17.patch, qpid-1899-hacky.patch, qpid-1899.patch, qpid-1899.patch
> If you specify --require-encryption and --auth no then the broker will allow un-encrypted
> connections. (If on the other hand you have authentication on, it will prevent you connecting
> with anything other than a mech that supports encryption and will require an encrypting sasl
> security layer - or of course an ssl connection)

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
