qpid-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DISPATCH-116) Qpid dispatch management tools do not use SSL and SASL correctly.
Date Wed, 18 Feb 2015 21:40:12 GMT

    [ https://issues.apache.org/jira/browse/DISPATCH-116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14326596#comment-14326596 ]

ASF subversion and git services commented on DISPATCH-116:
----------------------------------------------------------

Commit 1660733 from [~aconway] in branch 'dispatch/trunk'
[ https://svn.apache.org/r1660733 ]

DISPATCH-116: Qpid dispatch management tools do not use SSL and SASL correctly.

Added support for SSL connections from qdmanage and qdstat tools.

Common command line option handling and SSL config code in qpid_dispatch_internal.tools.command
for existing and future tools.

Common options are:

  Connection Options:
    -b URL, --bus=URL   URL of the messaging bus to connect to (default 0.0.0.0)
    -r ROUTER-ID, --router=ROUTER-ID
                        Router to be queried
    -t SECS, --timeout=SECS
                        Maximum time to wait for connection in seconds (default 5)
    --ssl-certificate=CERT
                        Client SSL certificate (PEM Format)
    --ssl-key=KEY       Client SSL private key (PEM Format)
    --ssl-trustfile=TRUSTED-CA-DB
                        Trusted Certificate Authority Database file (PEM Format)
    --ssl-password=TRUSTED-CA-DB
                        Certificate password, will be prompted if not specifed.

NOTE: If --ssl options are present the tools will automatically assume the
amqps: scheme for the URL.

NOTE: --sasl-mechanism option was removed. Presently proton only supports
ANONYMOUS and PLAIN and will auto-detect the SASL mechanism from the URL as
follows:

amqp://host - no SASL at all
amqp://anonymous@host - ANONYMOUS mechanism
amqp://user:password@host - PLAIN mechanism

The tools will add anonymous@ if no user is present to force the use of SASL as this
is most compatible with dispatch. Dispatch can allow no-SASL connections but requires
explicit configuration, and SASL connections will always work.

Additional SASL support is in progress; we will update the tools when it is clear how
additional mechanisms are specified.

> Qpid dispatch management tools do not use SSL and SASL correctly.
> -----------------------------------------------------------------
>
>                 Key: DISPATCH-116
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-116
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Management Agent
>    Affects Versions: 0.4
>            Reporter: Alan Conway
>            Assignee: Alan Conway
>             Fix For: 0.4
>
>
> Recent changes in proton mean that proton clients do not do a SASL handshake by default unless there is a username in the connection URL.
> Since dispatch requires SASL the dispatch management tools need to add anonymous@ to connection URLs if there is not already a username specified; this enables SASL.
> The tools also do not appear to be applying SSL connection options correctly.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
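
The URL handling described in the commit message above, as an added Python example (not the qdmanage/qdstat code and not part of the original message). The function name `normalize_bus_url`, the `UNSPECIFIED` label, the treatment of a bare host as `amqp://`, and the cleartext-password flag are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def normalize_bus_url(url, ssl_options_present=False):
    """Return (url, sasl_mechanism, password_in_clear) for a bus URL."""
    # Assumption: a bare "host[:port]" such as the default 0.0.0.0 means amqp://.
    if "://" not in url:
        url = "amqp://" + url
    parts = urlsplit(url)

    # Any --ssl-* option implies the amqps: scheme.
    scheme = "amqps" if ssl_options_present else parts.scheme

    netloc = parts.netloc
    if not parts.username:
        # No user: add anonymous@ so that a SASL handshake takes place.
        netloc = "anonymous@" + netloc.rpartition("@")[2]
        mechanism = "ANONYMOUS"
    elif parts.password is not None:
        mechanism = "PLAIN"
    elif parts.username == "anonymous":
        mechanism = "ANONYMOUS"
    else:
        # user@host without a password is not covered by the commit message.
        mechanism = "UNSPECIFIED"

    # SASL PLAIN carries the password unencrypted unless TLS wraps the connection.
    password_in_clear = mechanism == "PLAIN" and scheme != "amqps"
    new_url = parts._replace(scheme=scheme, netloc=netloc).geturl()
    return new_url, mechanism, password_in_clear


if __name__ == "__main__":
    # Constructed sample inputs: (URL, whether any --ssl-* option was given).
    samples = [
        ("0.0.0.0", False),
        ("amqp://anonymous@host", False),
        ("amqp://user:password@host", False),
        ("amqp://user:password@host", True),
    ]
    for url, ssl in samples:
        print(url, ssl, "->", normalize_bus_url(url, ssl))
```

A `True` third element marks a PLAIN login over `amqp://`, the case where supplying the `--ssl-*` options moves the connection to `amqps://`.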
