[rabbitmq-discuss] rabbitmq-c and SimpleAmqpClient SSL authentication

Dushin Fred fred at dushin.net
Fri Apr 4 01:19:28 BST 2014


And I suppose we would want to plumb this through as a parameter to the SimpleAmqpClient API, as well, no?  I can try that.

-Fred

On Mar 31, 2014, at 1:31 AM, Alan Antonuk <alan.antonuk at gmail.com> wrote:

> I haven't tried it out yet, but here's a PR adding the EXTERNAL SASL mechanism to rabbitmq-c.
> 
> https://github.com/alanxz/rabbitmq-c/pull/179
> 
> Feel free to try it out and let me know how it works.
> 
> -Alan
> 
> 
> On Sun, Mar 30, 2014 at 5:46 PM, Alan Antonuk <alan.antonuk at gmail.com> wrote:
> Fred;
> 
> 
> On Sun, Mar 30, 2014 at 1:29 PM, Dushin Fred <fred at dushin.net> wrote:
> Hi Folks,
> 
> I have run into two issues with the (admittedly unsupported) rabbitmq-c and SimpleAmqpClient libraries.  (I realize I am hijacking the RabbitMQ mailing list for this topic, but I am guessing the Pivotal folks don't mind, because this should result in an improvement of the overall RabbitMQ ecosystem.)
> 
> Currently this mailing list is the best place to have discussions concerning these two libraries. 
> 
> The first issue is with the SimpleAmqpClient library.  It appears that there is no knob in the Channel::CreateSecureChannel operation to disable hostname verification of the RabbitMQ server.  There is a knob in the rabbitmq-c API (amqp_ssl_socket_set_verify), but you need a socket to call it, and the only reasonable place to do that is in the Channel constructor.  I am including a patch off the github 2.3 tag for doing just that, though for some reason I did not track down, I could not get boost::make_shared to take my new constructor signature, so I just used the shared_ptr constructor in the raw.  That may not fit the current model, but it seems harmless for testing.
> 
> This is probably what you want: https://github.com/alanxz/SimpleAmqpClient/pull/85. In the future feel free to open a pull-request against the library on github. The error you were seeing with boost::make_shared most likely had to do with its limit of 10 arguments.
> 
> 
> If I look at the rabbitmq-c code, I see that the C client library and API only seems to support the PLAIN SASL method.
> 
> That is correct. I'm open to adding support for additional SASL mechanisms to rabbitmq-c. If the implementation of the SASL mechanism is anything more than trivial (e.g., PLAIN really is dead-simple), rabbitmq-c should probably link in a thoroughly tested external library (like cyrus-SASL). Given use of these alternate SASL mechanisms appears to be very low, any external library dependencies should remain optional. I can provide some other hints to get started adding this to rabbitmq-c if you so desire.
> 
> Any pointers to docs on the EXTERNAL mechanism (at least WRT SSL client auth) or existing code would be greatly appreciated.
> 
> The RFC for SASL includes a pretty good description of how the SASL EXTERNAL method should operate: http://tools.ietf.org/html/rfc4422#appendix-A (it actually looks pretty simple to implement).
> 
> 
> -Alan
> 
> 
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
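
The thread above contrasts the PLAIN and EXTERNAL SASL mechanisms and points to RFC 4422 Appendix A. The C sketch below is an added example, not part of the original thread and not rabbitmq-c code: it checks that the broker offers a mechanism and builds the PLAIN and EXTERNAL responses as they would be placed in the AMQP 0-9-1 connection.start-ok fields. All function names and the `SASL_ERR` constant are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SASL_ERR ((size_t)-1)

/* Return 1 if `name` is a whole token in the space-separated mechanism
 * list the broker sends in connection.start (a longstr, not NUL-terminated). */
int mechanism_offered(const char *list, size_t len, const char *name) {
  size_t nlen = strlen(name), i = 0;
  while (i < len) {
    size_t start = i;
    while (i < len && list[i] != ' ') i++;
    if (i - start == nlen && memcmp(list + start, name, nlen) == 0) return 1;
    i++; /* skip the separator */
  }
  return 0;
}

/* PLAIN: empty authzid, NUL, username, NUL, password (secret on the wire). */
size_t sasl_plain_response(uint8_t *out, size_t cap, const char *user, const char *pass) {
  size_t ul = strlen(user), pl = strlen(pass);
  if (ul + pl + 2 > cap) return SASL_ERR;
  out[0] = 0; memcpy(out + 1, user, ul);
  out[1 + ul] = 0; memcpy(out + 2 + ul, pass, pl);
  return ul + pl + 2;
}

/* EXTERNAL (RFC 4422 Appendix A): the response is only the authorization
 * identity, which may be empty; no secret is sent. The length is explicit
 * so that an embedded NUL, which the grammar forbids, can be rejected. */
size_t sasl_external_response(uint8_t *out, size_t cap, const char *authzid, size_t len) {
  if (len > cap || memchr(authzid, 0, len) != NULL) return SASL_ERR;
  memcpy(out, authzid, len);
  return len;
}

/* Encode the mechanism (shortstr: 1-byte length) and response (longstr:
 * 4-byte big-endian length) fields of connection.start-ok. */
size_t encode_auth_fields(uint8_t *out, size_t cap, const char *mech,
                          const uint8_t *resp, size_t rlen) {
  size_t ml = strlen(mech);
  if (ml > 255 || rlen > UINT32_MAX || 1 + ml + 4 + rlen > cap) return SASL_ERR;
  out[0] = (uint8_t)ml; memcpy(out + 1, mech, ml);
  out[1 + ml] = (uint8_t)(rlen >> 24); out[2 + ml] = (uint8_t)(rlen >> 16);
  out[3 + ml] = (uint8_t)(rlen >> 8);  out[4 + ml] = (uint8_t)rlen;
  memcpy(out + 5 + ml, resp, rlen);
  return 5 + ml + rlen;
}
```

With EXTERNAL the identity comes from the TLS client certificate already presented on the connection, so an empty response is valid and the client should fall back or fail closed when `mechanism_offered` returns 0 rather than silently sending PLAIN.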
