[rabbitmq-discuss] rabbitmq-c and SimpleAmqpClient SSL authentication

Alan Antonuk alan.antonuk at gmail.com
Sat Apr 5 16:28:08 BST 2014


Yes, that should be done at some point. Feel free to open a PR on
SimpleAmqpClient when you've got something.

-Alan

On Thu, Apr 3, 2014 at 5:19 PM, Dushin Fred <fred at dushin.net> wrote:

> And I suppose we would want to plumb this through as a parameter to the
> SimpleAmqpClient API, as well, no?  I can try that.
>
> -Fred
>
> On Mar 31, 2014, at 1:31 AM, Alan Antonuk <alan.antonuk at gmail.com> wrote:
>
> I haven't tried it out yet, but here's a PR adding the EXTERNAL SASL
> mechanism to rabbitmq-c.
>
> https://github.com/alanxz/rabbitmq-c/pull/179
>
> Feel free to try it out and let me know how it works.
>
> -Alan
>
>
> On Sun, Mar 30, 2014 at 5:46 PM, Alan Antonuk <alan.antonuk at gmail.com> wrote:
>
>> Fred;
>>
>>
>> On Sun, Mar 30, 2014 at 1:29 PM, Dushin Fred <fred at dushin.net> wrote:
>>
>>> Hi Folks,
>>>
>>> I have run into two issues with the (admittedly unsupported) rabbitmq-c
>>> and SimpleAmqpClient libraries.  (I realize I am hijacking the RabbitMQ
>>> mailing list for this topic, but I am guessing the Pivotal folks don't
>>> mind, because this should result in an improvement of the overall RabbitMQ
>>> ecosystem.)
>>>
>>
>> Currently this mailing list is the best place to have discussions
>> concerning these two libraries.
>>
>>>
>>> The first issue is with the SimpleAmqpClient library.  It appears that
>>> there is no knob in the Channel::CreateSecureChannel operation to disable
>>> hostname verification of the RabbitMQ server.  There is a knob in the
>>> rabbitmq-c API (amqp_ssl_socket_set_verify), but you need a socket to call
>>> it, and the only reasonable place to do that is in the Channel constructor.
>>>  I am including a patch off the github 2.3 tag for doing just that, though
>>> for some reason I did not track down, I could not get boost::make_shared
>>> to take my new constructor signature, so I just used the shared_ptr
>>> constructor in the raw.  That may not fit the current model, but it seems
>>> harmless for testing.
>>>
>>
>> This is probably what you want:
>> https://github.com/alanxz/SimpleAmqpClient/pull/85. In the future feel
>> free to open a pull-request against the library on github. The error you
>> were seeing with boost::make_shared most likely had to do with its limit of 10
>> arguments.
>>
>>>
>>>
>>> If I look at the rabbitmq-c code, I see that the C client library and
>>> API only seems to support the PLAIN SASL method.
>>
>>
>> That is correct. I'm open to adding support for additional SASL
>> mechanisms to rabbitmq-c. If the implementation of the SASL mechanism is
>> anything more than trivial (e.g., PLAIN really is dead-simple), rabbitmq-c
>> should probably link in a thoroughly tested external library (like
>> cyrus-SASL). Given use of these alternate SASL mechanisms appears to be
>> very low, any external library dependencies should remain optional. I can
>> provide some other hints to get started adding this to rabbitmq-c if you so
>> desire.
>>
>>
>>>  Any pointers to docs on the EXTERNAL mechanism (at least WRT SSL client
>>> auth) or existing code would be greatly appreciated.
>>>
>>
>> The RFC for SASL includes a pretty good description of how the SASL
>> EXTERNAL method should operate:
>> http://tools.ietf.org/html/rfc4422#appendix-A (it actually looks pretty
>> simple to implement).
>>
>>
>> -Alan
>>
>>
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>
>
>
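
An added example, not part of this thread and not rabbitmq-c's code: the client's initial response for the PLAIN and EXTERNAL mechanisms discussed above, built per RFC 4616 and RFC 4422 Appendix A. The function and enum names are hypothetical, and the credentials are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; names are hypothetical, not rabbitmq-c's API. */
enum sasl_mech { SASL_PLAIN, SASL_EXTERNAL };

/* NUL is PLAIN's field separator and is not allowed in an EXTERNAL
 * authorization identity, so reject it inside any field. */
static int has_nul(const char *s, size_t n) {
    return n > 0 && memchr(s, '\0', n) != NULL;
}

/* Build the client's initial SASL response into out[0..cap).
 * PLAIN (RFC 4616):      NUL authcid NUL passwd  (empty authzid)
 * EXTERNAL (RFC 4422 A): requested authzid, or empty so the server uses the
 *                        identity tied to the client's external credentials
 *                        (here, the TLS client certificate).
 * Returns the response length, or -1 on bad input or a short buffer. */
long sasl_initial_response(enum sasl_mech mech, const char *id, size_t id_len,
                           const char *pw, size_t pw_len,
                           unsigned char *out, size_t cap) {
    if (has_nul(id, id_len)) return -1;
    if (mech == SASL_EXTERNAL) {
        if (id_len > cap) return -1;
        if (id_len > 0) memcpy(out, id, id_len);
        return (long)id_len;
    }
    /* PLAIN: authcid must be non-empty; check sizes without overflow. */
    if (id_len == 0 || has_nul(pw, pw_len)) return -1;
    if (cap < 2 || id_len > cap - 2 || pw_len > cap - 2 - id_len) return -1;
    out[0] = 0;
    memcpy(out + 1, id, id_len);
    out[1 + id_len] = 0;
    if (pw_len > 0) memcpy(out + 2 + id_len, pw, pw_len);
    return (long)(2 + id_len + pw_len);
}

int main(void) {
    unsigned char buf[64];
    /* Constructed sample credentials. */
    long n = sasl_initial_response(SASL_PLAIN, "guest", 5, "guest", 5, buf, sizeof buf);
    printf("PLAIN response: %ld bytes\n", n);
    n = sasl_initial_response(SASL_EXTERNAL, NULL, 0, NULL, 0, buf, sizeof buf);
    printf("EXTERNAL response: %ld bytes\n", n);
    return 0;
}
```

With EXTERNAL no secret crosses the wire in the SASL exchange; the server's decision rests entirely on the certificate validated during the TLS handshake.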