[rabbitmq-discuss] rabbitmq-c and SimpleAmqpClient SSL authentication

Mon Mar 31 01:46:14 BST 2014

Fred;

On Sun, Mar 30, 2014 at 1:29 PM, Dushin Fred <fred at dushin.net> wrote:

> Hi Folks,
>
> I have run into two issues with the (admittedly unsupported) rabbitmq-c
> and SimpleAmqpClient libraries.  (I realize I am hijacking the RabbtiMQ
> mailing list for this topic, but I am guessing the Pivotal folks don't
> mind, because this should result in an improvement of the overall RabbitMQ
> ecosystem.)
>

Currently this mailing list is the best place to have discussions
concerning these two libraries.

>
> The first issue is with the SimpleAmqpClient library.  It appears that
> there is no knob in the Channel::CreateSecureChannel operation to disable
> hostname verification of the RabbitMQ server.  There is a knob in the
> rabbitmq-c API (amqp_ssl_socket_set_verify), but you need a socket to call
> it, and the only reasonable place to do that is in the Channel constructor.
>  I am including a patch off the github 2.3 tag for doing just that, though
> for some reason I did not track down, I could not get boost::make_shared
> take my new constructor signature, so I just used the shared_ptr
> constructor in the raw.  That may not fit the current model, but it seems
> harmless for testing.
>

This is probably what you want:
https://github.com/alanxz/SimpleAmqpClient/pull/85. In the future feel free
to open a pull-request against the library on github. The error you were
seeing with boost::make_shared most likely had to do its limit of 10
arguments.

>
>
> If I look at the rabbitmq-c code, I see that the C client library and API
> only seems to support the PLAIN SASL method.

That is correct. I'm open to adding support for additional SASL mechanisms
to rabbitmq-c. If the implementation of the SASL mechanism is anything more
than trivial (e.g., PLAIN really is dead-simple), rabbitmq-c should
probably link in a thoroughly tested external library (like cyrus-SASL).
Given use of these alternate SASL mechanisms appears to be very low, any
external library dependancies should remain optional. I can provide some
other hints to get started adding this to rabbitmq-c if you so desire.

>  Any pointers to docs on the EXTERNAL mechanism (at least WRT SSL client
> auth) or existing code would be greatly appreciated.
>

The RFC for SASL includes a pretty good description of how the SASL
EXTERNAL method should operate:
http://tools.ietf.org/html/rfc4422#appendix-A (it actually looks pretty
simple to implement).

-Alan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20140330/00673981/attachment.html>