[rabbitmq-discuss] rabbitmq-c and SimpleAmqpClient SSL authentication

Alan Antonuk alan.antonuk at gmail.com
Mon Mar 31 06:31:31 BST 2014

I haven't tried it out yet, but here's a PR adding the EXTERNAL SASL
mechanism to rabbitmq-c.


Feel free to try it out and let me know how it works.


On Sun, Mar 30, 2014 at 5:46 PM, Alan Antonuk <alan.antonuk at gmail.com>wrote:

> Fred;
> On Sun, Mar 30, 2014 at 1:29 PM, Dushin Fred <fred at dushin.net> wrote:
>> Hi Folks,
>> I have run into two issues with the (admittedly unsupported) rabbitmq-c
>> and SimpleAmqpClient libraries.  (I realize I am hijacking the RabbtiMQ
>> mailing list for this topic, but I am guessing the Pivotal folks don't
>> mind, because this should result in an improvement of the overall RabbitMQ
>> ecosystem.)
> Currently this mailing list is the best place to have discussions
> concerning these two libraries.
>> The first issue is with the SimpleAmqpClient library.  It appears that
>> there is no knob in the Channel::CreateSecureChannel operation to disable
>> hostname verification of the RabbitMQ server.  There is a knob in the
>> rabbitmq-c API (amqp_ssl_socket_set_verify), but you need a socket to call
>> it, and the only reasonable place to do that is in the Channel constructor.
>>  I am including a patch off the github 2.3 tag for doing just that, though
>> for some reason I did not track down, I could not get boost::make_shared
>> take my new constructor signature, so I just used the shared_ptr
>> constructor in the raw.  That may not fit the current model, but it seems
>> harmless for testing.
> This is probably what you want:
> https://github.com/alanxz/SimpleAmqpClient/pull/85. In the future feel
> free to open a pull-request against the library on github. The error you
> were seeing with boost::make_shared most likely had to do its limit of 10
> arguments.
>> If I look at the rabbitmq-c code, I see that the C client library and API
>> only seems to support the PLAIN SASL method.
> That is correct. I'm open to adding support for additional SASL mechanisms
> to rabbitmq-c. If the implementation of the SASL mechanism is anything more
> than trivial (e.g., PLAIN really is dead-simple), rabbitmq-c should
> probably link in a thoroughly tested external library (like cyrus-SASL).
> Given use of these alternate SASL mechanisms appears to be very low, any
> external library dependancies should remain optional. I can provide some
> other hints to get started adding this to rabbitmq-c if you so desire.
>>  Any pointers to docs on the EXTERNAL mechanism (at least WRT SSL client
>> auth) or existing code would be greatly appreciated.
> The RFC for SASL includes a pretty good description of how the SASL
> EXTERNAL method should operate:
> http://tools.ietf.org/html/rfc4422#appendix-A (it actually looks pretty
> simple to implement).
> -Alan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20140330/3824c76b/attachment.html>

More information about the rabbitmq-discuss mailing list