<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>To make a long story short: Should RabbitMQ be offering SASL EXTERNAL when the client connects using TCP (without SSL)? Or is it doing this because I’ve made a configuration mistake?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’ve been trying out the new rabbitmq-auth-mechanism-ssl plugin in RabbitMQ 2.3.1 (with Erlang R14B01). I seem to have it working ok – clients connecting over SSL present a certificate and the CN is used as the RabbitMQ username.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>When I use the RabbitMQ 2.3.1 Java client with just TCP and the default user/pass, it doesn’t work out of the box. I get an exception:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Exception in thread "main" com.rabbitmq.client.PossibleAuthenticationFailureException: Possibly caused by authentication failure<o:p></o:p></p><p class=MsoNormal> at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:289)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The error in the rabbitmq log is:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>=ERROR REPORT==== 10-Feb-2011::15:02:27 ===<o:p></o:p></p><p class=MsoNormal>exception on TCP connection &lt;0.209.0&gt; from xxx.xxx.xxx.xxx:33669<o:p></o:p></p><p class=MsoNormal>{channel0_error,starting,<o:p></o:p></p><p class=MsoNormal> {amqp_error,access_refused,<o:p></o:p></p><p class=MsoNormal> "EXTERNAL login refused: not SSL connection",<o:p></o:p></p><p class=MsoNormal> 'connection.start_ok'}}<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The rabbitmq.config has:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> [<o:p></o:p></p><p class=MsoNormal> {rabbit, [<o:p></o:p></p><p class=MsoNormal> 
{auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},<o:p></o:p></p><p class=MsoNormal> {ssl_listeners, [{"0.0.0.0",5671}]},<o:p></o:p></p><p class=MsoNormal> {ssl_options, [{cacertfile,"…/cacert.pem"},<o:p></o:p></p><p class=MsoNormal> {certfile,"…/cert.pem"},<o:p></o:p></p><p class=MsoNormal> {keyfile,"…/key.pem"},<o:p></o:p></p><p class=MsoNormal> {verify,verify_peer},<o:p></o:p></p><p class=MsoNormal> {fail_if_no_peer_cert,true}]}<o:p></o:p></p><p class=MsoNormal> ]}<o:p></o:p></p><p class=MsoNormal> ].<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I believe I need the ‘EXTERNAL’ so that the rabbitmq-auth-mechanism-ssl plugin gets used. However, that plugin won’t work with a TCP connection and the Java client tries to use EXTERNAL, causing the error. I worked around this when using the Java client by creating a class that implements SaslConfig that only specifies PLAIN and setSaslConfig() to this on the ConnectionFactory.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It seems like RabbitMQ shouldn’t be offering EXTERNAL in this situation when the available EXTERNAL mechanism doesn’t work with TCP, but I’m not sure if it is doing this because that is how RabbitMQ works or because I made a mistake in my configuration…<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Warren<o:p></o:p></p></div></body></html>