[rabbitmq-discuss] rabbitmq-auth-mechanism-ssl plugin, TCP, SASL EXTERNAL

Warren Smith wsmith at tacc.utexas.edu
Thu Feb 10 23:45:44 GMT 2011


To make a long story short: Should RabbitMQ be offering SASL EXTERNAL when the client connects using TCP (without SSL)? Or is it doing this because I've made a configuration mistake?


I've been trying out the new rabbitmq-auth-mechanism-ssl plugin in RabbitMQ 2.3.1 (with erlang R14B01). I seem to have it working ok - clients connecting over SSL present a certificate and the CN is used as the RabbitMQ username.

When I use the RabbitMQ 2.3.1 Java client with just TCP and the default user/pass, it doesn't work out of the box. I get an exception:

Exception in thread "main" com.rabbitmq.client.PossibleAuthenticationFailureException: Possibly caused by authentication failure
                at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:289)

The error in the rabbitmq log is:

=ERROR REPORT==== 10-Feb-2011::15:02:27 ===
exception on TCP connection <0.209.0> from xxx.xxx.xxx.xxx:33669
{channel0_error,starting,
                {amqp_error,access_refused,
                            "EXTERNAL login refused: not SSL connection",
                            'connection.start_ok'}}

The rabbitmq.config has:

  [
    {rabbit, [
      {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
      {ssl_listeners, [{"0.0.0.0",5671}]},
      {ssl_options, [{cacertfile,".../cacert.pem"},
                     {certfile,".../cert.pem"},
                     {keyfile,".../key.pem"},
                     {verify,verify_peer},
                     {fail_if_no_peer_cert,true}]}
    ]}
  ].

I believe I need the 'EXTERNAL' so that the rabbitmq-auth-mechanism-ssl plugin gets used. However, that plugin won't work with a TCP connection and the Java client tries to use EXTERNAL, causing the error. I worked around this when using the Java client by creating a class that implements SaslConfig that only specifies PLAIN and setSaslConfig() to this on the ConnectionFactory.

It seems like RabbitMQ shouldn't be offering EXTERNAL in this situation when the available EXTERNAL mechanism doesn't work with TCP, but I'm not sure if it is doing this because that is how RabbitMQ works or because I made a mistake in my configuration...

Thanks,


Warren
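
The workaround described in the message above, as an added example that is not part of the original post and not the poster's code. It goes one step further than a PLAIN-only class by selecting EXTERNAL only when the connection is TLS with a client certificate. It is written against the SaslConfig and SaslMechanism interfaces of current RabbitMQ Java client releases, which may differ from 2.3.1; the class name TransportAwareSaslConfig and the tlsWithClientCert flag are hypothetical.

```java
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DefaultSaslConfig;
import com.rabbitmq.client.SaslConfig;
import com.rabbitmq.client.SaslMechanism;
import java.util.Arrays;

/** Hypothetical helper: picks a SASL mechanism that matches the transport. */
public class TransportAwareSaslConfig implements SaslConfig {
    // Assumption: the caller knows whether this factory connects over TLS
    // and presents a client certificate.
    private final boolean tlsWithClientCert;

    public TransportAwareSaslConfig(boolean tlsWithClientCert) {
        this.tlsWithClientCert = tlsWithClientCert;
    }

    @Override
    public SaslMechanism getSaslMechanism(String[] offered) {
        boolean externalOffered = Arrays.asList(offered).contains("EXTERNAL");
        // EXTERNAL takes the identity from the TLS peer certificate, so it is
        // only usable when this connection actually presents one.
        if (tlsWithClientCert && externalOffered) {
            return DefaultSaslConfig.EXTERNAL.getSaslMechanism(offered);
        }
        // On plain TCP, ignore EXTERNAL even though the broker advertises it
        // and delegate to the client's built-in PLAIN configuration.
        return DefaultSaslConfig.PLAIN.getSaslMechanism(offered);
    }

    public static void main(String[] args) {
        // Constructed sample: the auth_mechanisms list from the
        // rabbitmq.config above, as offered to a client on the TCP listener.
        String[] offered = {"PLAIN", "AMQPLAIN", "EXTERNAL"};

        ConnectionFactory tcp = new ConnectionFactory();
        tcp.setSaslConfig(new TransportAwareSaslConfig(false));
        System.out.println("TCP: "
            + tcp.getSaslConfig().getSaslMechanism(offered).getName());

        // The TLS factory would also need an SSLContext holding the client
        // key and certificate; only mechanism selection is exercised here.
        ConnectionFactory tls = new ConnectionFactory();
        tls.setSaslConfig(new TransportAwareSaslConfig(true));
        System.out.println("TLS: "
            + tls.getSaslConfig().getSaslMechanism(offered).getName());
    }
}
```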