Bug 895539

Summary: Client's identity shall be taken from the SSL certificate when EXTERNAL sasl mechanism is used
Product: Red Hat Enterprise MRG
Reporter: Petr Matousek <pematous>
Component: python-qpid
Assignee: Ken Giusti <kgiusti>
Status: NEW
QA Contact: MRG Quality Engineering <mrgqe-bugs>
Severity: unspecified
Priority: low
Version: Development
CC: jross, kgiusti, zkraus
Doc Type: Bug Fix
Type: Bug

Description Petr Matousek 2013-01-15 13:41:57 UTC
Description of problem:

According to the documentation (MRG/M ICG), when the EXTERNAL SASL mechanism is used for authentication, the client's identity is taken from the validated SSL certificate (using the CN, and appending any DCs to create the domain).

This is valid for the C++ client, i.e.:
# qpid-perftest -b dhcp-37-228.lab.eng.brq.redhat.com --log-enable=info+ --count 100 -s --mechanism EXTERNAL

The client's identity is NOT taken from the SSL certificate when the Python client is used:
# qpid-stat -b amqps://$(hostname):5671 -q --ssl-certificate=/var/lib/qpidd/qpid_nss_db/client.pem --sasl-mechanism EXTERNAL
Failed: AuthenticationFailure - Error in sasl_client_start (-4) SASL(-4): no mechanism available: 

To get this working, the user has to provide the client's identity manually, i.e.:
qpid-stat -b amqps://client@$(hostname):5671 -q --ssl-certificate=/var/lib/qpidd/qpid_nss_db/client.pem --sasl-mechanism EXTERNAL

Version-Release number of selected component (if applicable):
python-qpid-0.18-4.el5
qpid-tools-0.18-7.el5

How reproducible:
100%

Steps to Reproduce:
1. Set up an SSL broker requiring client authentication
2. Use the EXTERNAL SASL mechanism to connect to the broker with the Python client
3. AuthenticationFailure
4. Provide client's identity in the broker url string
5. Success
  
Actual results:
Client's identity is not taken from the SSL certificate when EXTERNAL sasl mechanism is used for authentication

Expected results:
Client's identity is taken from the SSL certificate when EXTERNAL sasl mechanism is used for authentication
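
The expected behaviour described in this report, as an added Python sketch that is not part of the report and is not python-qpid's code: derive the EXTERNAL identity from the certificate subject when the broker URL carries no user name. The function names, the `CN@dc1.dc2` output form, and the assumption that the subject arrives as an RFC 4514 string (most specific component first) are all assumptions of this example.

```python
from urllib.parse import urlsplit


def parse_subject(subject):
    """Split an RFC 4514 subject string into (type, value) pairs.

    Backslash-escaped characters (e.g. "\\,") are kept as literal text;
    hex escapes such as "\\2C" are not decoded in this sketch.
    """
    pairs, buf, escaped = [], [], False
    for ch in subject + ",":          # trailing comma flushes the last RDN
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":              # RDN separator or multi-valued RDN
            attr, sep, value = "".join(buf).partition("=")
            if sep:
                pairs.append((attr.strip().upper(), value.strip()))
            buf = []
        else:
            buf.append(ch)
    return pairs


def identity_from_subject(subject):
    """Build the identity from the CN, appending any DCs as the domain."""
    pairs = parse_subject(subject)
    cns = [v for t, v in pairs if t == "CN"]
    if not cns:
        raise ValueError("certificate subject has no CN")
    dcs = [v for t, v in pairs if t == "DC"]
    # Assumed output form: "cn" or "cn@dc1.dc2"
    return cns[0] + ("@" + ".".join(dcs) if dcs else "")


def external_identity(broker_url, subject):
    """Identity to present for EXTERNAL: the URL user if one was given,
    otherwise the identity derived from the client certificate subject."""
    user = urlsplit(broker_url).username
    return user if user else identity_from_subject(subject)


if __name__ == "__main__":
    # Constructed sample values, not taken from the report.
    url = "amqps://broker.example.test:5671"
    print(external_identity(url, "CN=client,DC=example,DC=test"))
```

The subject passed in should come from the certificate after the TLS layer has validated it; a subject string from any other source carries no authentication value.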