At least the formulation "It does not support client authentication with SSL" is no longer valid and shall be updated. Connection options 'ssl_certfile' and 'ssl_key' needs to be documented.

(see http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2.0/html/Messaging_User_Guide/sect-Messaging_User_Guide-Security-Encryption_using_SSL.html, "Enabling SSL in clients").

I've incorrectly placed 2.3.x release flag for this bug, my apologies, changing to 2.3.0.

https://issues.apache.org/jira/browse/QPID-3175

I believe that the bug 895602 shall be solved together with this bug. Maybe It will be sufficient to describe the python ssl client limitations at the place where the feature is described and don't create a release note. 

Please feel free to decide the right place where to describe the bug 895602.

Ken, please provide a summary of the current limitations (or reference another doc if you already have it).

This is what I remember hitting when I tested the python ssl implementation:

The QPID Python client accepts the following three SSL-related configuration parameters:

ssl_certfile - the path to a file that contains the PEM-formatted certificate used to identify the local side of the connection (the client).  This is needed if the server requires client-side authentication.

ssl_keyfile - In some cases the client's private key is stored in the same file as the certificate (i.e. ssl_certfile).  If the ssl_certfile does not contain the client's private key, this parameter must be set to the path to a file containing the private key in PEM file format.

ssl_trustfile - This parameter contains a path to a PEM-formatted file containing a chain of trusted Certificate Authority (CA) certificates.  These certificates are used to authenticat the remote server.

These parameters are passed as arguments to the qpid.Connection() object when it is constructed.  E.g.:

Connection( "127.0.0.1:5672", ssl_certfile="/path/to/certfile", ssl_keyfile="/path/to/keyfile", ssl_trustfile="/path/to/trustfile")

Known limitations:

On RHEL5, server authentication is not supported. Therefore, the ssl_trustfile parameter is ignored by the client.  The ssl_certfile/ssl_keyfile parameters are supported.

On RHEL6, all three parameters are supported.

On both platforms:

When using client authentication, if the certificate or keyfile is encrypted, the python client will prompt for the encryption password via stdout.  This causes the client to pause waiting for user input.

(In reply to comment #5)
> Known limitations:
> 

For additional known limitations identified by QE, please see bug 895602:

bug 885167 - missing ssl server's certificate validation on client side

Maybe this can be forced by passing the brokers public key as ssl_trustfile connection argument on rhel6, I'll recheck. Anyway by default this check is ignored (you don't even need to pass the argument to the Connection object and it still works), also there is no way how to pass the ssl_trustfile to qpid-tools.

bug 885173 - missing validation of connection hostname against server's certificate CN

bug 895535 - Unable to provide the client's private key separately from the client's certificate

bug 895539 - Client's identity is not taken from the SSL certificate (when EXTERNAL sasl mechanism is used)

(In reply to comment #6)
> (In reply to comment #5)
> > Known limitations:
> > 
> 
> For additional known limitations identified by QE, please see bug 895602:
> 
> bug 885167 - missing ssl server's certificate validation on client side
> 
> Maybe this can be forced by passing the brokers public key as ssl_trustfile
> connection argument on rhel6, I'll recheck. 

Setting the 'ssl_trustfile' connection option probably do not take any effect even on rhel6. Please see bug 885167, comment 4 for details.

Please also refer to 'Exporting a Certificate from NSS into PEM Format' section of Appendix B in the python section of paragraph "8.2.4. Enable SSL on the Clients"

please see Bug 846302, comment 7 for more details.

Moved Python Client SSL information to its own section:

http://deathstar1.usersys.redhat.com/MCIG/index.html#Enable_SSL_in_Python_Clients

(I am having trouble with brew at the moment, so please check it out this URL)

Hi Joshua, the documentation seems to be correct, I have only minor suggestions:

1.) I would only recommend to install the package, however the intern python implementation of ssl on rhel5 may offer weaker functionality in some cases, I actually didn't notice any lack of ssl functionality when the package was not installed. 

- To connect over SSL using the Python client on Red Hat Enterprise Linux 5, install the python-ssl package from the Extra Packages for Enterprise Linux (EPEL) repository.
+ For proper SSL functionality on Red Hat Enterprise Linux 5, it is recommended to install the python-ssl package from the Extra Packages for Enterprise Linux  (EPEL) repository.

2.) I would propose to not name the caveats in "MRG 2.0 - 2.2" because all of them listed bellow in "MRG 2.3" applies here as well. It is sufficient to mention the lack of client authentication support which was added in 2.3

- In MRG versions up to 2.2 the Python client has limitations with respect to SSL. It does not support client authentication with SSL, and does not validate the connection hostname against the server certificate hostname.
+ In MRG versions up to 2.2 the Python client has serious limitations with respect to SSL. Among other functionality it does not support client authentication with SSL.

3.) Following section is general for python client ssl support and valid across all the versions, so it shall be moved above the "MRG 2.0 - 2.2" title

<start>
- To use SSL with the Python client in MRG 2.2 either:
+ To use SSL with the Python client:

   1.Use a URL of the form amqps://<host>:<port>, where host is the brokers hostname and port is the SSL port (usually 5671), or
   2.Set the 'transport' attribute of the connection to "ssl". 
<end>

^^ move above "MRG 2.0 - 2.2" title

4. to be more precise:

-    *The client's identity is not read from the client's certificate. You must provide the client name in the connection string. 
+    *When using EXTERNAL sasl mechanism for authentication, the client's identity is not read from the client's certificate. You must provide the client name in the connection.

5.) As this is already stated in the ssl_certificate option description above, I suggest to remove this sentence:

- When SSL is enabled on the broker and the client's authentication is required, the clients require a client certificate to establish a secure connection.

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html/Messaging_Installation_and_Configuration_Guide/Enable_SSL_in_Python_Clients.html

I noticed one more issue here, my apologise to not mention it earlier in the previous comment:

1.) 5672 is a common TCP port, as we are talking about ssl here I would recommend to change the port to 5671 and specify amqps protocol in the URL to make the example more obvious:
 
- Connection("client.0.1:5672", ssl_certfile="/path/to/certfile", ssl_keyfile="/path/to/keyfile")
+ Connection("amqps://client.0.1:5671", ssl_certfile="/path/to/certfile", ssl_keyfile="/path/to/keyfile")


2.) There is one more minor objection from my side. As already written in the point 2 of comment 10, the python has more limitations than just "connection hostname against the server certificate hostname validation", therefore I would propose to not list the one simple limitations here. Alternatively use the one named limitation only as an example: 

- The Python client has some limitations in SSL functionality. It does not validate the connection hostname against the server certificate hostname. In MRG versions up to 2.2 it does not support client authentication with SSL. 

EITHER
+ The Python client has some limitations in SSL functionality. In MRG versions up to 2.2 it does not support client authentication with SSL. 
OR
+ The Python client has some limitations in SSL functionality (ie: It does not validate the connection hostname against the server certificate hostname, etc..). In MRG versions up to 2.2 it does not support client authentication with SSL. 

Moreover the information is redundant because:
( It does not validate the connection hostname against the server certificate hostname  ==  The server's SSL certificate is not matched against the connection hostname. (listed below in the 2.3 caveats) ) 

Anyway this is only minor issue and I will push to VERIFIED even if the content remains the same.

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html/Messaging_Installation_and_Configuration_Guide/Enable_SSL_in_Python_Clients.html

I approve the content.

Version used for verification:
Messaging Installation and Configuration Guide (Revision 1.0.0-49)

-> VERIFIED

*** Bug 895602 has been marked as a duplicate of this bug. ***

Docs published on https://access.redhat.com/knowledge/docs/Red_Hat_Enterprise_MRG/