Description of problem:
According to documentation (MRG/M ICG), when the EXTERNAL SASL mechanism is used for authentication, the client's identity is taken from the validated SSL certificate (using the CN, and appending any DCs to create the domain).

This is valid for the C++ client, i.e.:
# qpid-perftest -b dhcp-37-228.lab.eng.brq.redhat.com --log-enable=info+ --count 100 -s --mechanism EXTERNAL

The client's identity is NOT taken from the SSL certificate when the Python client is used:
# qpid-stat -b amqps://$(hostname):5671 -q --ssl-certificate=/var/lib/qpidd/qpid_nss_db/client.pem --sasl-mechanism EXTERNAL
Failed: AuthenticationFailure - Error in sasl_client_start (-4) SASL(-4): no mechanism available:

To get this working, the user has to provide the client's identity manually, i.e.:
qpid-stat -b amqps://client@$(hostname):5671 -q --ssl-certificate=/var/lib/qpidd/qpid_nss_db/client.pem --sasl-mechanism EXTERNAL

Version-Release number of selected component (if applicable):
python-qpid-0.18-4.el5
qpid-tools-0.18-7.el5

How reproducible:
100%

Steps to Reproduce:
1. Set up an SSL broker requiring client authentication
2. Use the EXTERNAL SASL mechanism to connect to the broker with the Python client
3. AuthenticationFailure
4. Provide the client's identity in the broker URL string
5. Success

Actual results:
Client's identity is not taken from the SSL certificate when the EXTERNAL SASL mechanism is used for authentication

Expected results:
Client's identity is taken from the SSL certificate when the EXTERNAL SASL mechanism is used for authentication
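
The identity rule quoted from the documentation above (the CN, with any DCs appended to form the domain), sketched as an added example that is not part of the original report and is not Qpid's code. The `@` and `.` separators, joining the DCs in the order they appear in the subject, the function names and the sample subjects are all assumptions made for illustration.

```python
def split_rdns(subject):
    """Split a subject DN string on unescaped ',' and '+' separators.

    Backslash-escaped characters are kept literally; hex escapes such as
    '\\2C' are not decoded in this sketch.
    """
    parts, cur, i = [], [], 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):
            cur.append(subject[i + 1])  # escaped char is part of the value
            i += 2
            continue
        if ch in ",+":                  # RDN or multi-valued RDN boundary
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def external_identity(subject):
    """Return the identity expected for SASL EXTERNAL, or None without a CN.

    Assumption: identity is CN, then '@' and the DC values joined with '.'
    in the order they appear in the subject string.
    """
    cn, dcs = None, []
    for rdn in split_rdns(subject):
        key, _, value = rdn.partition("=")
        key, value = key.strip().upper(), value.strip()
        if key == "CN" and cn is None:
            cn = value
        elif key == "DC":
            dcs.append(value)
    if not cn:
        return None                     # nothing to authenticate as
    return cn + "@" + ".".join(dcs) if dcs else cn


if __name__ == "__main__":
    # Constructed sample subjects, not taken from the report.
    for s in ("CN=client", "CN=client,DC=example,DC=com", "O=NoName,DC=example"):
        print(s, "->", external_identity(s))
```

Comparing this value with the user part that had to be typed into the broker URL shows which identity the broker expected the client to present.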