Bug 895539 - Client's identity shall be taken from the SSL certificate when EXTERNAL sasl mechanism is used
Status: NEW
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: python-qpid
Version: Development
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: unspecified
Assignee: Ken Giusti
QA Contact: MRG Quality Engineering
Reported: 2013-01-15 13:41 UTC by Petr Matousek
Modified: 2024-01-19 19:11 UTC (History)

Doc Type: Bug Fix

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 782806 | 0 | medium | CLOSED | [RFE] Python qpid client ssl support | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 895602 | 0 | unspecified | CLOSED | Document python client SSL limitations | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 1039109 | 0 | medium | NEW | Different authentication behavior of python client when EXTERNAL mechanisms is used | 2024-01-19 19:11:01 UTC

Internal Links: 782806 895602 1039109

Description Petr Matousek 2013-01-15 13:41:57 UTC
Description of problem:

According to the documentation (MRG/M ICG), when the EXTERNAL SASL mechanism is used for authentication, the client's identity is taken from the validated SSL certificate (using the CN, and appending any DCs to create the domain).

This is valid for the C++ client, i.e.:
# qpid-perftest -b dhcp-37-228.lab.eng.brq.redhat.com --log-enable=info+ --count 100 -s --mechanism EXTERNAL

The client's identity is NOT taken from the SSL certificate when the Python client is used:
# qpid-stat -b amqps://$(hostname):5671 -q --ssl-certificate=/var/lib/qpidd/qpid_nss_db/client.pem --sasl-mechanism EXTERNAL
Failed: AuthenticationFailure - Error in sasl_client_start (-4) SASL(-4): no mechanism available: 

To get this working, the user has to provide the client's identity manually, i.e.:
qpid-stat -b amqps://client@$(hostname):5671 -q --ssl-certificate=/var/lib/qpidd/qpid_nss_db/client.pem --sasl-mechanism EXTERNAL

Version-Release number of selected component (if applicable):
python-qpid-0.18-4.el5
qpid-tools-0.18-7.el5

How reproducible:
100%

Steps to Reproduce:
1. Set up an SSL broker requiring client authentication
2. Use the EXTERNAL SASL mechanism to connect to the broker with the Python client
3. AuthenticationFailure
4. Provide client's identity in the broker url string
5. Success
  
Actual results:
Client's identity is not taken from the SSL certificate when the EXTERNAL SASL mechanism is used for authentication

Expected results:
Client's identity is taken from the SSL certificate when the EXTERNAL SASL mechanism is used for authentication
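
Added example (not part of the report and not python-qpid code): a sketch of the identity derivation the report quotes from the documentation, plus a check that the identity typed into the broker URL in the workaround agrees with the certificate. The function names, the `cn@dc1.dc2` layout, the order in which DCs are joined, and the sample subjects and host name are assumptions; the subject uses the tuple layout of Python's `ssl.SSLSocket.getpeercert()["subject"]`.

```python
from urllib.parse import urlsplit

# Constructed sample subjects, in the tuple layout that Python's
# ssl.SSLSocket.getpeercert()["subject"] returns.
SUBJECT_PLAIN = ((("commonName", "client"),),)
SUBJECT_WITH_DCS = (
    (("domainComponent", "example"),),
    (("domainComponent", "test"),),
    (("commonName", "client"),),
)


def identity_from_subject(subject):
    """Build the EXTERNAL identity: the CN, then '@' plus the DCs if any.

    Assumption: DCs are joined with '.' in the order they appear in `subject`.
    """
    cn = None
    dcs = []
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName" and cn is None:
                cn = value
            elif key == "domainComponent":
                dcs.append(value)
    if not cn:
        raise ValueError("subject has no CN, so no identity can be derived")
    if dcs:
        return cn + "@" + ".".join(dcs)
    return cn


def url_identity_matches(broker_url, subject):
    """True when the user part of the broker URL equals the certificate identity."""
    return urlsplit(broker_url).username == identity_from_subject(subject)


if __name__ == "__main__":
    url = "amqps://client@broker.example.test:5671"  # constructed host name
    print(identity_from_subject(SUBJECT_PLAIN))
    print(identity_from_subject(SUBJECT_WITH_DCS))
    print(url_identity_matches(url, SUBJECT_PLAIN))
```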

