rabbitmq-c and SimpleAmqpClient SSL authentication


rabbitmq-c and SimpleAmqpClient SSL authentication

Dushin Fred
Hi Folks,

I have run into two issues with the (admittedly unsupported) rabbitmq-c and SimpleAmqpClient libraries.  (I realize I am hijacking the RabbitMQ mailing list for this topic, but I am guessing the Pivotal folks don't mind, because this should result in an improvement of the overall RabbitMQ ecosystem.)

The first issue is with the SimpleAmqpClient library.  It appears that there is no knob in the Channel::CreateSecureChannel operation to disable hostname verification of the RabbitMQ server.  There is a knob in the rabbitmq-c API (amqp_ssl_socket_set_verify), but you need a socket to call it, and the only reasonable place to do that is in the Channel constructor.  I am including a patch off the github 2.3 tag for doing just that, though for some reason I did not track down, I could not get boost::make_shared to take my new constructor signature, so I just used the shared_ptr constructor in the raw.  That may not fit the current model, but it seems harmless for testing.

> Note.  The reason we should allow disabling hostname verification is that there are tightly constrained deployments in which it is unreasonable to expect the RabbitMQ server certificate to correspond with the hostname of the machine on which the server is deployed.  Besides, I would argue that hostname verification is really targeted at e-commerce scenarios -- if you look at the history, it really came out of HTTP, where users needed some mechanism over the relatively weak trust model implemented in Web Browsers.  (Who ever takes the time to scour their operating system's trust store, anyway?)

The second issue has to do with client certificate authentication and the use of the EXTERNAL authentication mechanism.  I have been unable to get my C++ clients to authenticate and authorize using the rabbitmq-auth-mechanism-ssl plugin to a RabbitMQ server which is configured to support the EXTERNAL authentication mechanism.  (I can get an Erlang client to authorize to the same server and using the same client certificates, so I am confident it is not a server-side configuration issue.)

If I look at the rabbitmq-c code, I see that the C client library and API only seem to support the PLAIN SASL method.  For example, see the sasl_response definition at [1].

I would assume we'd need to add something similar, in order to support the EXTERNAL SASL mechanism.  (It looks to be supported in the Java APIs, as well, looking at the Javadoc [2]).  If so, would I need to start here to nail down the command protocol for EXTERNAL?  (I am guessing reverse engineering one of the supported client libraries would be the way forward here.)  Any pointers to docs on the EXTERNAL mechanism (at least WRT SSL client auth) or existing code would be greatly appreciated.

Thanks,

-Fred

[1] https://github.com/alanxz/rabbitmq-c/blob/master/librabbitmq/amqp_socket.c
[2] http://www.rabbitmq.com/releases/rabbitmq-java-client/v3.2.4/rabbitmq-java-client-javadoc-3.2.4/com/rabbitmq/client/DefaultSaslConfig.html#EXTERNAL
[3] http://www.rabbitmq.com/amqp-0-9-1-reference.html#class.connection

encl.

_______________________________________________
rabbitmq-discuss mailing list
[hidden email]
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

Attachment: patch.diff (2K)

Re: rabbitmq-c and SimpleAmqpClient SSL authentication

alan.antonuk
Fred;


On Sun, Mar 30, 2014 at 1:29 PM, Dushin Fred <[hidden email]> wrote:
Hi Folks,

I have run into two issues with the (admittedly unsupported) rabbitmq-c and SimpleAmqpClient libraries.  (I realize I am hijacking the RabbitMQ mailing list for this topic, but I am guessing the Pivotal folks don't mind, because this should result in an improvement of the overall RabbitMQ ecosystem.)

Currently this mailing list is the best place to have discussions concerning these two libraries. 

The first issue is with the SimpleAmqpClient library.  It appears that there is no knob in the Channel::CreateSecureChannel operation to disable hostname verification of the RabbitMQ server.  There is a knob in the rabbitmq-c API (amqp_ssl_socket_set_verify), but you need a socket to call it, and the only reasonable place to do that is in the Channel constructor.  I am including a patch off the github 2.3 tag for doing just that, though for some reason I did not track down, I could not get boost::make_shared to take my new constructor signature, so I just used the shared_ptr constructor in the raw.  That may not fit the current model, but it seems harmless for testing.

This is probably what you want: https://github.com/alanxz/SimpleAmqpClient/pull/85. In the future feel free to open a pull-request against the library on github. The error you were seeing with boost::make_shared most likely had to do with its limit of 10 arguments.


If I look at the rabbitmq-c code, I see that the C client library and API only seem to support the PLAIN SASL method.

That is correct. I'm open to adding support for additional SASL mechanisms to rabbitmq-c. If the implementation of the SASL mechanism is anything more than trivial (e.g., PLAIN really is dead-simple), rabbitmq-c should probably link in a thoroughly tested external library (like cyrus-SASL). Given use of these alternate SASL mechanisms appears to be very low, any external library dependencies should remain optional. I can provide some other hints to get started adding this to rabbitmq-c if you so desire.
 
 Any pointers to docs on the EXTERNAL mechanism (at least WRT SSL client auth) or existing code would be greatly appreciated.

The RFC for SASL includes a pretty good description of how the SASL EXTERNAL method should operate: http://tools.ietf.org/html/rfc4422#appendix-A (it actually looks pretty simple to implement).


-Alan


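The PLAIN-versus-EXTERNAL difference Fred asks about and the RFC 4422 Appendix A description Alan points to come down to what the client puts in the connection.start-ok `response` field. The following is an added example written for this thread, not code from rabbitmq-c, SimpleAmqpClient, or either poster. It models the AMQP 0-9-1 exchange in plain C: the broker advertises a space-separated `mechanisms` list in connection.start, the client picks one it was offered and builds the matching response bytes. For PLAIN (RFC 4616) that is `"\0user\0pass"`; for EXTERNAL (RFC 4422 Appendix A) it is the authorization identity, sent here as the empty string so the broker derives the user from the TLS client certificate, which is what rabbitmq-auth-mechanism-ssl does. The function names and the sample mechanisms string are my own constructions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire-format helpers for the AMQP 0-9-1 connection.start /
 * connection.start-ok SASL exchange. Not rabbitmq-c code; names are assumed.
 *
 *   connection.start    mechanisms = "PLAIN AMQPLAIN EXTERNAL"   (space-separated)
 *   connection.start-ok mechanism  = one advertised name
 *                       response   = mechanism-specific bytes:
 *       PLAIN    -> "\0" authcid "\0" passwd          (authzid left empty)
 *       EXTERNAL -> authzid, or "" to let the broker map the TLS client
 *                   certificate to a user
 */

/* True if `want` is a whole token of the space-separated `mechanisms` list.
 * A whole-token match matters: "AMQP" must not match "AMQPLAIN". */
bool sasl_mechanism_offered(const char *mechanisms, const char *want)
{
    size_t wlen = strlen(want);
    const char *p = mechanisms;
    while (*p) {
        while (*p == ' ') p++;                 /* skip separators */
        const char *start = p;
        while (*p && *p != ' ') p++;           /* scan one token */
        if ((size_t)(p - start) == wlen && memcmp(start, want, wlen) == 0)
            return true;
    }
    return false;
}

/* Write the start-ok response for `mechanism` into `out`. Returns the byte
 * count (the PLAIN response embeds NULs, so it is not a C string), or -1 if
 * the mechanism is unsupported or `out` is too small. */
int build_sasl_response(const char *mechanism, const char *user,
                        const char *pass, unsigned char *out, size_t outlen)
{
    if (strcmp(mechanism, "EXTERNAL") == 0) {
        /* Empty authzid: identity comes from the external credential. */
        return 0;
    }
    if (strcmp(mechanism, "PLAIN") == 0) {
        size_t ulen = strlen(user), plen = strlen(pass);
        size_t need = 1 + ulen + 1 + plen;
        if (need > outlen) return -1;
        out[0] = '\0';
        memcpy(out + 1, user, ulen);
        out[1 + ulen] = '\0';
        memcpy(out + 2 + ulen, pass, plen);
        return (int)need;
    }
    return -1;
}

/* Prefer certificate-based EXTERNAL when the broker offers it and fall back
 * to PLAIN only when it does not; NULL if neither is advertised. */
const char *choose_sasl_mechanism(const char *offered)
{
    if (sasl_mechanism_offered(offered, "EXTERNAL")) return "EXTERNAL";
    if (sasl_mechanism_offered(offered, "PLAIN"))    return "PLAIN";
    return NULL;
}

int main(void)
{
    /* Constructed sample of a connection.start mechanisms field from a broker
     * running the ssl auth plugin. */
    const char *start_mechanisms = "PLAIN AMQPLAIN EXTERNAL";
    unsigned char resp[256];
    const char *mech = choose_sasl_mechanism(start_mechanisms);
    int n = build_sasl_response(mech, "guest", "guest", resp, sizeof resp);
    printf("start-ok mechanism=%s response_len=%d\n", mech, n);
    return 0;
}
```

A client that selects a mechanism the broker did not advertise gets the connection closed, so the whole-token check is the part worth getting right; the empty EXTERNAL response is correct only over a TLS socket that actually presented a client certificate.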

Re: rabbitmq-c and SimpleAmqpClient SSL authentication

alan.antonuk
I haven't tried it out yet, but here's a PR adding the EXTERNAL SASL mechanism to rabbitmq-c.


Feel free to try it out and let me know how it works.

-Alan


Re: rabbitmq-c and SimpleAmqpClient SSL authentication

Dushin Fred
In reply to this post by alan.antonuk

On Mar 30, 2014, at 8:46 PM, Alan Antonuk <[hidden email]> wrote:

This is probably what you want: https://github.com/alanxz/SimpleAmqpClient/pull/85. In the future feel free to open a pull-request against the library on github. The error you were seeing with boost::make_shared most likely had to do with its limit of 10 arguments.

Looks good to me.  Let me run it through some testing.

-Fred


Re: rabbitmq-c and SimpleAmqpClient SSL authentication

Dushin Fred
In reply to this post by alan.antonuk
And I suppose we would want to plumb this through as a parameter to the SimpleAmqpClient API, as well, no?  I can try that.

-Fred


Re: rabbitmq-c and SimpleAmqpClient SSL authentication

alan.antonuk
Yes, that should be done at some point. Feel free to open a PR on SimpleAmqpClient when you've got something.

-Alan
