[ 
https://issues.apache.org/jira/browse/DISPATCH-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mike Dolding updated DISPATCH-2362:
-----------------------------------
    Description: 
I have deployed Qpid Dispatch 1.19.0 and have successfully configured an SSL 
profile where my Proton-j2 client (1.0.0-M22) is authenticated using the 
EXTERNAL SASL mechanism so that the Common Name in the client certificate must 
match the userId of the AMQP message and be a user in the vhost group. So I 
have a listener like this:
{code}
listener {
    port: 5671
    role: normal
    authenticatePeer: true
    saslMechanisms: EXTERNAL
    sslProfile: mesh-clients
    requireSsl: true
}
{code}
and sslProfile like this:
{code}
sslProfile {
    name: mesh-clients
    certFile: /vault/secrets/oi-amqp-mesh-certs-external.crt
    privateKeyFile: /vault/secrets/oi-amqp-mesh-certs-external.key
    caCertFile: /vault/secrets/client.crt
    uidFormat: n
}
{code}
and vhost of the form:
{code}
vhost {
    hostname: myhost.com
    maxConnections: 10000
    maxMessageSize: 500000
    maxConnectionsPerUser: 100
    maxConnectionsPerHost: 100
    groups: {
        "$myGroup": {
            "users": "MyCommonName",
            "remoteHosts": "*",
            "sources": "",
            "targets": "MyQueue",
            "allowAnonymousSender": "true",
            "allowDynamicSource": "true"
        }
    }
}
{code}
So far everything works fine.

However I now wish to expose the service through a proxy using websockets. To 
this end I have amended the config to add a second identical listener but with 
http: true, knowing that the websockets parameter will then default to true. 
{code}
listener {
    port: 8080
    role: normal
    http: true
    authenticatePeer: true
    saslMechanisms: EXTERNAL
    sslProfile: mesh-clients
    requireSsl: true
}
{code}
In the Proton-j2 client I similarly enable websockets:
{code:java}
options.transportOptions().useWebSockets(true);  {code}
When I try to send messages over websockets on port 8080 the Proton client says 
that Qpid Dispatch did not offer any SASL mechanisms:
{code:java}
Caused by: javax.security.sasl.SaslException:
Could not find a suitable SASL Mechanism. No supported mechanism, or none
usable with the available credentials. Server offered: []* at
org.apache.qpid.protonj2.engine.sasl.client.SaslAuthenticator.handleSaslMechanisms(SaslAuthenticator.java:97)
 {code}
The Qpid Dispatch logs show that it has upgraded from HTTP to AMQPWS but the 
connection was then aborted:
{code:java}
2024-12-02 15:07:46.141919 +0000 SERVER (debug) [187] upgraded HTTP connection 
from 127.0.0.1 to AMQPWS
2024-12-02 15:07:46.142165 +0000 SERVER (trace) [C187] Configuring SSL on :8080
2024-12-02 15:07:46.154025 +0000 SERVER (info) [C187] Accepted connection to 
:8080 from 127.0.0.1
2024-12-02 15:07:46.361440 +0000 SERVER (info) [C187] Connection from
127.0.0.1 (to :8080) failed: amqp:connection:framing-error connection
aborted{code}
 


> Client EXTERNAL authentication fails when websockets enabled with Proton-j2 
> client
> ----------------------------------------------------------------------------------
>
>                 Key: DISPATCH-2362
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-2362
>             Project: Qpid Dispatch
>          Issue Type: Bug
>    Affects Versions: 1.19.0
>         Environment: * Qpid Dispatch 1.19.0 
>  * Proton-j2 client (1.0.0-M22)
>            Reporter: Mike Dolding
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

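An added example, not code from the Qpid Dispatch project or from the report: a small offline linter in Python that parses the `entity { key: value }` configuration format shown in the report and checks the settings the EXTERNAL authentication path relies on (a listener with authenticatePeer must name SASL mechanisms; an EXTERNAL listener must reference an sslProfile carrying caCertFile, since that is the CA the router verifies client certificates against; http: true turns on AMQP over WebSocket by default, as the report notes). Assumptions: the grammar is simplified to one `key: value` per line with the vhost `groups` map as JSON; the caCertFile rule is this example's reading of the router's behaviour, consistent with the profile in the report; the `WEAK_CONFIG` snippet and its `/etc/qpid-dispatch/...` paths are constructed for illustration. The linter does not diagnose the reported WebSocket failure; it only surfaces the settings a reviewer would want to confirm before exposing such a listener through a proxy.

```python
"""Offline lint for qdrouterd-style config (added example; not Qpid Dispatch code)."""
import json

# Constructed from the report's WebSocket listener, sslProfile and vhost.
SAMPLE_CONFIG = """
listener {
    port: 8080
    http: true
    authenticatePeer: true
    saslMechanisms: EXTERNAL
    sslProfile: mesh-clients
    requireSsl: true
}
sslProfile {
    name: mesh-clients
    certFile: /vault/secrets/oi-amqp-mesh-certs-external.crt
    privateKeyFile: /vault/secrets/oi-amqp-mesh-certs-external.key
    caCertFile: /vault/secrets/client.crt
    uidFormat: n
}
vhost {
    hostname: myhost.com
    groups: {
        "$myGroup": { "users": "MyCommonName", "remoteHosts": "*", "targets": "MyQueue" }
    }
}
"""

# Constructed weak variant (hypothetical paths): EXTERNAL requested, but no caCertFile to verify clients.
WEAK_CONFIG = """
listener {
    port: 8080
    http: true
    authenticatePeer: true
    saslMechanisms: EXTERNAL
    sslProfile: no-ca
    requireSsl: true
}
sslProfile {
    name: no-ca
    certFile: /etc/qpid-dispatch/server.crt
    privateKeyFile: /etc/qpid-dispatch/server.key
}
"""

def parse_config(text):
    """Return [(entity_type, attrs)]; a value opening with `{` is read until braces balance and JSON-decoded."""
    entities, lines, k = [], text.splitlines(), 0
    while k < len(lines):
        head = lines[k].strip()
        k += 1
        if not head.endswith('{'):
            continue                       # blank line or text between entities
        etype, attrs = head[:-1].strip(), {}
        while (line := lines[k].strip()) != '}':
            k += 1
            if not line or line.startswith('#'):
                continue
            key, _, value = (s.strip() for s in line.partition(':'))
            if value.startswith('{'):      # nested map (vhost groups): collect until braces balance
                depth, chunk = value.count('{') - value.count('}'), [value]
                while depth > 0:
                    chunk.append(lines[k])
                    depth += lines[k].count('{') - lines[k].count('}')
                    k += 1
                value = json.loads('\n'.join(chunk))
            attrs[key] = value
        k += 1                             # consume the entity's closing brace
        entities.append((etype, attrs))
    return entities

def truthy(attrs, key):
    return str(attrs.get(key, 'false')).lower() in ('true', 'yes')

def lint(entities):
    """Return (severity, message) findings about the identity-related settings."""
    out = []
    profiles = {a.get('name'): a for t, a in entities if t == 'sslProfile'}
    for t, a in entities:
        if t == 'listener':
            where = f"listener :{a.get('port', '?')}"
            mechs = set(a.get('saslMechanisms', '').upper().split())   # space-separated list
            prof = profiles.get(a.get('sslProfile'))
            if truthy(a, 'authenticatePeer') and not mechs:
                out.append(('error', f'{where}: authenticatePeer set but no saslMechanisms'))
            if truthy(a, 'http') and 'websockets' not in a:
                out.append(('info', f'{where}: http: true turns on AMQP over WebSocket by default'))
            if 'EXTERNAL' in mechs and (prof is None or not prof.get('caCertFile')):
                out.append(('error', f'{where}: EXTERNAL needs an sslProfile with caCertFile to verify client certs'))
        elif t == 'vhost':
            for gname, g in a.get('groups', {}).items():
                if g.get('remoteHosts') == '*':
                    out.append(('info', f"vhost {a.get('hostname')} group {gname}: users {g.get('users')} allowed from any remoteHost"))
    return out

if __name__ == '__main__':
    for cfg in (SAMPLE_CONFIG, WEAK_CONFIG):
        for sev, msg in lint(parse_config(cfg)):
            print(f'[{sev}] {msg}')
```

Run it against a real qdrouterd.conf by reading the file into `parse_config`; the report's own configuration produces only informational findings, while the constructed profile without caCertFile is reported as an error.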