[jira] Created: (QPID-1899) --require-encryption doesn't work unless cyrus sasl authentication is turned on

--require-encryption doesn't work unless cyrus sasl authentication is turned on
-------------------------------------------------------------------------------

                 Key: QPID-1899
                 URL: https://issues.apache.org/jira/browse/QPID-1899
             Project: Qpid
          Issue Type: Bug
          Components: C++ Broker
    Affects Versions: 0.5
            Reporter: Gordon Sim
            Assignee: Gordon Sim
             Fix For: 0.6


If you specify --require-encryption and --auth no then the broker will allow un-encrypted conections. (If on the other hand you have authentication on, it will prevent you connecting with anything other than a mech that supports encryption and will require an encrypting sasl security layer - or of course an ssl connection)

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12752755#action_12752755 ]

Ken Giusti commented on QPID-1899:
----------------------------------

Hi Gordon,

I'm trying to envision what the correct behavior of the broker should be.  Is it simply that the option combination  --auth no with --require-encryption a user error?

thanks,

-K


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12752855#action_12752855 ]

Carl Trieloff commented on QPID-1899:
-------------------------------------


I would fail the start of the broker and log a Critcal -- configuration incompatibility....

Carl..

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12753021#action_12753021 ]

Gordon Sim commented on QPID-1899:
----------------------------------

I think the ideal behaviour would be to reject all plain TCP connections if authentication is turned off (as in that case no security layer is negotiated and therefore no encryption takes place).

I _think_ this could be fixed by a simple (though 'hacky') check before registering the TCP protocol factory (i.e. around line 69 in qpid/sys/TCPIOPlugin.cpp); if the broker options indicate that encryption is required and auth is off don't register the protocol. That would at least 'plug the hole' for now, (and would be very safe as the broker would not even be listening for non-ssl connections).

A 'cleaner' solution be to add a method to qpid::sys::OutputControl through which the various 'protocol' implementations (tcp, rdma, ssl) could indicate whether traffic would be encrypted or not. This could then be used in the SaslAuthenticator impls to (a) determine whether to accept the connection during the AMQP handshake and (b) whether to force a security layer or not.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

     [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ken Giusti updated QPID-1899:
-----------------------------

    Attachment: qpid-1899-hacky.patch

Hi Gordon,

I've tried implementing the hacky/safe approach (see patch).   I tested it against perftest running in the clear with authentication.  When I run the broker with --auth no --require-encryption,  the connection is refused as expected.    However, if I run broker with --auth yes & --require-encryption,  the unencrypted (but authenticated) perftest connection succeeds - is that correct behavior?

In the meantime, I'll try implementing the "cleaner" approach...

thanks,  
-K

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12755429#action_12755429 ]

Gordon Sim commented on QPID-1899:
----------------------------------

Ken,

What authentication mechanism did you use? The intended semantics is that it fails to allow connection over tcp to succeed unless a mechanism supporting encryption is selected and a sufficiently high SSF is used on that. What I see is that with authentication enabled, unencrypted mechanisms such as ANONYMOUS or PLAIN are not included in the list of supported mechanisms and if the client attempts to use them it gets an error. The broker also logs an error of the form: 'mech ANONYMOUS is too weak'. Are you seeing something different?

--Gordon.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12755521#action_12755521 ]

Ken Giusti commented on QPID-1899:
----------------------------------

Hi Gordon,

I've setup a local kerberos server and am using GSSAPI.  I've also created my own certificate.      I run qpidd in the foreground as so:

[kgiusti@localhost cpp]$ ./src/qpidd --auth yes --realm EXAMPLE.COM --require-encryption --transport ssl --no-data-dir --no-module-dir --load-module ./src/.libs/ssl.so --ssl-cert-db /home/kgiusti/.test_ssl_cert_db/test_cert_db --ssl-cert-password-file /home/kgiusti/.test_ssl_cert_db/cert.password
2009-09-15 10:44:05 notice Listening on TCP port 5672
2009-09-15 10:44:05 notice Listening for SSL connections on TCP port 5671
5671
2009-09-15 10:44:05 notice Broker running


Notice the two open ports - port 5672 appears to allow unencrypted (but authenticated) connection:

[kgiusti@localhost cpp]$ /usr/kerberos/bin/kinit -k testuser
[kgiusti@localhost cpp]$ export QPID_NO_MODULE_DIR=1
[kgiusti@localhost cpp]$ export QPID_LOAD_MODULE=./src/.libs/sslconnector.so
[kgiusti@localhost cpp]$ export QPID_SSL_CERT_PASSWORD_FILE=/home/kgiusti/.test_ssl_cert_db/cert.password
[kgiusti@localhost cpp]$ export QPID_SSL_CERT_DB=/home/kgiusti/.test_ssl_cert_db/test_cert_db
[kgiusti@localhost cpp]$ src/tests/.libs/lt-perftest -b localhost.localdomain --mechanism GSSAPI --username testuser --tx 1 --count 1 --port 5672 --summary
377.649 23.7361 74.1992 0.0724601


Just fyi - auth is required:

[kgiusti@localhost cpp]$ src/tests/.libs/lt-perftest -b localhost.localdomain --tx 1 --count 1 --port 5672 --summary
Please enter your password <I enter the wrong password>
2009-09-15 10:52:27 warning Broker closed connection: 320, connection-forced: Authentication failed
connection-forced: Authentication failed


No log messages are generated by broker to stderr for the above transactions.


Another interesting point:  I cannot connect over the SSL port, even w/auth:

[kgiusti@localhost cpp]$ src/tests/.libs/lt-perftest -b localhost.localdomain --mechanism GSSAPI --username testuser --tx 1 --count 1 --port 5671 -P ssl --summary
2009-09-15 10:55:12 warning Connection closed
Connection closed

In this case, broker issues the following log msg:

2009-09-15 10:55:12 error internal-error: SASL decode error: SASL(-1): generic failure: Unable to find a callback: 32775 (qpid/sys/cyrus/CyrusSecurityLayer.cpp:50)


Have I mis-configured something?  

thanks,
-K




--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12755686#action_12755686 ]

Ken Giusti commented on QPID-1899:
----------------------------------

update:  my assumption that:

[kgiusti@localhost cpp]$ src/tests/.libs/lt-perftest -b localhost.localdomain --mechanism GSSAPI --username testuser --tx 1 --count 1 --port 5672 --summary

was not encrypted is *False*:  GSSAPI is providing encryption in this example (max-ssf = 256).  Therefore this particular "issue" is not-a-bug.

The second issue:

[kgiusti@localhost cpp]$ src/tests/.libs/lt-perftest -b localhost.localdomain --mechanism GSSAPI --username testuser --tx 1 --count 1 --port 5671 -P ssl --summary
2009-09-15 10:55:12 warning Connection closed
Connection closed

appears to be a legitimate bug.  I'll work on fixing this as part of the "clean" fix implementation.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12756217#action_12756217 ]

Ken Giusti commented on QPID-1899:
----------------------------------

I've modified the OutputControl objects to export a encrypted() method, which returns 'true' if the transport is encrypted (ie. ssl) or 'false' if not (rdma, tcp).

I'm trying to modify the CyrusAuthenticator::init() method to turn off the need for encryption if the transport is already encrypted.  Right now, I'm setting max_sff & min_sff to zero (see below).  
What do you think?


Index: src/qpid/broker/SaslAuthenticator.cpp
===================================================================
--- src/qpid/broker/SaslAuthenticator.cpp (revision 814633)
+++ src/qpid/broker/SaslAuthenticator.cpp (working copy)
@@ -125,6 +125,8 @@
 std::auto_ptr<SaslAuthenticator> SaslAuthenticator::createAuthenticator(Connection& c)
 {
     static bool needWarning = true;
+
+    QPID_LOG(error, "*** KAG: createAuthenticator - connection is " << (c.getOutput().encrypted() ? "ENCRYPTED" : "CLEAR") );
     if (c.getBroker().getOptions().auth) {
         return std::auto_ptr<SaslAuthenticator>(new CyrusAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
     } else {
@@ -225,8 +227,20 @@
     sasl_security_properties_t secprops;
     
     //TODO: should the actual SSF values be configurable here?
-    secprops.min_ssf = encrypt ? 10: 0;
-    secprops.max_ssf = 256;
+    if (connection.getOutput().encrypted()) {
+        secprops.min_ssf = 0;
+        secprops.max_ssf = 0;
+
+        // KAG
+        // sasl_ssf_t external_ssf = 256;
+        // result = sasl_setprop(sasl_conn, SASL_SSF_EXTERNAL, &external_ssf);
+        // if (result != SASL_OK) {
+        // throw framing::InternalErrorException(QPID_MSG("SASL error: " << result));
+        // }
+    } else {
+        secprops.min_ssf = encrypt ? 10: 0;
+        secprops.max_ssf = 256;
+    }
     secprops.maxbufsize = 65535;
 
     QPID_LOG(debug, "min_ssf: " << secprops.min_ssf << ", max_ssf: " << secprops.max_ssf);
@@ -240,6 +254,8 @@
         throw framing::InternalErrorException(QPID_MSG("SASL error: " << result));
     }
 
+
+    
 }
 
 CyrusAuthenticator::~CyrusAuthenticator()

--------------------------------------------------------------------------

There is a sasl property "SASL_EXTERNAL_SFF" which may be a better approach - it is supposed to indicate an external SFF that is being applied to the connection.  I haven't gotten that to work yet.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12756386#action_12756386 ]

Gordon Sim commented on QPID-1899:
----------------------------------

looks good to me

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12756388#action_12756388 ]

Gordon Sim commented on QPID-1899:
----------------------------------

the external ssf also looks interesting; would that allow the negotiation to complete without a sasl negotiated encryption providing the external ssf was high enough?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

     [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ken Giusti updated QPID-1899:
-----------------------------

    Attachment: qpid-1899-9-17.patch

Good question - I haven't found an example for the recommended usage of SASL_SSF_EXTERNAL.  On experimentation, setting it to 256 appears to prevent the additional encryption, whereas setting it to 56 (the value that usually gets negotiated) doesn't prevent the additional encryption.    I'll google/post a Q to the sasl mailing lists to see if I can get some clarification on its intended use.

Ideally, I'd like to see a solution where the new encrypted() outputcontrol method returns an "ssf-like" encryption level supplied by the transport (with 0 == none), instead of a bool.  The returned value could be used to determine a meaningful input to SASL_SSF_EXTERNAL.  Thoughts?

In any case, attached is the current, non-SASL_SSF_EXTERNAL fix.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12756655#action_12756655 ]

Gordon Sim commented on QPID-1899:
----------------------------------

I like that approach. Current patch also looks good; shall I commit that in the meantime or wait for the SSF_EXTERNAL change?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12756692#action_12756692 ]

Ken Giusti commented on QPID-1899:
----------------------------------

The SSF_EXTERNAL stuff doesn't appear to buy us anything: doing a sasl_getopts( SASL_SFF ) reports a negotiated ssf of zero, even if I set it to non-zero via sasl_setopts( SASL_SFF_EXTERNAL).  The client (perftest) logs that there is no security layer regardless, also:

2009-09-17 14:45:30 debug No security layer in place


So I don't see an advantage with the EXTERNAL stuff.  I'm fine with the current patch - let's go with that.



--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12757141#action_12757141 ]

Gordon Sim commented on QPID-1899:
----------------------------------

Unfortunately, when starting to apply this I realised it doesn't work for the cluster. The initial compile error is easy to 'fix', but to work correctly it is going to need some more effort. The replicas will all need to know whether their shadow connections represent encrypted connections or not.

It also struck me on deeper review that my advice on adding a method to OutputControl was not very good - it results in a much wider change than is really necessary. I think actually a better fix would be to pass in an indicator of encrypted or not to qpid::sys::ConnectionCodec::Factory::create(). What do you think? Many apologies for the bad advice :-(

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12757202#action_12757202 ]

Ken Giusti commented on QPID-1899:
----------------------------------

No worries - this experience has taught me quite a bit about the sasl authentication and security stuff, and how the broker/client use it, and that's valuable to me :)

Did you want to go with the "hacky" solution for now?

I'll have to gain a better understanding of the clustering implementation before I would understand what needs to be done to indicate if a shadow connection is encrypted or not (maybe it comes for free with the Factory change?)

I'm good with the factory approach.  What I'd really like to understand is the purpose of sasl's EXTERNAL_SSF functionality, as it seems to be designed for just this reason.  I think the proper solution would be to pass the encryption key strength (ssf) to that create() method - zero if unencrypted.  If I can figure out the EXTERNAL_SSF usage, that key strength would be handy to have.

I've spent some time testing the EXTERNAL_SSF stuff - it's behaviour in our server isn't straightforward - and I've zapped a question to the cyrus mailing list to see if I can get some answers - I'll update this bug if I hear anything.

Just for posterity, this is what I've learned about external_ssf:

1) the value should be the bit length of the key used by the external security layer.
2) has to be set on both ends of the connection - client and server.
3) it has local significance only - ie, it is not exchanged so the value set on the peer is unknown.
4) on the client, this value is compared against the configured min-ssf - when (min-ssf <= external-ssf) a mech is selected, otherwise the client terminates the connection.
5) on the server - it seems to be totally ignored.
I've asked the cyrus mailing list about #5... stay tuned.
 

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12758839#action_12758839 ]

Gordon Sim commented on QPID-1899:
----------------------------------

The change for clustering would be a bit more involved. It doesn't come for free with the factory change but I suspect that will make it more convenient. Agree with you re EXTERNAL_SSF.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

     [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ken Giusti updated QPID-1899:
-----------------------------

    Attachment: qpid-1899.patch

Patch that associates the encryption key length with the given connection.   Supports extracting key length from underlying transport.

Doesn't address clustered links (just yet) - wanted to get feedback on this approach before going further...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762198#action_12762198 ]

Gordon Sim commented on QPID-1899:
----------------------------------

I like this approach. As compared with the earlier alteration of the OutputControl interface, this change doesn't leak into unrelated areas of the code. One question though; altering the min_ssf in the SaslAuthenticator makes perfect sense, but whats the motivation behind altering the max_ssf?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...

    [ https://issues.apache.org/jira/browse/QPID-1899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762310#action_12762310 ]

Ken Giusti commented on QPID-1899:
----------------------------------

Good catch - lowering max_ssf doesn't buy us anything.    As a matter of fact, we should probably punt the whole "adjustment" of the min/max_ssf, and just set the range to zero to ensure we don't attempt any additional encryption.


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@...