server not advertising EXTERNAL auth mechanism


abr...@gmail.com

Apr 23, 2015, 6:43:50 PM
to rabbitm...@googlegroups.com
Hi,
I am running a rabbitmq-server (v3.1.5) on a linux server (Centos 6.5). I've modified the
config to enable external auth mechanism. The report for my server using 'rabbitmqctl report'
is shown below.

The problem I am having is that my rabbitmq-server is not advertising the EXTERNAL auth
mechanism in its connection start message even though I've enabled it in the configuration.
I've enabled the ssl plugin as well. The tcpdump below of the connection start message from
the server confirms this.

0000   01 00 00 00 00 01 4a 00 0a 00 0a 00 09 00 00 01  ......J.........
0010   25 0c 63 61 70 61 62 69 6c 69 74 69 65 73 46 00  %.capabilitiesF.
0020   00 00 58 12 70 75 62 6c 69 73 68 65 72 5f 63 6f  ..X.publisher_co
0030   6e 66 69 72 6d 73 74 01 1a 65 78 63 68 61 6e 67  nfirmst..exchang
0040   65 5f 65 78 63 68 61 6e 67 65 5f 62 69 6e 64 69  e_exchange_bindi
0050   6e 67 73 74 01 0a 62 61 73 69 63 2e 6e 61 63 6b  ngst..basic.nack
0060   74 01 16 63 6f 6e 73 75 6d 65 72 5f 63 61 6e 63  t..consumer_canc
0070   65 6c 5f 6e 6f 74 69 66 79 74 01 09 63 6f 70 79  el_notifyt..copy
0080   72 69 67 68 74 53 00 00 00 27 43 6f 70 79 72 69  rightS...'Copyri
0090   67 68 74 20 28 43 29 20 32 30 30 37 2d 32 30 31  ght (C) 2007-201
00a0   33 20 47 6f 50 69 76 6f 74 61 6c 2c 20 49 6e 63  3 GoPivotal, Inc
00b0   2e 0b 69 6e 66 6f 72 6d 61 74 69 6f 6e 53 00 00  ..informationS..
00c0   00 35 4c 69 63 65 6e 73 65 64 20 75 6e 64 65 72  .5Licensed under
00d0   20 74 68 65 20 4d 50 4c 2e 20 20 53 65 65 20 68   the MPL.  See h
00e0   74 74 70 3a 2f 2f 77 77 77 2e 72 61 62 62 69 74  ttp://www.rabbit
00f0   6d 71 2e 63 6f 6d 2f 08 70 6c 61 74 66 6f 72 6d  mq.com/.platform
0100   53 00 00 00 0a 45 72 6c 61 6e 67 2f 4f 54 50 07  S....Erlang/OTP.
0110   70 72 6f 64 75 63 74 53 00 00 00 08 52 61 62 62  productS....Rabb
0120   69 74 4d 51 07 76 65 72 73 69 6f 6e 53 00 00 00  itMQ.versionS...
0130   05 33 2e 31 2e 35 00 00 00 0e 50 4c 41 49 4e 20  .3.1.5....PLAIN
0140   41 4d 51 50 4c 41 49 4e 00 00 00 05 65 6e 5f 55  AMQPLAIN....en_U
0150   53 ce                                            S.

I'd like to know why my server is not advertising the external auth even though I've configured it.
Is there any configuration I am missing that I need to enable? Thanks.

-abr


Status of node 'rabbit@dev-xxxxxxx' ...
[{pid,17064},
 {running_applications,
     [{rabbitmq_management,"RabbitMQ Management Console","3.1.5"},
      {rabbit,"RabbitMQ","3.1.5"},
      {ssl,"Erlang/OTP SSL application","4.1.6"},
      {public_key,"Public key infrastructure","0.13"},
      {crypto,"CRYPTO version 2","2.0.4"},
      {asn1,"The Erlang ASN1 compiler version 1.6.18","1.6.18"},
      {os_mon,"CPO  CXC 138 46","2.2.7"},
      {rabbitmq_auth_mechanism_ssl,
          "RabbitMQ SSL authentication (SASL EXTERNAL)","3.1.5"},
      {rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.1.5"},
      {webmachine,"webmachine","1.10.3-rmq3.1.5-gite9359c7"},
      {mochiweb,"MochiMedia Web Server","2.7.0-rmq3.1.5-git680dba8"},
      {xmerl,"XML parser","1.2.10"},
      {inets,"INETS  CXC 138 49","5.7.1"},
      {mnesia,"MNESIA  CXC 138 12","4.5"},
      {amqp_client,"RabbitMQ AMQP Client","3.1.5"},
      {sasl,"SASL  CXC 138 11","2.1.10"},
      {stdlib,"ERTS  CXC 138 10","1.17.5"},
      {kernel,"ERTS  CXC 138 10","2.14.5"}]},
 {os,{unix,linux}},
 {erlang_version,
     "Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:16:16] [rq:16] [async-threads:30] [kernel-poll:true]\n"},
 {memory,
     [{total,173168816},
      {connection_procs,8112},
      {queue_procs,5408},
      {plugins,346560},
      {other_proc,9364576},
      {mnesia,60632},
      {mgmt_db,30256},
      {msg_index,34760},
      {other_ets,1153904},
      {binary,1848},
      {code,18983678},
      {atom,1749665},
      {other_system,141429417}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,3301176115},
 {disk_free_limit,857733120},
 {disk_free,106222104576},
 {file_descriptors,
     [{total_limit,262044},
      {total_used,4},
      {sockets_limit,235837},
      {sockets_used,2}]},
 {processes,[{limit,1048576},{used,219}]},
 {run_queue,0},
 {uptime,5754}]

Cluster status of node 'rabbit@dev-xxxxxx' ...
[{nodes,[{disc,['rabbit@dev-xxxxxx']}]},
 {running_nodes,['rabbit@dev-xxxxxx']},
 {partitions,[]}]

Application environment of node 'rabbit@dev-xxxxxx' ...
[{auth_backends,[rabbit_auth_backend_internal]},
 {auth_mechanisms,['PLAIN','AMQPLAIN','EXTERNAL']},
 {backing_queue_module,rabbit_variable_queue},
 {cluster_nodes,{[],disc}},
 {cluster_partition_handling,ignore},
 {collect_statistics,fine},
 {collect_statistics_interval,5000},
 {default_permissions,[<<".*">>,<<".*">>,<<".*">>]},
 {default_user,<<"guest">>},
 {default_user_tags,[administrator]},
 {default_vhost,<<"/">>},
 {delegate_count,16},
 {disk_free_limit,857733120},
 {enabled_plugins_file,"/etc/rabbitmq/enabled_plugins"},
 {error_logger,{file,"/var/log/rabbitmq/rab...@dev-xxxxxx.log"}},
 {frame_max,131072},
 {heartbeat,600},
 {hipe_compile,false},
 {hipe_modules,[rabbit_reader,rabbit_channel,gen_server2,rabbit_exchange,
                rabbit_command_assembler,rabbit_framing_amqp_0_9_1,
                rabbit_basic,rabbit_event,lists,queue,priority_queue,
                rabbit_router,rabbit_trace,rabbit_misc,rabbit_binary_parser,
                rabbit_exchange_type_direct,rabbit_guid,rabbit_net,
                rabbit_amqqueue_process,rabbit_variable_queue,
                rabbit_binary_generator,rabbit_writer,delegate,gb_sets,lqueue,
                sets,orddict,rabbit_amqqueue,rabbit_limiter,gb_trees,
                rabbit_queue_index,rabbit_exchange_decorator,gen,dict,ordsets,
                file_handle_cache,rabbit_msg_store,array,
                rabbit_msg_store_ets_index,rabbit_msg_file,
                rabbit_exchange_type_fanout,rabbit_exchange_type_topic,mnesia,
                mnesia_lib,rpc,mnesia_tm,qlc,sofs,proplists,credit_flow,pmon,
                ssl_connection,tls_connection,ssl_record,tls_record,gen_fsm,
                ssl]},
 {included_applications,[]},
 {log_levels,[{connection,info}]},
 {loopback_users,[]},
 {msg_store_file_size_limit,16777216},
 {msg_store_index_module,rabbit_msg_store_ets_index},
 {plugins_dir,"/usr/lib/rabbitmq/lib/rabbitmq_server-3.1.5/sbin/../plugins"},
 {plugins_expand_dir,"/var/lib/rabbitmq/mnesia/rabbit@dev-xxxxxx-plugins-expand"},
 {queue_index_max_journal_entries,65536},
 {reverse_dns_lookups,false},
 {sasl_error_logger,{file,"/var/log/rabbitmq/rab...@dev-xxxxxx-sasl.log"}},
 {server_properties,[]},
 {ssl_apps,[asn1,crypto,public_key,ssl]},
 {ssl_cert_login_from,common_name},
 {ssl_listeners,[5671]},
 {ssl_options,[{cacertfile,"/etc/rabbitmq/ssl/truststore.pem"},
               {certfile,"/etc/rabbitmq/ssl/server/cert.pem"},
               {keyfile,"/etc/rabbitmq/ssl/server/key.pem"},
               {verify,verify_peer},
               {fail_if_no_peer_cert,true},
               {ssl_cert_login_from,common_name},
               {ciphers,[{rsa,aes_256_cbc,sha}]}]},
 {tcp_listen_options,[binary,
                      {packet,raw},
                      {reuseaddr,true},
                      {backlog,128},
                      {nodelay,true},
                      {linger,{true,0}},
                      {exit_on_close,false}]},
 {tcp_listeners,[{"127.0.0.1",5672}]},
 {trace_vhosts,[]},
 {vm_memory_high_watermark,0.4}]

Michael Klishin

Apr 23, 2015, 7:50:26 PM
to abr...@gmail.com, rabbitm...@googlegroups.com
On 24 April 2015 at 01:43:51, abr...@gmail.com (abr...@gmail.com) wrote:
> {auth_backends,[rabbit_auth_backend_internal]},
> {auth_mechanisms,['PLAIN','AMQPLAIN','EXTERNAL']},

EXTERNAL mechanism is provided by the rabbitmq_auth_mechanism_ssl plugin: is it enabled? 
--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Abr Abr

Apr 23, 2015, 9:51:21 PM
to Michael Klishin, rabbitm...@googlegroups.com
Yes, it is. If you see the 'rabbitmqctl report' I included in my previous mail, it is enabled... Look for the lines I've shown below...

Bhasker.

      {rabbitmq_auth_mechanism_ssl,
          "RabbitMQ SSL authentication (SASL EXTERNAL)","3.1.5"},

Michael Klishin

Apr 24, 2015, 5:41:07 AM
to Abr Abr, rabbitm...@googlegroups.com
On 24 April 2015 at 04:51:18, Abr Abr (abr...@gmail.com) wrote:
> {rabbitmq_auth_mechanism_ssl,
> "RabbitMQ SSL authentication (SASL EXTERNAL)","3.1.5"},

I could not find any known issues in the plugin. Please try with a recent version: 3.5.1 or at least 3.4.4.
3.1.x is no longer supported.

Michael Klishin

Apr 24, 2015, 6:33:25 AM
to Abr Abr, rabbitm...@googlegroups.com
On 24 April 2015 at 12:41:03, Michael Klishin (mkli...@pivotal.io) wrote:
> I could not find any known issues in the plugin.

This commit seems somewhat relevant:
https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl/commit/fec63809b6d081107b52edb99200518b02a14dcc

Please check if the client certificate is actually present.
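
Added example, not part of the thread and not RabbitMQ code: a small parser for the AMQP 0-9-1 Connection.Start method frame (the message type captured in the first post) that returns the SASL mechanisms a broker advertises, so the check can be done without reading a hex dump by eye. The function names are assumptions and the sample frame is constructed, not the capture from the thread.

```python
import struct

FRAME_METHOD, FRAME_END = 1, 0xCE
CONNECTION_START = (10, 10)  # AMQP 0-9-1 class-id, method-id


def _read_longstr(buf, pos):
    """Read a 4-byte big-endian length plus that many bytes; bounds-checked."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, pos)
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("declared length runs past the payload")
    return buf[pos + 4:end], end


def parse_connection_start(frame):
    """Return version, SASL mechanisms and locales from one Connection.Start frame."""
    if len(frame) < 8:
        raise ValueError("truncated frame")
    ftype, channel, size = struct.unpack_from(">BHI", frame, 0)
    if ftype != FRAME_METHOD or channel != 0:
        raise ValueError("not a method frame on channel 0")
    if size < 6 or len(frame) < 8 + size or frame[7 + size] != FRAME_END:
        raise ValueError("bad frame size or missing frame-end octet")
    payload = frame[7:7 + size]
    class_id, method_id, major, minor = struct.unpack_from(">HHBB", payload, 0)
    if (class_id, method_id) != CONNECTION_START:
        raise ValueError("not Connection.Start")
    _table, pos = _read_longstr(payload, 6)      # server-properties, skipped
    mechanisms, pos = _read_longstr(payload, pos)
    locales, _ = _read_longstr(payload, pos)
    return {"version": (major, minor),
            "mechanisms": mechanisms.decode("ascii").split(),
            "locales": locales.decode("ascii").split()}


def external_offered(frame):
    return "EXTERNAL" in parse_connection_start(frame)["mechanisms"]


def build_sample_frame(mechanisms):
    """Constructed sample frame (not the capture from the thread)."""
    table = b"\x07productS" + struct.pack(">I", 8) + b"RabbitMQ"
    payload = struct.pack(">HHBBI", 10, 10, 0, 9, len(table)) + table
    payload += struct.pack(">I", len(mechanisms)) + mechanisms + struct.pack(">I", 5) + b"en_US"
    return struct.pack(">BHI", 1, 0, len(payload)) + payload + b"\xce"
```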