There is a defect in the CRAM MD5 Hex SASL mechanism within the Qpid broker that prevents some passwords from being used to connect from the Qpid 0-8 .NET client. The defect does not affect authentications using the same password from the Java client, as it connects using a different SASL mechanism.
The defect seemingly affects about 30% of all possible passwords. It shows no bias towards strong/weak passwords, as the defect in the mechanism occurs after the cleartext has been MD5 digested.
The client sees a 503 exception (Apache.Qpid.Client.AMQAuthenticationException: not allowed) from the new AMQConnection(QpidConnectionInfo) constructor.
|Field||Original Value||New Value|
|Attachment||0001-QPID-3158-Defect-in-the-CRAM-MD5-HEX-mechanism-CRAMM.patch [ 12474206 ]|
|Attachment||0001-QPID-3158-Defect-in-the-CRAM-MD5-HEX-mechanism-CRAMM.patch [ 12474207 ]|
|Status||Open [ 1 ]||In Progress [ 3 ]|
|Attachment||0001-QPID-3158-Defect-in-the-CRAM-MD5-HEX-mechanism-CRAMM_trunk.patch [ 12474281 ]|
|Fix Version/s||0.11 [ 12316272 ]|
|Affects Version/s||0.8 [ 12315477 ]|
|Affects Version/s||0.7 [ 12314455 ]|
|Affects Version/s||0.6 [ 12313728 ]|
|Affects Version/s||M4 [ 12313279 ]|
|Affects Version/s||M3 [ 12312117 ]|
|Affects Version/s||M2.1 [ 12312720 ]|
|Affects Version/s||0.9 [ 12315382 ]|
|Affects Version/s||0.10 [ 12316273 ]|
|Status||In Progress [ 3 ]||Resolved [ 5 ]|
|Assignee||Keith Wall [ k-wall ]||Robbie Gemmell [ gemmellr ]|
|Resolution||Fixed [ 1 ]|
|Status||Resolved [ 5 ]||Closed [ 6 ]|