[zeromq-dev] Authentication with CURVE doesn't fail
Goswin von Brederlow
goswin-v-b at web.de
Tue Jan 14 09:30:47 CET 2014
On Mon, Jan 13, 2014 at 07:04:15PM +0100, Pieter Hintjens wrote:
> On Mon, Jan 13, 2014 at 3:01 PM, Goswin von Brederlow <goswin-v-b at web.de> wrote:
>
> > 1) How does the client detect a login failure (as opposed to an
> > unreachable, unresponsive, crashing server?
>
> It's explained in the ZMTP RFC. It's an area we're changing, to avoid
> specifically the problem you experienced. An authentication failure
> will result in an explicit ERROR reply rather than a disconnect.
"will" as in "in the future", "once we implement the RFC more fully"?
> > 2) How do I get at the status text from the ZAP reply in the client?
>
> You can't. Providing this would be a leakage of information
> potentially useful to crafting an attack.
There should be a way to return something explaining the problem. For
example the server might want to return "Account locked, contact
admin" or "Service suspended for maintanance". Just closing the
connection without comment is plain bad.
> > 3) Why does ZMQ reconnect on a 400 status code at all? It should mark
> > the connection as bad and fail all further send/recv attempts.
>
> Yes, it should.
Bug or unimplemented?
> > 4) The example from the wiki used PUSH/PULL from server to client and
> > that is what I started from. But what if the server has a PULL or REP
> > socket and gets messages from clients. How do I get at the credetials
> > from the ZAP request or user_id or metadata fields from the ZAP reply
> > on the server?
>
> There's a work in process to provide the credentials to the server for
> each message received.
>
> -Pieter
Anything I can test already or help with?
MfG
Goswin
More information about the zeromq-dev
mailing list