Security layers are used to establish an authenticated and/or encrypted transport over which regular AMQP traffic can be tunneled. Security layers may be tunneled through one another (for instance a security layer used by the peers to do authentication may be tunneled through a security layer established for encryption purposes).

The framing and protocol definitions for security layers are expected to be defined externally to the AMQP specification as in the case of TLS [RFC5246]. An exception to this is the SASL [RFC4422] security layer which depends on its host protocol to provide framing. Therefore defines the frames necessary for SASL to function. When a security layer terminates (either before or after a secure tunnel is established), the TCP connection MUST be closed by first shutting down the outgoing stream and then reading the incoming stream until it is terminated.

To establish a TLS session, each peer MUST start by sending a protocol header before commencing with TLS negotiation. The protocol header consists of the upper case ASCII letters "AMQP" followed by a protocol id of two, followed by three unsigned bytes representing the major, minor, and revision of the specification version (currently , , ). In total this is an 8-octet sequence:

4 OCTETS 1 OCTET 1 OCTET 1 OCTET 1 OCTET +----------+---------+---------+---------+----------+ | "AMQP" | %d2 | major | minor | revision | +----------+---------+---------+---------+----------+

Other than using a protocol id of two, the exchange of TLS protocol headers follows the same rules specified in the version negotiation section of the transport specification (See ).

The following diagram illustrates the interaction involved in creating a TLS security layer:

TCP Client TCP Server ========================================= AMQP%d2.1.0.0 ---------> <--------- AMQP%d2.1.0.0 : : <TLS negotiation> : : AMQP%d0.1.0.0 ---------> (over TLS secured connection) <--------- AMQP%d0.1.0.0 open ---------> <--------- open

When the use of the TLS security layer is negotiated, the following rules apply:

  • The TLS client peer and TLS server peer are determined by the TCP client peer and TCP server peer respectively.

  • The TLS client peer SHOULD use the server name indication extension as described in RFC-4366 [RFC4366]. If it does so, then it is undefined what happens if this differs from hostname in the and frame frames.

    This field can be used by AMQP proxies to determine the correct back-end service to connect the client to, and to determine the domain to validate the client's credentials against if TLS client certificates are being used.

  • The TLS client MUST validate the certificate presented by the TLS server.

  • Implementations MAY choose to use TLS with unidirectional shutdown, i.e., an application initiating shutdown using close_notify is not obliged to wait for the peer to respond, and MAY close the write half of the TCP socket.

In certain situations, such as connecting through firewalls, it may not be possible to establish a TLS security layer using the above procedure. This might be because a deep packet inspecting firewall sees the first few bytes of the connection 'as not being TLS'.

As an alternative, implementations MAY run a pure TLS server, i.e., one that does not expect the initial TLS-invoking handshake. The IANA service name for this is amqps and the port is (5671). Implementations may also choose to run this pure TLS server on other ports, should this be operationally required (e.g., to tunnel through a legacy firewall that only expects TLS traffic on port 443).

To establish a SASL layer, each peer MUST start by sending a protocol header. The protocol header consists of the upper case ASCII letters "AMQP" followed by a protocol id of three, followed by three unsigned bytes representing the major, minor, and revision of the specification version (currently , , ). In total this is an 8-octet sequence:

4 OCTETS 1 OCTET 1 OCTET 1 OCTET 1 OCTET +----------+---------+---------+---------+----------+ | "AMQP" | %d3 | major | minor | revision | +----------+---------+---------+---------+----------+

Other than using a protocol id of three, the exchange of SASL layer headers follows the same rules specified in the version negotiation section of the transport specification (See ).

The following diagram illustrates the interaction involved in creating a SASL security layer:

TCP Client TCP Server ========================================= AMQP%d3.1.0.0 ---------> <--------- AMQP%d3.1.0.0 : : <SASL negotiation> : : AMQP%d0.1.0.0 ---------> (over SASL secured connection) <--------- AMQP%d0.1.0.0 open ---------> <--------- open

SASL performatives are framed as per . A SASL frame has a type code of 0x01. Bytes 6 and 7 of the header are ignored. Implementations SHOULD set these to 0x00. The extended header is ignored. Implementations SHOULD therefore set DOFF to 0x02.

type: 0x01 - SASL frame +0 +1 +2 +3 +-----------------------------------+ -. 0 | SIZE | | +-----------------------------------+ |---> Frame Header 4 | DOFF | TYPE | <IGNORED>*1 | | (8 bytes) +-----------------------------------+ -' +-----------------------------------+ -. 8 | ... | | . . |---> Extended Header . <IGNORED>*2 . | (DOFF * 4 - 8) bytes | ... | | +-----------------------------------+ -' +-----------------------------------+ -. 4*DOFF | | | . . | . . | . Sasl Mechanisms / Sasl Init . | . Sasl Challenge / Sasl Response . |---> Frame Body . Sasl Outcome . | (SIZE - DOFF * 4) bytes . . | . . | . ________| | | ... | | +--------------------------+ -' *1 SHOULD be set to 0x0000 *2 Ignored, so DOFF should be set to 0x02

The maximum size of a SASL frame is defined by . There is no mechanism within the SASL negotiation to negotiate a different size. The frame body of a SASL frame may contain exactly one AMQP type, whose type encoding must have provides="sasl-frame" . Receipt of an empty frame is an irrecoverable error.

The peer acting as the SASL server must announce supported authentication mechanisms using the frame. The partner must then choose one of the supported mechanisms and initiate a sasl exchange.

SASL Client SASL Server ================================ <-- SASL-MECHANISMS SASL-INIT --> ... <-- SASL-CHALLENGE * SASL-RESPONSE --> ... <-- SASL-OUTCOME -------------------------------- * Note that the SASL challenge/response step may occur zero or more times depending on the details of the SASL mechanism chosen.

The peer playing the role of the SASL client and the peer playing the role of the SASL server MUST correspond to the TCP client and server respectively.

Advertises the available SASL mechanisms that may be used for authentication.

A list of the sasl security mechanisms supported by the sending peer. It is invalid for this list to be null or empty. If the sending peer does not require its partner to authenticate with it, then it should send a list of one element with its value as the SASL mechanism ANONYMOUS. The server mechanisms are ordered in decreasing level of preference.

Selects the sasl mechanism and provides the initial response if needed.

The name of the SASL mechanism used for the SASL exchange. If the selected mechanism is not supported by the receiving peer, it MUST close the connection with the authentication-failure close-code. Each peer MUST authenticate using the highest-level security profile it can handle from the list provided by the partner.

A block of opaque data passed to the security mechanism. The contents of this data are defined by the SASL security mechanism.

The DNS name of the host (either fully qualified or relative) to which the sending peer is connecting. It is not mandatory to provide the hostname. If no hostname is provided the receiving peer should select a default based on its own configuration.

This field can be used by AMQP proxies to determine the correct back-end service to connect the client to, and to determine the domain to validate the client's credentials against.

This field may already have been specified by the server name indication extension as described in RFC-4366 [RFC4366], if a TLS layer is used, in which case this field SHOULD either be null or contain the same value. It is undefined what a different value to those already specified means.

Send the SASL challenge data as defined by the SASL specification.

Challenge information, a block of opaque binary data passed to the security mechanism.

Send the SASL response data as defined by the SASL specification.

A block of opaque data passed to the security mechanism. The contents of this data are defined by the SASL security mechanism.

This frame indicates the outcome of the SASL dialog. Upon successful completion of the SASL dialog the security layer has been established, and the peers must exchange protocol headers to either start a nested security layer, or to establish the AMQP connection.

A reply-code indicating the outcome of the SASL dialog.

The additional-data field carries additional data on successful authentication outcome as specified by the SASL specification [RFC4422]. If the authentication is unsuccessful, this field is not set.

Connection authentication succeeded.

Connection authentication failed due to an unspecified problem with the supplied credentials.

Connection authentication failed due to a system error.

Connection authentication failed due to a system error that is unlikely to be corrected without intervention.

Connection authentication failed due to a transient system error.