qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gordon Sim (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DISPATCH-1039) websocket listener with authenticatePeer=true requires client certs
Date Fri, 15 Jun 2018 18:29:00 GMT

    [ https://issues.apache.org/jira/browse/DISPATCH-1039?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16514216#comment-16514216
] 

Gordon Sim commented on DISPATCH-1039:
--------------------------------------

A simple change that would allow alternative authentication mechanisms would be:

{noformat}
diff --git a/src/http-libwebsockets.c b/src/http-libwebsockets.c
index 6df0cca..76518a8 100644
--- a/src/http-libwebsockets.c
+++ b/src/http-libwebsockets.c
@@ -300,8 +300,7 @@ static void listener_start(qd_http_listener_t *hl, qd_http_server_t *hs)
{
 
         info.options |=
             LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
-            (config->ssl_required ? 0 : LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT) |
-            (config->requireAuthentication ? LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT
: 0);
+            (config->ssl_required ? 0 : LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT);
     }
     info.vhost_name = hl->listener->config.host_port;
     hl->vhost = lws_create_vhost(hs->context, &info);
{noformat}

However, it would *not* then be possible to require client certificates, as EXTERNAL does
not work with websockets at present (see DISPATCH-1040).

An alternative fix would be to request client certs only if there were any CA(s) set against
which to validate them:

{noformat}
diff --git a/src/http-libwebsockets.c b/src/http-libwebsockets.c
index 6df0cca..ff26f57 100644
--- a/src/http-libwebsockets.c
+++ b/src/http-libwebsockets.c
@@ -295,13 +295,13 @@ static void listener_start(qd_http_listener_t *hl, qd_http_server_t
*hs) {
         info.ssl_cert_filepath = config->ssl_certificate_file;
         info.ssl_private_key_filepath = config->ssl_private_key_file;
         info.ssl_private_key_password = config->ssl_password;
-        info.ssl_ca_filepath = config->ssl_trusted_certificates;
+        info.ssl_ca_filepath = config->ssl_trusted_certificates ? config->ssl_trusted_certificates
: config->ssl_trusted_certificate_db;
         info.ssl_cipher_list = config->ssl_ciphers;
 
         info.options |=
             LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
             (config->ssl_required ? 0 : LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT) |
-            (config->requireAuthentication ? LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT
: 0);
+            ((config->requireAuthentication && info.ssl_ca_filepath) ? LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT
: 0);
     }
     info.vhost_name = hl->listener->config.host_port;
     hl->vhost = lws_create_vhost(hs->context, &info);
{noformat}

Though this would still be different behaviour from where http=no, it would allow client certs
to be used if desired, without requiring them as the only possible means of authentication.
(Since EXTERNAL doesn't yet work with websockets, using client certs for authentication would
not allow any user specific policy to be applied).

(Note, at present the ssl_trusted_certificates option is never set, see DISPATCH-1042. This
change also falls back to the caCertFile from the ssl_profile).

I favour the second patch. at least until DISPATCH-1040/PROTON-1864 is resolved. [~aconway]
[~tross@redhat.com] [~ganeshmurthy] thoughts?

> websocket listener with authenticatePeer=true requires client certs
> -------------------------------------------------------------------
>
>                 Key: DISPATCH-1039
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-1039
>             Project: Qpid Dispatch
>          Issue Type: Bug
>            Reporter: Gordon Sim
>            Priority: Major
>




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message