qpid-users mailing list archives

From Jeffrey Bride <jbr...@redhat.com>
Subject Re: SSL certificate control list in c++ broker ?
Date Tue, 02 Jun 2009 18:14:23 GMT
Thank you, Gordon.

I had a conversation with a maintainer (Red Hat employee) of mod_nss on
#dogtag-pki (irc.freenode.net). He seemed to be very familiar with how
this functionality was implemented in mod_nss. The following are his
comments:


-- The function you want is SSL_OptionSet()
-- the options, depending on what you want, are:
-- SSL_OptionSet(sslfd, SSL_REQUEST_CERTIFICATE, PR_TRUE);
-- that will have NSS request a cert during the handshake
-- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
-- that will have it require a certificate or discontinue the conversation
-- the docs for this are really, really, really out-of-date
-- http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html
-- the NSS source tree is also useful for digging this stuff out
-- in mozilla/nss/cmd one can find the NSS utilities, including some clients which do client auth (tstclnt)
-- and servers which can require it (the name escapes me at the moment)

jeff

On Tue, 2009-06-02 at 06:59 -0400, Jeffrey Bride wrote:

> Hi,
>   I'm using the C++ QPid Broker from the RHEL5.3 yum repository and the M5
> java QPid client libraries to successfully communicate over two-way SSL
> (ssl-require-client-authentication = true). In addition to two-way
> SSL, my military customer is also asking that the QPid broker only allow
> an SSL connection from a configurable list of client certificates. As an
> example, similar PKI certificate control lists are provided by both
> mod_ssl and mod_nss when configuring the Apache httpd. In httpd.conf,
> the following directive only allows an SSL connection to httpd from a
> client using my certificate:
> 
> SSLRequire (%{SSL_CLIENT_S_DN_CN} eq
> "BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx")
> 
> Since the C++ broker leverages the NSS libraries, is there an
> equivalent in QPid? My customer would like to have very tight control
> of SSL connections between brokers in our AMQP federation scenarios.
> When configuring the C++ broker, could I somehow add something similar
> to /etc/qpidd.conf to dictate which client certificates can make SSL
> connections to that broker?
> 
> thank you!
> jeff
> 

-- 
Jeffrey Bride
RedHat / JBoss
303-523-7885
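An added example, not code from this thread, Qpid or NSS: the CN allowlist check a broker would run once SSL_REQUIRE_CERTIFICATE has forced the client to present a certificate, mirroring the httpd SSLRequire directive quoted above. It takes the subject DN as a plain string so it builds without NSS; inside an NSS SSL_AuthCertificateHook callback the DN would instead come from the peer certificate (assumed wiring, not shown), and the allowlist entries are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allowlist standing in for a qpidd.conf setting that does not
 * exist yet; the first entry is the CN from the SSLRequire directive above. */
static const char *const ALLOW_CN[] = {
    "BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx",
    "broker-b.amqp.example",
};
static const size_t ALLOW_CN_N = sizeof ALLOW_CN / sizeof ALLOW_CN[0];

/* Copy the value of the first CN= RDN of a comma-separated DN such as
 * "CN=alice,OU=ops,O=example" into cn. Returns 1 on success, 0 if there is
 * no CN or it does not fit. Assumes values contain no escaped commas. */
int dn_get_cn(const char *dn, char *cn, size_t cn_len) {
    const char *p = dn;
    for (;;) {
        while (*p == ' ') p++;                         /* space after a comma */
        const char *end = strchr(p, ',');
        size_t rdn_len = end ? (size_t)(end - p) : strlen(p);
        if (rdn_len > 3 && (p[0] == 'C' || p[0] == 'c') && (p[1] == 'N' || p[1] == 'n') && p[2] == '=') {
            size_t vlen = rdn_len - 3;
            while (vlen > 0 && p[3 + vlen - 1] == ' ') vlen--; /* trailing spaces */
            if (vlen == 0 || vlen + 1 > cn_len) return 0;
            memcpy(cn, p + 3, vlen);
            cn[vlen] = '\0';
            return 1;
        }
        if (!end) return 0;
        p = end + 1;
    }
}

/* 1 = accept, 0 = reject. Exact, case-sensitive compare, the semantics of
 * SSLRequire's `eq`; a prefix or substring test would let "alice.attacker"
 * satisfy an entry for "alice". A cert without a CN is rejected, not a wildcard. */
int client_dn_allowed(const char *subject_dn) {
    char cn[256];
    if (!dn_get_cn(subject_dn, cn, sizeof cn)) return 0;
    for (size_t i = 0; i < ALLOW_CN_N; i++)
        if (strcmp(cn, ALLOW_CN[i]) == 0) return 1;
    return 0;
}

int main(void) {                                       /* constructed inputs */
    const char *dns[] = {
        "CN=BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx,OU=PKI,O=U.S. Government,C=US",
        "OU=ops, CN=broker-b.amqp.example , O=example",
        "CN=BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx.attacker,O=example" };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", dns[i], client_dn_allowed(dns[i]) ? "accept" : "reject");
    return 0;
}
```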

