qpid-users mailing list archives

From Gordon Sim <g...@redhat.com>
Subject Re: SSL certificate control list in c++ broker ?
Date Tue, 02 Jun 2009 18:33:14 GMT
Jeffrey Bride wrote:
> thank you Gordon.
> 
> I had a conversation with a maintainer (Red Hat employee) of mod_nss on
> #dogtag-pki (irc.freenode.net). He seemed to be very familiar with how
> this functionality was implemented in mod_nss. The following are his
> comments:
> 
> 
> -- The function you want is SSL_OptionSet()
> -- the options, depending on what you want, are:
> -- SSL_OptionSet(sslfd, SSL_REQUEST_CERTIFICATE, PR_TRUE);
> -- that will have NSS request a cert during the handshake
> -- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
> -- that will have it require a certificate or discontinue the
> conversation

We already do this part (or pretty close to, currently we set 
SSL_REQUIRE_CERTIFICATE to PR_TRUE). You can enable the checking of 
client certificates by specifying --ssl-require-client-authentication to 
qpidd.

What we don't do is let you further restrict the set of acceptable 
certificates by CN. The only way you can control the clients that can 
connect at present is by restricting the set that the server trusts.

> -- the docs for this are really, really, really out-of-date
> -- http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html
> -- the NSS source tree is also useful for digging this stuff out
> -- in mozilla/nss/cmd one can find the NSS utilities, including some
> clients which do client auth (tstclnt)
> -- and servers which can require it (the name escapes me at the moment)
> 
> jeff
> 
> On Tue, 2009-06-02 at 06:59 -0400, Jeffrey Bride wrote:
> 
>> Hi,
>>   I'm using the C++ QPid Broker from RHEL5.3 yum repository and the M5
>> java QPid client libraries to successfully communicate over two-way SSL
>> (ssl-require-client-authentication = true). In addition to two-way
>> SSL, my military customer is also asking that the QPid broker only allow
>> an SSL connection from a configurable list of client certificates. As an
>> example, similar PKI certificate control lists are provided by both
>> mod_ssl and mod_nss when configuring the Apache httpd. In httpd.conf,
>> the following directive only allows an SSL connection to httpd from a
>> client using my certificate:
>>
>> SSLRequire (%{SSL_CLIENT_S_DN_CN} eq
>> "BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx")
>>
>> Since the C++ broker leverages the NSS libraries, is there an
>> equivalent in QPid? My customer would like to have very tight control of
>> SSL connections between brokers in our AMQP federation scenarios.
>> When configuring the C++ broker, could I somehow add something similar
>> to /etc/qpidd.conf to dictate which client certificates can make SSL
>> connections to that broker?
>>
>> thank you!
>> jeff
>>
> 


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
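The two controls discussed in this thread are separate steps: requiring that the client present a certificate the server trusts (what qpidd's --ssl-require-client-authentication and NSS's SSL_REQUIRE_CERTIFICATE do), and then authorizing the connection by the subject CN (what mod_ssl's SSLRequire directive does and qpidd, per Gordon's reply, does not). The following is an added example, not Qpid, NSS or mod_ssl code, written against Python's standard ssl module instead of NSS so it runs without an NSS build: ssl.CERT_REQUIRED stands in for SSL_REQUIRE_CERTIFICATE, and the allow-list check runs on the subject returned by SSLSocket.getpeercert() after the handshake. The CN values, file names and subjects are constructed for illustration; the redacted CN from the thread is not reused.

```python
"""Client-certificate allow-list check modelled on
SSLRequire (%{SSL_CLIENT_S_DN_CN} eq "...").

Added example, not Qpid/NSS/mod_ssl code.  Uses Python's ssl module in
place of NSS.
"""
import ssl
from typing import Iterable, Mapping, Optional, Sequence, Tuple

# ssl.SSLSocket.getpeercert() returns 'subject' as a tuple of RDNs, each
# RDN a tuple of (attribute-type, value) pairs.
RDNSeq = Sequence[Sequence[Tuple[str, str]]]


def common_names(subject: RDNSeq) -> list:
    """Return every commonName attribute in the subject, in order."""
    return [value for rdn in subject for (kind, value) in rdn if kind == "commonName"]


def client_allowed(peercert: Optional[Mapping], allowed_cns: Iterable[str]) -> bool:
    """Exact-match the peer's CN against the allow list.

    Mirrors the 'eq' comparison in SSLRequire: byte-for-byte, case-sensitive,
    no substring or wildcard matching.  A certificate with zero or several CNs
    is rejected rather than guessed at, since the subject contents are chosen
    by whoever obtained the certificate, within whatever the trusted CA signs.
    """
    if not peercert:  # no certificate presented (only possible with CERT_OPTIONAL)
        return False
    cns = common_names(peercert.get("subject", ()))
    if len(cns) != 1:
        return False
    return cns[0] in set(allowed_cns)


def server_context(cert_file: str, key_file: str, ca_file: str) -> ssl.SSLContext:
    """The 'require a certificate or drop the connection' half.

    ca_file (hypothetical path) should hold only the issuers you mean to
    trust; with a broad CA the CN allow list is the only thing keeping the
    CA's other certificate holders out, which is the gap the thread is about.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    return ctx


def accept_client(conn: ssl.SSLSocket, allowed_cns: Iterable[str]) -> bool:
    """Post-handshake authorization; call before serving anything on conn."""
    if client_allowed(conn.getpeercert(), allowed_cns):
        return True
    conn.close()
    return False


# Constructed sample subjects in the shape getpeercert() produces.
ALLOWED = ["broker-east.example", "broker-west.example"]

GOOD_CERT = {"subject": ((("countryName", "US"),),
                         (("organizationName", "Example Org"),),
                         (("commonName", "broker-east.example"),))}

WRONG_CN = {"subject": ((("countryName", "US"),),
                        (("commonName", "broker-north.example"),))}

# Two CN attributes under the same trusted CA: refuse rather than match either.
TWO_CNS = {"subject": ((("commonName", "broker-east.example"),),
                       (("commonName", "broker-north.example"),))}

# Case and prefix differences are not matches.
NEAR_MISS = {"subject": ((("commonName", "Broker-East.example"),),)}
PREFIX = {"subject": ((("commonName", "broker-east.example.attacker"),),)}
```

Used together, the trust-store restriction Gordon describes is the stronger of the two controls: it stops the handshake before any application code runs, whereas the CN check only refuses peers that the CA has already vouched for. The CN allow list is worth adding on top because a CA trusted for one broker pair typically signs many more certificates than the federation should accept.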

