Mailing-List: contact users-help@qpid.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@qpid.apache.org
Received-SPF: pass (nike.apache.org: domain of gsim@redhat.com designates
 66.187.233.31 as permitted sender)
Message-ID: <4A25706A.8040103@redhat.com>
Date: Tue, 02 Jun 2009 19:33:14 +0100
From: Gordon Sim <gsim@redhat.com>
Organization: Registered Address: Red Hat UK Ltd, Amberley Place, 107-111
 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom.,Registered in
 England and Wales under Company Registration No. 3798903,Directors: Michael
 Cunningham (USA), Charlie Peters (USA) and David Owens (Ireland)
User-Agent: Thunderbird 1.5.0.2 (X11/20060501)
MIME-Version: 1.0
To: users@qpid.apache.org
Subject: Re: SSL certificate control list in c++ broker ?
References: <1243940356.13211.60.camel@ratwater.dyndns.org>
 <1243966463.13211.117.camel@ratwater.dyndns.org>
In-Reply-To: <1243966463.13211.117.camel@ratwater.dyndns.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Jeffrey Bride wrote:
> thank you Gordon.
> 
> I had a conversation with a maintainer (Red Hat employee) of mod_nss on
> #dogtag-pki (irc.freenode.net) .  He seemed to be very familiar with how
> this functionality was implemented in mod_nss .  The following are his
> comments :
> 
> 
> -- The function you want is SSL_OptionSet()
> -- the options, depending on what you want, are:
> -- SSL_OptionSet(sslfd, SSL_REQUEST_CERTIFICATE, PR_TRUE);
> -- that will have NSS request a cert during the handshake
> -- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
> -- that will have it require a certificate or discontinue the
> conversation

We already do this part (or pretty close to, currently we set 
SSL_REQUIRE_CERTIFICATE to PR_TRUE). You can enable the checking of 
client certificates by specifying --ssl-require-client-authentication to 
qpidd.

What we don't do is let you further restrict the set of acceptable 
certificates by CN. The only way you can control the clients that can 
connect at present is by restricting the set that the server trusts.

> -- the docs for this are really, really, really out-of-date
> -- http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html
> -- the NSS source tree is also useful for digging this stuff out
> -- in mozilla/nss/cmd one can find the NSS utilities, including some
> clients which do client auth (tstclnt)
> -- and servers which can require it (the name escapes me at the moment)
> 
> jeff
> 
> On Tue, 2009-06-02 at 06:59 -0400, Jeffrey Bride wrote:
> 
>> Hi,
>>   I'm using the C++ QPid Broker from RHEL5.3 yum repository and the M5
>> java QPid client libraries to successfully communicate over two-way SSL
>> (ssl-require-client-authentication = true) .  In addition to two-way
>> SSL, my military customer is also asking that the QPid broker only allow
>> a SSL connection from a configurable list of client certificates.  As an
>> example, similar PKI certificate control lists are provided by both
>> mod_ssl and mod_nss when configuring the Apache httpd .  In httpd.conf,
>> the following directive only allows an SSL connection to httpd from a
>> client using my certificate :
>>
>> SSLRequire (%{SSL_CLIENT_S_DN_CN} eq
>> "BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx")
>>
>> Since the C++ broker leverages the NSS libraries, is there an
>> equivalent in QPid ??  My customer would like to have very tight control
>> of 
>> SSL connections between brokers in our AMQP federation
>> scenarios.
>> When configuring the C++ broker, could I somehow add something similar
>> to /etc/qpidd.conf to dictate which client certificates can make SSL
>> connections to that broker ??
>>
>> thank you!
>> jeff
>>
> 


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org