qpid-users mailing list archives

From "Steve Huston" <shus...@riverace.com>
Subject RE: SSL Client Authentication support for C++ on Windows
Date Wed, 07 Mar 2012 19:19:41 GMT
Ah, ok - thank you very much, Jakub!

> -----Original Message-----
> From: Jakub Scholz [mailto:jakub@scholz.cz]
> Sent: Wednesday, March 07, 2012 1:38 PM
> To: users@qpid.apache.org
> Subject: Re: SSL Client Authentication support for C++ on Windows
>
> Hi Steve,
>
> Yes, I know. There are still some unresolved issues as mentioned in the first
> email and I also need to check how it works against the trunk - this
> version is prepared against 0.14 release. The patch here is mainly for the
> people who want to give it a try ... once I have that, I will create a JIRA and
> attach it with the licence granted.
>
> Regards
> Jakub
>
> On Wed, Mar 7, 2012 at 18:13, Steve Huston <shuston@riverace.com> wrote:
> > Ok, Jakub, but we still need to have the patch(es) attached to a jira
> > and make sure you check the box granting rights to ASF, or we can't use it.
> >
> > I just checked and did not see an existing jira for this issue (though
> > it has been discussed on the mailing list recently), so please go
> > ahead and open a new jira, and attach your patches to that.
> >
> > Thanks!
> > -Steve
> >
> >> -----Original Message-----
> >> From: Jakub Scholz [mailto:jakub@scholz.cz]
> >> Sent: Wednesday, March 07, 2012 4:22 AM
> >> To: users@qpid.apache.org
> >> Subject: Re: SSL Client Authentication support for C++ on Windows
> >>
> >> BTW: The attachment was probably discarded by the mailing list
> >> server, so I uploaded it to http://pastebin.com/gb1RnUYk ... the URL will
> >> hopefully survive :-)
> >>
> >> On Wed, Mar 7, 2012 at 00:47, Jakub Scholz <jakub@scholz.cz> wrote:
> >> > Hi,
> >> >
> >> > I played a bit with the support for SSL client authentication in
> >> > the C++ API for Windows. It seems that I got it working, at least
> >> > against our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I did the
> >> > following changes:
> >> > 1) Added a support for SASL EXTERNAL mechanism
> >> > 2) Added new connection option ssl-cert-store which allows to
> >> > select the certificate store which should be used to search for the
> >> > certificate. If not specified, the default "Personal" store is used.
> >> > 3) Changed the SSL Connector to try to load the private key if
> >> > EXTERNAL mechanism has been selected
> >> > 4) The username for the SASL EXTERNAL mechanism is used from the
> >> > "username" connection option. The username is also used to find the
> >> > right certificate, since the username has to be in the subject of
> >> > the certificate. I was considering adding new option for this, but
> >> > this approach seemed to be the best.
> >> >
> >> > Currently, I'm aware of a few limitations:
> >> > 1) when the SSL client authentication is enabled on the broker, the
> >> > client can connect only with EXTERNAL, not with PLAIN. But this
> >> > problem was there already before my changes ... I have some idea
> >> > where the problem is, but I'm not sure whether I will manage to fix it ...
> >> > 2) When there are multiple certificates with a matching subject,
> >> > the first one is always used. I didn't find any better method for
> >> > selecting the certificate ...
> >> >
> >> > Also, the current version is developed against 0.14 source codes,
> >> > because I had some problems getting the trunk to compile&work ... I
> >> > have to look at it ...
> >> >
> >> > The patch is attached. If someone wants to try it right now, feel
> >> > free to do so. Also if anyone has some comments, please share them.
> >> > Otherwise, I will try to reconcile the patch to trunk and will
> >> > attach the patch to some JIRA Issue ... either existing one or a
> >> > new one - I'm not sure whether there already is some open JIRA
> >> > covering it.
> >> >
> >> > Regards
> >> > Jakub
> >> >
> >> > PS: I didn't look into the .NET API yet. Does someone know
> >> > whether the .NET API needs to be somehow modified or are the
> >> > modifications in the C++ APIs automatically used by the .NET?
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For
> >> additional commands, e-mail: users-help@qpid.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
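
The second limitation in the quoted message (with several matching certificates, the first one is always used) can be replaced by a deterministic selection rule. The sketch below is an added example, not code from the patch or from Qpid: `CertEntry`, `commonName`, `selectClientCert` and the store contents are hypothetical and constructed, and it assumes the username is compared against the subject's CN exactly, using a simplified subject parser that ignores escaped commas.

```cpp
#include <ctime>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical model of a certificate-store entry (not a Qpid or Windows type).
struct CertEntry {
    std::string subject, thumbprint;   // constructed sample values
    std::time_t notBefore, notAfter;
    bool hasPrivateKey;
};

// Return the CN value of a comma-separated subject, or "" if there is none.
std::string commonName(const std::string& subject) {
    std::string::size_type pos = 0;
    while ((pos = subject.find("CN=", pos)) != std::string::npos) {
        if (pos == 0 || subject[pos - 1] == ' ' || subject[pos - 1] == ',') break;
        pos += 3;   // "CN=" inside another attribute value, keep looking
    }
    if (pos == std::string::npos) return "";
    pos += 3;
    std::string::size_type end = subject.find(',', pos);
    return subject.substr(pos, end == std::string::npos ? end : end - pos);
}

// Thumbprint of the certificate to present for `username`, or "" if none is usable.
std::string selectClientCert(const std::vector<CertEntry>& store,
                             const std::string& username, std::time_t now) {
    const CertEntry* best = nullptr;
    for (const CertEntry& c : store) {
        if (commonName(c.subject) != username) continue;      // exact CN: "alice" != "alice2"
        if (!c.hasPrivateKey) continue;                       // unusable for client auth
        if (now < c.notBefore || now > c.notAfter) continue;  // outside validity window
        if (!best || c.notAfter > best->notAfter ||
            (c.notAfter == best->notAfter && c.thumbprint < best->thumbprint))
            best = &c;                                        // longest-lived, stable tie-break
    }
    return best ? best->thumbprint : "";
}

// Constructed store contents; times are small integers for readability.
std::vector<CertEntry> sampleStore() {
    return {{"CN=alice, O=Example", "AA01", 100, 200, true},    // expired at now=500
            {"CN=alice2, O=Example", "AA02", 100, 900, true},   // other user
            {"CN=alice, O=Example", "AA03", 300, 990, false},   // no private key
            {"CN=alice, O=Example", "AA04", 300, 800, true},
            {"CN=alice, O=Example", "AA05", 400, 950, true}};
}

int main() {
    std::cout << selectClientCert(sampleStore(), "alice", 500) << "\n";
}
```

An empty result is the case to surface to the caller as a configuration error, so the connection does not fall back to whichever certificate happens to be enumerated first.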

