qpid-users mailing list archives

From Jakub Scholz <ja...@scholz.cz>
Subject Re: SSL Client Authentication support for C++ on Windows
Date Wed, 07 Mar 2012 18:37:49 GMT
Hi Steve,

Yes, I know. There are still some unresolved issues, as mentioned in
the first email, and I also need to check how it works against the
trunk - this version is prepared against the 0.14 release. The patch here
is mainly for the people who want to give it a try ... once I have
that, I will create a JIRA and attach it with the licence granted.

Regards
Jakub

On Wed, Mar 7, 2012 at 18:13, Steve Huston <shuston@riverace.com> wrote:
> Ok, Jakub, but we still need to have the patch(es) attached to a jira and
> make sure you check the box granting rights to ASF, or we can't use it.
>
> I just checked and did not see an existing jira for this issue (though it
> has been discussed on the mailing list recently), so please go ahead and
> open a new jira, and attach your patches to that.
>
> Thanks!
> -Steve
>
>> -----Original Message-----
>> From: Jakub Scholz [mailto:jakub@scholz.cz]
>> Sent: Wednesday, March 07, 2012 4:22 AM
>> To: users@qpid.apache.org
>> Subject: Re: SSL Client Authentication support for C++ on Windows
>>
>> BTW: The attachment was probably discarded by the mailing list server,
>> so I uploaded it to http://pastebin.com/gb1RnUYk ... the URL will
>> hopefully survive :-)
>>
>> On Wed, Mar 7, 2012 at 00:47, Jakub Scholz <jakub@scholz.cz> wrote:
>> > Hi,
>> >
>> > I played a bit with the support for SSL client authentication in the
>> > C++ API for Windows. It seems that I got it working, at least against
>> > our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I made the following changes:
>> > 1) Added support for the SASL EXTERNAL mechanism
>> > 2) Added a new connection option ssl-cert-store which allows selecting
>> > the certificate store which should be used to search for the
>> > certificate. If not specified, the default "Personal" store is used.
>> > 3) Changed the SSL Connector to try to load the private key if
>> > the EXTERNAL mechanism has been selected
>> > 4) The username for the SASL EXTERNAL mechanism is taken from the
>> > "username" connection option. The username is also used to find the
>> > right certificate, since the username has to be in the subject of the
>> > certificate. I was considering adding a new option for this, but this
>> > approach seemed to be the best.
>> >
>> > Currently, I'm aware of a few limitations:
>> > 1) When the SSL client authentication is enabled on the broker, the
>> > client can connect only with EXTERNAL, not with PLAIN. But this
>> > problem was there already before my changes ... I have some idea where
>> > the problem is, but I'm not sure whether I will manage to fix it ...
>> > 2) When there are multiple certificates with a matching subject, the
>> > first one is always used. I didn't find any better method for
>> > selecting the certificate ...
>> >
>> > Also, the current version is developed against the 0.14 source code,
>> > because I had some problems getting the trunk to compile & work ... I
>> > have to look at it ...
>> >
>> > The patch is attached. If someone wants to try it right now, feel free
>> > to do so. Also if anyone has some comments, please share them.
>> > Otherwise, I will try to reconcile the patch to trunk and will attach
>> > the patch to some JIRA Issue ... either existing one or a new one -
>> > I'm not sure whether there already is some open JIRA covering it.
>> >
>> > Regards
>> > Jakub
>> >
>> > PS: I haven't looked into the .NET API yet. Does someone know whether
>> > the .NET API needs to be somehow modified or are the modifications in
>> > the C++ APIs automatically used by the .NET?
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For additional
>> commands, e-mail: users-help@qpid.apache.org
>
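
Limitation 2 in the quoted message (several certificates with a matching subject, the first one used) can be handled by ranking the candidates instead of taking the first hit. The following is an added example, not code from the patch or from Qpid: `Cert`, `usable`, `selectClientCert` and the sample store are hypothetical and constructed, and it assumes the store entries have already been enumerated into plain records.

```cpp
#include <ctime>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for one certificate-store entry (hypothetical fields).
struct Cert {
    std::string subjectCN;   // CN attribute of the subject
    std::time_t notBefore;   // start of validity
    std::time_t notAfter;    // end of validity
    bool hasPrivateKey;      // entry has an associated private key
    bool clientAuthEku;      // extended key usage permits TLS client auth
    std::string label;       // constructed tag, only identifies the pick
};

// Can this entry authenticate `username` via SASL EXTERNAL at time `now`?
static bool usable(const Cert& c, const std::string& username, std::time_t now) {
    return c.subjectCN == username          // whole CN, never a substring match
        && c.hasPrivateKey && c.clientAuthEku
        && c.notBefore <= now && now <= c.notAfter;
}

// Among usable entries pick the one that expires last; on a tie the earlier
// store entry wins, so the result is deterministic. nullptr means no match.
const Cert* selectClientCert(const std::vector<Cert>& store,
                             const std::string& username, std::time_t now) {
    const Cert* best = nullptr;
    for (const Cert& c : store) {
        if (!usable(c, username, now)) continue;
        if (best == nullptr || c.notAfter > best->notAfter) best = &c;
    }
    return best;
}

// Constructed sample store; times are small integers for readability.
std::vector<Cert> sampleStore() {
    return {
        {"guest-admin", 1000, 3000, true,  true,  "other-user"},
        {"guest",          0, 1200, true,  true,  "expired"},
        {"guest",       1000, 2000, false, true,  "no-key"},
        {"guest",       1000, 2000, true,  true,  "current"},
        {"guest",       1400, 4000, true,  true,  "renewed"},
        {"guest",       1000, 9000, true,  false, "server-only"},
    };
}

int main() {
    const std::vector<Cert> store = sampleStore();
    const Cert* pick = selectClientCert(store, "guest", 1500);
    std::cout << (pick ? pick->label : "none") << "\n";
    return 0;
}
```

Returning no certificate when nothing qualifies lets the connection fail with a clear error instead of presenting an expired or unrelated identity to the broker.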
