qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jakub Scholz <ja...@scholz.cz>
Subject SSL Client Authentication support for C++ on Windows
Date Tue, 06 Mar 2012 23:47:31 GMT

I played a bit with the support for SSL client authentication in the
C++ API for Windows. It seems that I got it working, at least against
our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I did following changes:
1) Added a support for SASL EXTERNAL mechanism
2) Added new connection option ssl-cert-store which allows to select
the certificate store which should be used to search for the
certificate. If not specified, the default "Personal" store is used.
3) Changed the SSL Connector to try to load the private key if
EXTERNAL mechanism has been selected
4) The username for the SASL EXTERNAL mechanism is used from the
"username" connection option. The username is also used to find the
right certificate, since the username has to be in the subject of the
certificate. I was considering adding new option for this, but this
approach seemed to be the best.

Currently, I'm aware of few limitations:
1) when the SSL client authentication is enabled on the broker, the
client can connect only with EXTERNAL, not with PLAIN. But this
problem was there already before my changes ... I have some idea where
the problem is, but I'm not sure whether I will manage to fix it ...
2) When there are multiple certificates with a matching subject, the
first one is always used. I didn't found any better method for
selecting the certificate ...

Also, the current version is developed against 0.14 source codes,
because I had some problems getting the trunk to compile&work ... I
have to look at it ...

The patch is attached. If someone wants to try it right now, feel free
to do so. Also if anyone has some comments, please share them.
Otherwise, I will try to reconcile the patch to trunk and will attach
the patch to some JIRA Issue ... either existing one or a new one -
I'm not sure whether there already is some open JIRA covering it.


PS: I didn't looked into the .NET API yet. Does someone know whether
the .NET API needs to be somehow modified or are the modifications in
the C++ APIs automatically used by the .NET?

View raw message