qpid-users mailing list archives

From Jakub Scholz <ja...@scholz.cz>
Subject Re: SSL Client Authentication support for C++ on Windows
Date Wed, 07 Mar 2012 09:22:13 GMT
BTW: The attachment was probably discarded by the mailing list server,
so I uploaded it to http://pastebin.com/gb1RnUYk ... the URL will
hopefully survive :-)

On Wed, Mar 7, 2012 at 00:47, Jakub Scholz <jakub@scholz.cz> wrote:
> Hi,
>
> I played a bit with the support for SSL client authentication in the
> C++ API for Windows. It seems that I got it working, at least against
> our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I made the following changes:
> 1) Added support for the SASL EXTERNAL mechanism
> 2) Added a new connection option ssl-cert-store which allows selecting
> the certificate store which should be used to search for the
> certificate. If not specified, the default "Personal" store is used.
> 3) Changed the SSL Connector to try to load the private key if
> the EXTERNAL mechanism has been selected
> 4) The username for the SASL EXTERNAL mechanism is used from the
> "username" connection option. The username is also used to find the
> right certificate, since the username has to be in the subject of the
> certificate. I was considering adding a new option for this, but this
> approach seemed to be the best.
>
> Currently, I'm aware of a few limitations:
> 1) When the SSL client authentication is enabled on the broker, the
> client can connect only with EXTERNAL, not with PLAIN. But this
> problem was there already before my changes ... I have some idea where
> the problem is, but I'm not sure whether I will manage to fix it ...
> 2) When there are multiple certificates with a matching subject, the
> first one is always used. I didn't find any better method for
> selecting the certificate ...
>
> Also, the current version is developed against the 0.14 source code,
> because I had some problems getting the trunk to compile & work ... I
> have to look at it ...
>
> The patch is attached. If someone wants to try it right now, feel free
> to do so. Also if anyone has some comments, please share them.
> Otherwise, I will try to reconcile the patch to trunk and will attach
> the patch to some JIRA Issue ... either existing one or a new one -
> I'm not sure whether there already is some open JIRA covering it.
>
> Regards
> Jakub
>
> PS: I didn't look into the .NET API yet. Does someone know whether
> the .NET API needs to be somehow modified or are the modifications in
> the C++ APIs automatically used by the .NET?
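
Added example, not part of the original message or the attached patch: one possible deterministic policy for the case described in limitation 2, where several certificates have a subject matching the username. The store is modeled in memory with constructed data and no Windows API is called; CertInfo, selectClientCert and sampleStore are hypothetical names.

```cpp
#include <string>
#include <vector>

// Constructed model of a certificate-store entry; field names are hypothetical
// and stand in for what a real store lookup would return.
struct CertInfo {
    std::string subjectCN;   // CN from the certificate subject
    long notBefore;          // validity start (epoch seconds)
    long notAfter;           // validity end (epoch seconds)
    bool hasPrivateKey;      // private key available to this user
    bool clientAuthEku;      // EKU permits TLS client authentication
    std::string thumbprint;  // constructed label, used only as a tie-break
};

// Returns the certificate to present for `username`, or nullptr if none is usable.
const CertInfo* selectClientCert(const std::vector<CertInfo>& store,
                                 const std::string& username, long now) {
    const CertInfo* best = nullptr;
    for (const CertInfo& c : store) {
        if (c.subjectCN != username) continue;                // exact match, not substring
        if (now < c.notBefore || now > c.notAfter) continue;  // expired or not yet valid
        if (!c.hasPrivateKey || !c.clientAuthEku) continue;   // cannot authenticate with it
        if (!best || c.notAfter > best->notAfter ||
            (c.notAfter == best->notAfter && c.thumbprint < best->thumbprint))
            best = &c;  // latest expiry wins; thumbprint breaks ties deterministically
    }
    return best;
}

// Constructed sample store: several entries whose subject equals or contains "guest".
std::vector<CertInfo> sampleStore() {
    return {
        {"guest",  100, 500,  true,  true,  "aa01"},  // matches but expired at now=1000
        {"guest2", 100, 9000, true,  true,  "bb02"},  // substring match only
        {"guest",  100, 5000, false, true,  "cc03"},  // no private key
        {"guest",  100, 3000, true,  true,  "dd04"},  // usable
        {"guest",  200, 4000, true,  true,  "ee05"},  // usable, expires later
        {"guest",  200, 6000, true,  false, "ff06"},  // not allowed for client auth
    };
}

int main() {
    std::vector<CertInfo> store = sampleStore();
    const CertInfo* c = selectClientCert(store, "guest", 1000);
    return (c && c->thumbprint == "ee05") ? 0 : 1;
}
```

Returning nullptr when nothing qualifies lets the caller fail the EXTERNAL handshake locally instead of presenting an expired or keyless certificate to the broker.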
