qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Domen Vrankar <domen.vran...@gmail.com>
Subject C++ broker SSL authentication and ACL
Date Wed, 25 May 2016 12:14:08 GMT

Is it possible to write ACL so that it takes into account both
certificate common name and ca certificate that issued it when
granting access rights?

What I'm trying to do:

I'm using SSL authentication and ACL with C++ qpid broker like this:
- On broker side I have acl file with <client_cert_common_name>@QPID
entries for each certificate with assigned access rights,
- Also on broker side I have a NSS database that contains soft
certificates (ca certificate and server certificate),
- On client side I have a NSS database with soft client certificate
that was issued with ca certificate from broker NSS database and
public ca certificate from broker NSS database.

This works fine as long as there is only one CA issuing certificates
but I could generate some client certificates with a different ca
certificate and add that ca certificate to broker NSS database.
>From that ca certificate I could issue a certificate with same common name.
Now all of a sudden two certificates from different CA agencies have
access to same queues and I don't want that but would still like to
support client certificates from different ca authorities.

Is such configuration even possible/supported/correct thing to go for?


To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

View raw message