At least for the cpp broker, ssl-require-client-authentication=yes will do
the trick. The broker book (
http://qpid.apache.org/releases/qpid-cpp-0.34/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Security-Encryption_using_SSL)
is a good resource for SSL options.
As far as the check goes, I think it looks at the Subject Alternative Name,
and falls back to CN if there is no SAN on the cert.
On Thu, Jun 9, 2016 at 1:09 PM, Olivier Mallassi <olivier.mallassi@gmail.com> wrote:
> All,
>
> The whole idea is
> (1) to build the following chain : clients (Java/c++) <-> dispatcher(s) <->
> java qpid brokers.
> (2) with two-way SSL between all the components.
>
> Tests are ongoing but I was wondering if there is a way to configure the
> dispatchers and the brokers to check (or not) the client hostname (while
> checking the client certificate)?
> If activated, does it use the CN for hostname?
>
> Thx for your help.
>
> Cheers.
>
> Olivier.
>
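
The matching order described in the reply above (Subject Alternative Name first, CN only when the certificate carries no SAN), as an added example that is not from this thread or from Qpid's code. It assumes certificates in the dict layout returned by Python's `ssl.getpeercert()`; the function names, the sample certificates and the single-label wildcard rule are assumptions made for the illustration.

```python
# Added illustration: SAN-first peer name check with CN fallback.
# Not Qpid code. Certificates use the ssl.getpeercert() dict layout.

def _name_match(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # A wildcard covers exactly one label and never a bare TLD such as "*.com".
    head, _, tail = h.partition(".")
    return bool(head) and tail == p[2:] and "." in tail


def peer_names(cert):
    """Return (source, names): dNSName SANs if any exist, otherwise subject CNs."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return "SAN", sans
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return "CN", cns


def hostname_ok(cert, host):
    """True if host matches a SAN, or a CN when the certificate has no DNS SAN."""
    _source, names = peer_names(cert)
    return any(_name_match(n, host) for n in names)


# Constructed sample certificates (not real peers).
SAN_CERT = {
    "subject": ((("commonName", "client1.example.com"),),),
    "subjectAltName": (("DNS", "router.example.com"),
                       ("DNS", "*.dispatch.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "client1.example.com"),),)}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "router.example.com"),
                       (SAN_CERT, "client1.example.com"),   # CN ignored: SAN present
                       (CN_ONLY_CERT, "client1.example.com")]:
        print(peer_names(cert)[0], host, hostname_ok(cert, host))
```

The second sample pair is the case that surprises people: once a certificate has any DNS SAN, a hostname that appears only in the CN no longer matches.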