qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Donner <jdon...@morphodetection.com>
Subject Getting a client onto the qpidd broker via Proton C++, mutually authenticated with SSL. Or SASL.
Date Tue, 09 Aug 2016 03:39:51 GMT
Hi -

  What is some C++ code to get a client /onto the broker/ via SSL, with Proton, and mutually
authenticated? Assuming that I have all the needed .pem or certutil .db files? I prefer peer-to-peer
(certificate exchange) rather than an internal root CA, though I can do that too if need be.

There's an example in this mailing list thread:

http://qpid.2158936.n2.nabble.com/EXTERNAL-authentication-and-peer-certificates-td6270012.html#a6293640,

but that particular qpid-perf client probably isn't applicable to Proton (it's not in the
source) and I'm not convinced that Proton accepts the QPID_* env. vars. (Does Proton accept
those, btw? Or is they only for the older C++ client? I don't find them in the Proton source.)
I tried the same setup with the  examples/cpp/client.cpp example with the same env vars set
and had no luck:

> ssl-play$ ./client -a amqps://0.0.0.0:5671/example
> amqp:connection:framing-error: SSL Failure: error:14094412:SSL routines:ssl3_read_bytes:sslv3
alert bad certificate

I gather that examples/cpp/ssl_client_cert.cpp is the most relevant example (in 0.12.1,2 --
though I can go to 0.13, or 0.14 if that's easier), but it deals in .pem files, how would
you make it use certutil .db files, so as to handle clients with multiple, different certs?


Here's the SSL-configuration part of examples/cpp/ssl_client_cert.cpp:

  void on_start(proton::event &e) {
    // "EXTERNAL", where authentication is implicit in the context (e.g.,
    // for protocols already using IPsec or TLS)
    //
    // Configure listener.  Details vary by platform.
    ssl_certificate server_cert = platform_certificate("tserver", "tserverpw");
    std::string client_CA = platform_CA("tclient");
    // Specify an SSL domain with CA's for client certificate verification.
    ssl_server_options srv_ssl(server_cert, client_CA);
    connection_options server_opts;
    server_opts.ssl_server_options(srv_ssl).handler(&s_handler);
    server_opts.allowed_mechs("EXTERNAL");
    e.container().server_connection_options(server_opts);

    // Configure client.
    ssl_certificate client_cert = platform_certificate("tclient", "tclientpw");
    std::string server_CA = platform_CA("tserver");
    ssl_client_options ssl_cli(client_cert, server_CA);
    connection_options client_opts;
    client_opts.ssl_client_options(ssl_cli).allowed_mechs("EXTERNAL");
    // Validate the server certificate against this name:
    client_opts.peer_hostname("test_server");
    e.container().client_connection_options(client_opts);

    s_handler.inbound_listener = e.container().listen(url);
    e.container().open_sender(url);
  }


// Support utils:
// Just the certificate.pem
std::string platform_CA(const std::string &base_name) {
    return g_cert_directory + base_name + "-certificate.pem";
}

// The certificate and the private key
ssl_certificate platform_certificate(const std::string &base_name,
                                     const std::string &passwd) {
    return ssl_certificate(g_cert_directory + base_name + "-certificate.pem",
                           g_cert_directory + base_name + "-private-key.pem",
                           passwd);
}

Any help greatly appreciated.

Thanks,
Jeff


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message