qpid-users mailing list archives

From Jakub Scholz <ja...@scholz.cz>
Subject Re: Getting a client onto the qpidd broker via Proton C++, mutually authenticated with SSL. Or SASL.
Date Tue, 09 Aug 2016 21:42:11 GMT
Hi Jeff,

The QPID_* variables and the certutil databases work only with the Qpid
Messaging C++ API (
http://qpid.apache.org/components/messaging-api/index.html) or with the
Qpid C++ broker. They are not supported by Proton's C++ API - you really
have to use PEM files directly. However, the trusted peer / trusted CA
concept which is discussed in the old discussion you linked is part of the
broker setup. So as long as your broker is still the C++ broker / qpidd,
you can easily use Proton with trusted peer certificates.

Here is some example code which has a Proton C++ client connecting to the Qpid
C++ broker with SSL client authentication:
https://github.com/Eurex-Clearing-Messaging-Interfaces/C-Code-Examples

Regards
Jakub


On Tue, Aug 9, 2016 at 5:39 AM, Jeff Donner <jdonner@morphodetection.com>
wrote:

> Hi -
>
>   What is some C++ code to get a client /onto the broker/ via SSL, with
> Proton, and mutually authenticated? Assuming that I have all the needed
> .pem or certutil .db files? I prefer peer-to-peer (certificate exchange)
> rather than an internal root CA, though I can do that too if need be.
>
> There's an example in this mailing list thread:
>
> http://qpid.2158936.n2.nabble.com/EXTERNAL-authentication-and-peer-certificates-td6270012.html#a6293640,
>
> but that particular qpid-perf client probably isn't applicable to Proton
> (it's not in the source) and I'm not convinced that Proton accepts the
> QPID_* env. vars. (Does Proton accept those, btw? Or are they only for the
> older C++ client? I don't find them in the Proton source.) I tried the same
> setup with the examples/cpp/client.cpp example with the same env vars set
> and had no luck:
>
> > ssl-play$ ./client -a amqps://0.0.0.0:5671/example
> > amqp:connection:framing-error: SSL Failure: error:14094412:SSL
> routines:ssl3_read_bytes:sslv3 alert bad certificate
>
> I gather that examples/cpp/ssl_client_cert.cpp is the most relevant
> example (in 0.12.1,2 -- though I can go to 0.13, or 0.14 if that's easier),
> but it deals in .pem files, how would you make it use certutil .db files,
> so as to handle clients with multiple, different certs?
>
>
> Here's the SSL-configuration part of examples/cpp/ssl_client_cert.cpp:
>
>   void on_start(proton::event &e) {
>     // "EXTERNAL", where authentication is implicit in the context (e.g.,
>     // for protocols already using IPsec or TLS)
>     //
>     // Configure listener.  Details vary by platform.
>     ssl_certificate server_cert = platform_certificate("tserver", "tserverpw");
>     std::string client_CA = platform_CA("tclient");
>     // Specify an SSL domain with CA's for client certificate verification.
>     ssl_server_options srv_ssl(server_cert, client_CA);
>     connection_options server_opts;
>     server_opts.ssl_server_options(srv_ssl).handler(&s_handler);
>     server_opts.allowed_mechs("EXTERNAL");
>     e.container().server_connection_options(server_opts);
>
>     // Configure client.
>     ssl_certificate client_cert = platform_certificate("tclient", "tclientpw");
>     std::string server_CA = platform_CA("tserver");
>     ssl_client_options ssl_cli(client_cert, server_CA);
>     connection_options client_opts;
>     client_opts.ssl_client_options(ssl_cli).allowed_mechs("EXTERNAL");
>     // Validate the server certificate against this name:
>     client_opts.peer_hostname("test_server");
>     e.container().client_connection_options(client_opts);
>
>     s_handler.inbound_listener = e.container().listen(url);
>     e.container().open_sender(url);
>   }
>
>
> // Support utils:
> // Just the certificate.pem
> std::string platform_CA(const std::string &base_name) {
>     return g_cert_directory + base_name + "-certificate.pem";
> }
>
> // The certificate and the private key
> ssl_certificate platform_certificate(const std::string &base_name,
>                                      const std::string &passwd) {
>     return ssl_certificate(g_cert_directory + base_name + "-certificate.pem",
>                            g_cert_directory + base_name + "-private-key.pem",
>                            passwd);
> }
> }
>
> Any help greatly appreciated.
>
> Thanks,
> Jeff
>
>
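Since Proton's C++ API takes PEM files directly, the practical step is producing them in the layout the quoted ssl_client_cert.cpp helpers expect and checking the trusted-peer relationship before Proton ever sees them. The script below is an added example, not code from this thread or from the Qpid/Proton projects. It reuses the names from the quoted example (tserver/tclient, tserverpw/tclientpw, the peer_hostname "test_server") and assumes openssl is on PATH; the certutil .db export path additionally assumes the NSS pk12util tool is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qpid/Proton.
# Produces the PEM files that the ssl_certificate()/platform_CA() helpers in
# examples/cpp/ssl_client_cert.cpp expect:
#   <dir>/<base>-certificate.pem   (the cert; also what the other side trusts)
#   <dir>/<base>-private-key.pem   (key, encrypted with the password that is
#                                   passed as the third ssl_certificate() arg)
# and checks the trusted-peer relationship with openssl before Proton sees it.
set -eu

# Self-signed certificate plus password-protected key. Assumes openssl on PATH.
make_self_signed() {  # make_self_signed <dir> <base> <common-name> <key-password>
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -subj "/CN=$3" \
        -keyout "$1/$2-private-key.pem" -passout "pass:$4" \
        -out "$1/$2-certificate.pem" >/dev/null 2>&1
}

# Trusted-peer (no internal CA) check: the trust store handed to the other
# side is the peer's own certificate, so verification succeeds only for that
# exact certificate. This is the same file you pass as the CA argument to
# ssl_client_options / ssl_server_options in the quoted example.
verify_trusted_peer() {  # verify_trusted_peer <trusted-cert.pem> <presented-cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Export a cert/key pair from a certutil (NSS) database into the same PEM
# layout. pk12util is part of the NSS tools; returns 2 if it is not installed.
# If the database has its own password, pk12util prompts for it.
export_nss_to_pem() {  # export_nss_to_pem <nss-db-dir> <nickname> <dir> <base> <password>
    command -v pk12util >/dev/null 2>&1 || return 2
    p12=$(mktemp)
    pk12util -o "$p12" -n "$2" -d "$1" -W "$5"
    # OpenSSL 3 may need -legacy on these two commands for PKCS#12 files
    # written with older ciphers.
    openssl pkcs12 -in "$p12" -passin "pass:$5" -clcerts -nokeys \
        -out "$3/$4-certificate.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$5" -nocerts \
        -passout "pass:$5" -out "$3/$4-private-key.pem"
    rm -f "$p12"
}

# Demo with the names used in the quoted example; run as: sh this_script.sh
certdir=$(mktemp -d)
make_self_signed "$certdir" tserver test_server tserverpw
make_self_signed "$certdir" tclient test_client tclientpw
verify_trusted_peer "$certdir/tclient-certificate.pem" "$certdir/tclient-certificate.pem" \
    && echo "client cert accepted as trusted peer"
verify_trusted_peer "$certdir/tserver-certificate.pem" "$certdir/tclient-certificate.pem" \
    || echo "client cert rejected when only the server cert is trusted (expected)"
echo "PEM files for Proton are in $certdir"
```

Point g_cert_directory at the produced directory and the quoted platform_certificate("tclient", "tclientpw") / platform_CA("tserver") calls resolve to these files. Because the trust store is one peer certificate rather than a CA, each additional client with its own certificate needs its certificate added to what the broker side trusts; with qpidd that is the broker's trusted-peer configuration, which is the point made in the reply above.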
