diff options
| author | Gordon Sim <gsim@apache.org> | 2010-03-05 16:51:22 +0000 |
|---|---|---|
| committer | Gordon Sim <gsim@apache.org> | 2010-03-05 16:51:22 +0000 |
| commit | f5e41be93bec9b5556a65292516db07ff845f7d4 (patch) | |
| tree | d26b9519d281dbb36fd6717205462399292896dd /cpp/src/qpid/client/Sasl.h | |
| parent | 74d838068a2a24423c0c5af1e33b612e132291fb (diff) | |
| download | qpid-python-f5e41be93bec9b5556a65292516db07ff845f7d4.tar.gz | |
QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections.
On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.
The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src/qpid/client/Sasl.h')
| -rw-r--r-- | cpp/src/qpid/client/Sasl.h | 14 |
1 files changed, 4 insertions, 10 deletions
diff --git a/cpp/src/qpid/client/Sasl.h b/cpp/src/qpid/client/Sasl.h index 63da37fcb1..56735a5fc3 100644 --- a/cpp/src/qpid/client/Sasl.h +++ b/cpp/src/qpid/client/Sasl.h @@ -30,6 +30,7 @@ namespace qpid { namespace sys { class SecurityLayer; +struct SecuritySettings; } namespace client { @@ -48,17 +49,10 @@ class Sasl * * @param mechanisms Comma-separated list of the SASL mechanism the * client supports. - * @param ssf Security Strength Factor (SSF). SSF is used to negotiate - * a SASL security layer on top of the connection should both - * parties require and support it. The value indicates the - * required level of security for communication. Possible - * values are: - * @li 0 No security - * @li 1 Integrity checking only - * @li >1 Integrity and confidentiality with the number - * giving the encryption key length. + * @param externalSecuritySettings security related details from the underlying transport */ - virtual std::string start(const std::string& mechanisms, unsigned int ssf) = 0; + virtual std::string start(const std::string& mechanisms, + const qpid::sys::SecuritySettings* externalSecuritySettings = 0) = 0; virtual std::string step(const std::string& challenge) = 0; virtual std::string getMechanism() = 0; virtual std::string getUserId() = 0; |