diff options
| author | Gordon Sim <gsim@apache.org> | 2010-03-05 16:51:22 +0000 |
|---|---|---|
| committer | Gordon Sim <gsim@apache.org> | 2010-03-05 16:51:22 +0000 |
| commit | f5e41be93bec9b5556a65292516db07ff845f7d4 (patch) | |
| tree | d26b9519d281dbb36fd6717205462399292896dd /cpp/src/qpid/sys/ssl/SslHandler.cpp | |
| parent | 74d838068a2a24423c0c5af1e33b612e132291fb (diff) | |
| download | qpid-python-f5e41be93bec9b5556a65292516db07ff845f7d4.tar.gz | |
QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections.
On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.
The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src/qpid/sys/ssl/SslHandler.cpp')
| -rw-r--r-- | cpp/src/qpid/sys/ssl/SslHandler.cpp | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/cpp/src/qpid/sys/ssl/SslHandler.cpp b/cpp/src/qpid/sys/ssl/SslHandler.cpp index 3469f88c0f..5516d72065 100644 --- a/cpp/src/qpid/sys/ssl/SslHandler.cpp +++ b/cpp/src/qpid/sys/ssl/SslHandler.cpp @@ -42,13 +42,14 @@ struct Buff : public SslIO::BufferBase { { delete [] bytes;} }; -SslHandler::SslHandler(std::string id, ConnectionCodec::Factory* f) : +SslHandler::SslHandler(std::string id, ConnectionCodec::Factory* f, bool _nodict) : identifier(id), aio(0), factory(f), codec(0), readError(false), - isClient(false) + isClient(false), + nodict(_nodict) {} SslHandler::~SslHandler() { @@ -111,7 +112,7 @@ void SslHandler::readbuff(SslIO& , SslIO::BufferBase* buff) { decoded = in.getPosition(); QPID_LOG(debug, "RECV [" << identifier << "] INIT(" << protocolInit << ")"); try { - codec = factory->create(protocolInit.getVersion(), *this, identifier, aio->getKeyLen()); + codec = factory->create(protocolInit.getVersion(), *this, identifier, getSecuritySettings(aio)); if (!codec) { //TODO: may still want to revise this... //send valid version header & close connection. @@ -166,7 +167,7 @@ void SslHandler::nobuffs(SslIO&) { void SslHandler::idle(SslIO&){ if (isClient && codec == 0) { - codec = factory->create(*this, identifier, aio->getKeyLen()); + codec = factory->create(*this, identifier, getSecuritySettings(aio)); write(framing::ProtocolInitiation(codec->getVersion())); return; } @@ -183,5 +184,12 @@ void SslHandler::idle(SslIO&){ aio->queueWriteClose(); } +SecuritySettings SslHandler::getSecuritySettings(SslIO* aio) +{ + SecuritySettings settings = aio->getSecuritySettings(); + settings.nodict = nodict; + return settings; +} + }}} // namespace qpid::sys::ssl |