From f5e41be93bec9b5556a65292516db07ff845f7d4 Mon Sep 17 00:00:00 2001 From: Gordon Sim Date: Fri, 5 Mar 2010 16:51:22 +0000 Subject: QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections. On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use. The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example). git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68 --- cpp/src/qpid/broker/SecureConnectionFactory.cpp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'cpp/src/qpid/broker/SecureConnectionFactory.cpp') diff --git a/cpp/src/qpid/broker/SecureConnectionFactory.cpp b/cpp/src/qpid/broker/SecureConnectionFactory.cpp index 5a31dbceeb..754b443c22 100644 --- a/cpp/src/qpid/broker/SecureConnectionFactory.cpp +++ b/cpp/src/qpid/broker/SecureConnectionFactory.cpp @@ -23,12 +23,14 @@ #include "qpid/amqp_0_10/Connection.h" #include "qpid/broker/Connection.h" #include "qpid/broker/SecureConnection.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/log/Statement.h" namespace qpid { namespace broker { using framing::ProtocolVersion; +using qpid::sys::SecuritySettings; typedef std::auto_ptr CodecPtr; typedef std::auto_ptr SecureConnectionPtr; typedef std::auto_ptr ConnectionPtr; @@ -38,7 +40,7 @@ SecureConnectionFactory::SecureConnectionFactory(Broker& b) : broker(b) {} sys::ConnectionCodec* SecureConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std::string& id, - unsigned int conn_ssf ) { + const SecuritySettings& external) { if (broker.getConnectionCounter().allowConnection()) { QPID_LOG(error, "Client max connection count limit exceeded: " << broker.getOptions().maxConnections << " connection refused"); @@ -47,7 +49,7 @@ SecureConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, cons if (v == ProtocolVersion(0, 10)) { SecureConnectionPtr sc(new SecureConnection()); CodecPtr c(new amqp_0_10::Connection(out, id, false)); - ConnectionPtr i(new broker::Connection(c.get(), broker, id, conn_ssf, false)); + ConnectionPtr i(new broker::Connection(c.get(), broker, id, external, false)); i->setSecureConnection(sc.get()); c->setInputHandler(InputPtr(i.release())); sc->setCodec(std::auto_ptr(c)); @@ -58,11 +60,11 @@ SecureConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, cons sys::ConnectionCodec* SecureConnectionFactory::create(sys::OutputControl& out, const std::string& id, - unsigned int conn_ssf) { + const SecuritySettings& external) { // used to create connections from one broker to another SecureConnectionPtr sc(new SecureConnection()); CodecPtr c(new amqp_0_10::Connection(out, id, true)); - ConnectionPtr i(new broker::Connection(c.get(), broker, id, conn_ssf, true )); + ConnectionPtr i(new broker::Connection(c.get(), broker, id, external, true )); i->setSecureConnection(sc.get()); c->setInputHandler(InputPtr(i.release())); sc->setCodec(std::auto_ptr(c)); -- cgit v1.2.1