From f5e41be93bec9b5556a65292516db07ff845f7d4 Mon Sep 17 00:00:00 2001 From: Gordon Sim Date: Fri, 5 Mar 2010 16:51:22 +0000 Subject: QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections. On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use. The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example). git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68 --- cpp/src/qpid/client/SslConnector.cpp | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'cpp/src/qpid/client/SslConnector.cpp') diff --git a/cpp/src/qpid/client/SslConnector.cpp b/cpp/src/qpid/client/SslConnector.cpp index cf6d54d261..0c794145db 100644 --- a/cpp/src/qpid/client/SslConnector.cpp +++ b/cpp/src/qpid/client/SslConnector.cpp @@ -34,6 +34,7 @@ #include "qpid/sys/ssl/SslSocket.h" #include "qpid/sys/Dispatcher.h" #include "qpid/sys/Poller.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/Msg.h" #include @@ -86,6 +87,7 @@ class SslConnector : public Connector const uint16_t maxFrameSize; framing::ProtocolVersion version; bool initiated; + SecuritySettings securitySettings; sys::Mutex closedLock; bool closed; @@ -125,7 +127,7 @@ class SslConnector : public Connector sys::ShutdownHandler* getShutdownHandler() const; framing::OutputHandler* getOutputHandler(); const std::string& getIdentifier() const; - unsigned int getSSF() { return socket.getKeyLen(); } + const SecuritySettings* getSecuritySettings(); public: SslConnector(Poller::shared_ptr p, framing::ProtocolVersion pVersion, @@ -366,4 +368,11 @@ void SslConnector::eof(SslIO&) { handleClosed(); } +const SecuritySettings* SslConnector::getSecuritySettings() +{ + securitySettings.ssf = socket.getKeyLen(); + securitySettings.authid = "dummy";//set to non-empty string to enable external authentication + return &securitySettings; +} + }} // namespace qpid::client -- cgit v1.2.1