From f5e41be93bec9b5556a65292516db07ff845f7d4 Mon Sep 17 00:00:00 2001 From: Gordon Sim Date: Fri, 5 Mar 2010 16:51:22 +0000 Subject: QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections. On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use. The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example). git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68 --- cpp/src/qpid/cluster/Cluster.cpp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'cpp/src/qpid/cluster/Cluster.cpp') diff --git a/cpp/src/qpid/cluster/Cluster.cpp b/cpp/src/qpid/cluster/Cluster.cpp index 460f974b36..9da183a14d 100644 --- a/cpp/src/qpid/cluster/Cluster.cpp +++ b/cpp/src/qpid/cluster/Cluster.cpp @@ -510,8 +510,13 @@ ConnectionPtr Cluster::getConnection(const EventFrame& e, Lock&) { assert(cp); } else { // New remote connection, create a shadow. - unsigned int ssf = (announce && announce->hasSsf()) ? announce->getSsf() : 0; - cp = new Connection(*this, shadowOut, announce->getManagementId(), id, ssf); + qpid::sys::SecuritySettings secSettings; + if (announce) { + secSettings.ssf = announce->getSsf(); + secSettings.authid = announce->getAuthid(); + secSettings.nodict = announce->getNodict(); + } + cp = new Connection(*this, shadowOut, announce->getManagementId(), id, secSettings); } connections.insert(ConnectionMap::value_type(id, cp)); } -- cgit v1.2.1