From f5e41be93bec9b5556a65292516db07ff845f7d4 Mon Sep 17 00:00:00 2001 From: Gordon Sim Date: Fri, 5 Mar 2010 16:51:22 +0000 Subject: QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections. On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use. The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example). git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68 --- cpp/src/qpid/sys/ConnectionCodec.h | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) (limited to 'cpp/src/qpid/sys/ConnectionCodec.h') diff --git a/cpp/src/qpid/sys/ConnectionCodec.h b/cpp/src/qpid/sys/ConnectionCodec.h index 7231b1daa6..c2890f06dc 100644 --- a/cpp/src/qpid/sys/ConnectionCodec.h +++ b/cpp/src/qpid/sys/ConnectionCodec.h @@ -30,6 +30,7 @@ namespace sys { class InputHandlerFactory; class OutputControl; +struct SecuritySettings; /** * Interface of coder/decoder for a connection of a specific protocol @@ -49,27 +50,15 @@ class ConnectionCodec : public Codec { struct Factory { virtual ~Factory() {} - /** Security Strength Factor - indicates the level of security provided - * by the underlying transport. If zero, the transport provides no - * security (e.g. TCP). If non-zero, the transport provides some level - * of security (e.g. SSL). The values for SSF can be interpreted as: - * - * 0 = No protection. - * 1 = Integrity checking only. - * >1 = Supports authentication, integrity and confidentiality. - * The number represents the encryption key length. - */ - /** Return 0 if version unknown */ virtual ConnectionCodec* create( framing::ProtocolVersion, OutputControl&, const std::string& id, - unsigned int conn_ssf + const SecuritySettings& ) = 0; /** Return "preferred" codec for outbound connections. */ virtual ConnectionCodec* create( - OutputControl&, const std::string& id, - unsigned int conn_ssf + OutputControl&, const std::string& id, const SecuritySettings& ) = 0; }; }; -- cgit v1.2.1