From 2d5dc11e2f401852980cf3c5627926312b038767 Mon Sep 17 00:00:00 2001
From: Kenneth Anthony Giusti
Date: Thu, 28 Jan 2010 23:01:12 +0000
Subject: QPID-2374: Null authenticator now checks for SSL if --encryption-required specified
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@904293 13f79535-47bb-0310-9956-ffa450edef68
---
 cpp/src/qpid/broker/SaslAuthenticator.cpp | 9 +++++++--
 cpp/src/tests/ssl_test | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)
(limited to 'cpp/src')
diff --git a/cpp/src/qpid/broker/SaslAuthenticator.cpp b/cpp/src/qpid/broker/SaslAuthenticator.cpp
index 0e509c8d93..4769789bff 100644
--- a/cpp/src/qpid/broker/SaslAuthenticator.cpp
+++ b/cpp/src/qpid/broker/SaslAuthenticator.cpp
@@ -148,8 +148,13 @@ void NullAuthenticator::getMechanisms(Array& mechanisms)
 void NullAuthenticator::start(const string& mechanism, const string& response)
 {
 if (encrypt) {
- QPID_LOG(error, "Rejected un-encrypted connection.");
- throw ConnectionForcedException("Connection must be encrypted.");
+ // encryption required - check to see if we are running over an
+ // encrypted SSL connection.
+ sasl_ssf_t external_ssf = (sasl_ssf_t) connection.getSSF();
+ if (external_ssf < 1) { // < 1 == unencrypted
+ QPID_LOG(error, "Rejected un-encrypted connection.");
+ throw ConnectionForcedException("Connection must be encrypted.");
+ }
 }
 if (mechanism == "PLAIN") { // Old behavior
 if (response.size() > 0) {
diff --git a/cpp/src/tests/ssl_test b/cpp/src/tests/ssl_test
index 528833076e..36b332f868 100755
--- a/cpp/src/tests/ssl_test
+++ b/cpp/src/tests/ssl_test
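Review bot: The new check `if (external_ssf < 1)` in NullAuthenticator::start treats any non-zero SSF as encrypted, but in SASL's convention an SSF of 1 means integrity protection without confidentiality, so a floor such as `if (external_ssf < 2)` (or a configurable minimum strength) would match what the option promises. The C-style cast `(sasl_ssf_t) connection.getSSF()` also hides the return type of getSSF(), which is not visible here; if that type is signed, a negative value would convert to a large unsigned number and pass the check. Using `sasl_ssf_t` presumably ties the null authenticator to the Cyrus SASL header, so a plain `unsigned int` local would be safer if this class is meant to build without SASL. The body of start() continues past the end of the hunk.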
@@ -46,7 +46,7 @@ delete_certs() {
 }
 start_broker() {
- PORT=`../qpidd --daemon --transport ssl --port 0 --ssl-port 0 --no-data-dir --no-module-dir --auth no --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $CERT_DIR --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME`
+ PORT=`../qpidd --daemon --transport ssl --port 0 --ssl-port 0 --no-data-dir --no-module-dir --auth no --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $CERT_DIR --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME --require-encryption`
 }
 stop_broker() {
-- cgit v1.2.1
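Review bot: Adding `--require-encryption` to start_broker only exercises the accept path, assuming the clients in this script connect over SSL; nothing in the hunk checks that a client on the plain `--port 0` listener is refused, which is the behaviour the C++ change has to preserve. A negative case that connects to the unencrypted port and expects the connection to be rejected would cover it; the rest of ssl_test is outside the hunk, so such a case may already exist. The commit subject spells the option `--encryption-required` while the script passes `--require-encryption`.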