From f5e41be93bec9b5556a65292516db07ff845f7d4 Mon Sep 17 00:00:00 2001
From: Gordon Sim <gsim@apache.org>
Date: Fri, 5 Mar 2010 16:51:22 +0000
Subject: QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL
 connections.

On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.

The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68
---
 cpp/xml/cluster.xml | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'cpp/xml/cluster.xml')

diff --git a/cpp/xml/cluster.xml b/cpp/xml/cluster.xml
index 44f055ea32..42903502ad 100644
--- a/cpp/xml/cluster.xml
+++ b/cpp/xml/cluster.xml
@@ -122,6 +122,10 @@
       encryption (e.g. ssl), ssf is the bit length of the key.  Zero if no
       encryption provided. -->
       <field name="ssf" type="uint32"/>
+      <!-- external auth id (e.g. ssl client certificate id) -->
+      <field name="authid" type="str16"/>
+      <!-- exclude certain sasl mechs, used with ssl and sasl-external -->
+      <field name="nodict" type="bit"/>
     </control>
 
     <!-- Marks the cluster-wide point when a connection is considered closed. -->
-- 
cgit v1.2.1