qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cliff Jansen (JIRA)" <j...@apache.org>
Subject [jira] [Created] (QPID-5375) Windows SSL client certificates should not be tied to SASL EXTERNAL
Date Tue, 26 Nov 2013 08:35:37 GMT
Cliff Jansen created QPID-5375:

             Summary: Windows SSL client certificates should not be tied to SASL EXTERNAL
                 Key: QPID-5375
                 URL: https://issues.apache.org/jira/browse/QPID-5375
             Project: Qpid
          Issue Type: Improvement
          Components: C++ Client
    Affects Versions: 0.25
         Environment: Windows
            Reporter: Cliff Jansen
            Assignee: Cliff Jansen

QPID-3914 provided initial client certificate support.  It is triggered by specifying the
SASL EXTERNAL mechanism and is useful for many scenarios.  As implemented, the connection
is not even attempted if the client certificate cannot be loaded successfully.

The Posix implementation behaves differently.  Client certificate handling is triggered by
the actual request from the server for the client certificate as part of the SSL handshake.
 It is not dependent on the SASL mechanism specified by the user.  A client cert can be required
to complete the SSL handshake, but an alternative SASL mechanism (PLAIN, ANONYMOUS... ) can
be specified in addition to resolve the actual user identity for the connection.

The Posix implementation provides a lazy client certificate loading mechanism which is invoked
part way through the SSL handshake, but only if the server requests it.  In particular, the
inability to locate a client certificate is never an error if the server does not request

The Windows SSL implementation can be made to work the same way by attempting to pre-load
a client certificate prior to starting the handshake.  Any errors in loading the certificate
must be remembered but ignored unless the server does request a client certificate and none
was supplied.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

View raw message