Posted to users@qpid.apache.org by Jeffrey Bride <jb...@redhat.com> on 2009/06/02 12:59:16 UTC

SSL certificate control list in c++ broker ?

Hi,
  I'm using the C++ Qpid broker from the RHEL 5.3 yum repository and the M5
Java Qpid client libraries to successfully communicate over two-way SSL
(ssl-require-client-authentication = true). In addition to two-way
SSL, my military customer is also asking that the Qpid broker only allow
an SSL connection from a configurable list of client certificates. As an
example, similar PKI certificate control lists are provided by both
mod_ssl and mod_nss when configuring Apache httpd. In httpd.conf,
the following directive only allows an SSL connection to httpd from a
client using my certificate:

SSLRequire (%{SSL_CLIENT_S_DN_CN} eq
"BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx")

Since the C++ broker leverages the NSS libraries, is there an
equivalent in Qpid? My customer would like to have very tight control
of SSL connections between brokers in our AMQP federation scenarios.
When configuring the C++ broker, could I somehow add something similar
to /etc/qpidd.conf to dictate which client certificates can make SSL
connections to that broker?

thank you!
jeff

-- 
Jeffrey Bride
RedHat / JBoss
303-523-7885


Re: SSL certificate control list in c++ broker ?

Posted by Gordon Sim <gs...@redhat.com>.
Jeffrey Bride wrote:
> Hi,
>   I'm using the C++ QPid Broker from RHEL5.3 yum repository and the M5
> java QPid client libraries to successfully communicate over two-way SSL
> (ssl-require-client-authentication = true) .  In addition to two-way
> SSL, my military customer is also asking that the QPid broker only allow
> a SSL connection from a configurable list of client certificates.  As an
> example, similar PKI certificate control lists are provided by both
> mod_ssl and mod_nss when configuring the Apache httpd .  In httpd.conf,
> the following directive only allows an SSL connection to httpd from a
> client using my certificate :
> 
> SSLRequire (%{SSL_CLIENT_S_DN_CN} eq
> "BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx")
> 
> Since the C++ broker leverages the NSS libraries, is there an
> equivalent in QPid ??  

Nothing like that is directly supported by qpidd at present.

I believe you could arrange for the broker only to trust a specific set 
of certificates, but certificate management is not something I have 
significant experience of.

> My customer would like to have very tight control
> of SSL connections between brokers in our AMQP federation scenarios.
> When configuring the C++ broker, could I somehow add something similar
> to /etc/qpidd.conf to dictate which client certificates can make SSL
> connections to that broker?
> 
> thank you!
> jeff
> 


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org


Re: SSL certificate control list in c++ broker ?

Posted by Gordon Sim <gs...@redhat.com>.
Jeffrey Bride wrote:
> Thank you, Gordon.
> 
> I had a conversation with a maintainer (Red Hat employee) of mod_nss on
> #dogtag-pki (irc.freenode.net). He seemed to be very familiar with how
> this functionality was implemented in mod_nss. The following are his
> comments:
> 
> -- The function you want is SSL_OptionSet()
> -- the options, depending on what you want, are:
> -- SSL_OptionSet(sslfd, SSL_REQUEST_CERTIFICATE, PR_TRUE);
> -- that will have NSS request a cert during the handshake
> -- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
> -- that will have it require a certificate or discontinue the conversation

We already do this part (or pretty close to it; currently we set 
SSL_REQUIRE_CERTIFICATE to PR_TRUE). You can enable the checking of 
client certificates by specifying --ssl-require-client-authentication to 
qpidd.

What we don't do is let you further restrict the set of acceptable 
certificates by CN. The only way you can control the clients that can 
connect at present is by restricting the set that the server trusts.

> -- the docs for this are really, really, really out-of-date
> -- http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html
> -- the NSS source tree is also useful for digging this stuff out
> -- in mozilla/nss/cmd one can find the NSS utilities, including some clients which do client auth (tstclnt)
> -- and servers which can require it (the name escapes me at the moment)
> 
> jeff
> 
> On Tue, 2009-06-02 at 06:59 -0400, Jeffrey Bride wrote:
> 
>> Hi,
>>   I'm using the C++ Qpid broker from the RHEL 5.3 yum repository and the M5
>> Java Qpid client libraries to successfully communicate over two-way SSL
>> (ssl-require-client-authentication = true). In addition to two-way
>> SSL, my military customer is also asking that the Qpid broker only allow
>> an SSL connection from a configurable list of client certificates. As an
>> example, similar PKI certificate control lists are provided by both
>> mod_ssl and mod_nss when configuring Apache httpd. In httpd.conf,
>> the following directive only allows an SSL connection to httpd from a
>> client using my certificate:
>>
>> SSLRequire (%{SSL_CLIENT_S_DN_CN} eq
>> "BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx")
>>
>> Since the C++ broker leverages the NSS libraries, is there an
>> equivalent in Qpid? My customer would like to have very tight control
>> of SSL connections between brokers in our AMQP federation scenarios.
>> When configuring the C++ broker, could I somehow add something similar
>> to /etc/qpidd.conf to dictate which client certificates can make SSL
>> connections to that broker?
>>
>> thank you!
>> jeff
>>
> 




Re: SSL certificate control list in c++ broker ?

Posted by Jeffrey Bride <jb...@redhat.com>.
Thank you, Gordon.

I had a conversation with a maintainer (Red Hat employee) of mod_nss on
#dogtag-pki (irc.freenode.net). He seemed to be very familiar with how
this functionality was implemented in mod_nss. The following are his
comments:

-- The function you want is SSL_OptionSet()
-- the options, depending on what you want, are:
-- SSL_OptionSet(sslfd, SSL_REQUEST_CERTIFICATE, PR_TRUE);
-- that will have NSS request a cert during the handshake
-- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
-- that will have it require a certificate or discontinue the conversation
-- the docs for this are really, really, really out-of-date
-- http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html
-- the NSS source tree is also useful for digging this stuff out
-- in mozilla/nss/cmd one can find the NSS utilities, including some clients which do client auth (tstclnt)
-- and servers which can require it (the name escapes me at the moment)

jeff

On Tue, 2009-06-02 at 06:59 -0400, Jeffrey Bride wrote:

> Hi,
>   I'm using the C++ Qpid broker from the RHEL 5.3 yum repository and the M5
> Java Qpid client libraries to successfully communicate over two-way SSL
> (ssl-require-client-authentication = true). In addition to two-way
> SSL, my military customer is also asking that the Qpid broker only allow
> an SSL connection from a configurable list of client certificates. As an
> example, similar PKI certificate control lists are provided by both
> mod_ssl and mod_nss when configuring Apache httpd. In httpd.conf,
> the following directive only allows an SSL connection to httpd from a
> client using my certificate:
> 
> SSLRequire (%{SSL_CLIENT_S_DN_CN} eq
> "BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx")
> 
> Since the C++ broker leverages the NSS libraries, is there an
> equivalent in Qpid? My customer would like to have very tight control
> of SSL connections between brokers in our AMQP federation scenarios.
> When configuring the C++ broker, could I somehow add something similar
> to /etc/qpidd.conf to dictate which client certificates can make SSL
> connections to that broker?
> 
> thank you!
> jeff
> 

-- 
Jeffrey Bride
RedHat / JBoss
303-523-7885
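As an added example (not Qpid's or NSS's code), here is the per-CN allow-list check that both Gordon's reply and the mod_nss maintainer's notes above say qpidd does not provide on top of SSL_REQUIRE_CERTIFICATE. It assumes the client certificate's subject is handed in as an RFC 2253-style string (the form NSS's CERT_NameToAscii() produces); the NSS callback it would be called from (SSL_AuthCertificateHook) is named only in a comment and is not compiled here.

```c
/* Added example (not Qpid or NSS project code): the CN allow-list check the
 * thread says qpidd lacks. It assumes the client certificate's subject arrives
 * as an RFC 2253-style string such as "CN=alice,O=Example" (the form NSS's
 * CERT_NameToAscii() returns); in NSS it would be called from an
 * SSL_AuthCertificateHook callback, which is not compiled here. */
#include <stdio.h>
#include <string.h>

/* Constructed allow list, standing in for one read from /etc/qpidd.conf. */
static const char *const ALLOWED_CNS[] = { "broker-a.example", "alice", "ops,team" };
#define N_ALLOWED (sizeof ALLOWED_CNS / sizeof ALLOWED_CNS[0])

/* Copy the CN attribute value out of a DN string, honouring RFC 2253 backslash
 * escapes. Returns 1 on success, 0 if there is no CN or it does not fit. */
int dn_common_name(const char *dn, char *out, size_t outlen) {
    const char *p = dn;
    while (*p) {
        while (*p == ' ' || *p == ',') p++;          /* start of next attribute */
        /* attribute type matched case-insensitively: "CN=" or "cn=" */
        if ((p[0] == 'C' || p[0] == 'c') && (p[1] == 'N' || p[1] == 'n') && p[2] == '=') {
            size_t n = 0;
            for (p += 3; *p && *p != ','; p++) {
                if (*p == '\\' && p[1]) p++;         /* escaped char: take it literally */
                if (n + 1 >= outlen) return 0;
                out[n++] = *p;
            }
            out[n] = '\0';
            return n > 0;
        }
        for (; *p && *p != ','; p++)                 /* skip a non-CN attribute */
            if (*p == '\\' && p[1]) p++;
    }
    return 0;
}

/* Exact, case-sensitive match against the allow list, like the SSLRequire "eq"
 * test in the thread; a subject with no CN is rejected. */
int client_cn_allowed(const char *subject_dn) {
    char cn[256];
    if (!dn_common_name(subject_dn, cn, sizeof cn)) return 0;
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strcmp(cn, ALLOWED_CNS[i]) == 0) return 1;
    return 0;
}

int main(void) {   /* constructed subjects: listed CN, escaped comma, unlisted CN, no CN */
    const char *s[] = { "CN=alice,O=Example", "O=Example,CN=ops\\,team", "CN=mallory,O=Example", "O=Example" };
    for (size_t i = 0; i < 4; i++)
        printf("%-26s -> %s\n", s[i], client_cn_allowed(s[i]) ? "allow" : "reject");
    return 0;
}
```

Until qpidd grows such a hook, the only control available is the one Gordon describes: limit which issuer certificates the broker's NSS database trusts.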