Posted to commits@qpid.apache.org by gs...@apache.org on 2010/03/05 19:07:49 UTC

svn commit: r919525 - /qpid/trunk/qpid/cpp/SSL

Author: gsim
Date: Fri Mar  5 18:07:49 2010
New Revision: 919525

URL: http://svn.apache.org/viewvc?rev=919525&view=rev
Log:
QPID-2412: updated notes for SASL EXTERNAL support and added option.

Modified:
    qpid/trunk/qpid/cpp/SSL

Modified: qpid/trunk/qpid/cpp/SSL
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/SSL?rev=919525&r1=919524&r2=919525&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/SSL (original)
+++ qpid/trunk/qpid/cpp/SSL Fri Mar  5 18:07:49 2010
@@ -13,16 +13,16 @@
 
 SSL Settings:
   --ssl-use-export-policy              Use NSS export policy
-  --ssl-cert-password-file PATH        File containing password to use for
-                                       accessing certificate database
+  --ssl-cert-password-file PATH        File containing password to use for accessing
+                                       certificate database
   --ssl-cert-db PATH                   Path to directory containing certificate
                                        database
-  --ssl-cert-name NAME (thinkpad)      Name of the certificate to use
-  --ssl-port PORT (5671)               Port on which to listen for SSL
-                                       connections
-  --ssl-require-client-authentication  Forces clients to authenticate in order
+  --ssl-cert-name NAME (hostname)      Name of the certificate to use
+  --ssl-port PORT (5671)               Port on which to listen for SSL connections
+  --ssl-require-client-authentication  Forces clients to authenticate in order 
                                        to establish an SSL connection
-
+  --ssl-sasl-no-dict                   Disables SASL mechanisms that are vulner able to
+                                       passive dictionary-based password attacks
 
 The first four of these are also available as client options (where
 they must either be in the client config file or set as environment
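Review bot: the help text for the new `--ssl-sasl-no-dict` option has a stray space in "vulner able" ("Disables SASL mechanisms that are vulner able to"); it should read "vulnerable". Since this text is what operators see when deciding whether to set the flag, it would also help to name which mechanisms the option disables and which remain offered, so the security effect of enabling it is unambiguous. Minor: the re-wrapped `--ssl-require-client-authentication` line now carries trailing whitespace.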
@@ -66,6 +66,12 @@
 ./src/tests/perftest --count 10000 -P ssl --port 5671 \
                      --broker myhost.mydomain
 
+When authentication is enabled, the EXTERNAL mechanism will be
+available on client authenticated SSL connections. This allows the
+clients authorisation id to be taken from the validated client
+certificate (it will be the CN with any DCs present appended as the
+domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of
+bob@acme.com).
 
 [1] http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html
 [2] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
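Review bot: "clients authorisation id" should be "client's authorisation id". More substantively, the paragraph leaves two points open that an administrator relying on EXTERNAL would want stated: what "when authentication is enabled" refers to (presumably the broker's own authentication setting, which is not named here), and what identity results when the validated certificate's subject has a CN but no DC components, since the example only covers the CN=bob,DC=acme,DC=com case. It would also be worth saying explicitly that EXTERNAL is only offered on connections where `--ssl-require-client-authentication` caused the client certificate to be validated, so readers do not assume a client-presented certificate alone is sufficient.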



---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:commits-subscribe@qpid.apache.org