Posted to dev@qpid.apache.org by Eric Li <er...@yahoo.com> on 2010/04/22 06:05:33 UTC
certificate authentication
Hi,
I know the qpid c++ broker supports certificate authentication. I would like to know whether the c++ broker verifies the client certificate against a CRL (certificate revoked list). Thanks.
li
Re: certificate authentication
Posted by Gordon Sim <gs...@redhat.com>.
On 04/24/2010 02:52 AM, Eric Li wrote:
> Thanks. I just gave a trial with the following command on ubuntu.
>
> sudo ./src/qpidd --auth no --load-module /usr/lib/libssl3.so --ssl-cert-db /home/amqp/server_db --ssl-cert-password-file /home/amqp/ok.pwd --ssl-cert-name localhost.domain
> 2010-04-20 05:44:12 critical Unexpected error: Error in command line options: unknown option ssl-cert-db
> Use --help to see valid options
>
> I built the qpid from the source distribution and do not see the ssl.so module under the .src/.lib/ folder. Do I miss anything here?
Do you have nss installed? If so does your config.log show it being
picked up ok (e.g. grep nss config.log, or if you used cmake
CMakeCache.txt)?
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
Re: certificate authentication
Posted by Eric Li <er...@yahoo.com>.
Thanks. I just gave a trial with the following command on ubuntu.
sudo ./src/qpidd --auth no --load-module /usr/lib/libssl3.so --ssl-cert-db /home/amqp/server_db --ssl-cert-password-file /home/amqp/ok.pwd --ssl-cert-name localhost.domain
2010-04-20 05:44:12 critical Unexpected error: Error in command line options: unknown option ssl-cert-db
Use --help to see valid options
I built the qpid from the source distribution and do not see the ssl.so module under the .src/.lib/ folder. Do I miss anything here?
Thanks,
li
________________________________
From: Gordon Sim <gs...@redhat.com>
To: dev@qpid.apache.org
Sent: Fri, April 23, 2010 4:30:24 AM
Subject: Re: certificate authentication
On 04/23/2010 01:14 AM, Steve Huston wrote:
>> Can you tell me where I can specify the crl location that
>> contains the list of revoked certificates info?
>
> I believe that's part of the certificate database you're already passing
> to qpidd, but I'm not 100% clear on that.
For the nss based ssl implementation (on linux) I believe you use the crlutil tool: http://www.mozilla.org/projects/security/pki/nss/tools/crlutil.html
Re: certificate authentication
Posted by Gordon Sim <gs...@redhat.com>.
On 04/23/2010 01:14 AM, Steve Huston wrote:
>> Can you tell me where I can specify the crl location that
>> contains the list of revoked certificates info?
>
> I believe that's part of the certificate database you're already passing
> to qpidd, but I'm not 100% clear on that.
For the nss based ssl implementation (on linux) I believe you use the
crlutil tool:
http://www.mozilla.org/projects/security/pki/nss/tools/crlutil.html
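
An added example, not part of the original thread or of the Qpid project: importing a CRL with crlutil into the NSS database directory that the command line quoted in this thread passes to qpidd via --ssl-cert-db, then listing the CRLs it holds. The function names, the DRY_RUN variable and the file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): load a CRL into the NSS certificate
# database used by qpidd, with pre-flight checks so that a wrong path fails
# loudly instead of leaving the broker's database without revocation data.
# ASSUMPTIONS: function names, DRY_RUN and all paths are illustrative.

# nss_db_ok DIR: succeed if DIR looks like an NSS certificate database
# (cert9.db for the SQLite format, cert8.db for the older DBM format).
nss_db_ok() {
    [ -d "$1" ] && { [ -f "$1/cert9.db" ] || [ -f "$1/cert8.db" ]; }
}

# crl_import_cmd DB CRLFILE: validate both arguments and print the crlutil
# import command for display. Returns 2 for a bad database directory and
# 3 for a missing or empty CRL file.
crl_import_cmd() {
    nss_db_ok "$1" || { echo "not an NSS database: $1" >&2; return 2; }
    [ -s "$2" ] || { echo "CRL file missing or empty: $2" >&2; return 3; }
    printf 'crlutil -I -i %s -d %s\n' "$2" "$1"
}

# import_crl DB CRLFILE: import the CRL, then list the CRLs now stored in
# the database. With DRY_RUN=1 only print the import command.
import_crl() {
    cmd=$(crl_import_cmd "$1" "$2") || return $?
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    command -v crlutil >/dev/null 2>&1 || {
        echo "crlutil not found (it ships with the NSS tools)" >&2
        return 4
    }
    # -I imports the CRL file named by -i into the database given by -d;
    # -L lists the CRLs present, which confirms the import took effect.
    crlutil -I -i "$2" -d "$1" && crlutil -L -d "$1"
}

# Usage with placeholder paths (the CRL file name is hypothetical):
#   DRY_RUN=1 import_crl /home/amqp/server_db /home/amqp/ca.crl
#   import_crl /home/amqp/server_db /home/amqp/ca.crl
```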
RE: certificate authentication
Posted by Steve Huston <sh...@riverace.com>.
Hi Li,
> Thanks Steve for the quick response.
You're welcome.
> Can you tell me where I can specify the crl location that
> contains the list of revoked certificates info?
I believe that's part of the certificate database you're already passing
to qpidd, but I'm not 100% clear on that.
-Steve
> _________________________
> From: Steve Huston <sh...@riverace.com>
> To: dev@qpid.apache.org; qpid-dev@incubator.apache.org
> Sent: Thu, April 22, 2010 7:29:40 AM
> Subject: RE: certificate authentication
>
> Hi Li,
>
> > I know qpid c++ broker supports certificate authentication, I
> > would like to know whether the c++ broker verifies the client
> > certificate against CRL (certificate revoked list). Thanks.
>
> If the broker is started with the ssl plugin and the option:
>
> --ssl-require-client-authentication
>
> is specified when the broker is started, then yes.
>
> -Steve
Re: certificate authentication
Posted by Eric Li <er...@yahoo.com>.
Thanks Steve for the quick response.
Can you tell me where I can specify the crl location that contains the list of revoked certificates info?
Thanks,
li
________________________________
From: Steve Huston <sh...@riverace.com>
To: dev@qpid.apache.org; qpid-dev@incubator.apache.org
Sent: Thu, April 22, 2010 7:29:40 AM
Subject: RE: certificate authentication
Hi Li,
> I know qpid c++ broker supports certificate authentication, I
> would like to know whether the c++ broker verifies the client
> certificate against CRL (certificate revoked list). Thanks.
If the broker is started with the ssl plugin and the option:
--ssl-require-client-authentication
is specified when the broker is started, then yes.
-Steve
RE: certificate authentication
Posted by Steve Huston <sh...@riverace.com>.
Hi Li,
> I know qpid c++ broker supports certificate authentication, I
> would like to know whether the c++ broker verifies the client
> certificate against CRL (certificate revoked list). Thanks.
If the broker is started with the ssl plugin and the option:
--ssl-require-client-authentication
is specified when the broker is started, then yes.
-Steve