You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@qpid.apache.org by Jakub Scholz <ja...@scholz.cz> on 2012/03/07 00:47:31 UTC
SSL Client Authentication support for C++ on Windows
Hi,
I played a bit with the support for SSL client authentication in the
C++ API for Windows. It seems that I got it working, at least against
our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I did following changes:
1) Added a support for SASL EXTERNAL mechanism
2) Added new connection option ssl-cert-store which allows to select
the certificate store which should be used to search for the
certificate. If not specified, the default "Personal" store is used.
3) Changed the SSL Connector to try to load the private key if
EXTERNAL mechanism has been selected
4) The username for the SASL EXTERNAL mechanism is used from the
"username" connection option. The username is also used to find the
right certificate, since the username has to be in the subject of the
certificate. I was considering adding new option for this, but this
approach seemed to be the best.
Currently, I'm aware of few limitations:
1) when the SSL client authentication is enabled on the broker, the
client can connect only with EXTERNAL, not with PLAIN. But this
problem was there already before my changes ... I have some idea where
the problem is, but I'm not sure whether I will manage to fix it ...
2) When there are multiple certificates with a matching subject, the
first one is always used. I didn't found any better method for
selecting the certificate ...
Also, the current version is developed against 0.14 source codes,
because I had some problems getting the trunk to compile&work ... I
have to look at it ...
The patch is attached. If someone wants to try it right now, feel free
to do so. Also if anyone has some comments, please share them.
Otherwise, I will try to reconcile the patch to trunk and will attach
the patch to some JIRA Issue ... either existing one or a new one -
I'm not sure whether there already is some open JIRA covering it.
Regards
JAkub
PS: I didn't looked into the .NET API yet. Does someone know whether
the .NET API needs to be somehow modified or are the modifications in
the C++ APIs automatically used by the .NET?
Re: SSL Client Authentication support for C++ on Windows
Posted by Jakub Scholz <ja...@scholz.cz>.
So, after a vacation and few days spent with getting the trunk to work
on my Windows XP machine (see JIRA QPID-3759 for more details) I
finally managed to prepare the patch for trunk (well, it is pretty
much the same as for 0.14). I also created the JIRA issue QPID-3914
where I attached the patch ... I hope it gets committed sooner then my
Python patch for the same feature :-o
Regards
Jakub
On Wed, Mar 7, 2012 at 20:19, Steve Huston <sh...@riverace.com> wrote:
> Ah, ok - thank you very much, Jakub!
>
>> -----Original Message-----
>> From: Jakub Scholz [mailto:jakub@scholz.cz]
>> Sent: Wednesday, March 07, 2012 1:38 PM
>> To: users@qpid.apache.org
>> Subject: Re: SSL Client Authentication support for C++ on Windows
>>
>> Hi Steve,
>>
>> Yes, I know. There are still some unresolved issues as mentioned in the
> first
>> email and I also need to check how does it work against the trunk - this
>> version is prepared against 0.14 release. The patch here is mainly for
> the
>> people who want to give it a try ... once I have that, I will create an
> JIRA and
>> attached with the licence granted.
>>
>> Regards
>> Jakub
>>
>> On Wed, Mar 7, 2012 at 18:13, Steve Huston <sh...@riverace.com> wrote:
>> > Ok, Jakub, but we still need to have the patch(es) attached to a jira
>> > and make sure you check the box granting rights to ASF, or we can't
> use it.
>> >
>> > I just checked and did not see an existing jira for this issue (though
>> > it has been discussed on the mailing list recently), so please go
>> > ahead and open a new jira, and attach your patches to that.
>> >
>> > Thanks!
>> > -Steve
>> >
>> >> -----Original Message-----
>> >> From: Jakub Scholz [mailto:jakub@scholz.cz]
>> >> Sent: Wednesday, March 07, 2012 4:22 AM
>> >> To: users@qpid.apache.org
>> >> Subject: Re: SSL Client Authentication support for C++ on Windows
>> >>
>> >> BTW: The attachment was probably discarded by the mailing list
>> >> server,
>> > so I
>> >> uploaded it to http://pastebin.com/gb1RnUYk ... the URL will
>> >> hopefully survive :-)
>> >>
>> >> On Wed, Mar 7, 2012 at 00:47, Jakub Scholz <ja...@scholz.cz> wrote:
>> >> > Hi,
>> >> >
>> >> > I played a bit with the support for SSL client authentication in
>> >> > the
>> >> > C++ API for Windows. It seems that I got it working, at least
>> >> > C++ against
>> >> > our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I did following
> changes:
>> >> > 1) Added a support for SASL EXTERNAL mechanism
>> >> > 2) Added new connection option ssl-cert-store which allows to
>> >> > select the certificate store which should be used to search for the
>> >> > certificate. If not specified, the default "Personal" store is
> used.
>> >> > 3) Changed the SSL Connector to try to load the private key if
>> >> > EXTERNAL mechanism has been selected
>> >> > 4) The username for the SASL EXTERNAL mechanism is used from the
>> >> > "username" connection option. The username is also used to find the
>> >> > right certificate, since the username has to be in the subject of
>> >> > the certificate. I was considering adding new option for this, but
>> >> > this approach seemed to be the best.
>> >> >
>> >> > Currently, I'm aware of few limitations:
>> >> > 1) when the SSL client authentication is enabled on the broker, the
>> >> > client can connect only with EXTERNAL, not with PLAIN. But this
>> >> > problem was there already before my changes ... I have some idea
>> >> > where the problem is, but I'm not sure whether I will manage to fix
> it ...
>> >> > 2) When there are multiple certificates with a matching subject,
>> >> > the first one is always used. I didn't found any better method for
>> >> > selecting the certificate ...
>> >> >
>> >> > Also, the current version is developed against 0.14 source codes,
>> >> > because I had some problems getting the trunk to compile&work ... I
>> >> > have to look at it ...
>> >> >
>> >> > The patch is attached. If someone wants to try it right now, feel
>> >> > free to do so. Also if anyone has some comments, please share them.
>> >> > Otherwise, I will try to reconcile the patch to trunk and will
>> >> > attach the patch to some JIRA Issue ... either existing one or a
>> >> > new one - I'm not sure whether there already is some open JIRA
>> covering it.
>> >> >
>> >> > Regards
>> >> > JAkub
>> >> >
>> >> > PS: I didn't looked into the .NET API yet. Does someone know
>> >> > whether the .NET API needs to be somehow modified or are the
>> >> > modifications in the C++ APIs automatically used by the .NET?
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For
>> >> additional commands, e-mail: users-help@qpid.apache.org
>> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For
>> > additional commands, e-mail: users-help@qpid.apache.org
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For additional
>> commands, e-mail: users-help@qpid.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
RE: SSL Client Authentication support for C++ on Windows
Posted by Steve Huston <sh...@riverace.com>.
Ah, ok - thank you very much, Jakub!
> -----Original Message-----
> From: Jakub Scholz [mailto:jakub@scholz.cz]
> Sent: Wednesday, March 07, 2012 1:38 PM
> To: users@qpid.apache.org
> Subject: Re: SSL Client Authentication support for C++ on Windows
>
> Hi Steve,
>
> Yes, I know. There are still some unresolved issues as mentioned in the
first
> email and I also need to check how does it work against the trunk - this
> version is prepared against 0.14 release. The patch here is mainly for
the
> people who want to give it a try ... once I have that, I will create an
JIRA and
> attached with the licence granted.
>
> Regards
> Jakub
>
> On Wed, Mar 7, 2012 at 18:13, Steve Huston <sh...@riverace.com> wrote:
> > Ok, Jakub, but we still need to have the patch(es) attached to a jira
> > and make sure you check the box granting rights to ASF, or we can't
use it.
> >
> > I just checked and did not see an existing jira for this issue (though
> > it has been discussed on the mailing list recently), so please go
> > ahead and open a new jira, and attach your patches to that.
> >
> > Thanks!
> > -Steve
> >
> >> -----Original Message-----
> >> From: Jakub Scholz [mailto:jakub@scholz.cz]
> >> Sent: Wednesday, March 07, 2012 4:22 AM
> >> To: users@qpid.apache.org
> >> Subject: Re: SSL Client Authentication support for C++ on Windows
> >>
> >> BTW: The attachment was probably discarded by the mailing list
> >> server,
> > so I
> >> uploaded it to http://pastebin.com/gb1RnUYk ... the URL will
> >> hopefully survive :-)
> >>
> >> On Wed, Mar 7, 2012 at 00:47, Jakub Scholz <ja...@scholz.cz> wrote:
> >> > Hi,
> >> >
> >> > I played a bit with the support for SSL client authentication in
> >> > the
> >> > C++ API for Windows. It seems that I got it working, at least
> >> > C++ against
> >> > our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I did following
changes:
> >> > 1) Added a support for SASL EXTERNAL mechanism
> >> > 2) Added new connection option ssl-cert-store which allows to
> >> > select the certificate store which should be used to search for the
> >> > certificate. If not specified, the default "Personal" store is
used.
> >> > 3) Changed the SSL Connector to try to load the private key if
> >> > EXTERNAL mechanism has been selected
> >> > 4) The username for the SASL EXTERNAL mechanism is used from the
> >> > "username" connection option. The username is also used to find the
> >> > right certificate, since the username has to be in the subject of
> >> > the certificate. I was considering adding new option for this, but
> >> > this approach seemed to be the best.
> >> >
> >> > Currently, I'm aware of few limitations:
> >> > 1) when the SSL client authentication is enabled on the broker, the
> >> > client can connect only with EXTERNAL, not with PLAIN. But this
> >> > problem was there already before my changes ... I have some idea
> >> > where the problem is, but I'm not sure whether I will manage to fix
it ...
> >> > 2) When there are multiple certificates with a matching subject,
> >> > the first one is always used. I didn't found any better method for
> >> > selecting the certificate ...
> >> >
> >> > Also, the current version is developed against 0.14 source codes,
> >> > because I had some problems getting the trunk to compile&work ... I
> >> > have to look at it ...
> >> >
> >> > The patch is attached. If someone wants to try it right now, feel
> >> > free to do so. Also if anyone has some comments, please share them.
> >> > Otherwise, I will try to reconcile the patch to trunk and will
> >> > attach the patch to some JIRA Issue ... either existing one or a
> >> > new one - I'm not sure whether there already is some open JIRA
> covering it.
> >> >
> >> > Regards
> >> > JAkub
> >> >
> >> > PS: I didn't looked into the .NET API yet. Does someone know
> >> > whether the .NET API needs to be somehow modified or are the
> >> > modifications in the C++ APIs automatically used by the .NET?
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For
> >> additional commands, e-mail: users-help@qpid.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For
> > additional commands, e-mail: users-help@qpid.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For additional
> commands, e-mail: users-help@qpid.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: SSL Client Authentication support for C++ on Windows
Posted by Jakub Scholz <ja...@scholz.cz>.
Hi Steve,
Yes, I know. There are still some unresolved issues as mentioned in
the first email and I also need to check how does it work against the
trunk - this version is prepared against 0.14 release. The patch here
is mainly for the people who want to give it a try ... once I have
that, I will create an JIRA and attached with the licence granted.
Regards
Jakub
On Wed, Mar 7, 2012 at 18:13, Steve Huston <sh...@riverace.com> wrote:
> Ok, Jakub, but we still need to have the patch(es) attached to a jira and
> make sure you check the box granting rights to ASF, or we can't use it.
>
> I just checked and did not see an existing jira for this issue (though it
> has been discussed on the mailing list recently), so please go ahead and
> open a new jira, and attach your patches to that.
>
> Thanks!
> -Steve
>
>> -----Original Message-----
>> From: Jakub Scholz [mailto:jakub@scholz.cz]
>> Sent: Wednesday, March 07, 2012 4:22 AM
>> To: users@qpid.apache.org
>> Subject: Re: SSL Client Authentication support for C++ on Windows
>>
>> BTW: The attachment was probably discarded by the mailing list server,
> so I
>> uploaded it to http://pastebin.com/gb1RnUYk ... the URL will hopefully
>> survive :-)
>>
>> On Wed, Mar 7, 2012 at 00:47, Jakub Scholz <ja...@scholz.cz> wrote:
>> > Hi,
>> >
>> > I played a bit with the support for SSL client authentication in the
>> > C++ API for Windows. It seems that I got it working, at least against
>> > our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I did following changes:
>> > 1) Added a support for SASL EXTERNAL mechanism
>> > 2) Added new connection option ssl-cert-store which allows to select
>> > the certificate store which should be used to search for the
>> > certificate. If not specified, the default "Personal" store is used.
>> > 3) Changed the SSL Connector to try to load the private key if
>> > EXTERNAL mechanism has been selected
>> > 4) The username for the SASL EXTERNAL mechanism is used from the
>> > "username" connection option. The username is also used to find the
>> > right certificate, since the username has to be in the subject of the
>> > certificate. I was considering adding new option for this, but this
>> > approach seemed to be the best.
>> >
>> > Currently, I'm aware of few limitations:
>> > 1) when the SSL client authentication is enabled on the broker, the
>> > client can connect only with EXTERNAL, not with PLAIN. But this
>> > problem was there already before my changes ... I have some idea where
>> > the problem is, but I'm not sure whether I will manage to fix it ...
>> > 2) When there are multiple certificates with a matching subject, the
>> > first one is always used. I didn't found any better method for
>> > selecting the certificate ...
>> >
>> > Also, the current version is developed against 0.14 source codes,
>> > because I had some problems getting the trunk to compile&work ... I
>> > have to look at it ...
>> >
>> > The patch is attached. If someone wants to try it right now, feel free
>> > to do so. Also if anyone has some comments, please share them.
>> > Otherwise, I will try to reconcile the patch to trunk and will attach
>> > the patch to some JIRA Issue ... either existing one or a new one -
>> > I'm not sure whether there already is some open JIRA covering it.
>> >
>> > Regards
>> > JAkub
>> >
>> > PS: I didn't looked into the .NET API yet. Does someone know whether
>> > the .NET API needs to be somehow modified or are the modifications in
>> > the C++ APIs automatically used by the .NET?
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For additional
>> commands, e-mail: users-help@qpid.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
RE: SSL Client Authentication support for C++ on Windows
Posted by Steve Huston <sh...@riverace.com>.
Ok, Jakub, but we still need to have the patch(es) attached to a jira and
make sure you check the box granting rights to ASF, or we can't use it.
I just checked and did not see an existing jira for this issue (though it
has been discussed on the mailing list recently), so please go ahead and
open a new jira, and attach your patches to that.
Thanks!
-Steve
> -----Original Message-----
> From: Jakub Scholz [mailto:jakub@scholz.cz]
> Sent: Wednesday, March 07, 2012 4:22 AM
> To: users@qpid.apache.org
> Subject: Re: SSL Client Authentication support for C++ on Windows
>
> BTW: The attachment was probably discarded by the mailing list server,
so I
> uploaded it to http://pastebin.com/gb1RnUYk ... the URL will hopefully
> survive :-)
>
> On Wed, Mar 7, 2012 at 00:47, Jakub Scholz <ja...@scholz.cz> wrote:
> > Hi,
> >
> > I played a bit with the support for SSL client authentication in the
> > C++ API for Windows. It seems that I got it working, at least against
> > our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I did following changes:
> > 1) Added a support for SASL EXTERNAL mechanism
> > 2) Added new connection option ssl-cert-store which allows to select
> > the certificate store which should be used to search for the
> > certificate. If not specified, the default "Personal" store is used.
> > 3) Changed the SSL Connector to try to load the private key if
> > EXTERNAL mechanism has been selected
> > 4) The username for the SASL EXTERNAL mechanism is used from the
> > "username" connection option. The username is also used to find the
> > right certificate, since the username has to be in the subject of the
> > certificate. I was considering adding new option for this, but this
> > approach seemed to be the best.
> >
> > Currently, I'm aware of few limitations:
> > 1) when the SSL client authentication is enabled on the broker, the
> > client can connect only with EXTERNAL, not with PLAIN. But this
> > problem was there already before my changes ... I have some idea where
> > the problem is, but I'm not sure whether I will manage to fix it ...
> > 2) When there are multiple certificates with a matching subject, the
> > first one is always used. I didn't found any better method for
> > selecting the certificate ...
> >
> > Also, the current version is developed against 0.14 source codes,
> > because I had some problems getting the trunk to compile&work ... I
> > have to look at it ...
> >
> > The patch is attached. If someone wants to try it right now, feel free
> > to do so. Also if anyone has some comments, please share them.
> > Otherwise, I will try to reconcile the patch to trunk and will attach
> > the patch to some JIRA Issue ... either existing one or a new one -
> > I'm not sure whether there already is some open JIRA covering it.
> >
> > Regards
> > JAkub
> >
> > PS: I didn't looked into the .NET API yet. Does someone know whether
> > the .NET API needs to be somehow modified or are the modifications in
> > the C++ APIs automatically used by the .NET?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For additional
> commands, e-mail: users-help@qpid.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: SSL Client Authentication support for C++ on Windows
Posted by Jakub Scholz <ja...@scholz.cz>.
BTW: The attachment was probably discarded by the mailing list server,
so I uploaded it to http://pastebin.com/gb1RnUYk ... the URL will
hopefully survive :-)
On Wed, Mar 7, 2012 at 00:47, Jakub Scholz <ja...@scholz.cz> wrote:
> Hi,
>
> I played a bit with the support for SSL client authentication in the
> C++ API for Windows. It seems that I got it working, at least against
> our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I did following changes:
> 1) Added a support for SASL EXTERNAL mechanism
> 2) Added new connection option ssl-cert-store which allows to select
> the certificate store which should be used to search for the
> certificate. If not specified, the default "Personal" store is used.
> 3) Changed the SSL Connector to try to load the private key if
> EXTERNAL mechanism has been selected
> 4) The username for the SASL EXTERNAL mechanism is used from the
> "username" connection option. The username is also used to find the
> right certificate, since the username has to be in the subject of the
> certificate. I was considering adding new option for this, but this
> approach seemed to be the best.
>
> Currently, I'm aware of few limitations:
> 1) when the SSL client authentication is enabled on the broker, the
> client can connect only with EXTERNAL, not with PLAIN. But this
> problem was there already before my changes ... I have some idea where
> the problem is, but I'm not sure whether I will manage to fix it ...
> 2) When there are multiple certificates with a matching subject, the
> first one is always used. I didn't found any better method for
> selecting the certificate ...
>
> Also, the current version is developed against 0.14 source codes,
> because I had some problems getting the trunk to compile&work ... I
> have to look at it ...
>
> The patch is attached. If someone wants to try it right now, feel free
> to do so. Also if anyone has some comments, please share them.
> Otherwise, I will try to reconcile the patch to trunk and will attach
> the patch to some JIRA Issue ... either existing one or a new one -
> I'm not sure whether there already is some open JIRA covering it.
>
> Regards
> JAkub
>
> PS: I didn't looked into the .NET API yet. Does someone know whether
> the .NET API needs to be somehow modified or are the modifications in
> the C++ APIs automatically used by the .NET?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
RE: SSL Client Authentication support for C++ on Windows
Posted by Steve Huston <sh...@riverace.com>.
Terrific, Jakub - thanks!
Could you please open a jira for this and attach your patches to it -
please be sure to check the box granting rights to ASF or we can't use the
patch.
Someone else will need to comment on the .NET aspect.
-Steve
> -----Original Message-----
> From: Jakub Scholz [mailto:jakub@scholz.cz]
> Sent: Tuesday, March 06, 2012 6:48 PM
> To: users@qpid.apache.org
> Subject: SSL Client Authentication support for C++ on Windows
>
> Hi,
>
> I played a bit with the support for SSL client authentication in the
> C++ API for Windows. It seems that I got it working, at least against
> our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I did following changes:
> 1) Added a support for SASL EXTERNAL mechanism
> 2) Added new connection option ssl-cert-store which allows to select the
> certificate store which should be used to search for the certificate. If
not
> specified, the default "Personal" store is used.
> 3) Changed the SSL Connector to try to load the private key if EXTERNAL
> mechanism has been selected
> 4) The username for the SASL EXTERNAL mechanism is used from the
> "username" connection option. The username is also used to find the
right
> certificate, since the username has to be in the subject of the
certificate. I
> was considering adding new option for this, but this approach seemed to
be
> the best.
>
> Currently, I'm aware of few limitations:
> 1) when the SSL client authentication is enabled on the broker, the
client can
> connect only with EXTERNAL, not with PLAIN. But this problem was there
> already before my changes ... I have some idea where the problem is, but
I'm
> not sure whether I will manage to fix it ...
> 2) When there are multiple certificates with a matching subject, the
first one
> is always used. I didn't found any better method for selecting the
certificate
> ...
>
> Also, the current version is developed against 0.14 source codes,
because I
> had some problems getting the trunk to compile&work ... I have to look
at it
> ...
>
> The patch is attached. If someone wants to try it right now, feel free
to do so.
> Also if anyone has some comments, please share them.
> Otherwise, I will try to reconcile the patch to trunk and will attach
the patch
> to some JIRA Issue ... either existing one or a new one - I'm not sure
whether
> there already is some open JIRA covering it.
>
> Regards
> JAkub
>
> PS: I didn't looked into the .NET API yet. Does someone know whether the
> .NET API needs to be somehow modified or are the modifications in the
C++
> APIs automatically used by the .NET?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
RE: SSL Client Authentication support for C++ on Windows
Posted by "Hamid.Shahid" <ha...@hotmail.com>.
That will be great, Steve.
Thanks!
--
View this message in context: http://qpid.2158936.n2.nabble.com/SSL-Client-Authentication-support-for-C-on-Windows-tp7350387p7491471.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
RE: SSL Client Authentication support for C++ on Windows
Posted by Steve Huston <sh...@riverace.com>.
Hi Hamid,
> Hi Michal,
>
> Thats great, awsome job!
>
> @ Steve - Would it be possible to add these updates in the next offical
> version of QPID?
Not in 0.16 - that's already frozen for release testing.
I will try to get it in 0.18.
-Steve
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: SSL Client Authentication support for C++ on Windows
Posted by "Hamid.Shahid" <ha...@hotmail.com>.
Hi Michal,
Thats great, awsome job!
@ Steve - Would it be possible to add these updates in the next offical
version of QPID?
Thank you.
regards,
Hamid
--
View this message in context: http://qpid.2158936.n2.nabble.com/SSL-Client-Authentication-support-for-C-on-Windows-tp7350387p7479736.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: SSL Client Authentication support for C++ on Windows
Posted by Michal Zerola <mi...@gmail.com>.
Hello, I have extended the Jakub's patch for file based certificate client
authentication.
It is attached to the same https://issues.apache.org/jira/browse/QPID-3914
JIRA issue .
This patch extends the Jakub's one for the missing client file based
authentication under the Windows. A client may specify new Connection
options:
■ssl-cert-filename
■ssl-cert-filenamepass
■host-cert-filename
for providing the private P12 key from the file, password for accessing this
file and finally the host public certificate from the file. If specified,
the private key is loaded from the file and used for client authentication
instead of finding the certificate in the registry based store. If the host
key filename is specified, the public key from the file attempts to be added
into the Trusted Root Certification Authority store, so the host will be
trusted (I have not found other way to trust the host other than adding the
public key into the store before the handshake). Any combination of the new
connection parameters is allowed (e.g. load private key from the file and
use public host certificate from existing registry store).
This patch increases the portability of the SSL based client applications,
where certificates can be provided with the application and there is no need
to import them by hand before executing the main application.
--
View this message in context: http://qpid.2158936.n2.nabble.com/SSL-Client-Authentication-support-for-C-on-Windows-tp7350387p7462400.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: SSL Client Authentication support for C++ on Windows
Posted by "Hamid.Shahid" <ha...@hotmail.com>.
Hi Jakub,
Yes, I can understand the point a , b...
and definately the point c :)
Great Job!
Best Regards,
Hamid.
--
View this message in context: http://qpid.2158936.n2.nabble.com/SSL-Client-Authentication-support-for-C-on-Windows-tp7350387p7354388.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: SSL Client Authentication support for C++ on Windows
Posted by Jakub Scholz <ja...@scholz.cz>.
Hi Hamid,
I understand the advantages of the file based certificates. But:
a) right now I have no idea whether the SChannel API is able to work with them
b) I believe the use of the Windows built in certificate is also in
the other parts of the Windows version (the broker, also client is
already searching for the public key of the broker there etc.) ... so
storing the client's private key there as well is much more consistent
behaviour
(and c) I'm glad I managed get it working at least like this :-o)
I can take a quick look at it, but do not put too much hope on it ...
Regards
Jakub
On Wed, Mar 7, 2012 at 17:36, Hamid.Shahid <ha...@hotmail.com> wrote:
> Thats awsome...
>
> It would be ideal case if we can have support for file based certificates as
> well.
>
> thanks Jakub!
>
>
> --
> View this message in context: http://qpid.2158936.n2.nabble.com/SSL-Client-Authentication-support-for-C-on-Windows-tp7350387p7352312.html
> Sent from the Apache Qpid users mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: SSL Client Authentication support for C++ on Windows
Posted by "Hamid.Shahid" <ha...@hotmail.com>.
Thats awsome...
It would be ideal case if we can have support for file based certificates as
well.
thanks Jakub!
--
View this message in context: http://qpid.2158936.n2.nabble.com/SSL-Client-Authentication-support-for-C-on-Windows-tp7350387p7352312.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org