Posted to dev@qpid.apache.org by "JAkub Scholz (Created) (JIRA)" <ji...@apache.org> on 2012/03/25 21:53:25 UTC

[jira] [Created] (QPID-3914) SSL Cleint Authentication support for the Windows C++ client

SSL Cleint Authentication support for the Windows C++ client
------------------------------------------------------------

                 Key: QPID-3914
                 URL: https://issues.apache.org/jira/browse/QPID-3914
             Project: Qpid
          Issue Type: New Feature
          Components: C++ Client
    Affects Versions: 0.14, 0.16
         Environment: Windows (all versions)
            Reporter: JAkub Scholz


The Windows C++ client has been missing support for the SSL Client Authentication - authentication using SSL certificates on the client side. The patch attached to this JIRA implements this feature.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


[jira] [Updated] (QPID-3914) SSL Client Authentication support for the Windows C++ client

Posted by "Emmanuel Bourg (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Bourg updated QPID-3914:
---------------------------------

    Summary: SSL Client Authentication support for the Windows C++ client  (was: SSL Cleint Authentication support for the Windows C++ client)
    
> SSL Client Authentication support for the Windows C++ client
> ------------------------------------------------------------
>
>                 Key: QPID-3914
>                 URL: https://issues.apache.org/jira/browse/QPID-3914
>             Project: Qpid
>          Issue Type: New Feature
>          Components: C++ Client
>    Affects Versions: 0.14, 0.16
>         Environment: Windows (all versions)
>            Reporter: JAkub Scholz
>         Attachments: ssl-client-auth-filecert.patch, ssl-client-authentication.patch
>
>
> The Windows C++ client has been missing support for the SSL Client Authentication - authentication using SSL certificates on the client side. The patch attached to this JIRA implements this feature.



[jira] [Updated] (QPID-3914) SSL Cleint Authentication support for the Windows C++ client

Posted by "JAkub Scholz (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

JAkub Scholz updated QPID-3914:
-------------------------------

    Attachment: ssl-client-authentication.patch

The attached patch adds the support for SSL client authentication. The limitations of this patch/implementation are described in the related thread in the Apache Qpid mailing list: http://goo.gl/RHpgT ... nevertheless the limitations do not break any existing functionality and add new features. Therefore I believe it is worth including ...
                


[jira] [Issue Comment Edited] (QPID-3914) SSL Cleint Authentication support for the Windows C++ client

Posted by "Michal Zerola (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13253279#comment-13253279 ] 

Michal Zerola edited comment on QPID-3914 at 4/13/12 10:59 AM:
---------------------------------------------------------------

This patch extends Jakub's one for the missing client file based authentication under Windows. A client may specify new Connection options:
- ssl-cert-filename
- ssl-cert-filenamepass
- host-cert-filename
for providing the private P12 key from the file, password for accessing this file and finally the host public certificate from the file. If specified, the private key is loaded from the file and used for client authentication instead of finding the certificate in the registry based store. If the host key filename is specified, the public key from the file attempts to be added into the Trusted Root Certification Authority store, so the host will be trusted (I have not found another way to trust the host other than adding the public key into the store before the handshake). Any combination of the new connection parameters is allowed (e.g. load private key from the file and use public host certificate from existing registry store).
This patch increases the portability of the SSL based client applications, where certificates can be provided with the application and there is no need to import them by hand before executing the main application.
                


[jira] [Commented] (QPID-3914) SSL Client Authentication support for the Windows C++ client

Posted by "Andrew Stitcher (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13395885#comment-13395885 ] 

Andrew Stitcher commented on QPID-3914:
---------------------------------------

I don't think you've explained why you need to make the client install anything in the machine's certificate stores using the client code itself. Why not install any certificates you need using some PowerShell script, say, when you install the client?

I don't like adding a feature to the client code that seems to me to be purely administration code.
                
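An added example of the install-time approach raised in this comment; it is not code from the thread or from Qpid. The parameter names, the file paths and the pinned thumbprint are assumptions supplied by whoever packages the client, and the thumbprint check is an addition of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: provision certificates once, at install time, instead of from client code.
param(
    [Parameter(Mandatory)] [string] $ClientPfxPath,          # PKCS#12 file with the client key (assumed path)
    [Parameter(Mandatory)] [string] $HostCertPath,           # broker/CA certificate file (assumed path)
    [Parameter(Mandatory)] [string] $ExpectedHostThumbprint  # obtained out of band (assumed value)
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# .NET does not follow the PowerShell location, so resolve to absolute paths first.
$hostPath = (Resolve-Path -LiteralPath $HostCertPath).ProviderPath
$pfxPath  = (Resolve-Path -LiteralPath $ClientPfxPath).ProviderPath

# 1. Inspect the host certificate before it is trusted.
$hostCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $hostPath
$expected = ($ExpectedHostThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($hostCert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($hostCert.Thumbprint), expected $expected."
}
$now = Get-Date
if ($now -lt $hostCert.NotBefore -or $now -gt $hostCert.NotAfter) {
    throw "Host certificate is outside its validity period ($($hostCert.NotBefore) to $($hostCert.NotAfter))."
}

# 2. Add it to the machine's Trusted Root store only if it is not already there.
$rootStore = 'Cert:\LocalMachine\Root'
if (Test-Path -LiteralPath "$rootStore\$expected") {
    Write-Host "Host certificate $expected is already trusted."
} else {
    Import-Certificate -FilePath $hostPath -CertStoreLocation $rootStore | Out-Null
    Write-Host "Added $($hostCert.Subject) to $rootStore."
}

# 3. Import the client key pair into the personal store of the account running this script,
#    which must be the account that will run the client.
#    Without -Exportable the private key is stored as non-exportable.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the client PKCS#12 file'
$imported = @(Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword)
$clientCert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $clientCert) { throw 'The PKCS#12 file did not contain a certificate with a private key.' }
Write-Host "Client certificate installed: $($clientCert.Subject) [$($clientCert.Thumbprint)]"
```

With this done by the installer, the client only reads from the certificate stores at connection time and never writes to them.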


[jira] [Commented] (QPID-3914) SSL Client Authentication support for the Windows C++ client

Posted by "Steve Huston (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13411500#comment-13411500 ] 

Steve Huston commented on QPID-3914:
------------------------------------

Hi Michal... apparently no one has had free time to address the issues raised and fully investigate the options.
                


[jira] [Commented] (QPID-3914) SSL Client Authentication support for the Windows C++ client

Posted by "Michal Zerola (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13395823#comment-13395823 ] 

Michal Zerola commented on QPID-3914:
-------------------------------------

OK. Which modification do you prefer then:
- disable completely passing certificates from the command line
- disable passing the host (public) certificate from the command line and keep only the possibility to pass the private key (which doesn't require manipulation of the Trusted Root Certification Authority store)
                


[jira] [Updated] (QPID-3914) SSL Cleint Authentication support for the Windows C++ client

Posted by "Michal Zerola (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michal Zerola updated QPID-3914:
--------------------------------

    Attachment: ssl-client-auth-filecert.patch

This patch extends Jakub's one for the missing client file based authentication under Windows. A client may specify new Connection options:
- ssl-cert-filename
- ssl-cert-filenamepass
- host-cert-filename
for providing the private P12 key from the file, password for accessing this file and finally the host public certificate from the file. If specified, the private key is loaded from the file and used for client authentication instead of finding the certificate in the registry based store. If the host key filename is specified, the public key from the file attempts to be added into the Trusted Root Certification Authority store, so the host will be trusted (I have not found another way to trust the host other than adding the public key into the store before the handshake). Any combination of the new connection parameters is allowed (e.g. load private key from the file and use public host certificate from existing registry store).
This patch increases the portability of the SSL based client applications, where certificates can be provided with the application and there is no need to import them by hand before executing the main application.
                


[jira] [Commented] (QPID-3914) SSL Client Authentication support for the Windows C++ client

Posted by "Andrew Stitcher (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13293860#comment-13293860 ] 

Andrew Stitcher commented on QPID-3914:
---------------------------------------

I don't like the second patch (and I think it needs to be carefully analysed for security implications).

The idea of automatically installing a root certificate seems to me to be outside the scope of what our client library should do.

If nothing else you can do this with some scripting, and I don't see that it needs to be part of the qpid code.
                


[jira] [Commented] (QPID-3914) SSL Client Authentication support for the Windows C++ client

Posted by "Michal Zerola (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13395898#comment-13395898 ] 

Michal Zerola commented on QPID-3914:
-------------------------------------

One of the reasons for extending the client for certificate options was to make it convenient for users to provide certificates on the command line to the application + be able to transfer the application to another machine with certificates and be able to execute it without any administration needed. This is what one can easily do with the Linux client.

I am not sure if you have studied the patch, but the client's private key can be provided to the application without any modification of the machine's store. The public key of the server where the client attempts to connect has to be in the Trusted Root store in order to accept the connection. Currently, with the patch, during the connection hand-shaking, a window is popped up (the same way as when one adds a certificate to the store in the traditional Windows way) and the user can decide whether to import the certificate or not. If you are aware of any other way to provide the public key to the client from the filesystem, please let me know.

I understand your opinion, therefore I have proposed the 2 options above.
                


[jira] [Commented] (QPID-3914) SSL Client Authentication support for the Windows C++ client

Posted by "Michal Zerola (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13411430#comment-13411430 ] 

Michal Zerola commented on QPID-3914:
-------------------------------------

Hi, what was the decision taken on the above comments? Should I modify the patch?
                


[jira] [Issue Comment Edited] (QPID-3914) SSL Cleint Authentication support for the Windows C++ client

Posted by "Michal Zerola (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13253279#comment-13253279 ] 

Michal Zerola edited comment on QPID-3914 at 4/13/12 11:00 AM:
---------------------------------------------------------------

This patch extends Jakub's one for the missing client file based authentication under Windows. A client may specify new Connection options:
- ssl-cert-filename
- ssl-cert-filenamepass
- host-cert-filename

for providing the private P12 key from the file, password for accessing this file and finally the host public certificate from the file. If specified, the private key is loaded from the file and used for client authentication instead of finding the certificate in the registry based store. If the host key filename is specified, the public key from the file attempts to be added into the Trusted Root Certification Authority store, so the host will be trusted (I have not found another way to trust the host other than adding the public key into the store before the handshake). Any combination of the new connection parameters is allowed (e.g. load private key from the file and use public host certificate from existing registry store).
This patch increases the portability of the SSL based client applications, where certificates can be provided with the application and there is no need to import them by hand before executing the main application.
                