Posted to dev@qpid.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2013/12/05 00:13:35 UTC

[jira] [Commented] (QPID-5375) Windows SSL client certificates should not be tied to SASL EXTERNAL

    [ https://issues.apache.org/jira/browse/QPID-5375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13839464#comment-13839464 ] 

ASF subversion and git services commented on QPID-5375:
-------------------------------------------------------

Commit 1547958 from cliffjansen@apache.org in branch 'qpid/trunk'
[ https://svn.apache.org/r1547958 ]

QPID-5375: make Windows client certs more like their Posix counterpart, no longer restricted to SASL EXTERNAL

> Windows SSL client certificates should not be tied to SASL EXTERNAL
> -------------------------------------------------------------------
>
>                 Key: QPID-5375
>                 URL: https://issues.apache.org/jira/browse/QPID-5375
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Client
>    Affects Versions: 0.25
>         Environment: Windows
>            Reporter: Cliff Jansen
>            Assignee: Cliff Jansen
>
> QPID-3914 provided initial client certificate support. It is triggered by specifying the SASL EXTERNAL mechanism and is useful for many scenarios. As implemented, the connection is not even attempted if the client certificate cannot be loaded successfully.
> The Posix implementation behaves differently. Client certificate handling is triggered by the actual request from the server for the client certificate as part of the SSL handshake. It is not dependent on the SASL mechanism specified by the user. A client cert can be required to complete the SSL handshake, but an alternative SASL mechanism (PLAIN, ANONYMOUS...) can be specified in addition to resolve the actual user identity for the connection.
> The Posix implementation provides a lazy client certificate loading mechanism which is invoked part way through the SSL handshake, but only if the server requests it. In particular, the inability to locate a client certificate is never an error if the server does not request one.
> The Windows SSL implementation can be made to work the same way by attempting to pre-load a client certificate prior to starting the handshake. Any errors in loading the certificate must be remembered but ignored unless the server does request a client certificate and none was supplied.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
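The deferred-failure behaviour the issue describes, modelled as an added Python example (not Qpid code): a legacy path that ties the certificate to SASL EXTERNAL and aborts on a load failure before any handshake, beside a Posix-like client that pre-loads, remembers the load error, and raises only when the server actually sends a CertificateRequest. The certificate store, certificate names and the boolean standing in for the server's request are constructed stand-ins.

```python
from typing import Dict, Optional


class ClientCertError(Exception):
    """The server asked for a client certificate that could not be supplied."""


def load_cert(store: Dict[str, str], name: Optional[str]) -> str:
    """Stand-in for a certificate store lookup (constructed sample data)."""
    if name not in store:
        raise LookupError(f"client certificate {name!r} not found")
    return store[name]


def legacy_connect(store, cert_name, sasl_mech, server_requests_cert):
    """Pre-fix Windows behaviour: the cert is tied to SASL EXTERNAL, and a
    load failure aborts before any handshake, even if never requested."""
    cert = None
    if sasl_mech == "EXTERNAL":
        cert = load_cert(store, cert_name)     # LookupError escapes here
    if server_requests_cert and cert is None:
        raise ClientCertError("server requires a client certificate")
    return sasl_mech


class DeferredCertClient:
    """Posix-like behaviour: pre-load, remember failures, fail only on demand."""

    def __init__(self, store, cert_name, sasl_mech):
        self.sasl_mech = sasl_mech
        self.cert, self.load_error = None, None
        try:
            self.cert = load_cert(store, cert_name)
        except LookupError as err:
            self.load_error = err              # remembered, not yet fatal

    def on_certificate_request(self):
        """Server's CertificateRequest arrived: now the stored error matters."""
        if self.cert is None:
            raise ClientCertError(str(self.load_error or "no client certificate"))
        return self.cert

    def handshake(self, server_requests_cert):
        """Return the SASL mechanism to continue with; cert and SASL are independent."""
        if server_requests_cert:
            self.on_certificate_request()
        return self.sasl_mech
```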