Posted to users@qpid.apache.org by Marko Hrastovec <Ma...@sloveniacontrol.si> on 2022/12/07 08:27:12 UTC

: ssl_client_options with ss_certificate and default certificate trust database

Hi,

can someone please help me resolve an issue in Qpid Proton C++?

I need to connect to an AMQP server securely with client certificate authentication. The server uses a certificate signed by a trusted CA. I can load a certificate into ssl_client_options, but the constructor for ssl_client_options requires a trust_db parameter, as shown in the declaration below:


ssl_client_options (const ssl_certificate &, const std::string &trust_db, enum ssl::verify_mode=ssl::VERIFY_PEER_NAME)


When I connect with these options, I have to provide some trust_db, but I don't know how to provide a default certificate trust database. For now I have set the verify_mode to proton::ssl::ANONYMOUS_PEER, to skip the server identification check. If the system's default certificate trust database were used, proton::ssl::VERIFY_PEER_NAME should work just fine, but I don't know how to use it with this ssl_client_options constructor.

Is there a way to provide an ssl_certificate to ssl_client_options and keep the default certificate trust database at the same time?

Regards
Marko

Re: : ssl_client_options with ss_certificate and default certificate trust database

Posted by Marko Hrastovec <Ma...@sloveniacontrol.si>.
Hi,

I made a change to Qpid Proton C++ which allows using a client certificate without the need for a custom certificate trust database.

I cannot create a JIRA account to submit a patch, so I am attaching the change here. Can someone please add that to the code for future Qpid Proton releases? Thanks.

Kind Regards
Marko

The change:

diff --git a/cpp/include/proton/ssl.hpp b/cpp/include/proton/ssl.hpp
index cbec8767..d978fcb8 100644
--- a/cpp/include/proton/ssl.hpp
+++ b/cpp/include/proton/ssl.hpp
@@ -163,6 +163,10 @@ class ssl_client_options {
enum ssl::verify_mode = ssl::VERIFY_PEER_NAME);
/// Create SSL client with a client certificate.
+ PN_CPP_EXTERN ssl_client_options(const ssl_certificate&,
+ enum ssl::verify_mode = ssl::VERIFY_PEER_NAME);
+
+ /// Create SSL client with a client certificate and a custom certificate trust database.
PN_CPP_EXTERN ssl_client_options(const ssl_certificate&, const std::string &trust_db,
enum ssl::verify_mode = ssl::VERIFY_PEER_NAME);
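Review bot: The doc comments in this hunk no longer describe what distinguishes the two overloads. After the change, the unchanged line "/// Create SSL client with a client certificate." sits above the new two-argument overload, whose whole point (per the cover note) is that no trust database is passed and the default certificate trust database is used instead; that behaviour is not stated anywhere in the header. Suggest making the new comment explicit, e.g. "/// Create SSL client with a client certificate, verifying the peer against the default certificate trust database.", and keep "/// Create SSL client with a client certificate and a custom certificate trust database." for the three-argument overload so a caller choosing between them can tell which trust store is in effect for VERIFY_PEER and VERIFY_PEER_NAME.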
diff --git a/cpp/src/ssl_options.cpp b/cpp/src/ssl_options.cpp
index f74f014e..40f5e08f 100644
--- a/cpp/src/ssl_options.cpp
+++ b/cpp/src/ssl_options.cpp
@@ -131,6 +131,12 @@ ssl_client_options::ssl_client_options(const std::string &trust_db, enum ssl::ve
set_client_verify_mode(dom, mode);
}
+ssl_client_options::ssl_client_options(const ssl_certificate &cert, enum ssl::verify_mode mode) : impl_(new impl) {
+ pn_ssl_domain_t* dom = impl_->pn_domain();
+ set_cred(dom, cert.certdb_main_, cert.certdb_extra_, cert.passwd_, cert.pw_set_);
+ set_client_verify_mode(dom, mode);
+}
+
ssl_client_options::ssl_client_options(const ssl_certificate &cert, const std::string &trust_db, enum ssl::verify_mode mode) : impl_(new impl) {
pn_ssl_domain_t* dom = impl_->pn_domain();
set_cred(dom, cert.certdb_main_, cert.certdb_extra_, cert.passwd_, cert.pw_set_);
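Review bot: The new constructor in this hunk sets the credential and the verify mode but never configures any trusted CA database on the pn_ssl_domain_t, and the hunk does not show what the domain verifies against in that case. The existing overload in the hunk header, ssl_client_options(const std::string &trust_db, enum ssl::verify_mode), presumably installs trust_db; the new one relies on whatever the underlying SSL backend does with no trust database set. Before merging, please confirm (and ideally add a test for) that with mode == ssl::VERIFY_PEER_NAME and no trust database the handshake actually verifies the server chain against the platform's default CA store rather than failing every connection or, worse, accepting any chain. The commit message should also state that the default trust store is used, since that is the security-relevant difference from the three-argument constructor right below it.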



On Wed, 2022-12-07 at 08:27 +0000, Marko Hrastovec wrote:
Hi,

can someone please help me resolve an issue in Qpid Proton C++?

I need to connect to an AMQP server securely with client certificate authentication. The server uses a certificate signed by a trusted CA. I can load a certificate into ssl_client_options, but the constructor for ssl_client_options requires a trust_db parameter, as shown in the declaration below:


ssl_client_options (const ssl_certificate &, const std::string &trust_db, enum ssl::verify_mode=ssl::VERIFY_PEER_NAME)


When I connect with these options, I have to provide some trust_db, but I don't know how to provide a default certificate trust database. For now I have set the verify_mode to proton::ssl::ANONYMOUS_PEER, to skip the server identification check. If the system's default certificate trust database were used, proton::ssl::VERIFY_PEER_NAME should work just fine, but I don't know how to use it with this ssl_client_options constructor.

Is there a way to provide an ssl_certificate to ssl_client_options and keep the default certificate trust database at the same time?

Regards
Marko