Author: kgiusti
Date: Thu Oct 11 18:43:50 2012
New Revision: 1397227

URL: http://svn.apache.org/viewvc?rev=1397227&view=rev
Log:
PROTON-64: make ANONYMOUS_PEER the default, remove NO_VERIFY_PEER.

Modified:
    qpid/proton/trunk/proton-c/bindings/python/proton.py
    qpid/proton/trunk/proton-c/include/proton/ssl.h
    qpid/proton/trunk/proton-c/src/ssl/openssl.c

Modified: qpid/proton/trunk/proton-c/bindings/python/proton.py
URL: 
http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/bindings/python/proton.py?rev=1397227&r1=1397226&r2=1397227&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/bindings/python/proton.py (original)
+++ qpid/proton/trunk/proton-c/bindings/python/proton.py Thu Oct 11 18:43:50 
2012
@@ -1815,7 +1815,6 @@ class SSL(object):
     return self._check( pn_ssl_allow_unsecured_client(self._ssl) )
 
   VERIFY_PEER = PN_SSL_VERIFY_PEER
-  NO_VERIFY_PEER = PN_SSL_NO_VERIFY_PEER
   ANONYMOUS_PEER = PN_SSL_ANONYMOUS_PEER
 
   def set_peer_authentication(self, verify_mode, trusted_CAs=None):

Modified: qpid/proton/trunk/proton-c/include/proton/ssl.h
URL: 
http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/include/proton/ssl.h?rev=1397227&r1=1397226&r2=1397227&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/include/proton/ssl.h (original)
+++ qpid/proton/trunk/proton-c/include/proton/ssl.h Thu Oct 11 18:43:50 2012
@@ -132,20 +132,15 @@ int pn_ssl_allow_unsecured_client(pn_ssl
  *
  *  VERIFY_PEER will only connect to those peers that provide a valid 
identifying
  *  certificate signed by a trusted CA and are using an authenticated cipher.
- *  NO_VERIFY_PEER does not require the peer to provide a certificate, but 
does require
- *  use of an authenticated ciper.  ANONYMOUS_PEER not only does not require a 
valid
- *  certificate, but it permits use of ciphers that do not provide 
authentication.
+ *  ANONYMOUS_PEER does not require a valid certificate, and permits use of 
ciphers that
+ *  do not provide authentication.
  *
- *  By default, a client will use VERIFY_PEER.
+ *  ANONYMOUS_PEER is configured by default.
  *
- *  A server will initially use ANONYMOUS_PEER until a certificate is 
configured via
- *  ::pn_ssl_set_credentials(), then the server will use NO_VERIFY_PEER.
- *
- *  These default settings can be changed via 
::pn_ssl_set_peer_authentication()
+ *  These settings can be changed via ::pn_ssl_set_peer_authentication()
  */
 typedef enum {
   PN_SSL_VERIFY_PEER,     /**< require peer to provide a valid identifying 
certificate */
-  PN_SSL_NO_VERIFY_PEER,  /**< do not require peer to provide an identifying 
certificate */
   PN_SSL_ANONYMOUS_PEER,  /**< do not require a certificate nor cipher 
authorization */
 } pn_ssl_verify_mode_t;
 
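Review bot: The rewritten comment states `ANONYMOUS_PEER is configured by default` without saying what that costs: by the sentence just above it, this mode requires no certificate and permits ciphers without authentication, so a default connection is encrypted but the peer's identity is never checked, and clients lose the VERIFY_PEER default that the removed text described. I would add a note to this block, and next to the `By default, neither servers nor clients attempt to verify their peers` sentence in the following hunk, along the lines of `@note The default provides no peer authentication and does not protect against an active man-in-the-middle; select PN_SSL_VERIFY_PEER for authenticated connections.` Separately, dropping PN_SSL_NO_VERIFY_PEER from the middle of the enum renumbers PN_SSL_ANONYMOUS_PEER, so a binary built against the old header that passes the old NO_VERIFY_PEER value would presumably now be given anonymous ciphers; pinning explicit enumerator values would avoid that. The enum comment `cipher authorization` on the context line should read `cipher authentication`.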
@@ -153,8 +148,8 @@ typedef enum {
 /** Configure the level of verification used on the peer certificate.
  *
  * This method controls how the peer's certificate is validated, if at all.  
By default,
- * SSL servers do not attempt to verify their peers (PN_SSL_NO_VERIFY), and 
SSL clients
- * require the remote to provide a valid certificate (PN_SSL_VERIFY_PEER).
+ * neither servers nor clients attempt to verify their peers 
(PN_SSL_ANONYMOUS_PEER).
+ * Once certificates and trusted CAs are configured, peer verification can be 
enabled.
  *
  * @note In order to verify a peer, a trusted CA must be configured. See
  * ::pn_ssl_set_trusted_ca_db().
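Review bot: The new sentence `Once certificates and trusted CAs are configured, peer verification can be enabled` leaves open whether verification switches on by itself once a CA database is present or only after an explicit call. The header text removed in the previous hunk described a server changing mode automatically after ::pn_ssl_set_credentials(), so readers of the old documentation may expect something similar here. If the mode never changes implicitly, which is what the new type comment suggests, I would state it directly: `Peer verification is enabled only by calling this function with PN_SSL_VERIFY_PEER after configuring a trusted CA database.` The doc comment continues past the end of this hunk.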
@@ -163,7 +158,7 @@ typedef enum {
  * ::pn_ssl_set_credentials().
  *
  * @param[in] ssl the ssl client/server to configure.
- * @param[in] mode the level of validation to apply to the peer's certificate.
+ * @param[in] mode the level of validation to apply to the peer
  * @param[in] trusted_CAs path to a database of trusted CAs that the server 
will advertise
  * to the peer client if the server has been configured to verify its peer.
  * @return 0 on success
@@ -177,7 +172,6 @@ int pn_ssl_set_peer_authentication(pn_ss
  * Access the current peer certificate validation level.  See
  * ::pn_ssl_set_peer_authentication().
  *
- *
  * @param[in] ssl the ssl client/server to query.
  * @param[out] mode the level of validation that will be applied to the peer's 
certificate.
  * @param[out] trusted_CAs set to a buffer to hold the path to the database of 
trusted CAs

Modified: qpid/proton/trunk/proton-c/src/ssl/openssl.c
URL: 
http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/src/ssl/openssl.c?rev=1397227&r1=1397226&r2=1397227&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/src/ssl/openssl.c (original)
+++ qpid/proton/trunk/proton-c/src/ssl/openssl.c Thu Oct 11 18:43:50 2012
@@ -397,19 +397,6 @@ int pn_ssl_set_peer_authentication(pn_ss
     _log( ssl, "Peer authentication mode set to VERIFY-PEER\n");
     break;
 
-  case PN_SSL_NO_VERIFY_PEER:
-    // @todo - punt this setting?
-    SSL_CTX_set_verify( ssl->ctx, SSL_VERIFY_NONE, NULL );
-
-    // Still require authenticating ciphers, since they are stronger than 
anonymous (KAG:
-    // again - ok?)
-    if (!SSL_CTX_set_cipher_list( ssl->ctx, CIPHERS_AUTHENTICATE )) {
-      _log_ssl_error(ssl, "Failed to set cipher list to %s\n", 
CIPHERS_AUTHENTICATE);
-      return -2;
-    }
-    _log( ssl, "Peer authentication mode set to NO-VERIFY-PEER\n");
-    break;
-
   case PN_SSL_ANONYMOUS_PEER:   // hippie free love mode... :)
     SSL_CTX_set_verify( ssl->ctx, SSL_VERIFY_NONE, NULL );
 


