----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/14570/ -----------------------------------------------------------
Review request for qpid and Andrew Stitcher. Bugs: QPID-3914 https://issues.apache.org/jira/browse/QPID-3914 Repository: qpid Description ------- This patch borrows much from the last submitted patch but takes it in a different direction. Wherever possible, similarities between Windows certificate handling and NSS certificate handling are emphasized and differences de-emphasized. For example, certificates are now specified by their "Friendly Name" which most closely resembles the NSS nickname. The password is now provided in a file rather than from the command line or environment variable (and using the same specifier). However, some differences cannot be glossed over. Microsoft's SChannel implementation severely restricts where the final trust for a server certificate may reside (either the self-signed certificate itself or the trusted root CA of a certificate chain). It cannot be specified from an arbitrary Windows store or file based store (unlike a client certificate). To make things worse, the tools available to install/manage certificates vary between Windows versions or the presence of optional packages not regularly installed on all target machines. So I am certainly sympathetic to the desire to provide a mechanism to simplify the installation of the server certificate. Nevertheless, I removed that capability for several reasons: Andrew's original objection is still valid regarding qpid intruding on normal system administration of certificates; the previous patch is too specific (handles self signed certs but not certificate chains); the solution is at the mercy of the user who may click in the wrong spot no matter how well he may be coaxed. As best I can tell, this is nuisance for anyone needing SSL validation of their product. Some combination of certutil.exe, certmgr.msc, or powershell wizardry is used but with a fallback description of how to import the certificate by browsing to the certificate in MMC or Windows Explorer. This patch also provides a revised store opening mechanism that doesn't create stray stores if the user species the name incorrectly. Diffs ----- http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/SSL 1530859 http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/CMakeLists.txt 1530859 http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/qpid/client/windows/SaslFactory.cpp 1530859 http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/qpid/client/windows/SslConnector.cpp 1530859 http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/qpid/sys/windows/util.h PRE-CREATION http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/qpid/sys/windows/util.cpp PRE-CREATION Diff: https://reviews.apache.org/r/14570/diff/ Testing ------- Windows 7: Personal/MY store, user created store, pkcs#12 file. Self signed, chained certs. Thanks, Cliff Jansen