-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/14570/
-----------------------------------------------------------
(Updated Oct. 17, 2013, 4:05 p.m.)
Review request for qpid and Andrew Stitcher.
Changes
-------
This updated patch tries to incorporate all the suggestions in the first review.
Bugs: QPID-3914
https://issues.apache.org/jira/browse/QPID-3914
Repository: qpid
Description
-------
This patch borrows much from the last submitted patch but takes it in a
different direction. Wherever possible, similarities between Windows
certificate handling and NSS certificate handling are emphasized and
differences de-emphasized.
For example, certificates are now specified by their "Friendly Name" which most
closely resembles the NSS nickname. The password is now provided in a file
rather than from the command line or environment variable (and using the same
specifier).
However, some differences cannot be glossed over. Microsoft's SChannel
implementation severely restricts where the final trust for a server
certificate may reside (either the self-signed certificate itself or the
trusted root CA of a certificate chain). It cannot be specified from an
arbitrary Windows store or file-based store (unlike a client certificate).
To make things worse, the tools available to install/manage certificates vary
between Windows versions or the presence of optional packages not regularly
installed on all target machines. So I am certainly sympathetic to the desire
to provide a mechanism to simplify the installation of the server certificate.
Nevertheless, I removed that capability for several reasons:
Andrew's original objection is still valid regarding qpid intruding on normal
system administration of certificates; the previous patch is too specific
(handles self-signed certs but not certificate chains); the solution is at the
mercy of the user who may click in the wrong spot no matter how well he may be
coaxed.
As best I can tell, this is a nuisance for anyone needing SSL validation of their
product. Some combination of certutil.exe, certmgr.msc, or PowerShell wizardry
is used but with a fallback description of how to import the certificate by
browsing to the certificate in MMC or Windows Explorer.
This patch also provides a revised store opening mechanism that doesn't create
stray stores if the user specifies the name incorrectly.
Diffs (updated)
-----
http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/SSL 1533100
http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/CMakeLists.txt 1533100
http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/qpid/client/windows/SaslFactory.cpp 1533100
http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/qpid/client/windows/SslConnector.cpp 1533100
http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/qpid/sys/windows/util.h PRE-CREATION
http://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/qpid/sys/windows/util.cpp PRE-CREATION
Diff: https://reviews.apache.org/r/14570/diff/
Testing
-------
Windows 7: Personal/MY store, user-created store, PKCS#12 file. Self-signed,
chained certs.
Thanks,
Cliff Jansen