[ https://issues.apache.org/jira/browse/QPID-5375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13839464#comment-13839464 ]

ASF subversion and git services commented on QPID-5375:
-------------------------------------------------------

Commit 1547958 from [email protected] in branch 'qpid/trunk'
[ https://svn.apache.org/r1547958 ]

QPID-5375: make Windows client certs more like their Posix counterpart, no 
longer restricted to SASL EXTERNAL

> Windows SSL client certificates should not be tied to SASL EXTERNAL
> -------------------------------------------------------------------
>
>                 Key: QPID-5375
>                 URL: https://issues.apache.org/jira/browse/QPID-5375
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Client
>    Affects Versions: 0.25
>         Environment: Windows
>            Reporter: Cliff Jansen
>            Assignee: Cliff Jansen
>
> QPID-3914 provided initial client certificate support.  It is triggered by 
> specifying the SASL EXTERNAL mechanism and is useful for many scenarios.  As 
> implemented, the connection is not even attempted if the client certificate 
> cannot be loaded successfully.
> The Posix implementation behaves differently.  Client certificate handling is 
> triggered by the actual request from the server for the client certificate as 
> part of the SSL handshake.  It is not dependent on the SASL mechanism 
> specified by the user.  A client cert can be required to complete the SSL 
> handshake, but an alternative SASL mechanism (PLAIN, ANONYMOUS... ) can be 
> specified in addition to resolve the actual user identity for the connection.
> The Posix implementation provides a lazy client certificate loading mechanism 
> which is invoked part way through the SSL handshake, but only if the server 
> requests it.  In particular, the inability to locate a client certificate is 
> never an error if the server does not request one.
> The Windows SSL implementation can be made to work the same way by attempting 
> to pre-load a client certificate prior to starting the handshake.  Any errors 
> in loading the certificate must be remembered but ignored unless the server 
> does request a client certificate and none was supplied.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
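
The pre-load and deferred-error behaviour described in the issue above, as an added example that is not part of the original message and is not Qpid's code. All class, function and certificate names are hypothetical, and the certificate store lookup is replaced by a constructed boolean.

```cpp
#include <iostream>
#include <string>

// Simplified model of the issue's design; every name here is hypothetical,
// none of it is Qpid's API.
enum class Outcome { Connected, ConnectedWithCert, HandshakeFailed };

struct Result {
    Outcome outcome;
    std::string saslMech;  // identity is still resolved by the chosen mechanism
    std::string detail;    // remembered load error, surfaced only on failure
};

class DeferredClientCert {
    bool loaded_ = false;
    std::string cert_;
    std::string loadError_;
public:
    // Pre-load before the handshake; a failure is recorded, never raised here.
    // presentInStore is a constructed stand-in for a certificate store lookup.
    void preload(const std::string& name, bool presentInStore) {
        if (name.empty())         loadError_ = "no client certificate configured";
        else if (!presentInStore) loadError_ = "certificate not found: " + name;
        else                      { cert_ = name; loaded_ = true; }
    }
    bool loaded() const { return loaded_; }
    const std::string& error() const { return loadError_; }
};

// The certificate decision depends only on the server's request, not on saslMech.
Result connect(const DeferredClientCert& cc, bool serverRequestsCert,
               const std::string& saslMech) {
    if (!serverRequestsCert)          // load errors stay ignored
        return {Outcome::Connected, saslMech, ""};
    if (!cc.loaded())                 // now the remembered error matters
        return {Outcome::HandshakeFailed, "", cc.error()};
    return {Outcome::ConnectedWithCert, saslMech, ""};
}

int main() {
    DeferredClientCert missing, present;
    missing.preload("client1", false);   // constructed sample inputs
    present.preload("client1", true);
    Result r = connect(missing, true, "PLAIN");
    std::cout << (r.outcome == Outcome::HandshakeFailed) << " " << r.detail << "\n";
    std::cout << (connect(missing, false, "PLAIN").outcome == Outcome::Connected) << "\n";
    std::cout << (connect(present, true, "ANONYMOUS").outcome == Outcome::ConnectedWithCert) << "\n";
}
```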
