[
https://issues.apache.org/jira/browse/DISPATCH-1039?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16514216#comment-16514216
]
Gordon Sim commented on DISPATCH-1039:
--------------------------------------
A simple change that would allow alternative authentication mechanisms would be:
{noformat}
diff --git a/src/http-libwebsockets.c b/src/http-libwebsockets.c
index 6df0cca..76518a8 100644
--- a/src/http-libwebsockets.c
+++ b/src/http-libwebsockets.c
@@ -300,8 +300,7 @@ static void listener_start(qd_http_listener_t *hl,
qd_http_server_t *hs) {
info.options |=
LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
- (config->ssl_required ? 0 :
LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT) |
- (config->requireAuthentication ?
LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT : 0);
+ (config->ssl_required ? 0 :
LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT);
}
info.vhost_name = hl->listener->config.host_port;
hl->vhost = lws_create_vhost(hs->context, &info);
{noformat}
However, it would *not* then be possible to require client certificates, as
EXTERNAL does not work with websockets at present (see DISPATCH-1040).
An alternative fix would be to request client certs only if there were any
CA(s) set against which to validate them:
{noformat}
diff --git a/src/http-libwebsockets.c b/src/http-libwebsockets.c
index 6df0cca..ff26f57 100644
--- a/src/http-libwebsockets.c
+++ b/src/http-libwebsockets.c
@@ -295,13 +295,13 @@ static void listener_start(qd_http_listener_t *hl,
qd_http_server_t *hs) {
info.ssl_cert_filepath = config->ssl_certificate_file;
info.ssl_private_key_filepath = config->ssl_private_key_file;
info.ssl_private_key_password = config->ssl_password;
- info.ssl_ca_filepath = config->ssl_trusted_certificates;
+ info.ssl_ca_filepath = config->ssl_trusted_certificates ?
config->ssl_trusted_certificates : config->ssl_trusted_certificate_db;
info.ssl_cipher_list = config->ssl_ciphers;
info.options |=
LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
(config->ssl_required ? 0 :
LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT) |
- (config->requireAuthentication ?
LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT : 0);
+ ((config->requireAuthentication && info.ssl_ca_filepath) ?
LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT : 0);
}
info.vhost_name = hl->listener->config.host_port;
hl->vhost = lws_create_vhost(hs->context, &info);
{noformat}
Though this would still be different behaviour from where http=no, it would
allow client certs to be used if desired, without requiring them as the only
possible means of authentication. (Since EXTERNAL doesn't yet work with
websockets, using client certs for authentication would not allow any user
specific policy to be applied).
(Note, at present the ssl_trusted_certificates option is never set, see
DISPATCH-1042. This change also falls back to the caCertFile from the
ssl_profile).
I favour the second patch. at least until DISPATCH-1040/PROTON-1864 is
resolved. [~aconway] [[email protected]] [~ganeshmurthy] thoughts?
> websocket listener with authenticatePeer=true requires client certs
> -------------------------------------------------------------------
>
> Key: DISPATCH-1039
> URL: https://issues.apache.org/jira/browse/DISPATCH-1039
> Project: Qpid Dispatch
> Issue Type: Bug
> Reporter: Gordon Sim
> Priority: Major
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
