Thank you, Gordon. I had a conversation with a maintainer (Red Hat employee) of mod_nss on #dogtag-pki (irc.freenode.net). He seemed to be very familiar with how this functionality was implemented in mod_nss. The following are his comments:

-- The function you want is SSL_OptionSet()
-- the options, depending on what you want, are:
-- SSL_OptionSet(sslfd, SSL_REQUEST_CERTIFICATE, PR_TRUE);
-- that will have NSS request a cert during the handshake
-- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
-- that will have it require a certificate or discontinue the conversation
-- the docs for this are really, really, really out-of-date
-- http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html
-- the NSS source tree is also useful for digging this stuff out
-- in mozilla/nss/cmd one can find the NSS utilities, including some clients which do client auth (tstclnt)
-- and servers which can require it (the name escapes me at the moment)

jeff

On Tue, 2009-06-02 at 06:59 -0400, Jeffrey Bride wrote:
> Hi,
> I'm using the C++ QPid Broker from the RHEL5.3 yum repository and the M5
> java QPid client libraries to successfully communicate over two-way SSL
> (ssl-require-client-authentication = true). In addition to two-way
> SSL, my military customer is also asking that the QPid broker only allow
> an SSL connection from a configurable list of client certificates. As an
> example, similar PKI certificate control lists are provided by both
> mod_ssl and mod_nss when configuring the Apache httpd. In httpd.conf,
> the following directive only allows an SSL connection to httpd from a
> client using my certificate:
>
> SSLRequire (%{SSL_CLIENT_S_DN_CN} eq "BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx")
>
> Since the C++ broker leverages the NSS libraries, is there an
> equivalent in QPid?? My customer would like to have very tight control of
> SSL connections between brokers in our AMQP federation scenarios.
> When configuring the C++ broker, could I somehow add something similar
> to /etc/qpidd.conf to dictate which client certificates can make SSL
> connections to that broker??
>
> thank you!
> jeff
> --
> Jeffrey Bride
> RedHat / JBoss
> 303-523-7885
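The CN allow-list check the SSLRequire directive performs, written out as a stand-alone C example added here (it is not code from NSS, mod_nss or qpidd). It assumes the client's subject DN arrives as an RFC 4514 string, as CERT_NameToAscii() produces, and that the check would be consulted from the certificate callback installed with SSL_AuthCertificateHook once the SSL_OptionSet() calls above have made a client certificate mandatory; allowed_cns stands in for a qpidd.conf setting that is hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Extract the first CN value from an RFC 4514 subject DN ("CN=..,OU=..,C=US").
 * Backslash escapes, including hex forms such as \2C, are decoded so an escaped
 * comma inside a value is never taken for an RDN separator ('+' multi-valued
 * RDNs are not handled). Returns false if no CN is present or it does not fit. */
static bool dn_common_name(const char *dn, char *out, size_t outlen)
{
    for (const char *p = dn; *p; ) {
        while (*p == ' ') p++;                          /* optional space after ',' */
        bool is_cn = toupper((unsigned char)p[0]) == 'C' &&
                     toupper((unsigned char)p[1]) == 'N' && p[2] == '=';
        if (is_cn) p += 3;
        size_t n = 0;
        while (*p && *p != ',') {                       /* one attribute value */
            char c = *p++;
            if (c == '\\' && isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
                char hex[3] = { p[0], p[1], '\0' };     /* \2C -> ',' */
                c = (char)strtol(hex, NULL, 16); p += 2;
            } else if (c == '\\' && *p) c = *p++;       /* \, \+ \" \\ */
            if (is_cn && n + 1 >= outlen) return false;
            if (is_cn) out[n++] = c;
        }
        if (is_cn) { out[n] = '\0'; return n > 0; }
        if (*p == ',') p++;
    }
    return false;
}

/* Exact, case-sensitive match against the configured CNs: the same test as
 * SSLRequire %{SSL_CLIENT_S_DN_CN} eq "...". In an NSS server this belongs in
 * the callback installed with SSL_AuthCertificateHook. */
static bool client_cn_allowed(const char *subject_dn, const char *const *allowed, size_t count)
{
    char cn[256];
    if (!dn_common_name(subject_dn, cn, sizeof cn)) return false;
    for (size_t i = 0; i < count; i++)
        if (strcmp(cn, allowed[i]) == 0) return true;
    return false;
}

/* Constructed allow list (hypothetical qpidd.conf option); the CN is the one
 * from the message, its redacted digits left as given. */
static const char *const allowed_cns[] = { "BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx" };

static bool example_allowed(const char *subject_dn)
{
    return client_cn_allowed(subject_dn, allowed_cns, sizeof allowed_cns / sizeof *allowed_cns);
}
```

Matching on CN alone admits any certificate with that CN from any CA the broker trusts, so the list is only as selective as the trust store behind it; comparing the whole subject DN, or the issuer and serial, is the tighter variant.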
