Hi,

I played a bit with the support for SSL client authentication in the C++ API for Windows. It seems that I got it working, at least against our Red Hat MRG 2.0 (Qpid 0.10) brokers ...

I made the following changes:
1) Added support for the SASL EXTERNAL mechanism
2) Added a new connection option ssl-cert-store which allows selecting the certificate store which should be used to search for the certificate. If not specified, the default "Personal" store is used.
3) Changed the SSL Connector to try to load the private key if the EXTERNAL mechanism has been selected
4) The username for the SASL EXTERNAL mechanism is taken from the "username" connection option. The username is also used to find the right certificate, since the username has to be in the subject of the certificate. I was considering adding a new option for this, but this approach seemed to be the best.

Currently, I'm aware of a few limitations:
1) When the SSL client authentication is enabled on the broker, the client can connect only with EXTERNAL, not with PLAIN. But this problem was there already before my changes ... I have some idea where the problem is, but I'm not sure whether I will manage to fix it ...
2) When there are multiple certificates with a matching subject, the first one is always used. I didn't find any better method for selecting the certificate ...

Also, the current version is developed against the 0.14 source code, because I had some problems getting the trunk to compile & work ... I have to look at it ...

The patch is attached. If someone wants to try it right now, feel free to do so. Also, if anyone has some comments, please share them. Otherwise, I will try to reconcile the patch to trunk and will attach the patch to some JIRA issue ... either an existing one or a new one - I'm not sure whether there already is some open JIRA covering it.

Regards
Jakub

PS: I didn't look into the .NET API yet. Does someone know whether the .NET API needs to be somehow modified, or are the modifications in the C++ APIs automatically used by the .NET?
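
Added example, not part of the original message or the attached patch: one way to make the certificate choice deterministic when several certificates match the username (limitation 2 in the message). `CertInfo`, `commonName` and `selectClientCert` are hypothetical names, and the store is modelled as a plain vector of constructed entries rather than read through the Windows certificate store API.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical, simplified view of one certificate in the selected store.
struct CertInfo {
    std::string subject;      // e.g. "CN=alice, O=Example" (constructed)
    std::int64_t notBefore;   // validity start, seconds since epoch
    std::int64_t notAfter;    // validity end, seconds since epoch
    bool hasPrivateKey;       // EXTERNAL needs the key, not just the cert
};

// Return the CN value of a comma-separated subject, or "" if there is none.
// Simplification: escaped commas inside attribute values are not handled.
std::string commonName(const std::string& subject) {
    std::size_t pos = 0;
    while (pos <= subject.size()) {
        std::size_t end = subject.find(',', pos);
        if (end == std::string::npos) end = subject.size();
        std::size_t start = subject.find_first_not_of(' ', pos);
        if (start != std::string::npos && start < end &&
            subject.compare(start, 3, "CN=") == 0) {
            std::string value = subject.substr(start + 3, end - start - 3);
            value.erase(value.find_last_not_of(' ') + 1);  // trim trailing spaces
            return value;
        }
        pos = end + 1;
    }
    return "";
}

// Index of the certificate to present for `username`, or -1 if none qualifies.
// Requires an exact CN match, a private key and current validity; among the
// remaining candidates the one that expires last wins (ties: lowest index).
int selectClientCert(const std::vector<CertInfo>& store,
                     const std::string& username, std::int64_t now) {
    int best = -1;
    for (std::size_t i = 0; i < store.size(); ++i) {
        const CertInfo& c = store[i];
        if (username.empty() || commonName(c.subject) != username) continue;
        if (!c.hasPrivateKey || now < c.notBefore || now > c.notAfter) continue;
        if (best < 0 || c.notAfter > store[best].notAfter)
            best = static_cast<int>(i);
    }
    return best;
}
```

Comparing the whole CN value keeps a certificate whose subject merely contains the username (for example `alice2` for `alice`) from being selected, and returning -1 lets the caller fail the connection instead of presenting an expired or key-less certificate.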