Terrific, Jakub - thanks! Could you please open a jira for this and attach your patches to it - please be sure to check the box granting rights to ASF or we can't use the patch.
Someone else will need to comment on the .NET aspect.

-Steve

> -----Original Message-----
> From: Jakub Scholz [mailto:[email protected]]
> Sent: Tuesday, March 06, 2012 6:48 PM
> To: [email protected]
> Subject: SSL Client Authentication support for C++ on Windows
>
> Hi,
>
> I played a bit with the support for SSL client authentication in the
> C++ API for Windows. It seems that I got it working, at least against
> our Red Hat MRG 2.0 (Qpid 0.10) brokers ... I made the following changes:
> 1) Added support for the SASL EXTERNAL mechanism
> 2) Added a new connection option ssl-cert-store which allows selecting the
> certificate store which should be used to search for the certificate. If not
> specified, the default "Personal" store is used.
> 3) Changed the SSL Connector to try to load the private key if the EXTERNAL
> mechanism has been selected
> 4) The username for the SASL EXTERNAL mechanism is taken from the
> "username" connection option. The username is also used to find the right
> certificate, since the username has to be in the subject of the certificate. I
> was considering adding a new option for this, but this approach seemed to be
> the best.
>
> Currently, I'm aware of a few limitations:
> 1) When SSL client authentication is enabled on the broker, the client can
> connect only with EXTERNAL, not with PLAIN. But this problem was there
> already before my changes ... I have some idea where the problem is, but I'm
> not sure whether I will manage to fix it ...
> 2) When there are multiple certificates with a matching subject, the first one
> is always used. I didn't find any better method for selecting the certificate
> ...
>
> Also, the current version is developed against the 0.14 source code, because I
> had some problems getting the trunk to compile & work ... I have to look at it
> ...
>
> The patch is attached. If someone wants to try it right now, feel free to do so.
> Also if anyone has some comments, please share them.
> Otherwise, I will try to reconcile the patch to trunk and will attach the patch
> to some JIRA issue ... either an existing one or a new one - I'm not sure whether
> there already is some open JIRA covering it.
>
> Regards
> Jakub
>
> PS: I didn't look into the .NET API yet. Does someone know whether the
> .NET API needs to be somehow modified or are the modifications in the C++
> APIs automatically used by the .NET?
