Hi Olivier,

Speaking for the Java Broker, there is currently no mechanism to tie the TLS client certificate to the host name or IP address corresponding to the origin of the TCP/IP connection (I'd imagine this is also the case for Dispatcher but I'll let someone more knowledgeable on that codebase step in there). Similarly to the C++ broker as described in the document Chester provided, when using the SSL Client Certificates on a connection we simply verify that the certificate has been signed by a trusted source, and then (if the External Auth Provider is being used) take the identity from the certificate itself.

It certainly shouldn't be a big job to add the ability to verify that the certificate provided by the client in the TLS negotiation has a DN or SAN which corresponds to the IP address or reverse-looked-up DNS name of the machine initiating the connection. Obviously in your use case as described below this would be validating that the connection from a Dispatcher instance is coming from the expected machine for the Dispatcher... it won't be verifying anything about the client which connects to the Dispatcher.

Would you be interested in me implementing something to add this functionality to the Java Broker?

Cheers,
Rob

On 9 June 2016 at 21:34, Chester <[email protected]> wrote:
> At least for the cpp broker, ssl-require-client-authentication=yes will do
> the trick. The broker book (
> http://qpid.apache.org/releases/qpid-cpp-0.34/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Security-Encryption_using_SSL
> ) is a good resource for SSL options.
>
> As far as the check goes, I think it looks at the Subject Alternative Name,
> and falls back to CN if there is no SAN on the cert.
>
> On Thu, Jun 9, 2016 at 1:09 PM, Olivier Mallassi <[email protected]> wrote:
>
>> All,
>>
>> The whole idea is
>> (1) to build the following chain: clients (Java/c++) <-> dispatcher(s) <-> java qpid brokers.
>> (2) with two-way SSL between all the components...
>>
>> Tests are ongoing but I was wondering if there is a way to configure the
>> dispatchers and the brokers to check (or not) the client hostname (while
>> checking the client certificate)?
>> If activated, does it use the CN for hostname?
>>
>> Thx for your help.
>>
>> Cheers.
>>
>> Olivier.
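The check discussed in this thread, the SAN-first / CN-fallback rule Chester describes combined with the comparison against the peer's IP address or reverse-looked-up DNS name that Rob proposes, written out as an added example. This is illustrative Python, not Java Broker, C++ broker or Dispatcher code; the certificate dictionaries are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and every host name and address in them is made up.

```python
import ipaddress
import socket

# Constructed certificates in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names and addresses are made up for this example.
DISPATCHER_CERT = {
    "subject": ((("commonName", "dispatcher01.example.test"),),),
    "subjectAltName": (
        ("DNS", "dispatcher01.example.test"),
        ("IP Address", "10.0.0.5"),
    ),
}
# A certificate with no SAN at all: only the CN can be consulted.
CN_ONLY_CERT = {
    "subject": ((("commonName", "dispatcher02.example.test"),),),
}
# A certificate whose SAN names something else: once a SAN exists the CN is ignored.
SAN_MISMATCH_CERT = {
    "subject": ((("commonName", "dispatcher01.example.test"),),),
    "subjectAltName": (("DNS", "unrelated.example.test"),),
}


def common_names(cert):
    """All commonName values in the subject, in order."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def dns_names_equal(cert_name, host_name):
    """Exact, case-insensitive comparison; wildcards are deliberately not honoured."""
    return cert_name.lower().rstrip(".") == host_name.lower().rstrip(".")


def address_matches(cert_value, peer_addr):
    """True if cert_value parses as an IP address equal to peer_addr."""
    try:
        return ipaddress.ip_address(cert_value) == peer_addr
    except ValueError:
        return False


def peer_matches_certificate(cert, peer_ip, reverse_dns=None):
    """Decide whether the connecting peer is named by its client certificate.

    Rule: if the certificate carries a subjectAltName, only SAN entries count
    (an IP entry must equal the peer's IP, a DNS entry must equal the reverse-DNS
    name). A certificate with no SAN falls back to its CN, which may hold either
    a literal IP address or a host name.
    """
    peer_addr = ipaddress.ip_address(peer_ip)
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if kind == "IP Address" and address_matches(value, peer_addr):
                return True
            if kind == "DNS" and reverse_dns and dns_names_equal(value, reverse_dns):
                return True
        return False
    for cn in common_names(cert):
        if address_matches(cn, peer_addr):
            return True
        if reverse_dns and dns_names_equal(cn, reverse_dns):
            return True
    return False


def reverse_lookup(peer_ip):
    """Look up the PTR name for the peer's IP; None when nothing resolves."""
    try:
        return socket.gethostbyaddr(peer_ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    peer = "10.0.0.5"
    print(peer_matches_certificate(DISPATCHER_CERT, peer, reverse_lookup(peer)))
```

Two points worth keeping in mind when wiring this into a broker. An IP-address SAN entry binds the certificate to the socket's actual source address, whereas a reverse-DNS name only proves what the owner of that address range has published in the PTR record, so the DNS branch is the weaker of the two and is best combined with a forward lookup of the returned name. And, as Rob notes above, a broker performing this check learns only that the Dispatcher connected from the expected machine; it says nothing about the end clients behind the Dispatcher, which need their own certificate checks on the Dispatcher-facing listener.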
