>> Are you expected to leave the client-keys.pem file unencrypted, but readable
>> only by an admin account which runs the qpid-config etc commands,
> Yes, I *think* that is the case at present.

Yes, that works - I should have tested it earlier. Thanks for the roadmap, I think I'm going to go with the first method though.

Jeff

________________________________________
From: Gordon Sim [[email protected]]
Sent: Monday, January 09, 2017 4:16 AM
To: [email protected]
Subject: Re: Want to add a key PEM file password option to qpidd admin tools

On 09/01/17 07:50, Jeff Donner wrote:
> Hi,
>
> I want to authenticate the admin tools to qpidd with SSL + SASL EXTERNAL,
> which so far looks something like this:
>
> qpid-config --broker amqps://dev-qpidclient@localhost:5672 \
>   --ssl-certificate=pki/client/certs/client-cert.pem \
>   --ssl-key=pki/client/private/client-keys.pem \
>   --sasl-mechanism=EXTERNAL \
>   add queue examples
>
> (Clients proper I have working.)
>
> Are you expected to leave the client-keys.pem file unencrypted, but readable
> only by an admin account which runs the qpid-config etc commands,

Yes, I *think* that is the case at present.

> or is there a way to pass a filename that /contains the password for/ an
> encrypted client-keys.pem file?
>
> Any tips for how to go about adding support for this if not?

From a quick look at the code, the python client the tool uses, uses ssl.wrap_socket which doesn't expose the ability to set a password. The python docs suggest using SSLContext.wrap_socket() instead, as SSLContext allows a password providing function to be specified when retrieving the key.

So I think the fix required would first be to move the code in qpid.messaging.transports.py to use SSLContext.wrap_socket. Then to expose an extra option on the connection to specify the password file (in qpid.messaging.endpoints.py) and use that from transports.py. Finally that option would need to be exposed to qpid-config, qpid-stat etc.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
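The approach outlined in the thread (an SSLContext whose password-providing function reads a password file), sketched as an added example; it is not Qpid code and not written by either poster. The function names, the `password_file` parameter and the file-permission check are assumptions for illustration, using only the Python 3 standard library.

```python
import os
import socket
import ssl
import stat


def read_key_password(password_file):
    """Return the key passphrase (first line of password_file) as bytes.

    The password file is as sensitive as an unencrypted key, so refuse
    it if group or other have any access to it.
    """
    st = os.stat(password_file)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("%s is not a regular file" % password_file)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            "%s is accessible by group/other; chmod 600 it" % password_file)
    with open(password_file, "rb") as f:
        password = f.readline().rstrip(b"\r\n")
    if not password:
        raise ValueError("%s is empty" % password_file)
    return password


def make_client_context(certfile, keyfile, password_file=None, cafile=None):
    """Build a client SSLContext that presents certfile/keyfile to the broker."""
    # SERVER_AUTH: this side is a client verifying the broker's certificate.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if password_file is None:
        # With password=None OpenSSL prompts on the terminal for an
        # encrypted key; raise instead so unattended scripts do not hang.
        def password():
            raise ValueError("key is encrypted but no password file given")
    else:
        def password():
            return read_key_password(password_file)
    # The callable is only invoked if the key is actually encrypted.
    ctx.load_cert_chain(certfile, keyfile, password=password)
    return ctx


def connect(host, port, ctx):
    """Open a TLS connection, checking the broker certificate against host."""
    sock = socket.create_connection((host, port))
    return ctx.wrap_socket(sock, server_hostname=host)
```
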
