Hi, I made a change to qpid proton cpp which allows using a client certificate without the need to use a custom certificate trust database.
I cannot create a JIRA account to submit a patch. So I am attaching the change here. Can someone, please, add that to the code for the future qpid proton releases? Thanks. Kind Regards Marko The change: diff --git a/cpp/include/proton/ssl.hpp b/cpp/include/proton/ssl.hpp index cbec8767..d978fcb8 100644 --- a/cpp/include/proton/ssl.hpp +++ b/cpp/include/proton/ssl.hpp @@ -163,6 +163,10 @@ class ssl_client_options { enum ssl::verify_mode = ssl::VERIFY_PEER_NAME); /// Create SSL client with a client certificate. + PN_CPP_EXTERN ssl_client_options(const ssl_certificate&, + enum ssl::verify_mode = ssl::VERIFY_PEER_NAME); + + /// Create SSL client with a client certificate and a custom certificate trust database. PN_CPP_EXTERN ssl_client_options(const ssl_certificate&, const std::string &trust_db, enum ssl::verify_mode = ssl::VERIFY_PEER_NAME); diff --git a/cpp/src/ssl_options.cpp b/cpp/src/ssl_options.cpp index f74f014e..40f5e08f 100644 --- a/cpp/src/ssl_options.cpp +++ b/cpp/src/ssl_options.cpp 
@@ -131,6 +131,12 @@ ssl_client_options::ssl_client_options(const std::string &trust_db, enum ssl::ve set_client_verify_mode(dom, mode); } +ssl_client_options::ssl_client_options(const ssl_certificate &cert, enum ssl::verify_mode mode) : impl_(new impl) { + pn_ssl_domain_t* dom = impl_->pn_domain(); + set_cred(dom, cert.certdb_main_, cert.certdb_extra_, cert.passwd_, cert.pw_set_); + set_client_verify_mode(dom, mode); +} + ssl_client_options::ssl_client_options(const ssl_certificate &cert, const std::string &trust_db, enum ssl::verify_mode mode) : impl_(new impl) { pn_ssl_domain_t* dom = impl_->pn_domain(); set_cred(dom, cert.certdb_main_, cert.certdb_extra_, cert.passwd_, cert.pw_set_); On Wed, 2022-12-07 at 08:27 +0000, Marko Hrastovec wrote: Hi, can someone please help me to resolve an issue in Qpid Proton C++? I need to connect to an AMQP server securely with client certificate authentication. The server uses a certificate signed by a trusted CA. I can load a certificate into ssl_client_options, but the constructor for ssl_client_options requires a trust_db parameter as shown in the declaration below: ssl_client_options (const ssl_certificate &, const std::string &trust_db, enum ssl::verify_mode=ssl::VERIFY_PEER_NAME) When I connect with these options, I have to provide some trust_db, but I don't know how to provide a default certificate trust database. For now I have set the verify_mode to proton::ssl::ANONYMOUS_PEER, to skip the server's identification check. If the system's default certificate trust database were used, proton::ssl::VERIFY_PEER_NAME should work just fine, but I don't know how to use it with this ssl_client_options constructor. Is there a way to provide ssl_certificate to ssl_client_options and leave the default certificate trust database at the same time? Regards Marko
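Review bot: In the cpp/include/proton/ssl.hpp hunk, the doc comment moved onto the new two-argument overload ("Create SSL client with a client certificate.") does not say which CA store verifies the server when the default ssl::VERIFY_PEER_NAME is in effect and no trust_db is given. Since the whole point of the overload is to skip the custom trust database, the comment should state explicitly that peer verification then relies on the SSL backend's default trust store, e.g. "/// Create SSL client with a client certificate, verifying the peer against the backend's default trust database." Otherwise a caller can read the two adjacent overloads and assume the certificate-only one performs no server verification, which is exactly the ANONYMOUS_PEER workaround this change is meant to replace.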
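Review bot: In the cpp/src/ssl_options.cpp hunk, the new ssl_client_options(const ssl_certificate &cert, enum ssl::verify_mode mode) body calls set_cred and set_client_verify_mode only, so nothing configures a trusted CA database on the pn_ssl_domain_t before VERIFY_PEER_NAME is applied. Whether that verifies against the platform's default CA store or simply has no trust anchors at all is decided entirely by the C layer below this binding, and the hunk does not show that being checked. Before merging, confirm the backend's behaviour when no trust db has been set on the domain, and add a test that a connection made with this constructor to a server presenting a certificate from an unknown CA is rejected under the default mode; a constructor that silently accepts any server would be a regression compared with the existing trust_db overload directly beneath it.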