Cliff Jansen created QPID-5375:
----------------------------------

             Summary: Windows SSL client certificates should not be tied to SASL EXTERNAL
                 Key: QPID-5375
                 URL: https://issues.apache.org/jira/browse/QPID-5375
             Project: Qpid
          Issue Type: Improvement
          Components: C++ Client
    Affects Versions: 0.25
         Environment: Windows
            Reporter: Cliff Jansen
            Assignee: Cliff Jansen


QPID-3914 provided initial client certificate support.  It is triggered by 
specifying the SASL EXTERNAL mechanism and is useful for many scenarios.  As 
implemented, the connection is not even attempted if the client certificate 
cannot be loaded successfully.

The Posix implementation behaves differently.  Client certificate handling is 
triggered by the actual request from the server for the client certificate as 
part of the SSL handshake.  It is not dependent on the SASL mechanism specified 
by the user.  A client cert can be required to complete the SSL handshake, but 
an alternative SASL mechanism (PLAIN, ANONYMOUS, ...) can be specified in 
addition to resolve the actual user identity for the connection.

The Posix implementation provides a lazy client certificate loading mechanism 
which is invoked part way through the SSL handshake, but only if the server 
requests it.  In particular, the inability to locate a client certificate is 
never an error if the server does not request one.

The Windows SSL implementation can be made to work the same way by attempting 
to pre-load a client certificate prior to starting the handshake.  Any errors 
in loading the certificate must be remembered but ignored unless the server 
does request a client certificate and none was supplied.
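The behaviour described above (pre-load the certificate, remember any load error, and surface it only if the server asks for a client certificate during the handshake and none is available; SASL then resolves the identity independently) as an added illustration in C++. This is not Qpid code and calls no Windows or SChannel API: the certificate store lookup and the handshake are constructed stand-ins driven by boolean flags, and the names (PreloadedCert, preloadClientCert, sslHandshake, resolveIdentity, connectClient) are hypothetical.

```cpp
#include <stdexcept>
#include <string>

// Hypothetical placeholder for a loaded client certificate; real code would
// wrap a platform certificate handle (e.g. a Windows CERT_CONTEXT).
struct ClientCert {
    std::string subject;
};

// Outcome of the pre-handshake load attempt: either a certificate, or the
// error text that loading produced, kept aside rather than raised.
struct PreloadedCert {
    bool hasCert = false;
    ClientCert cert;
    std::string loadError;
};

// Constructed stand-in for looking a certificate up in the store. storeHasCert
// simulates whether the lookup would succeed; no real store is consulted.
PreloadedCert preloadClientCert(const std::string& certName, bool storeHasCert) {
    PreloadedCert p;
    if (certName.empty()) {
        p.loadError = "no client certificate configured";
    } else if (!storeHasCert) {
        p.loadError = "certificate '" + certName + "' not found in store";
    } else {
        p.hasCert = true;
        p.cert.subject = certName;
    }
    return p;   // never throws: a missing certificate is not yet an error
}

enum class HandshakeResult { Ok, ClientCertMissing };

// The only point at which the remembered load error is surfaced: the server
// asked for a client certificate and there is none to present.
HandshakeResult sslHandshake(const PreloadedCert& pre, bool serverRequestsClientCert,
                             std::string& errorOut) {
    if (!serverRequestsClientCert || pre.hasCert) return HandshakeResult::Ok;
    errorOut = pre.loadError;
    return HandshakeResult::ClientCertMissing;
}

// SASL runs after the TLS handshake and chooses the identity independently of
// whether TLS needed a certificate. Only EXTERNAL depends on the certificate.
std::string resolveIdentity(const std::string& saslMech, const PreloadedCert& pre,
                            const std::string& username) {
    if (saslMech == "EXTERNAL") {
        if (!pre.hasCert)
            throw std::runtime_error("SASL EXTERNAL needs a client certificate: " + pre.loadError);
        return pre.cert.subject;
    }
    if (saslMech == "PLAIN") return username;
    if (saslMech == "ANONYMOUS") return "anonymous";
    throw std::runtime_error("unsupported SASL mechanism: " + saslMech);
}

// Whole connection attempt; returns the authenticated identity or throws.
std::string connectClient(const std::string& certName, bool storeHasCert,
                          bool serverRequestsClientCert, const std::string& saslMech,
                          const std::string& username) {
    PreloadedCert pre = preloadClientCert(certName, storeHasCert);
    std::string err;
    if (sslHandshake(pre, serverRequestsClientCert, err) != HandshakeResult::Ok)
        throw std::runtime_error("SSL handshake failed: " + err);
    return resolveIdentity(saslMech, pre, username);
}

// Convenience for callers that only need to know whether the connect succeeds.
bool connectSucceeds(const std::string& certName, bool storeHasCert,
                     bool serverRequestsClientCert, const std::string& saslMech,
                     const std::string& username) {
    try {
        connectClient(certName, storeHasCert, serverRequestsClientCert, saslMech, username);
        return true;
    } catch (const std::runtime_error&) {
        return false;
    }
}
```

The cases worth checking are the ones the report contrasts: no certificate configured and the server never asks (PLAIN succeeds), a certificate required by the server with PLAIN supplying the identity (succeeds), and a certificate that fails to load which only becomes an error when the server requests one or when EXTERNAL is chosen.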
