Jeffrey Bride wrote:
Thank you, Gordon.

I had a conversation with a maintainer (Red Hat employee) of mod_nss on
#dogtag-pki (irc.freenode.net). He seemed to be very familiar with how
this functionality was implemented in mod_nss. The following are his
comments:


-- The function you want is SSL_OptionSet()
-- the options, depending on what you want, are:
-- SSL_OptionSet(sslfd, SSL_REQUEST_CERTIFICATE, PR_TRUE);
-- that will have NSS request a cert during the handshake
-- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
-- that will have it require a certificate or discontinue the
conversation

We already do this part (or pretty close to it; currently we set SSL_REQUIRE_CERTIFICATE to PR_TRUE). You can enable the checking of client certificates by specifying --ssl-require-client-authentication to qpidd.

What we don't do is let you further restrict the set of acceptable certificates by CN. The only way you can control the clients that can connect at present is by restricting the set that the server trusts.

-- the docs for this are really, really, really out-of-date
-- http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html
-- the NSS source tree is also useful for digging this stuff out
-- in mozilla/nss/cmd one can find the NSS utilities, including some
clients which do client auth (tstclnt)
-- and servers which can require it (the name escapes me at the moment)

jeff

On Tue, 2009-06-02 at 06:59 -0400, Jeffrey Bride wrote:

Hi,
  I'm using the C++ Qpid broker from the RHEL5.3 yum repository and the M5
Java Qpid client libraries to successfully communicate over two-way SSL
(ssl-require-client-authentication = true). In addition to two-way
SSL, my military customer is also asking that the Qpid broker only allow
an SSL connection from a configurable list of client certificates. As an
example, similar PKI certificate control lists are provided by both
mod_ssl and mod_nss when configuring the Apache httpd. In httpd.conf,
the following directive only allows an SSL connection to httpd from a
client using my certificate:

SSLRequire (%{SSL_CLIENT_S_DN_CN} eq
"BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx")

Since the C++ broker leverages the NSS libraries, is there an
equivalent in Qpid? My customer would like to have very tight control
of SSL connections between brokers in our AMQP federation
scenarios.
When configuring the C++ broker, could I somehow add something similar
to /etc/qpidd.conf to dictate which client certificates can make SSL
connections to that broker?

thank you!
jeff
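The per-CN restriction that the thread says qpidd does not offer, as an added example that is neither the broker's nor NSS's own code: standalone C that pulls the CN out of a certificate subject DN and accepts only allowlisted values, using exact comparison the way mod_ssl's SSLRequire `eq` does. The DN strings and the DEMO_ALLOW list are constructed for the demo, and extract_cn, cn_allowed and has_cn_prefix are hypothetical names. In a real NSS server this check would run inside the callback registered with SSL_AuthCertificateHook(), and only after the default verifier SSL_AuthCertificate() has accepted the chain: a CN match on a certificate the broker does not trust proves nothing, so trust checking must come first and the allowlist only narrows it. NSS can also hand back the CN directly with CERT_GetCommonName() on the peer certificate's subject; the string parsing below exists only so the example runs without NSS installed.

```c
/* Added example, not qpidd or NSS code: accept a TLS client only if the CN of
 * its certificate subject is on an allowlist. Subject DNs are in RFC 2253
 * string form ("CN=a,OU=b,C=US"); extract_cn and cn_allowed are hypothetical
 * names chosen for this demo. */
#include <stdio.h>
#include <string.h>

#define MAX_CN 256

/* Constructed allowlist for the demo; a real broker would read this from
 * configuration (the thread asks for something in /etc/qpidd.conf). */
const char *const DEMO_ALLOW[] = {
    "BRIDE.JEFFREY.ALEXANDER.1234567890",
    "broker-east.example",
    NULL
};

/* Attribute type names are case-insensitive in RFC 2253, so match "cn=" too. */
static int has_cn_prefix(const char *p)
{
    return (p[0] == 'C' || p[0] == 'c') && (p[1] == 'N' || p[1] == 'n') && p[2] == '=';
}

/* Copy the value of the first CN attribute in dn into out. Honours the
 * backslash escape for commas inside a value. Returns 1 on success and 0
 * when there is no CN or it does not fit in out, so callers fail closed. */
int extract_cn(const char *dn, char *out, size_t outlen)
{
    const char *p = dn;
    while (*p) {
        while (*p == ' ')            /* tolerate "CN=a, OU=b" spacing */
            p++;
        int is_cn = has_cn_prefix(p);
        if (is_cn)
            p += 3;
        size_t n = 0;
        while (*p && *p != ',') {    /* value runs to the next unescaped ',' */
            char c = *p;
            if (c == '\\' && p[1]) { c = p[1]; p += 2; }
            else p++;
            if (is_cn) {
                if (n + 1 >= outlen)
                    return 0;        /* too long for the buffer: reject */
                out[n++] = c;
            }
        }
        if (is_cn) {
            out[n] = '\0';
            return n > 0;            /* an empty CN is treated as absent */
        }
        if (*p == ',')
            p++;
    }
    return 0;                        /* no CN attribute at all */
}

/* Exact comparison, like SSLRequire's `eq`: no prefix or wildcard matching,
 * so a cert for "BRIDE.JEFFREY" cannot match a longer allowlisted CN.
 * allow is a NULL-terminated array of accepted CN strings. */
int cn_allowed(const char *dn, const char *const *allow)
{
    char cn[MAX_CN];
    if (!extract_cn(dn, cn, sizeof cn))
        return 0;
    for (; *allow; allow++)
        if (strcmp(cn, *allow) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* constructed subject DNs, not taken from real certificates */
    const char *dns[] = {
        "CN=BRIDE.JEFFREY.ALEXANDER.1234567890,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US",
        "CN=BRIDE.JEFFREY,OU=PKI,OU=DoD,O=U.S. Government,C=US",
        "cn=broker-east.example,O=Example Corp,C=US",
        "OU=PKI,O=Example Corp,C=US",
    };
    for (size_t i = 0; i < sizeof dns / sizeof dns[0]; i++)
        printf("%s -> %s\n", dns[i],
               cn_allowed(dns[i], DEMO_ALLOW) ? "ACCEPT" : "REJECT");
    return 0;
}
```

Two design points worth keeping when wiring this into a real callback: every failure path (no CN, CN too long, no match) rejects rather than accepts, and the match is exact, so a shorter or prefix CN on an otherwise valid certificate is still turned away. If the subject carries more than one CN attribute, this takes the first; a stricter policy would reject such certificates outright.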

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:[email protected]