>> Next I wanted to get user Id from connection
>> (connection_.getAuthenticatedUsername()) but I always got "dummy"
>> string. I traced that to SslConnector.cpp (getSecuritySettings
>> function) where the string is hardcoded. Is there a way to get user id
>> (certificate nickname) from this function?
>> I tried to add this functionality myself:
>> In SslSocket.cpp:
>> std::string SslSocket::getCertNickname() const
>> {
>>     std::string nickname;
>>     CERTCertificate* cert = SSL_LocalCertificate(nssSocket);
>>     if (cert) {
>>         // nickname may be NULL; assigning NULL to std::string is undefined
>>         if (cert->nickname) nickname = cert->nickname;
>>         CERT_DestroyCertificate(cert);
>>     }
>>     return nickname;
>> }
>> There is already function getClientAuthId but on client side this
>> returns server cert domain (which in my case is the same as
>> getting server cert nickname - not certain if that is always the
>> case)...
>> In SslConnector.cpp function getSecuritySettings():
>>
>> std::string nickname(socket.getCertNickname());
>> securitySettings.authid = (nickname.size() ? nickname + "@QPID" : "dummy");
>> //"dummy";//set to non-empty string to enable external authentication
>>
>> I'm not certain if this solution is OK/would be something that would
>> be accepted by qpid devs?
>
>
> I think it is mostly right, but instead of using the nickname, it should
> extract the identity from the local certificate in the same way the server
> will.
>
> I.e. we need a similar method to SslSocket::getClientAuthId() (which was a
> poor choice of name, getPeerAuthId() might have been better) but use the
> SSL_LocalCertificate rather than the SSL_PeerCertificate.
>
> We would be very grateful for a contribution that fixed this problem.

I've changed the code and opened an issue report with patches:
https://issues.apache.org/jira/browse/QPID-7130

>> Also there is an issue that "@QPID" part is hardcoded and I'm not
>> certain if this is always true.
>
>
> This part shouldn't even be needed.

You're right. Haven't noticed that.

Thanks,
Domen