QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections.

On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.

The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 7 insertions, 2 deletions

diff --git a/cpp/src/qpid/cluster/Cluster.cpp b/cpp/src/qpid/cluster/Cluster.cpp
index 460f974b36..9da183a14d 100644
--- a/cpp/src/qpid/cluster/Cluster.cpp
+++ b/cpp/src/qpid/cluster/Cluster.cpp
@@ -510,8 +510,13 @@ ConnectionPtr Cluster::getConnection(const EventFrame& e, Lock&) {
             assert(cp);
         }
         else {              // New remote connection, create a shadow.
-            unsigned int ssf = (announce && announce->hasSsf()) ? announce->getSsf() : 0;
-            cp = new Connection(*this, shadowOut, announce->getManagementId(), id, ssf);
+            qpid::sys::SecuritySettings secSettings;
+            if (announce) {
+                secSettings.ssf = announce->getSsf();
+                secSettings.authid = announce->getAuthid();
+                secSettings.nodict = announce->getNodict();
+            }
+            cp = new Connection(*this, shadowOut, announce->getManagementId(), id, secSettings);
         }
         connections.insert(ConnectionMap::value_type(id, cp));
     }