QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections.

On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.

The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 3 insertions, 1 deletions

diff --git a/cpp/src/qpid/sys/ssl/SslHandler.h b/cpp/src/qpid/sys/ssl/SslHandler.h
index 8f6b8e732a..a340109966 100644
--- a/cpp/src/qpid/sys/ssl/SslHandler.h
+++ b/cpp/src/qpid/sys/ssl/SslHandler.h
@@ -45,11 +45,13 @@ class SslHandler : public OutputControl {
     ConnectionCodec* codec;
     bool readError;
     bool isClient;
+    bool nodict;
 
     void write(const framing::ProtocolInitiation&);
+    qpid::sys::SecuritySettings getSecuritySettings(SslIO* aio);
 
   public:
-    SslHandler(std::string id, ConnectionCodec::Factory* f);
+    SslHandler(std::string id, ConnectionCodec::Factory* f, bool nodict);
     ~SslHandler();
     void init(SslIO* a, int numBuffs);