author: Gordon Sim <gsim@apache.org> 2010-03-05 18:07:49 +0000
committer: Gordon Sim <gsim@apache.org> 2010-03-05 18:07:49 +0000
commit: 4d167622f7bd3da4d78796543c1b603de1510517 (patch)
tree: 2977ece1b5c08055fcbc4449a6df55ca653d12f5 /cpp
parent: 952a527bd4e422de485154da9d38046629ea06b3 (diff)
download: qpid-python-4d167622f7bd3da4d78796543c1b603de1510517.tar.gz
QPID-2412: updated notes for SASL EXTERNAL support and added option.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919525 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp')
-rw-r--r-- cpp/SSL 20
1 files changed, 13 insertions, 7 deletions
diff --git a/cpp/SSL b/cpp/SSL
index 4f80e77479..e7f040c76c 100644
--- a/cpp/SSL
+++ b/cpp/SSL
@@ -13,16 +13,16 @@ providing the ssl.so module is loaded):
SSL Settings:
--ssl-use-export-policy Use NSS export policy
- --ssl-cert-password-file PATH File containing password to use for
- accessing certificate database
+ --ssl-cert-password-file PATH File containing password to use for accessing
+ certificate database
--ssl-cert-db PATH Path to directory containing certificate
database
- --ssl-cert-name NAME (thinkpad) Name of the certificate to use
- --ssl-port PORT (5671) Port on which to listen for SSL
- connections
- --ssl-require-client-authentication Forces clients to authenticate in order
+ --ssl-cert-name NAME (hostname) Name of the certificate to use
+ --ssl-port PORT (5671) Port on which to listen for SSL connections
+ --ssl-require-client-authentication Forces clients to authenticate in order
to establish an SSL connection
-
+ --ssl-sasl-no-dict Disables SASL mechanisms that are vulner able to
+ passive dictionary-based password attacks
The first four of these are also available as client options (where
they must either be in the client config file or set as environment
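Review bot: the added help text for `--ssl-sasl-no-dict` has a broken word, "vulner able to", which should read "vulnerable to"; since this block is what users see in the option listing, it is worth also stating what the option actually does to the mechanism list (which mechanisms are withheld when it is set), because "Disables SASL mechanisms that are vulnerable to passive dictionary-based password attacks" does not let an operator tell which mechanisms survive. Replacing the host-specific `(thinkpad)` default with `(hostname)` in the `--ssl-cert-name` line is a good catch; the "first four of these" sentence that follows is still accurate because the new option is appended at the end of the list.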
@@ -66,6 +66,12 @@ and run e.g.
./src/tests/perftest --count 10000 -P ssl --port 5671 \
--broker myhost.mydomain
+When authentication is enabled, the EXTERNAL mechanism will be
+available on client authenticated SSL connections. This allows the
+clients authorisation id to be taken from the validated client
+certificate (it will be the CN with any DCs present appended as the
+domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of
+bob@acme.com).
[1] http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html
[2] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
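Review bot: "When authentication is enabled" is ambiguous in this paragraph: it could mean broker authentication in general or `--ssl-require-client-authentication` from the option list above, and only the latter guarantees the connection is client-authenticated, so name the option. Also fix "clients authorisation id" to "client's authorisation id". The identity mapping (CN plus DC components, e.g. CN=bob,DC=acme,DC=com giving bob@acme.com) would benefit from one sentence noting that the identity is trusted only because the certificate validated against the issuers in the `--ssl-cert-db` database, so operators should understand that anything that database trusts can assert any CN and DC values, and that the behaviour when a certificate has no DC components should be stated explicitly.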