I am trying to make a secure connection with qpid proton for C++. The server requires client certificate authentication, which I can do with the ssl_certificate and ssl_client_options classes.
The problem I have is that I don't know how to use client certificate authentication and at the same time use the system's default certificate trust database to check the server's certificate.
As the reference documents (https://qpid.apache.org/releases/qpid-proton-0.37.0/proton/cpp/api/classproton_1_1ssl__client__options.html) state, I can set ssl_client_options to use a client certificate and a custom trust database, but I cannot set just the client certificate and leave the default certificate trust database.
The only constructor where the certificate can be provided, requires a certificate trust database, too:
ssl_client_options (const ssl_certificate &, const std::string &trust_db, enum ssl::verify_mode=ssl::VERIFY_PEER_NAME)
There are other constructors where the default certificate trust database is used, but they do not accept a client certificate. These are all the constructors from the reference:
Create SSL client with defaults (use system certificate trust database and require name verification)
ssl_client_options ()
Create SSL client with unusual verification policy (but default certificate trust database)
ssl_client_options (enum ssl::verify_mode)
Create SSL client specifying the certificate trust database.
ssl_client_options (const std::string &trust_db, enum ssl::verify_mode=ssl::VERIFY_PEER_NAME)
Create SSL client with a client certificate.
ssl_client_options (const ssl_certificate &, const std::string &trust_db, enum ssl::verify_mode=ssl::VERIFY_PEER_NAME)
A constructor that takes another class
ssl_client_options (const ssl_client_options &)
I will probably look into the source code to see how the default certificate database is defined and try something to reach my goal, but that is not a good solution if that changes in the future in the qpid proton library.
I can make a connection if I put proton::ssl::ANONYMOUS_PEER as the last parameter. However, the server's identity check is lost that way. That is unacceptable.
CodePudding user response:
The only option I have found so far was to add an ssl_client_options constructor that takes a certificate and does not require a certificate trust database to the Qpid Proton library source code. The change is actually very simple, and I will try to contribute it to the Qpid Proton project. That is actually not so simple, because I have to install a bunch of software in order to compile Qpid Proton and run all the required tests. Then, hopefully, the change will eventually get into a released version of Qpid Proton, and into all major Linux distributions. From what I have seen so far, that can take a very long time. :(