Class: Qpid::Proton::SSLDomain

Inherits:

Object

• Object
• Qpid::Proton::SSLDomain

Defined in:

lib/core/ssl_domain.rb

Overview

The top-level object that stores the configuration used by one or more SSL sessions.

See Also:

• SSL

Constant Summary

VERIFY_PEER =

Require the peer to provide a valid identifying certificate.

Cproton::PN_SSL_VERIFY_PEER

ANONYMOUS_PEER =

Do no require a certificate nor a cipher authorization.

Cproton::PN_SSL_ANONYMOUS_PEER

VERIFY_PEER_NAME =

Require a valid certficate and matching name.

Cproton::PN_SSL_VERIFY_PEER_NAME

Instance Method Summary

• #allow_unsecured_client ⇒ Object

  Permit a server to accept connection requests from non-SSL clients.

• #credentials(cert_file, key_file, password) ⇒ Object

  Set the certificate that identifies the local node to the remote.

• #peer_authentication(verify_mode, trusted_CAs = nil) ⇒ Object

  Configures the level of verification used on the peer certificate.

• #trusted_ca_db(certificate_db) ⇒ Object

  Configures the set of trusted CA certificates used by this domain to verify peers.

Instance Method Details

#allow_unsecured_client ⇒ Object

Permit a server to accept connection requests from non-SSL clients.

This configures the server to “sniff” the incomfing client data stream and dynamically determine whether SSL/TLS is being used. This option is disabled by default: only clients using SSL/TLS are accepted by default.

Raises:

• (SSLError) —

  If an error occurs.

# File 'lib/core/ssl_domain.rb', line 150

def allow_unsecured_client
  Cproton.pn_ssl_domain_allow_unsecured_client(@impl);
end

#credentials(cert_file, key_file, password) ⇒ Object

Set the certificate that identifies the local node to the remote.

This certificate establishes the identity for thelocal node for all SSL sessions created from this domain. It will be sent to the remote if the remote needs to verify the dientify of this node. This may be used for both SSL servers and SSL clients (if client authentication is required by the server).

NOTE: This setting affects only those instances of SSL created after this call returns. SSL objects created before invoking this method will use the domain’s previous settings.

Parameters:

• cert_file (String) —

  The filename containing the identify certificate. For OpenSSL users, this is a PEM file. For Windows SChannel users, this is the PKCS#12 file or system store.

• key_file (String) —

  An option key to access the identifying certificate. For OpenSSL users, this is an optional PEM file containing the private key used to sign the certificate. For Windows SChannel users, this is the friendly name of the self-identifying certficate if there are multiple certfificates in the store.

• password (String) —

  The password used to sign the key, or nil if the key is not protected.

Raises:

• (SSLError) —

  If an error occurs.

# File 'lib/core/ssl_domain.rb', line 85

def credentials(cert_file, key_file, password)
  Cproton.pn_ssl_domain_set_credentials(@impl,
                                        cert_file, key_file, password)
end

#peer_authentication(verify_mode, trusted_CAs = nil) ⇒ Object

Configures the level of verification used on the peer certificate.

This method congtrols how the peer’s certificate is validated, if at all. By default, neither servers nor clients attempt to verify their peers (ANONYMOUS_PEER). Once certficates and trusted CAs are configured, peer verification can be enabled.

NOTE: In order to verify a peer, a trusted CA must be configured.

NOTE: Servers must provide their own certficate when verifying a peer.

NOTE: This setting affects only those SSL instances created after this call returns. SSL instances created before invoking this method will use the domain’s previous setting.

Parameters:

• verify_mode (Fixnum) —

  The level of validation to apply to the peer.

• trusted_CAs (String) (defaults to: nil) —

  The path to a database of trusted CAs that the server will advertise to the peer client if the server has been configured to verify its peer.

Raises:

• (SSLError) —

  If an error occurs.

See Also:

• VERIFY_PEER
• ANONYMOUS_PEER
• VERIFY_PEER_NAME

# File 'lib/core/ssl_domain.rb', line 137

def peer_authentication(verify_mode, trusted_CAs = nil)
  Cproton.pn_ssl_domain_set_peer_authentication(@impl,
                                                verify_mode, trusted_CAs)
end

#trusted_ca_db(certificate_db) ⇒ Object

Configures the set of trusted CA certificates used by this domain to verify peers.

If the local SSL client/server needs to verify the identify of the remote, it must validate the signature of the remote’s certificate. This function sets the database of trusted CAs that will be used to verify the signature of the remote’s certificate.

*NOTE:# This setting affects only those SSL instances created after this call returns. SSL objects created before invoking this method will use the domain’s previous setting.

Parameters:

• certificate_db (String) —

  The filename for the databse of trusted CAs, used to authenticate the peer.

Raises:

• (SSLError) —

  If an error occurs.

# File 'lib/core/ssl_domain.rb', line 107

def trusted_ca_db(certificate_db)
  Cproton.pn_ssl_domain_set_trusted_ca_db(@impl, certificate_db)
end