Class: Qpid::Proton::SSLDomain

Inherits:

Object

• Object
• Qpid::Proton::SSLDomain

Defined in:

lib/core/ssl_domain.rb

Overview

The top-level object that stores the configuration used by one or more SSL sessions.

See Also:

• SSL

Constant Summary

VERIFY_PEER =

Require the peer to provide a valid identifying certificate.

Cproton::PN_SSL_VERIFY_PEER

ANONYMOUS_PEER =

Do no require a certificate nor a cipher authorization.

Cproton::PN_SSL_ANONYMOUS_PEER

VERIFY_PEER_NAME =

Require a valid certficate and matching name.

Cproton::PN_SSL_VERIFY_PEER_NAME

Instance Method Summary

• #allow_unsecured_client

  Permit a server to accept connection requests from non-SSL clients.

• #credentials(cert_file, key_file, password)

  Set the certificate that identifies the local node to the remote.

• #peer_authentication(verify_mode, trusted_CAs = nil)

  Configures the level of verification used on the peer certificate.

• #trusted_ca_db(certificate_db)

  Configures the set of trusted CA certificates used by this domain to verify peers.

Instance Method Details

#allow_unsecured_client

Permit a server to accept connection requests from non-SSL clients.

This configures the server to “sniff” the incomfing client data stream and dynamically determine whether SSL/TLS is being used. This option is disabled by default: only clients using SSL/TLS are accepted by default.

Raises:

• (SSLError) —

  If an error occurs.

# File 'lib/core/ssl_domain.rb', line 145

def allow_unsecured_client
  Cproton.pn_ssl_domain_allow_unsecured_client(@impl);
end

#credentials(cert_file, key_file, password)

Set the certificate that identifies the local node to the remote.

This certificate establishes the identity for thelocal node for all SSL sessions created from this domain. It will be sent to the remote if the remote needs to verify the dientify of this node. This may be used for both SSL servers and SSL clients (if client authentication is required by the server).

NOTE: This setting affects only those instances of SSL created after this call returns. SSL objects created before invoking this method will use the domain’s previous settings.

Parameters:

• cert_file (String) —

  The filename containing the identify certificate. For OpenSSL users, this is a PEM file. For Windows SChannel users, this is the PKCS#12 file or system store.

• key_file (String) —

  An option key to access the identifying certificate. For OpenSSL users, this is an optional PEM file containing the private key used to sign the certificate. For Windows SChannel users, this is the friendly name of the self-identifying certficate if there are multiple certfificates in the store.

• password (String) —

  The password used to sign the key, or nil if the key is not protected.

Raises:

• (SSLError) —

  If an error occurs.

# File 'lib/core/ssl_domain.rb', line 79

def credentials(cert_file, key_file, password)
  Cproton.pn_ssl_domain_set_credentials(@impl,
                                        cert_file, key_file, password)
end

#peer_authentication(verify_mode, trusted_CAs = nil)

Configures the level of verification used on the peer certificate.

This method congtrols how the peer’s certificate is validated, if at all. By default, servers do not attempt to verify their peers (ANONYMOUS_PEER) but clients attempt to verify both the certificate and peer name (VERIFY_PEER_NAME). Once certficates and trusted CAs are configured, peer verification can be enabled.

NOTE: In order to verify a peer, a trusted CA must be configured.

NOTE: Servers must provide their own certficate when verifying a peer.

NOTE: This setting affects only those SSL instances created after this call returns. SSL instances created before invoking this method will use the domain’s previous setting.

Parameters:

• verify_mode (Integer) —

  The level of validation to apply to the peer.

• trusted_CAs (String) (defaults to: nil) —

  The path to a database of trusted CAs that the server will advertise to the peer client if the server has been configured to verify its peer.

Raises:

• (SSLError) —

  If an error occurs.

See Also:

• VERIFY_PEER
• ANONYMOUS_PEER
• VERIFY_PEER_NAME

# File 'lib/core/ssl_domain.rb', line 132

def peer_authentication(verify_mode, trusted_CAs = nil)
  Cproton.pn_ssl_domain_set_peer_authentication(@impl,
                                                verify_mode, trusted_CAs)
end

#trusted_ca_db(certificate_db)

Configures the set of trusted CA certificates used by this domain to verify peers.

If the local SSL client/server needs to verify the identify of the remote, it must validate the signature of the remote’s certificate. This function sets the database of trusted CAs that will be used to verify the signature of the remote’s certificate.

*NOTE:# This setting affects only those SSL instances created after this call returns. SSL objects created before invoking this method will use the domain’s previous setting.

Parameters:

• certificate_db (String) —

  The filename for the databse of trusted CAs, used to authenticate the peer.

Raises:

• (SSLError) —

  If an error occurs.

# File 'lib/core/ssl_domain.rb', line 101

def trusted_ca_db(certificate_db)
  Cproton.pn_ssl_domain_set_trusted_ca_db(@impl, certificate_db)
end