Class: Qpid::Proton::SSLDomain

Inherits:
Object
Includes:
Util::ErrorHandler
Defined in:
lib/core/ssl_domain.rb

Overview

The top-level object that stores the configuration used by one or more SSL sessions.


Constant Summary

MODE_CLIENT =

The local connection endpoint is an SSL client.

Cproton::PN_SSL_MODE_CLIENT
MODE_SERVER =

The local connection endpoint is an SSL server.

Cproton::PN_SSL_MODE_SERVER
VERIFY_PEER =

Require the peer to provide a valid identifying certificate. The certificate chain is validated against the trusted CA database, but the name in the certificate is not compared with the expected peer name, so any certificate issued by a trusted CA is accepted.

Cproton::PN_SSL_VERIFY_PEER
ANONYMOUS_PEER =

Do not require a certificate or cipher authorization. The peer is not authenticated at all; the session is encrypted but offers no protection against an active attacker in the path.

Cproton::PN_SSL_ANONYMOUS_PEER
VERIFY_PEER_NAME =

Require a valid certificate whose name matches the expected peer name. This is the mode a client should normally use.

Cproton::PN_SSL_VERIFY_PEER_NAME

Instance Attribute Summary

Instance Method Summary

Methods included from Util::ErrorHandler

#can_raise_error, #check_for_error, #create_exception_handler_wrapper, included

Constructor Details

#initialize(mode) ⇒ SSLDomain

Returns a new instance of SSLDomain configured for the given mode (MODE_CLIENT or MODE_SERVER). Raises Qpid::Proton::SSLError if the underlying Proton library was built without SSL support.



# File 'lib/core/ssl_domain.rb', line 49

def initialize(mode)
  @impl = Cproton.pn_ssl_domain(mode)
  raise Qpid::Proton::SSLError, "SSL Unavailable" if @impl.nil?
end

Instance Attribute Details

#impl ⇒ Object (readonly)



# File 'lib/core/ssl_domain.rb', line 46

def impl
  @impl
end

Instance Method Details

#allow_unsecured_client ⇒ Object

Permit a server to accept connection requests from non-SSL clients.

This configures the server to "sniff" the incoming client data stream and dynamically determine whether SSL/TLS is being used. This option is disabled by default: only clients using SSL/TLS are accepted. Once enabled, a client that connects in plaintext gets neither confidentiality nor authentication, so the server must not assume that every accepted connection has been protected or authenticated by TLS.




# File 'lib/core/ssl_domain.rb', line 145

def allow_unsecured_client
  Cproton.pn_ssl_domain_allow_unsecured_client(@impl)
end

#credentials(cert_file, key_file, password) ⇒ Object

Set the certificate that identifies the local node to the remote.

This certificate establishes the identity of the local node for all SSL sessions created from this domain. It is sent to the remote when the remote needs to verify the identity of this node. It may be used for both SSL servers and SSL clients (if client authentication is required by the server).

NOTE: This setting affects only those instances of SSL created after this call returns. SSL objects created before invoking this method will use the domain’s previous settings.

Parameters:

  • cert_file (String)

The filename containing the identity certificate. For OpenSSL users, this is a PEM file. For Windows SChannel users, this is the PKCS#12 file or system store.

  • key_file (String)

An optional key used to access the identifying certificate. For OpenSSL users, this is an optional PEM file containing the private key that corresponds to the certificate. For Windows SChannel users, this is the friendly name of the identifying certificate if there are multiple certificates in the store.

  • password (String)

The password protecting the private key, or nil if the key is not encrypted.




# File 'lib/core/ssl_domain.rb', line 79

def credentials(cert_file, key_file, password)
  Cproton.pn_ssl_domain_set_credentials(@impl,
                                        cert_file, key_file, password)
end

#peer_authentication(verify_mode, trusted_CAs = nil) ⇒ Object

Configures the level of verification used on the peer certificate.

This method controls how the peer's certificate is validated, if at all. By default, servers do not attempt to verify their peers (ANONYMOUS_PEER), while clients attempt to verify both the certificate and the peer name (VERIFY_PEER_NAME). Once certificates and trusted CAs are configured, peer verification can be enabled or tightened.

NOTE: In order to verify a peer, a trusted CA must be configured (see #trusted_ca_db).

NOTE: Servers must provide their own certificate (see #credentials) when verifying a peer.

NOTE: This setting affects only those SSL instances created after this call returns. SSL instances created before invoking this method will use the domain’s previous setting.

Parameters:

  • verify_mode (Integer)

    The level of validation to apply to the peer.

  • trusted_CAs (String) (defaults to: nil)

The path to a database of trusted CAs that a server advertises to the connecting client when the server has been configured to verify its peer, so the client can select a certificate issued by one of those CAs.




# File 'lib/core/ssl_domain.rb', line 132

def peer_authentication(verify_mode, trusted_CAs = nil)
  Cproton.pn_ssl_domain_set_peer_authentication(@impl,
                                                verify_mode, trusted_CAs)
end

#trusted_ca_db(certificate_db) ⇒ Object

Configures the set of trusted CA certificates used by this domain to verify peers.

If the local SSL client/server needs to verify the identity of the remote, it must validate the signature of the remote's certificate. This method sets the database of trusted CAs that will be used to verify the signature of the remote's certificate.

NOTE: This setting affects only those SSL instances created after this call returns. SSL objects created before invoking this method will use the domain's previous setting.

Parameters:

  • certificate_db (String)

The filename of the database of trusted CAs used to authenticate the peer.




# File 'lib/core/ssl_domain.rb', line 101

def trusted_ca_db(certificate_db)
  Cproton.pn_ssl_domain_set_trusted_ca_db(@impl, certificate_db)
end
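The three configuration methods above (#credentials, #trusted_ca_db and #peer_authentication, plus the server-only #allow_unsecured_client) carry documented preconditions: verifying a peer needs a trusted CA database, a server that verifies peers must present its own certificate, and every setting applies only to sessions created afterwards. The helper below is an added example and is not part of qpid_proton; it applies the settings in a safe order, raises on combinations the documentation says cannot work, and returns warnings for legal but weak choices (ANONYMOUS_PEER on a client, VERIFY_PEER without a name check). It drives the domain only through the method names on this page, so a real Qpid::Proton::SSLDomain can be passed in when the gem is installed; the RecordingDomain stand-in and the certificate paths are constructed for the demo and no files need to exist.

```ruby
# Added example, not part of qpid_proton. Applies the SSLDomain settings documented
# above in an order that satisfies their preconditions and flags weak choices.

# Use the real constants when the gem is available; otherwise fall back to symbols
# (assumption: the helper only compares these values for equality).
begin
  require 'qpid_proton'
  MODE_CLIENT      = Qpid::Proton::SSLDomain::MODE_CLIENT
  MODE_SERVER      = Qpid::Proton::SSLDomain::MODE_SERVER
  ANONYMOUS_PEER   = Qpid::Proton::SSLDomain::ANONYMOUS_PEER
  VERIFY_PEER      = Qpid::Proton::SSLDomain::VERIFY_PEER
  VERIFY_PEER_NAME = Qpid::Proton::SSLDomain::VERIFY_PEER_NAME
rescue LoadError
  MODE_CLIENT      = :client
  MODE_SERVER      = :server
  ANONYMOUS_PEER   = :anonymous_peer
  VERIFY_PEER      = :verify_peer
  VERIFY_PEER_NAME = :verify_peer_name
end

class ConfigError < StandardError; end

# Stand-in exposing the same method names as Qpid::Proton::SSLDomain; it only
# records the calls so the example runs offline without the gem or any cert files.
class RecordingDomain
  attr_reader :calls

  def initialize
    @calls = []
  end

  def credentials(cert_file, key_file, password)
    @calls << [:credentials, cert_file, key_file, password]
  end

  def trusted_ca_db(certificate_db)
    @calls << [:trusted_ca_db, certificate_db]
  end

  def peer_authentication(verify_mode, trusted_cas = nil)
    @calls << [:peer_authentication, verify_mode, trusted_cas]
  end

  def allow_unsecured_client
    @calls << [:allow_unsecured_client]
  end
end

# Configure +domain+ (an SSLDomain created with +mode+) and return security warnings.
# Raises ConfigError for combinations the documentation says cannot work.
def configure_ssl_domain(domain, mode:, verify: VERIFY_PEER_NAME, trusted_ca_db: nil,
                         cert_file: nil, key_file: nil, password: nil,
                         allow_unsecured_client: false)
  warnings = []

  # "In order to verify a peer, a trusted CA must be configured."
  if verify != ANONYMOUS_PEER && trusted_ca_db.nil?
    raise ConfigError, "verify mode #{verify} requires a trusted CA database"
  end
  # "Servers must provide their own certificate when verifying a peer."
  if mode == MODE_SERVER && cert_file.nil?
    raise ConfigError, "a server domain needs credentials(cert_file, key_file, password)"
  end
  # allow_unsecured_client is documented as a server option.
  if allow_unsecured_client && mode != MODE_SERVER
    raise ConfigError, "allow_unsecured_client applies to MODE_SERVER domains only"
  end

  if mode == MODE_CLIENT && verify == ANONYMOUS_PEER
    warnings << "client does not authenticate the server; open to an in-path attacker"
  end
  if mode == MODE_CLIENT && verify == VERIFY_PEER
    warnings << "VERIFY_PEER validates the chain but not the name; any certificate " \
                "from a trusted CA is accepted (prefer VERIFY_PEER_NAME)"
  end
  warnings << "plaintext clients are accepted alongside TLS clients" if allow_unsecured_client

  # Settings apply only to sessions created after these calls, so the domain is
  # fully configured here before it is handed to any connection.
  domain.credentials(cert_file, key_file, password) if cert_file
  domain.trusted_ca_db(trusted_ca_db) if trusted_ca_db
  # A server advertises its CA list to clients only when it verifies them.
  advertised = (mode == MODE_SERVER && verify != ANONYMOUS_PEER) ? trusted_ca_db : nil
  domain.peer_authentication(verify, advertised)
  domain.allow_unsecured_client if allow_unsecured_client
  warnings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo paths; the recorder never opens them.
  client = RecordingDomain.new
  p configure_ssl_domain(client, mode: MODE_CLIENT, trusted_ca_db: "/etc/pki/example-ca.pem")
  p client.calls
end
```

With the real gem, replace RecordingDomain.new with Qpid::Proton::SSLDomain.new(MODE_CLIENT) or MODE_SERVER and pass the same mode: keyword; the helper makes the same calls in the same order.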