File: ssl.rb

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.


module Qpid::Proton

  # SSL support for a Transport.
  #
  # A Transport may be configured to use SSL for encryption and/or
  # authentication, and acts as either the SSL client or the SSL server.
  # The client is the party that proactively opens the connection to the
  # server; the server is the party that accepts the connection request
  # from the remote client.
  #
  # A side that must identify itself to the remote node needs its SSL
  # certificate configured.
  #
  # @see SSLDomain#credentials For setting the SSL certificate.
  #
  # A side that must verify the identity of the remote node needs its
  # database of trusted CAs configured.
  #
  # @see SSLDomain#trusted_ca_db Setting the CA database.
  #
  # An SSL server connection may allow the remote client to connect without
  # SSL (i.e., "in the clear").
  #
  # @see SSLDomain#allow_unsecured_client Allowing unsecured clients.
  #
  # The level of verification required of the remote may be configured.
  #
  # @see SSLDomain#peer_authentication Setting peer authentication.
  #
  # Client session resume is supported as well.
  #
  # @see SSLDomain
  # @see #resume_status
  #
  class SSL

    # Session resume state is unknown or not supported.
    RESUME_UNKNOWN = Cproton::PN_SSL_RESUME_UNKNOWN
    # Session was renegotiated rather than resumed.
    RESUME_NEW = Cproton::PN_SSL_RESUME_NEW
    # Session was resumed from the previous session.
    RESUME_REUSED = Cproton::PN_SSL_RESUME_REUSED

    # @private
    PROTON_METHOD_PREFIX = "pn_ssl"
    # @private
    include Util::Wrapper
    # @private
    include Util::ErrorHandler

    # Reports whether SSL support is compiled into the underlying library.
    #
    # @return [Boolean] True if SSL support is available.
    #
    def self.present?
      Cproton.pn_ssl_present
    end

    # @private
    # Returns the SSL object bound to +transport+, creating it on first use.
    #
    # A transport keeps a single SSL object. As in the Python binding, a
    # later request for the same transport must match the configuration
    # already in place; a differing domain or session details is refused
    # instead of silently replacing the security settings in force.
    #
    # @param transport [Transport] the transport to secure
    # @param domain [SSLDomain, nil] the domain supplying credentials and
    #   trust settings; nil leaves the C layer's default in place
    # @param session_details [Object, nil] session details whose
    #   +session_id+ is handed to the C layer for session resume
    # @return [SSL] the transport's SSL object
    # @raise [SSLException] if the transport already has an SSL object
    #   configured with a different domain or session details
    #
    # NOTE(review): +SSLException+ (here) and +SSLError+ (in #peer_hostname)
    # are both raised by this class but neither is defined in this file;
    # confirm both names exist so a mismatch does not surface as NameError.
    # The +domain+/+session_details+ readers used below are also not
    # defined here — presumably supplied by Util::Wrapper; verify.
    def self.create(transport, domain, session_details = nil)
      unless transport.ssl?
        impl = Cproton.pn_ssl(transport.impl)
        session_id = session_details.nil? ? nil : session_details.session_id
        return SSL.new(impl, domain, session_details, session_id)
      end

      existing = transport.instance_variable_get(:@ssl)
      # Short-circuit order matters: the domain is compared first, exactly as before.
      mismatch = (!domain.nil? && existing.domain != domain) ||
                 (!session_details.nil? && existing.session_details != session_details)
      raise SSLException.new("cannot re-configure existing SSL object") if mismatch
      existing
    end

    private

    # @private
    # Wraps the C-level SSL handle and initialises it with the domain's
    # native implementation (nil when no domain is given) and the session id.
    def initialize(impl, domain, session_details, session_id)
      @impl = impl
      @domain = domain.nil? ? nil : domain.impl
      @session_details = session_details
      @session_id = session_id
      Cproton.pn_ssl_init(@impl, @domain, @session_id)
    end

    public

    # Returns the name of the cipher currently in use.
    #
    # Gets the text description of the active cipher, or nil if SSL is not
    # active. Note that the cipher in use may change over time due to
    # renegotiation or other changes to the SSL layer.
    #
    # @return [String, nil] The cipher name.
    #
    def cipher_name
      # 128 is the buffer size handed to the C call (presumably; longer
      # names would be cut off there).
      ok, name = Cproton.pn_ssl_get_cipher_name(@impl, 128)
      ok ? name : nil
    end

    # Returns the name of the SSL protocol currently active, or nil if SSL
    # is not active. Note that the protocol may change over time due to
    # renegotiation.
    #
    # @return [String, nil] The protocol name.
    #
    def protocol_name
      ok, name = Cproton.pn_ssl_get_protocol_name(@impl, 128)
      ok ? name : nil
    end

    # Checks whether the session state has been resumed.
    #
    # Used for client session resume. When called on an active session, it
    # indicates whether the state has been resumed from a previous session.
    #
    # *NOTE:* This is a best-effort service - there is no guarantee that the
    # remote server will accept the resumed parameters. The remote server may
    # choose to ignore these parameters and request a renegotiation instead.
    #
    # @return The resume state; compare against RESUME_UNKNOWN, RESUME_NEW
    #   and RESUME_REUSED.
    #
    def resume_status
      Cproton.pn_ssl_resume_status(@impl)
    end

    # Gets the peer hostname.
    #
    # NOTE(review): presumably the hostname configured for the peer on the
    # transport rather than anything learned from the wire — confirm
    # against the Cproton documentation before relying on it for checks.
    #
    # @return [String] The peer hostname.
    # @raise [SSLError] if the C layer reports an error (negative status).
    def peer_hostname
      rc, name = Cproton.pn_ssl_get_peer_hostname(@impl, 1024)
      raise SSLError.new if rc < 0
      name
    end
  end
end