class Qpid::Proton::SSLDomain

The top-level object that stores the configuration used by one or more SSL sessions.

@see SSL

Constants

ANONYMOUS_PEER

Do not require a certificate nor a cipher authorization.

MODE_CLIENT

The local connection endpoint is an SSL client. @private

MODE_SERVER

The local connection endpoint is an SSL server. @private

VERIFY_PEER

Require the peer to provide a valid identifying certificate.

VERIFY_PEER_NAME

Require a valid certificate and matching name.

Attributes

impl[R]

@private

Public Class Methods

new(mode)

@private

# File lib/core/ssl_domain.rb, line 49
def initialize(mode)
  @impl = Cproton.pn_ssl_domain(mode)
  raise Qpid::Proton::SSLError, "SSL Unavailable" if @impl.nil?
end

Public Instance Methods

allow_unsecured_client()

Permit a server to accept connection requests from non-SSL clients.

This configures the server to “sniff” the incoming client data stream and dynamically determine whether SSL/TLS is being used. This option is disabled by default, so only clients using SSL/TLS are accepted unless it is enabled.

@raise [SSLError] If an error occurs.

# File lib/core/ssl_domain.rb, line 144
def allow_unsecured_client
  Cproton.pn_ssl_domain_allow_unsecured_client(@impl);
end

credentials(cert_file, key_file, password)

Set the certificate that identifies the local node to the remote.

This certificate establishes the identity of the local node for all SSL sessions created from this domain. It will be sent to the remote if the remote needs to verify the identity of this node. This may be used for both SSL servers and SSL clients (if client authentication is required by the server).

NOTE: This setting affects only those instances of SSL created after this call returns. SSL objects created before invoking this method will use the domain's previous settings.

@param cert_file [String] The filename containing the identity certificate. For OpenSSL users, this is a PEM file. For Windows SChannel users, this is the PKCS#12 file or system store.

@param key_file [String] An optional key to access the identifying certificate. For OpenSSL users, this is an optional PEM file containing the private key used to sign the certificate. For Windows SChannel users, this is the friendly name of the self-identifying certificate if there are multiple certificates in the store.

@param password [String] The password used to protect the key, or nil if the key is not protected.

@raise [SSLError] If an error occurs.

# File lib/core/ssl_domain.rb, line 79
def credentials(cert_file, key_file, password)
  Cproton.pn_ssl_domain_set_credentials(@impl,
                                        cert_file, key_file, password)
end

peer_authentication(verify_mode, trusted_CAs = nil)

Configures the level of verification used on the peer certificate.

This method controls how the peer's certificate is validated, if at all. By default, neither servers nor clients attempt to verify their peers (ANONYMOUS_PEER). Once certificates and trusted CAs are configured, peer verification can be enabled.

NOTE: In order to verify a peer, a trusted CA must be configured.

NOTE: Servers must provide their own certificate when verifying a peer.

NOTE: This setting affects only those SSL instances created after this call returns. SSL instances created before invoking this method will use the domain's previous setting.

@param verify_mode [Integer] The level of validation to apply to the peer.

@param trusted_CAs [String] The path to a database of trusted CAs that the server will advertise to the peer client if the server has been configured to verify its peer.

@see VERIFY_PEER
@see ANONYMOUS_PEER
@see VERIFY_PEER_NAME

@raise [SSLError] If an error occurs.

# File lib/core/ssl_domain.rb, line 131
def peer_authentication(verify_mode, trusted_CAs = nil)
  Cproton.pn_ssl_domain_set_peer_authentication(@impl,
                                                verify_mode, trusted_CAs)
end

trusted_ca_db(certificate_db)

Configures the set of trusted CA certificates used by this domain to verify peers.

If the local SSL client/server needs to verify the identity of the remote, it must validate the signature of the remote's certificate. This function sets the database of trusted CAs that will be used to verify the signature of the remote's certificate.

NOTE: This setting affects only those SSL instances created after this call returns. SSL objects created before invoking this method will use the domain's previous setting.

@param certificate_db [String] The filename for the database of trusted CAs, used to authenticate the peer.

@raise [SSLError] If an error occurs.

# File lib/core/ssl_domain.rb, line 101
def trusted_ca_db(certificate_db)
  Cproton.pn_ssl_domain_set_trusted_ca_db(@impl, certificate_db)
end
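The NOTEs on credentials, peer_authentication and trusted_ca_db above describe an ordering and a set of preconditions that the binding does not enforce for you. The following is an added example, not part of the qpid-proton Ruby binding: a pure-Ruby preflight check that encodes those preconditions, plus a builder that applies the settings in the right order. It assumes the qpid_proton gem is installed for the builder only (the check runs without it); the module name, the symbolic role/verify names and the keyword arguments are this example's own.

```ruby
# Preflight check and builder for a Qpid::Proton::SSLDomain, encoding the NOTEs
# in the method docs: verifying a peer needs a trusted CA database, a server
# that verifies its peer needs its own certificate, and every setting must be
# applied before the first SSL session is created from the domain.
module SslDomainSetup
  module_function

  VERIFY_MODES = %i[anonymous verify_peer verify_peer_name].freeze

  # Pure policy check, no native library involved. Returns true, or raises
  # ArgumentError describing the first problem found.
  def check_config(role:, verify:, cert_file: nil, ca_db: nil)
    raise ArgumentError, "role must be :client or :server" unless %i[client server].include?(role)
    raise ArgumentError, "unknown verify mode #{verify.inspect}" unless VERIFY_MODES.include?(verify)
    return true if verify == :anonymous
    # NOTE on peer_authentication: a trusted CA must be configured to verify a peer.
    raise ArgumentError, "#{verify} requires a trusted CA database (trusted_ca_db)" if ca_db.nil?
    # NOTE on peer_authentication: servers must provide their own certificate.
    raise ArgumentError, "a server verifying its peer must set credentials" if role == :server && cert_file.nil?
    true
  end

  # Builds the domain in the order the docs require. Assumes the qpid_proton gem
  # is installed; SSLDomain.new and MODE_* are marked @private in the docs, so
  # this mirrors how the binding itself constructs a domain.
  def build_domain(role:, verify:, cert_file: nil, key_file: nil, password: nil, ca_db: nil)
    check_config(role: role, verify: verify, cert_file: cert_file, ca_db: ca_db)
    require 'qpid_proton'
    dom = Qpid::Proton::SSLDomain
    mode = role == :server ? dom::MODE_SERVER : dom::MODE_CLIENT
    verify_const = { anonymous: dom::ANONYMOUS_PEER,
                     verify_peer: dom::VERIFY_PEER,
                     verify_peer_name: dom::VERIFY_PEER_NAME }[verify]
    domain = dom.new(mode)
    domain.credentials(cert_file, key_file, password) if cert_file # identity first
    domain.trusted_ca_db(ca_db) if ca_db                           # then who we trust
    # trusted_CAs is only advertised by servers, so pass it for the server role only
    domain.peer_authentication(verify_const, role == :server ? ca_db : nil)
    domain # hand to the listener/connection before any SSL session is created
  end
end
```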