Ssl 121p
The enhancements being added to the gem will allow a client to request operation for Use Cases 2, 3, and 4 as described in SSL Use Cases.
A new Stomp::SSLParams class is being added to the gem. An instance of this class will be used to control SSL operation. In the general case, client code will:
- Initialize an SSLParams instance with required data
- Initialize a hash for connection parameters
- Set the :ssl hash parameter to the SSLParams instance
- Use the hash parameter style connection
To use this functionality, a number of environmental requirements exist. A (possibly incomplete) list is:
- The STOMP server must be configured properly for the functionality being used by the client
- Signed certificates are required (you may sign certificates with your own CA, but they must be signed)
- For use case 1 you do not need much
- For use case 2 you must have available the server's CA certificate
- For use case 3 you must have available the client's private key and certificate
- For use case 4 you must have available all data required by use cases 2 and 3
```ruby
# Use case 1.
# Using true or a SSLParams instance signals that the connection
# port on the broker is configured for SSL.
ssl_params = true # or: ssl_params = Stomp::SSLParams.new
```

```ruby
# Use case 2: the server's CA certificate is supplied.
servers_CA_cert = "/some/location/TestCA.crt"
ssl_params = Stomp::SSLParams.new(:ts_files => servers_CA_cert)
```

```ruby
# Use case 3: the client's certificate and private key are supplied.
client_cert_file = "/some/location/Client.crt"
client_key_file = "/private/data/Client.key"
ssl_params = Stomp::SSLParams.new(:cert_file => client_cert_file,
                                  :key_file => client_key_file)
```

```ruby
# Use case 4: all data from use cases 2 and 3 is supplied.
client_cert_file = "/some/location/Client.crt"
client_key_file = "/private/data/Client.key"
servers_CA_cert = "/some/location/TestCA.crt"
ssl_params = Stomp::SSLParams.new(:cert_file => client_cert_file,
                                  :key_file => client_key_file,
                                  :ts_files => servers_CA_cert)
```

```ruby
require 'stomp'

# Connect using the hash parameter style, for any of the use cases.
ssl_params = ...... # As above
hash = { :hosts => [
    {:login => 'guest', :passcode => 'guest', :host => 'tjjackson', :port => 61612,
     :ssl => ssl_params}, # Params are passed here
  ]
}
c = Stomp::Connection.new(hash)
```
You are encouraged to review the code in connection.rb in order to understand fully how the gem uses these parameters.
When using :ssl => Stomp::SSLParams.new(...), the gem by default will use the ciphers list specified in Stomp::DEFAULT_CIPHERS. Testing experience shows that this works well across a variety of Ruby releases.
If a different ciphers list is required, there are two additional choices:
- A custom ciphers list supplied by the client.
- The Ruby version's default ciphers list
Create a list of ciphers in the format required by OpenSSL. See the OpenSSL documentation for the required format. See Stomp::DEFAULT_CIPHERS for an example. Then code:
```ruby
custom_list = ...
ssl_params = Stomp::SSLParams.new(:ciphers => custom_list, ...)
```
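A preflight check for a custom ciphers list, added here as an example (it is not part of the gem): it asks the local OpenSSL build which suites the list expands to and flags weak ones before the list is passed to `:ciphers =>`. The method names, the weak-suite pattern and the 128-bit floor are assumptions of this example, and it handles the OpenSSL string form of a ciphers list.

```ruby
require 'openssl'

# Assumed policy for this example: name fragments that mark suites a
# client should not offer. Adjust to your own baseline.
WEAK_MARKERS = /NULL|EXP|RC4|DES|MD5|ADH|AECDH/.freeze

# True when a suite is weak by name or by key size (hypothetical helper).
def weak_cipher?(name, bits, min_bits = 128)
  !!(name =~ WEAK_MARKERS) || bits < min_bits
end

# Ask the local OpenSSL build what a cipher string expands to.
# Returns [[name, protocol, bits], ...], or [] when nothing matches.
def resolve_ciphers(cipher_string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string
  ctx.ciphers.map { |name, proto, bits, _alg_bits| [name, proto, bits] }
rescue OpenSSL::SSL::SSLError
  [] # "no cipher match": malformed string, or suites not in this build
end

# Summarize a ciphers list: usable only if it resolves to at least one
# suite and none of the resolved suites is weak.
def audit_ciphers(cipher_string, min_bits: 128)
  resolved = resolve_ciphers(cipher_string)
  weak = resolved.select { |name, _proto, bits| weak_cipher?(name, bits, min_bits) }
  { :ok      => !resolved.empty? && weak.empty?,
    :enabled => resolved.map(&:first),
    :weak    => weak.map(&:first) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample list, not taken from Stomp::DEFAULT_CIPHERS.
  custom_list = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
  report = audit_ciphers(custom_list)
  puts "enabled: #{report[:enabled].join(', ')}"
  puts "weak:    #{report[:weak].join(', ')}"
  puts "ok:      #{report[:ok]}"
end
```

The enabled list may also show TLS 1.3 suites, which OpenSSL 1.1.1 and later configure separately from this string.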
To use Ruby's default ciphers list, create an SSLParams instance using:
```ruby
ssl_params = Stomp::SSLParams.new(:use_ruby_ciphers => true, ...)
```
In this case, any ciphers specified using :ciphers => are ignored.