authorKenneth Anthony Giusti <kgiusti@apache.org>2010-01-28 23:01:12 +0000
committerKenneth Anthony Giusti <kgiusti@apache.org>2010-01-28 23:01:12 +0000
commitebda1b1e894fb49caf3a1cd6a89c638fb0a4983c (patch)
tree89659769f332cb77cff57d8b6192e455a3356a3f
parent09bc5da4cc03cb6a1f7103cd85e4249bc8a6d10f (diff)
downloadqpid-python-ebda1b1e894fb49caf3a1cd6a89c638fb0a4983c.tar.gz
QPID-2374: Null authenticator now checks for SSL if --encryption-required specified
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@904293 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp9
-rwxr-xr-xqpid/cpp/src/tests/ssl_test2
2 files changed, 8 insertions, 3 deletions
diff --git a/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp b/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp
index 0e509c8d93..4769789bff 100644
--- a/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp
+++ b/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp
@@ -148,8 +148,13 @@ void NullAuthenticator::getMechanisms(Array& mechanisms)
void NullAuthenticator::start(const string& mechanism, const string& response)
{
if (encrypt) {
- QPID_LOG(error, "Rejected un-encrypted connection.");
- throw ConnectionForcedException("Connection must be encrypted.");
+ // encryption required - check to see if we are running over an
+ // encrypted SSL connection.
+ sasl_ssf_t external_ssf = (sasl_ssf_t) connection.getSSF();
+ if (external_ssf < 1) { // < 1 == unencrypted
+ QPID_LOG(error, "Rejected un-encrypted connection.");
+ throw ConnectionForcedException("Connection must be encrypted.");
+ }
}
if (mechanism == "PLAIN") { // Old behavior
if (response.size() > 0) {
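Review bot: The new guard `if (external_ssf < 1)` accepts any non-zero SSF, but in the SASL convention an SSF of 1 means integrity protection only, with no confidentiality, so a layer reporting 1 would satisfy "encryption required". If the transport can report such a value (not visible from this hunk), the check should be `if (external_ssf <= 1) { // 0 = none, 1 = integrity only`, or better a comparison against a configured minimum strength so that very weak ciphers are rejected as well. The C-style cast `(sasl_ssf_t) connection.getSSF()` also hides the source type: if getSSF() returns a signed value, a negative result would wrap to a large unsigned number and pass the check, so compare before converting or use `static_cast` with a comment stating the expected range. The body of start() continues past the end of the hunk.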
diff --git a/qpid/cpp/src/tests/ssl_test b/qpid/cpp/src/tests/ssl_test
index 528833076e..36b332f868 100755
--- a/qpid/cpp/src/tests/ssl_test
+++ b/qpid/cpp/src/tests/ssl_test
@@ -46,7 +46,7 @@ delete_certs() {
}
start_broker() {
- PORT=`../qpidd --daemon --transport ssl --port 0 --ssl-port 0 --no-data-dir --no-module-dir --auth no --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $CERT_DIR --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME`
+ PORT=`../qpidd --daemon --transport ssl --port 0 --ssl-port 0 --no-data-dir --no-module-dir --auth no --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $CERT_DIR --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME --require-encryption`
}
stop_broker() {
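Review bot: Adding `--require-encryption` to start_broker only exercises the accept path over SSL; nothing in this hunk checks that an unencrypted client is refused, which is the branch the commit changes in NullAuthenticator::start. The broker is still started with `--port 0`, so a plain TCP listener presumably exists and could be used for a negative case that expects the connection to be refused with "Connection must be encrypted.". The commit title names the option `--encryption-required` while the script passes `--require-encryption`; a comment above the `PORT=` line such as `# --require-encryption: NullAuthenticator must reject non-SSL connections` would record which spelling is the real flag and why it is set here.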