QPID-7693: avoid creating prototype until listen() is called
diff --git a/src/qpid/sys/ssl/SslSocket.cpp b/src/qpid/sys/ssl/SslSocket.cpp
index 731151c..92561cd 100644
--- a/src/qpid/sys/ssl/SslSocket.cpp
+++ b/src/qpid/sys/ssl/SslSocket.cpp
@@ -118,16 +118,9 @@
 }
 }
 
-SslSocket::SslSocket(const std::string& certName, bool clientAuth) :
-    nssSocket(0), certname(certName), prototype(0), hostnameVerification(true)
+SslSocket::SslSocket(const std::string& certName, bool _clientAuth) :
+    nssSocket(0), certname(certName), clientAuth(_clientAuth), prototype(0), hostnameVerification(true)
 {
-    //configure prototype socket:
-    prototype = SSL_ImportFD(0, PR_NewTCPSocket());
-
-    if (clientAuth) {
-        NSS_CHECK(SSL_OptionSet(prototype, SSL_REQUEST_CERTIFICATE, PR_TRUE));
-        NSS_CHECK(SSL_OptionSet(prototype, SSL_REQUIRE_CERTIFICATE, PR_TRUE));
-    }
 }
 
 /**
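Review bot: The constructor parameter is renamed to `_clientAuth` only to avoid clashing with the new member, and leading-underscore names are easy to confuse with reserved identifiers. A mem-initializer resolves the name outside the parentheses to the member and the name inside to the parameter, so the original name can stay and the initializer can be written as `clientAuth(clientAuth)`.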
@@ -226,6 +219,13 @@
 
 int SslSocket::listen(const SocketAddress& sa, int backlog) const
 {
+    //configure prototype socket:
+    prototype = SSL_ImportFD(0, PR_NewTCPSocket());
+
+    if (clientAuth) {
+        NSS_CHECK(SSL_OptionSet(prototype, SSL_REQUEST_CERTIFICATE, PR_TRUE));
+        NSS_CHECK(SSL_OptionSet(prototype, SSL_REQUIRE_CERTIFICATE, PR_TRUE));
+    }
     //get certificate and key (is this the correct way?)
     std::string cName( (certname == "") ? "localhost.localdomain" : certname);
     CERTCertificate *cert = PK11_FindCertFromNickname(const_cast<char*>(cName.c_str()), 0);
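Review bot: The result of `SSL_ImportFD(0, PR_NewTCPSocket())` at the top of listen() is stored in `prototype` without a null check, and a prototype left over from an earlier listen() call on the same object is overwritten without being closed. When `clientAuth` is false, nothing in the visible lines would notice a failed allocation; when it is true, the failure presumably surfaces only indirectly through NSS_CHECK on `SSL_OptionSet`. I would release any existing descriptor first, e.g. `if (prototype) PR_Close(prototype);` (provided no other path has already closed it without resetting it to 0), and fail explicitly if the new value is null, using the error path the rest of the file uses. The body of listen() continues past the end of the hunk, so any later handling is not visible here.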
diff --git a/src/qpid/sys/ssl/SslSocket.h b/src/qpid/sys/ssl/SslSocket.h
index 733a47a..6f623ba 100644
--- a/src/qpid/sys/ssl/SslSocket.h
+++ b/src/qpid/sys/ssl/SslSocket.h
@@ -73,6 +73,7 @@
 protected:
     mutable PRFileDesc* nssSocket;
     std::string certname;
+    bool clientAuth;
     mutable std::string url;
 
     /**
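Review bot: `clientAuth` decides whether listen() sets SSL_REQUEST_CERTIFICATE and SSL_REQUIRE_CERTIFICATE on the prototype, yet it is added as a plain writable protected member with no comment. The visible code sets it only in the constructor, so `const bool clientAuth;` would stop a subclass from switching certificate enforcement off after construction, assuming SslSocket is never copy-assigned. A one-line comment such as `// when true, listen() configures the prototype to request and require a client certificate` would document the field.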