qpid-dev mailing list archives

From Cliff Jansen <cliffjan...@gmail.com>
Subject Re: SSL Connection under Windows [Was: Qpid Enquiry]
Date Mon, 21 May 2012 20:04:42 GMT
Andrew:

Note that there are pending changes to client side SSL on Windows in
QPID-3914.  I haven't examined it, but it seems related to some of the
expanded functionality you are looking for.

Cliff

On Mon, May 21, 2012 at 12:40 PM, Steve Huston <shuston@riverace.com> wrote:
>> -----Original Message-----
>> From: Andrew Stitcher [mailto:astitcher@redhat.com]
>> Sent: Monday, May 21, 2012 3:20 PM
>> To: dev@qpid.apache.org
>> Subject: RE: SSL Connection under Windows [Was: Qpid Enquiry]
>>
>> On Mon, 2012-05-21 at 14:08 -0500, Steve Huston wrote:
>> > Hi Andrew,
>> >
>> > I wrote the code originally, so I'll chime in.
>> >
>> > As for the "why" questions, they may have been misinformed, bad
>> > decisions. I was most likely thinking "broker" instead of client,
>> > which is why I chose to open the store for local machine, not current
>> > user. It was also before running the broker as a service was really
>> > worked on seriously. I may have misunderstood advice on MSDN re that
>> > arg and the store path. I might have just gotten it wrong.
>>
>> A point of clarification - I haven't considered the client side at all in any of
>> this, I've only been working to get a broker up with ssl. I've actually been
>> connecting to it from linux. In fact if I read the code correctly the client side
>> doesn't open the certificate store at all (at least explicitly).
>
> Ok.
>
>> I didn't really emphasise this, but I think that using LocalMachine store is
>> probably more insecure than necessary in that it allows anyone with access
>> to the machine access to the certificate to impersonate the broker. So I'd like
>> to change the default, however that wouldn't be backward compatible -
>> would that be an issue do you think?
>
> If you're closing a security hole, I'd say to change it as long as the
> release notes mention the change.
>
> -Steve
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
> For additional commands, e-mail: dev-help@qpid.apache.org
>
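An added example, not code from this thread or from the Qpid project, illustrating the point Andrew raises about the LocalMachine store: it looks for the broker certificate in both the LocalMachine and CurrentUser personal stores and, for a machine-store RSA key, lists which local accounts the key container's NTFS ACL grants access to. The subject match string "qpid-broker" is a placeholder, and the key container path assumes a CSP (not CNG) key.

```powershell
# Added example (not Qpid project code): audit where the broker certificate
# and its private key live, and who can read the key.
# "qpid-broker" is a placeholder for the broker certificate's subject.
param([string]$SubjectMatch = "qpid-broker")

foreach ($location in "LocalMachine", "CurrentUser") {
    $store = "Cert:\$location\My"
    $certs = Get-ChildItem $store | Where-Object { $_.Subject -like "*$SubjectMatch*" }
    if (-not $certs) {
        Write-Output "$store : no certificate matching '$SubjectMatch'"
        continue
    }
    foreach ($cert in $certs) {
        Write-Output ("$store : {0} thumbprint={1} hasPrivateKey={2}" -f
            $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey)

        # For a CSP RSA key in the machine store, the key material is a file under
        # MachineKeys; its NTFS ACL decides which local accounts can read the key
        # (and therefore present the broker's identity). Assumed CSP key; CNG keys
        # are stored elsewhere and are skipped here.
        if ($location -eq "LocalMachine" -and $cert.HasPrivateKey -and $cert.PrivateKey) {
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
            if (Test-Path $keyFile) {
                Write-Output "    key container: $keyFile"
                (Get-Acl $keyFile).Access | ForEach-Object {
                    Write-Output ("    {0} : {1} ({2})" -f
                        $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType)
                }
            }
        }
    }
}
```

Any entry beyond SYSTEM, Administrators and the broker's own service account in that ACL is exactly the exposure described in the thread.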
