qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robbie Gemmell (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (QPID-4352) Java client logs key_store_password/trust_store_password from connection url at debug
Date Tue, 02 Oct 2012 17:13:07 GMT

     [ https://issues.apache.org/jira/browse/QPID-4352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Robbie Gemmell reassigned QPID-4352:
------------------------------------

    Assignee: Keith Wall  (was: Robbie Gemmell)

Hi Keith,

I noticed that the connection factory was affected by the changes due to its use of the AMQConnectionURL
toString method.

I have updated it to work around the issue, updated SSLTest so that it uses factories and
thus exposes the issue, and updated a couple of tests that were affected by my change due
to their horrible manipulation of connection URLs post-creation.

Can you review my changes?

(I later plan to look into removing the ability to create an AMQConnectionFactory with a ConnectionURL
object instead of a String as it seems no real good comes from having the ability, but potentially
lots of hideousness and lack of testing  does).
                
> Java client logs key_store_password/trust_store_password from connection url at debug
> -------------------------------------------------------------------------------------
>
>                 Key: QPID-4352
>                 URL: https://issues.apache.org/jira/browse/QPID-4352
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Client
>    Affects Versions: 0.14, 0.16, 0.18
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>             Fix For: 0.19
>
>
> When run in DEBUG, the Qpid client logs the trust store/key store passwords to the log.
 This could present a security issue.
> {noformat}
> main 2012-09-29 22:32:54,558 DEBUG [apache.qpid.client.AMQConnection] Connection(1):amqp://guest:********@test/?brokerlist='tcp://localhost:15671?trust_store_password='password'&trust_store='test-profiles/test_resources/ssl/java_client_truststore.jks'&ssl_verify_hostname='true'&ssl='true'&key_store_password='password'&key_store='test-profiles/test_resources/ssl/java_client_keystore.jks''
> {noformat}
> The code should be changed to mask these passwords in the same fashion as the client's
password.  This change was made by QPID-1208.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message