qpid-dev mailing list archives

From "Keith Wall (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (QPID-7869) [Java Broker] Truststore improvements
Date Wed, 06 Sep 2017 09:40:00 GMT

     [ https://issues.apache.org/jira/browse/QPID-7869?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall resolved QPID-7869.
    Resolution: Fixed

Further changes look reasonable.

> [Java Broker] Truststore improvements
> -------------------------------------
>                 Key: QPID-7869
>                 URL: https://issues.apache.org/jira/browse/QPID-7869
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>             Fix For: qpid-java-broker-7.0.0
>         Attachments: 0001-QPID-7869-Proof-of-concept-only-validate-the-trust-a.patch
> The current TrustStore API requires some tidy up/improvements to allow an operator to better manage certificate expiry.
> # Currently the details of certificates contained within the store are not exposed in a uniform manner. {{#getCertificateDetails}} should be pulled up and implemented by all truststore types.  I suggest we standardise on the form currently used by {{ManagedPeerCertificateTrustStore#getCertificateDetails}} (i.e. the List<CertificateDetails>).  For the {{SiteSpecificTrustStore}} it should return a singleton list.
> # KeyStores currently warn the user that certificates are about to expire via operational log messages.  TrustStores should implement the same feature.
> # For SSL client authentication, we should have a 'strict mode' where the {{validFrom}}/{{validTo}} date of the peer certificate is validated before the connection is accepted.  This will help users utilising self-signed certificates for client authentication purposes effectively manage certificate expiration.
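
One way items 2 and 3 of the description above could be implemented with standard JSSE/JCA calls. This is an added example, not the patch attached to the issue and not Qpid broker code; the class name `StrictValidityTrustManager` and the method `expiringWithin` are hypothetical.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import javax.net.ssl.X509TrustManager;

/** Hypothetical wrapper, not a Qpid class: adds validity checks to an existing trust manager. */
public final class StrictValidityTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    public StrictValidityTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    /** Item 2: aliases of truststore certificates whose validTo falls within warnPeriod from now. */
    public static List<String> expiringWithin(KeyStore trustStore, Duration warnPeriod) throws KeyStoreException {
        Date threshold = new Date(System.currentTimeMillis() + warnPeriod.toMillis());
        List<String> aliases = new ArrayList<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate cert = trustStore.getCertificate(alias);
            if (cert instanceof X509Certificate && ((X509Certificate) cert).getNotAfter().before(threshold)) {
                aliases.add(alias); // candidate for an operational log warning
            }
        }
        return aliases;
    }

    /** Item 3: after the delegate's trust decision, reject a peer certificate outside validFrom/validTo. */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
        if (chain == null || chain.length == 0) {
            throw new CertificateException("No peer certificate presented");
        }
        // chain[0] is the peer's own certificate; throws CertificateExpiredException or CertificateNotYetValidException.
        chain[0].checkValidity(new Date());
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }
}
```

The wrapper is installed by passing it to `SSLContext.init` in place of the `X509TrustManager` obtained from the `TrustManagerFactory`, so a handshake with an expired or not-yet-valid client certificate fails before the connection is accepted.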
