qpid-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-8135) [JMS AMQP 0-x] Connection URL options for end-to-end encryption keystore/trustore passwords can be logged when log level for 'org.apache.qpid' loggers is lower than 'warn'
Date Thu, 05 Apr 2018 15:30:00 GMT

    [ https://issues.apache.org/jira/browse/QPID-8135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16427111#comment-16427111 ]

ASF subversion and git services commented on QPID-8135:
-------------------------------------------------------

Commit 97347f0fb0e0782398bd16a7ba2d318bbb759bd1 in qpid-jms-amqp-0-x's branch refs/heads/master
from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-jms-amqp-0-x.git;h=97347f0 ]

QPID-8135: [Qpid JMS AMQP 0-x] Mask passwords associated with end to end encryption in the
BrokerDetails#toString()


> [JMS AMQP 0-x] Connection URL options for end-to-end encryption keystore/trustore passwords can be logged when log level for 'org.apache.qpid' loggers is lower than 'warn'
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-8135
>                 URL: https://issues.apache.org/jira/browse/QPID-8135
>             Project: Qpid
>          Issue Type: Bug
>          Components: JMS AMQP 0-x
>    Affects Versions: qpid-java-client-0-x-6.3.0
>            Reporter: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-client-0-x-6.3.1
>
>
> The connection URL password options can be logged when log level for 'org.apache.qpid' loggers is lower than 'warn'.
> The following cases are identified when password is logged
>  # when encryption keystore/truststore parameters are declared as part of broker URL, 'org.apache.qpid' loggers log level is set to 'info' or lower threshold and connectivity is not established, the encryption_key_store_password or encryption_trust_store_password can be logged with info log level as below
> {noformat}
> 2018-03-16 12:56:02,196 INFO  [main] o.a.q.c.AMQConnection Unable to connect to broker at tcp://localhost:5672?encryption_trust_store='/path/to/trustore.jks'&encryption_trust_store_password='password'
> org.apache.qpid.transport.TransportException: Error connecting to broker
> 	at org.apache.qpid.transport.network.io.IoNetworkTransport.connectTcp(IoNetworkTransport.java:151)
> ...
> 2018-03-16 12:56:02,196 INFO  [main] o.a.q.j.f.FailoverRoundRobinServers ==== Checking failoverAllowed() ====
> 2018-03-16 12:56:02,197 INFO  [main] o.a.q.j.f.FailoverRoundRobinServers Cycle Servers:
> Cycle Retries:20
> Current Cycle:20
> Server Retries:0
> Current Retry:0
> Current Broker:0
> >tcp://localhost:5672?encryption_trust_store='/path/to/trsutsore.jks'&encryption_trust_store_password='password'
> {noformat}
>  # when encryption keystore/truststore parameters or/and SSL trust store parameters or/and SSL client-auth parameters are declared as part of connection URL and 'org.apache.qpid' loggers log level is set to 'debug' or lower threshold, the password options can be logged with DEBUG log level as below:
> {noformat}
> 2018-03-16 13:03:20,879 DEBUG [main] o.a.q.c.AMQConnection Connection(1):amqp://admin:********@consumer/?encryption_trust_store='/path/to/keystore.jks'&trust_store='/path/to/trsustore.ts'&key_store_password='secret'&encryption_trust_store_password='password'&key_store='/path/to/keystore.ks'&trust_store_password='secret'&brokerlist='tcp://localhost:5672'&failover='roundrobin?cyclecount='20''
> {noformat}
> The workaround for the issue would be to set debug log level to warn at least for the following loggers:
> * org.apache.qpid.client.AMQConnection
> * org.apache.qpid.jms.failover.FailoverRoundRobinServers



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
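
A way to check existing client logs for the exposure described in this issue, as an added example that is not part of the original message or the Qpid code base: it flags log lines carrying an unmasked `*password` URL option and rewrites them with the same `********` mask the log already uses for the URL's user password. The function names, the regular expression and the sample lines (modelled on the excerpts above) are constructed for illustration.

```python
import re

# Any URL option whose name ends in "password", e.g.
# encryption_trust_store_password='password' or key_store_password='secret'.
# The URLs in the report single-quote their values; an unquoted value running
# to the next '&' or whitespace is also accepted (assumption).
PASSWORD_OPTION = re.compile(
    r"(?P<name>\b\w*password)=(?:'(?P<quoted>[^']*)'|(?P<bare>[^&'\s]+))",
    re.IGNORECASE,
)
MASK = "********"


def find_leaks(line):
    """Return names of password options whose value is present unmasked."""
    leaks = []
    for m in PASSWORD_OPTION.finditer(line):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        if value != MASK:
            leaks.append(m.group("name"))
    return leaks


def redact(line):
    """Replace every password option value with the mask."""
    return PASSWORD_OPTION.sub(lambda m: f"{m.group('name')}='{MASK}'", line)


def scan(lines):
    """Return (line_number, leaked_option_names) for each affected line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        names = find_leaks(line)
        if names:
            hits.append((number, names))
    return hits


# Constructed sample lines modelled on the log excerpts in the report.
SAMPLE = [
    "2018-03-16 12:56:02,196 INFO  [main] o.a.q.c.AMQConnection Unable to connect to broker at tcp://localhost:5672?encryption_trust_store='/path/to/truststore.jks'&encryption_trust_store_password='password'",
    "2018-03-16 13:03:20,879 DEBUG [main] o.a.q.c.AMQConnection Connection(1):amqp://admin:********@consumer/?trust_store='/path/to/truststore.ts'&key_store_password='secret'&trust_store_password='secret'&brokerlist='tcp://localhost:5672'",
    "2018-03-16 13:03:21,001 INFO  [main] o.a.q.c.AMQConnection Connected to tcp://localhost:5672?encryption_trust_store_password='********'",
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE):
        print(f"line {number}: unmasked {', '.join(names)}")
        print("  " + redact(SAMPLE[number - 1]))
```

Any option the scan reports should be treated as exposed to whoever can read the log, so the corresponding keystore or truststore password is a candidate for rotation.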
