I've recently also been looking at setting up SSL on the Windows brokers
and I've noticed a couple of things about the way the Windows code uses
the Windows certificate store which make it harder for a developer to
test. It's not clear to me if these are real deployment issues too so
I'd like an opinion before I check in any changes.

In file
qpid/cpp/src/qpid/broker/windows/SslProtocolFactory.cpp
line 146

We open the certificate store:
    certStoreHandle = ::CertOpenStore(CERT_STORE_PROV_SYSTEM_A,
                                      X509_ASN_ENCODING,
                                      0,
                                      CERT_SYSTEM_STORE_LOCAL_MACHINE,
                                      options.certStore.c_str());

Now I'm wondering why we specify CERT_SYSTEM_STORE_LOCAL_MACHINE and not
the default (which would be CERT_SYSTEM_STORE_CURRENT_USER). This
difference means that you have to add the (test) certificate you want to
the machine store rather than the user store requiring administrator
permissions.

The issue here would be mostly for the default "My" store as the other
stores seem to have a search path that ends in local machine anyway if I
understand the documentation correctly.

Also I understand that we want to run the broker as a service and maybe
in that case we should specify CERT_SYSTEM_STORE_CURRENT_SERVICE
instead? The documentation seems to indicate that the local machine
store would be checked in that case anyway.

To get round this I'd like to add a new flag --ssl-cert-store-location
to allow the store location to be specified to make it easier to test
as a normal user/use a service store. Anyone know whether there is a
specific problem (security or otherwise) with this?

One issue with the current scheme I'll already note is that it involves
publishing the broker ssl certificate with private keys in such a way as
anyone on the local machine can get those keys, which would be avoided
by publishing as a specific user or service running the broker.

---

Additionally by opening the store unnecessarily in read/write mode we
require qpid to be run as administrator too and that seems easily fixed
(at least in my simple testing) by just adding
"|CERT_STORE_READONLY_FLAG" to the flags argument. I can't see any
reason not to open the store read only, is there?

Note that this doesn't add any extra security since someone else could
just open the local machine certificate in read only mode and use
the certificate in any case.

Thanks

Andrew
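Added example (not Qpid code, and not from the message above): how the proposed --ssl-cert-store-location option could be turned into the dwFlags argument of CertOpenStore, with the store opened read-only as suggested. The option values "LocalMachine", "CurrentUser" and "CurrentService", the function names, and the use of CERT_STORE_OPEN_EXISTING_FLAG (so a mistyped store name fails instead of silently creating an empty store) are my own choices. Off Windows the wincrypt.h constant values are reproduced by hand so the flag logic compiles and can be checked; only a Windows build actually calls CertOpenStore.

```cpp
// Example: map a store-location option to CertOpenStore flags and open the
// broker's certificate store read only. Assumed names; not Qpid's own code.
#include <cstdint>
#include <stdexcept>
#include <string>

#ifdef _WIN32
#  include <windows.h>
#  include <wincrypt.h>
#else
// Values copied from wincrypt.h so the flag handling compiles on other
// platforms for testing. The real API is only called under _WIN32.
typedef uint32_t DWORD;
#  define CERT_SYSTEM_STORE_CURRENT_USER     0x00010000
#  define CERT_SYSTEM_STORE_LOCAL_MACHINE    0x00020000
#  define CERT_SYSTEM_STORE_CURRENT_SERVICE  0x00040000
#  define CERT_STORE_READONLY_FLAG           0x00008000
#  define CERT_STORE_OPEN_EXISTING_FLAG      0x00004000
#  define X509_ASN_ENCODING                  0x00000001
#endif

// Accepted values for the (assumed) --ssl-cert-store-location option.
bool isKnownLocation(const std::string& location) {
    return location == "LocalMachine"
        || location == "CurrentUser"
        || location == "CurrentService";
}

// Translate the option value to the CERT_SYSTEM_STORE_* location flag.
// Unknown values are rejected rather than falling back to a store the
// operator did not ask for.
DWORD storeLocationFlag(const std::string& location) {
    if (location == "LocalMachine")   return CERT_SYSTEM_STORE_LOCAL_MACHINE;
    if (location == "CurrentUser")    return CERT_SYSTEM_STORE_CURRENT_USER;
    if (location == "CurrentService") return CERT_SYSTEM_STORE_CURRENT_SERVICE;
    throw std::invalid_argument("unknown ssl-cert-store-location: " + location);
}

// Full dwFlags word: location, plus read-only (the broker only ever reads
// its certificate, so no administrator rights are needed for the machine
// store) and open-existing (fail on a mistyped store name).
DWORD storeOpenFlags(const std::string& location) {
    return storeLocationFlag(location)
         | CERT_STORE_READONLY_FLAG
         | CERT_STORE_OPEN_EXISTING_FLAG;
}

// Self-check helper: does a flag word request read-only access?
bool isReadOnly(DWORD flags) {
    return (flags & CERT_STORE_READONLY_FLAG) != 0;
}

#ifdef _WIN32
// Open the named system store (e.g. "MY") at the requested location.
// Mirrors the CertOpenStore call quoted in the message, with the flags
// built above instead of the hard-coded CERT_SYSTEM_STORE_LOCAL_MACHINE.
HCERTSTORE openBrokerCertStore(const std::string& location,
                               const std::string& storeName) {
    HCERTSTORE store = ::CertOpenStore(CERT_STORE_PROV_SYSTEM_A,
                                       X509_ASN_ENCODING,
                                       0,
                                       storeOpenFlags(location),
                                       storeName.c_str());
    if (store == NULL) {
        throw std::runtime_error("CertOpenStore failed, error "
                                 + std::to_string(::GetLastError()));
    }
    return store;
}
#endif
```

On Windows, openBrokerCertStore("CurrentUser", "MY") opens the calling user's personal store without administrator rights, which is the developer-testing case from the message; "CurrentService" is the store a service account would use. Remember to CertCloseStore the handle when the broker shuts down.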
