Hi Andrew, I wrote the code originally, so I'll chime in.
As for the "why" questions, they may have been misinformed, bad decisions. I was most likely thinking "broker" instead of client, which is why I chose to open the store for local machine, not current user. It was also before running the broker as a service was really worked on seriously. I may have misunderstood advice on MSDN re that arg and the store path. I might have just gotten it wrong. If you have good reason to change it (and from your explanation below I could certainly see that) I'd support changing it. I like the idea of the command line option to change the store location. Definitely would change to open the store read only.

-Steve

> -----Original Message-----
> From: Andrew Stitcher [mailto:[email protected]]
> Sent: Monday, May 21, 2012 2:48 PM
> To: [email protected]
> Cc: Steve Huston
> Subject: SSL Connection under Windows [Was: Qpid Enquiry]
>
> I've recently also been looking at setting up SSL on the Windows brokers and I've noticed a couple of things about the way the Windows code uses the Windows certificate store which make it harder for a developer to test. It's not clear to me if these are real deployment issues too, so I'd like an opinion before I check in any changes.
>
> In file qpid/cpp/src/qpid/broker/windows/SslProtocolFactory.cpp, line 146
>
> We open the certificate store:
>
>     certStoreHandle = ::CertOpenStore(CERT_STORE_PROV_SYSTEM_A,
>                                       X509_ASN_ENCODING,
>                                       0,
>                                       CERT_SYSTEM_STORE_LOCAL_MACHINE,
>                                       options.certStore.c_str());
>
> Now I'm wondering why we specify CERT_SYSTEM_STORE_LOCAL_MACHINE and not the default (which would be CERT_SYSTEM_STORE_CURRENT_USER). This difference means that you have to add the (test) certificate you want to the machine store rather than the user store, requiring administrator permissions.
>
> The issue here would be mostly for the default "My" store, as the other stores seem to have a search path that ends in local machine anyway if I understand the documentation correctly.
>
> Also I understand that we want to run the broker as a service, and maybe in that case we should specify CERT_SYSTEM_STORE_CURRENT_SERVICE instead? The documentation seems to indicate that the local machine store would be checked in that case anyway.
>
> To get round this I'd like to add a new flag --ssl-cert-store-location to allow the store location to be specified, to make it easier to test as a normal user/use a service store. Anyone know whether there is a specific problem (security or otherwise) with this?
>
> One issue with the current scheme I'll already note is that it involves publishing the broker ssl certificate with private keys in such a way that anyone on the local machine can get those keys, which would be avoided by publishing as a specific user or service running the broker.
>
> ---
>
> Additionally, by opening the store unnecessarily in read/write mode we require qpid to be run as administrator too, and that seems easily fixed (at least in my simple testing) by just adding "|CERT_STORE_READONLY_FLAG" to the flags argument. I can't see any reason not to open the store read only, is there?
>
> Note that this doesn't add any extra security, since someone else could just open the local machine certificate store in read only mode and use the certificate in any case.
>
> Thanks
>
> Andrew

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

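As an added illustration of the change discussed in the thread (example code, not Qpid's own), this composes the CertOpenStore flags from a configurable store location and always ORs in CERT_STORE_READONLY_FLAG, so the broker neither needs write access to the store nor silently defaults to the machine store; the option name `--ssl-cert-store-location` and the location spellings are assumptions, and the SDK constant values are reproduced only so the flag logic compiles off Windows.

```cpp
// Added example: compose read-only CertOpenStore flags for a configurable
// store location. Not part of Qpid; option name and spellings are assumed.
#include <cstdint>
#include <map>
#include <stdexcept>
#include <string>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else
// Windows SDK values (assumed to match wincrypt.h), defined here so the
// flag logic can be built and unit-tested on a non-Windows host.
#define CERT_STORE_READONLY_FLAG          0x00008000
#define CERT_SYSTEM_STORE_CURRENT_USER    0x00010000
#define CERT_SYSTEM_STORE_LOCAL_MACHINE   0x00020000
#define CERT_SYSTEM_STORE_CURRENT_SERVICE 0x00040000
#endif

// Map the value of a hypothetical --ssl-cert-store-location option to the
// CERT_SYSTEM_STORE_* location bits. Unknown names are rejected instead of
// quietly falling back to the local machine store.
uint32_t storeLocationFlag(const std::string& location) {
    static const std::map<std::string, uint32_t> locations = {
        {"CurrentUser",    CERT_SYSTEM_STORE_CURRENT_USER},
        {"LocalMachine",   CERT_SYSTEM_STORE_LOCAL_MACHINE},
        {"CurrentService", CERT_SYSTEM_STORE_CURRENT_SERVICE},
    };
    auto it = locations.find(location);
    if (it == locations.end())
        throw std::invalid_argument("unknown cert store location: " + location);
    return it->second;
}

// Full dwFlags word: location bits plus CERT_STORE_READONLY_FLAG, so the
// broker only ever asks for read access (no administrator rights needed).
uint32_t certStoreOpenFlags(const std::string& location) {
    return storeLocationFlag(location) | CERT_STORE_READONLY_FLAG;
}

#ifdef _WIN32
// Open the named system store read-only at the requested location. Returns
// NULL with GetLastError() set on failure, exactly as CertOpenStore does.
HCERTSTORE openBrokerCertStore(const std::string& location,
                               const std::string& storeName) {
    return ::CertOpenStore(CERT_STORE_PROV_SYSTEM_A, X509_ASN_ENCODING, 0,
                           certStoreOpenFlags(location), storeName.c_str());
}
#endif
```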