[ https://issues.apache.org/jira/browse/QPID-4013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280551#comment-13280551 ]
Andrew Stitcher commented on QPID-4013:
---------------------------------------
By default with this change the broker will use the current user's personal
certificate store; the default certificate name is the machine name. This means
that you can generate an appropriate certificate to test with very simply by
using "makecert".
viz:
makecert -r -pe -ss "My" -sk <MachineName> -n "CN=<MachineName>"
[Actually minimally:
makecert -ss "My" -n "CN=<MachineName>"
would work too]
Replace <MachineName> with the name of the machine.
This will create a new certificate and store it in the user's certificate store.
Then starting qpidd with no command line parameters should correctly find the
certificate and start an SSL listening port.
> Windows Broker SSL is more difficult to use than necessary and possibly less
> secure than possible
> -------------------------------------------------------------------------------------------------
>
> Key: QPID-4013
> URL: https://issues.apache.org/jira/browse/QPID-4013
> Project: Qpid
> Issue Type: Improvement
> Components: C++ Broker
> Affects Versions: 0.14, 0.16, 0.17
> Environment: Windows
> Reporter: Andrew Stitcher
> Assignee: Andrew Stitcher
> Priority: Minor
> Fix For: 0.17
>
>
> The current Windows Broker SSL code always uses the LocalMachine certificate
> store opened read/write. This has a number of drawbacks:
> * Opening read/write means that the broker has to run as administrator to use
> the certificates in the store. The broker only reads from the store so this
> is actually unnecessary.
> * Forcing use of LocalMachine for the certificates means that they are
> readable by every user on the machine, which might be a security issue, as it
> would allow any process on the machine to impersonate the qpid broker.
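
A pre-flight check for the setup described in the comment above, as an added example that is not part of the original message or the Qpid code base: it lists certificates named after the machine in the current user's "My" store and in LocalMachine, and reports whether each has a private key and is within its validity period. The function name Find-BrokerCertificate is hypothetical, and matching on the exact subject "CN=<MachineName>" is an assumption based on the makecert commands shown.

```powershell
# Added example (not Qpid code). Assumption: the broker's certificate can be
# recognised by its subject, CN=<MachineName>, as created by the makecert call.
function Find-BrokerCertificate {
    param(
        [string]$Name = $env:COMPUTERNAME,
        [string[]]$StoreLocation = @('CurrentUser', 'LocalMachine')
    )
    $now = Get-Date
    foreach ($location in $StoreLocation) {
        # Listing certificates only reads the store; nothing is modified.
        Get-ChildItem -Path "Cert:\$location\My" |
            Where-Object { $_.Subject -eq "CN=$Name" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = "$location\My"
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey
                    NotBefore     = $_.NotBefore
                    NotAfter      = $_.NotAfter
                    # An SSL listener needs the private key and a currently valid certificate.
                    Usable        = $_.HasPrivateKey -and
                                    ($_.NotBefore -le $now) -and
                                    ($_.NotAfter -ge $now)
                }
            }
    }
}

$found = @(Find-BrokerCertificate)
if (-not $found) {
    Write-Warning "No certificate with subject CN=$env:COMPUTERNAME found in CurrentUser\My or LocalMachine\My."
} else {
    $found | Format-Table -AutoSize
    # The issue description raises a concern about certificates kept in LocalMachine.
    $found | Where-Object { $_.Store -like 'LocalMachine*' } | ForEach-Object {
        Write-Warning "Certificate $($_.Thumbprint) is in LocalMachine\My, the store the issue describes as readable by every user on the machine."
    }
}
```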