[
https://issues.apache.org/jira/browse/DISPATCH-1440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16946878#comment-16946878
]
ASF GitHub Bot commented on DISPATCH-1440:
------------------------------------------
kgiusti commented on pull request #582: DISPATCH-1440 - Deprecated passwordFile
attribute in sslProfile and m…
URL: https://github.com/apache/qpid-dispatch/pull/582#discussion_r332512084
##########
File path: docs/books/user-guide/configuration-reference.adoc
##########
@@ -76,8 +76,8 @@ Attributes for setting SSL/TLS configuration for connections.
* *_caCertFile_* (path) : The absolute path to the database that contains the
public certificates of trusted certificate authorities (CA).
* *_certFile_* (path) : The absolute path to the file containing the
PEM-formatted public certificate to be used on the local end of any connections
using this profile.
* *_privateKeyFile_* (path) : The absolute path to the file containing the
PEM-formatted private key for the above certificate.
-* *_passwordFile_* (path) : If the above private key is password protected,
this is the absolute path to a file containing the password that unlocks the
certificate key.
-* *_password_* (string) : An alternative to storing the password in a file
referenced by passwordFile is to supply the password right here in the
configuration file. This option can be used by supplying the password in the
‘password’ option. Don’t use both password and passwordFile in the same profile.
+* *_passwordFile_* (path) : (DEPRECATED) If the above private key is password
protected, this is the absolute path to the file containing the password that
unlocks the certificate key. This file should be permission protected to limit
access. This has been deprecated. Use the file: prefix in the password field to
specify the absolute path of the file containing the password. If both password
and passwordFile are provided, the passwordFile is ignored.
+* *_password_* (string) : Password that unlocks the certificate key. Supports
three openssl style prefixes namely - env:, file: pass:. Also supports the
legacy literal: prefix. env:var obtains the password from the environment
variable var. Since the environment of other processes is visible on certain
platforms (e.g. ps under certain Unix OSes) this option should be used with
caution. file:absolutepath obtains passswrod from the absolute path of the file
containing the password. This option is the safest since permissions can be set
on the file. pass:password or literal:password or password with no prefix is
used to directly specify the password and should only be used where security is
not important. If both password and passwordFile are provided, the passwordFile
is ignored.
Review comment:
Remove "openssl" and fix "passwrod"
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> Deprecate the passwordFile field in sslProfile and consolidate all password
> scenarios to use the password field
> ----------------------------------------------------------------------------------------------------------------
>
> Key: DISPATCH-1440
> URL: https://issues.apache.org/jira/browse/DISPATCH-1440
> Project: Qpid Dispatch
> Issue Type: Improvement
> Components: Container
> Affects Versions: 1.9.0
> Reporter: Ganesh Murthy
> Assignee: Ganesh Murthy
> Priority: Major
>
> Deprecate the passwordFile field and consolidate all password scenarios to
> use the password field. We will use the password options that
> [openssl|https://www.openssl.org/docs/man1.1.1/man1/openssl.html] uses (see
> Pass Phrase Options sections). Going forward, here are three ways to specify
> a password in an sslProfile
>
> {noformat}
> sslProfile {
> caCertFile: .....
> certFile: .....
> # Get the password from the environment variable TLS_SERVER_PASSWORD.
> Note the env: prefix
> password: env:TLS_SERVER_PASSWORD
> OR
> # Get the password from the absolute file path. Note the file: prefix
> password: file:/home/tls/password-file.txt
> OR
> # Specify the actual password. Note the pass: prefix
> password: pass:actual_password
> } {noformat}
> (We will not be supporting the openssl options fd: and stdin
>
>
> While you can still specify the actual password in the password field using
> the pass: prefix, which casual users might want to do, you are also able to
> specify the file path or environment variable for more robust security.
> This change will be backward compatible which means, you will still be able
> to specify the actual password in the password field without the pass:
> prefix. The "literal" prefix will continue to work as well. The passwordFile
> field will be deprecated and eventually removed when we to a major version.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
