Hi Maxim,

my only concern is that importing an old backup with v3.1.2 works as
expected and you do not end up in a situation where you do an import and
afterwards the login does not work because the passwords are encrypted
with the old crypt class.

I think we have to be careful with that especially as we are releasing
security features which include recommendations to update. It would be
embarrassing to recommend an update and then discover that the update path
is broken.

I might be able to do a quick installation and verification.

I created a blog post for this release, please review:
https://blogs.apache.org/openmeetings/entry/openmeetings_3_1_2_released

I already published it as it's pretty much the same content as your email.
But please have a quick look.

Great work btw for getting the signing of the Webstart App finally out. I
can remember discussing this for like 1 year.

I think we can also move this discussion to @dev, nothing secret here
anymore. The security patch is out now.

Thanks,
Seb

2016-08-12 17:08 GMT+12:00 Maxim Solodovnik <[email protected]>:

> Actually right now the crypt class from the backup will be taken (no changes
> for users)
>
> We can force change in any version
> I would propose 3.2.0 for this
>
> WBR, Maxim
> (from mobile, sorry for the typos)
>
> On Aug 12, 2016 12:02, "[email protected]" <[email protected]>
> wrote:
>
> Hi Maxim,
>
> this will be required for anybody that upgrades from an older version to
> OpenMeetings v3.1.2 right? So we kind of missed the chance to do that.
>
> Can we not just automatically change it to the old encryption class for
> users that install via a backup?
>
> I think (1) is not an option anyway as it would need to have all passwords
> in blank to encrypt them. Which we neither have nor want to have from a
> security point of view.
>
> (2) is what you would usually do.
>
> However still, the migration path is kind of like a major thing. We don't
> want to lose all of our old user base because they have this upgrade issue.
>
> Thanks,
> Sebastian
>
>
> 2016-08-12 16:07 GMT+12:00 Maxim Solodovnik <[email protected]>:
>
>> Hmmm,
>>
>> I see a couple of options here
>>
>> 1) Brute-force old user passwords and re-encrypt (unrealistic)
>> 2) Add sort of configurable "admin message" to Sign in dialog, something
>> like: "All users unable to login need to reset their passwords, because
>> the security of the system was enhanced"
>>
>> WDYT?
>>
>> On Fri, Aug 12, 2016 at 11:03 AM, [email protected] <
>> [email protected]> wrote:
>>
>>> "remove MD5*.class from bundle and correct class will be set
>>> automatically"
>>>
>>> Well my point is that in the old backup all passwords are encrypted with
>>> MD5. So once you imported that none of the logins will work anymore.
>>>
>>> Asking every user to type in a new password is quite some usability
>>> issue. And we also have no way of prompting users to switch the password
>>> once it's invalid other than going through the entire reset password cycle.
>>>
>>> So how will those be able to migrate?
>>>
>>> Thanks,
>>> Sebastian
>>>
>>>
>>> 2016-08-12 15:52 GMT+12:00 Maxim Solodovnik <[email protected]>:
>>>
>>>> Actually there are a couple of ways:
>>>>
>>>> 1) unzip backup, edit xml, zip it back
>>>> 2) remove MD5*.class from bundle and correct class will be set
>>>> automatically
>>>>
>>>> I believe I'll choose #2 for 3.2.0 :)
>>>>
>>>> On Fri, Aug 12, 2016 at 10:50 AM, [email protected] <
>>>> [email protected]> wrote:
>>>>
>>>>> So you need to adjust the config key after you did import the backup.
>>>>>
>>>>> Is there any way the backup mechanism can do that automatically? I
>>>>> think it's a spring config bean, right?
>>>>>
>>>>> Thanks,
>>>>> Sebastian
>>>>>
>>>>> 2016-08-12 15:46 GMT+12:00 Maxim Solodovnik <[email protected]>:
>>>>>
>>>>>> demo is updated: https://om.alteametasoft.com/openmeetings
>>>>>>
>>>>>> yep, this is the complete list :)
>>>>>>
>>>>>> new password encryption will work, BUT the crypt class needs to be
>>>>>> manually changed
>>>>>> I plan to force it in 3.2.0
>>>>>>
>>>>>>
>>>>>> On Fri, Aug 12, 2016 at 10:43 AM, [email protected] <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hi Maxim,
>>>>>>>
>>>>>>> let me know when you are ready to publish it.
>>>>>>>
>>>>>>> I would like to create a short blog post with the update.
>>>>>>>
>>>>>>> Does this represent a complete list of all Jira tickets involved in
>>>>>>> this release:
>>>>>>>
>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12335347
>>>>>>>
>>>>>>> One question regarding the new password encryption. Will that work
>>>>>>> for users that migrate from old versions to new OpenMeetings?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Sebastian
>>>>>>>
>>>>>>> 2016-08-12 13:44 GMT+12:00 Maxim Solodovnik <[email protected]>:
>>>>>>>
>>>>>>>> I'm closing the vote
>>>>>>>> The VOTE has passed
>>>>>>>>
>>>>>>>> we have 4 +1 from PMC: solomax, albus, vdegtyarev, sebawagner
>>>>>>>>
>>>>>>>> --
>>>>>>>> WBR
>>>>>>>> Maxim aka solomax
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Sebastian Wagner
>>>>>>> https://twitter.com/#!/dead_lock
>>>>>>> [email protected]
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> WBR
>>>>>> Maxim aka solomax
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Sebastian Wagner
>>>>> https://twitter.com/#!/dead_lock
>>>>> [email protected]
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> WBR
>>>> Maxim aka solomax
>>>>
>>>
>>>
>>>
>>> --
>>> Sebastian Wagner
>>> https://twitter.com/#!/dead_lock
>>> [email protected]
>>>
>>
>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>
>
>
> --
> Sebastian Wagner
> https://twitter.com/#!/dead_lock
> [email protected]
>
>
>


-- 
Sebastian Wagner
https://twitter.com/#!/dead_lock
[email protected]
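The migration problem the thread circles around, as an added illustration that is not OpenMeetings code: a backup carries a crypt-class setting and password hashes written by that class, so a preflight check can tell before the import whether the class the instance will end up with can still verify those hashes. The class names, the config key "crypt_ClassName" and the PBKDF2 stand-in for the new class are assumptions for this example; the last function shows a third approach the thread does not propose, transparently re-hashing a legacy password at the next successful login, which needs neither a plaintext list (option 1) nor a forced reset (option 2).

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the two password crypt classes the thread talks about.
# Real OpenMeetings class names are NOT reproduced; the config key name
# "crypt_ClassName" is likewise an assumption made for this illustration.
LEGACY_MD5 = "legacy.MD5Crypt"   # unsalted MD5, as stored in old backups
MODERN = "modern.PBKDF2Crypt"    # salted, iterated hash standing in for the new class

def md5_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def modern_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"pbkdf2${salt.hex()}${dk.hex()}"

def is_legacy_format(stored: str) -> bool:
    """32 lowercase hex chars: the hash was written by the old MD5 class."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)

def verify(crypt_class: str, password: str, stored: str) -> bool:
    if crypt_class == LEGACY_MD5:
        return hmac.compare_digest(md5_hash(password), stored)
    if crypt_class == MODERN and stored.startswith("pbkdf2$"):
        _, salt_hex, _ = stored.split("$")
        return hmac.compare_digest(modern_hash(password, bytes.fromhex(salt_hex)), stored)
    return False  # class/hash mismatch: the post-import "login does not work" case

def preflight(backup_config: dict, users: dict, forced_class: str = "") -> list:
    """Users whose stored hash the effective class cannot verify. No forced_class
    models 3.1.2 (class taken from the backup); a value models the planned forcing."""
    effective = forced_class or backup_config["crypt_ClassName"]
    return [u for u, h in users.items()
            if (effective == LEGACY_MD5) != is_legacy_format(h)]

def login_with_upgrade(users: dict, user: str, password: str) -> bool:
    """Accept a legacy MD5 hash once, then re-store it with the modern class."""
    stored = users[user]
    if is_legacy_format(stored):
        if not verify(LEGACY_MD5, password, stored):
            return False
        users[user] = modern_hash(password)  # upgraded without knowing any plaintext
        return True
    return verify(MODERN, password, stored)
```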
