> -----Original Message-----
> From: Andrew Stitcher [mailto:[email protected]]
> Sent: Monday, May 21, 2012 3:20 PM
> To: [email protected]
> Subject: RE: SSL Connection under Windows [Was: Qpid Enquiry]
>
> On Mon, 2012-05-21 at 14:08 -0500, Steve Huston wrote:
> > Hi Andrew,
> >
> > I wrote the code originally, so I'll chime in.
> >
> > As for the "why" questions, they may have been misinformed, bad
> > decisions. I was most likely thinking "broker" instead of client,
> > which is why I chose to open the store for local machine, not current
> > user. It was also before running the broker as a service was really
> > worked on seriously. I may have misunderstood advice on MSDN re that
> > arg and the store path. I might have just gotten it wrong.
>
> A point of clarification - I haven't considered the client side at all
> in any of this, I've only been working to get a broker up with ssl.
> I've actually been connecting to it from linux. In fact if I read the
> code correctly the client side doesn't open the certificate store at
> all (at least explicitly).

Ok.

> I didn't really emphasise this, but I think that using LocalMachine
> store is probably more insecure than necessary in that it allows
> anyone with access to the machine access to the certificate to
> impersonate the broker. So I'd like to change the default, however
> that wouldn't be backward compatible - would that be an issue do you
> think?

If you're closing a security hole, I'd say to change it as long as the release notes mention the change.

-Steve
