Andrew: Note that there are pending changes to client side SSL on Windows in QPID-3914. I haven't examined it, but it seems related to some of the expanded functionality you are looking for.
Cliff

On Mon, May 21, 2012 at 12:40 PM, Steve Huston <shus...@riverace.com> wrote:
>> -----Original Message-----
>> From: Andrew Stitcher [mailto:astitc...@redhat.com]
>> Sent: Monday, May 21, 2012 3:20 PM
>> To: dev@qpid.apache.org
>> Subject: RE: SSL Connection under Windows [Was: Qpid Enquiry]
>>
>> On Mon, 2012-05-21 at 14:08 -0500, Steve Huston wrote:
>> > Hi Andrew,
>> >
>> > I wrote the code originally, so I'll chime in.
>> >
>> > As for the "why" questions, they may have been misinformed, bad
>> > decisions. I was most likely thinking "broker" instead of client,
>> > which is why I chose to open the store for local machine, not current
>> > user. It was also before running the broker as a service was really
>> > worked on seriously. I may have misunderstood advice on MSDN re that
>> > arg and the store path. I might have just gotten it wrong.
>>
>> A point of clarification - I haven't considered the client side at all
>> in any of this, I've only been working to get a broker up with ssl. I've
>> actually been connecting to it from linux. In fact if I read the code
>> correctly the client side doesn't open the certificate store at all (at
>> least explicitly).
>
> Ok.
>
>> I didn't really emphasise this, but I think that using LocalMachine store
>> is probably more insecure than necessary in that it allows anyone with
>> access to the machine access to the certificate to impersonate the
>> broker. So I'd like to change the default, however that wouldn't be
>> backward compatible - would that be an issue do you think?
>
> If you're closing a security hole, I'd say to change it as long as the
> release notes mention the change.
>
> -Steve

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
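The concern raised in the quoted thread, that a broker certificate opened from the LocalMachine store can be read by anyone with access to the machine, comes down to who holds read rights on the private key file behind the certificate. The following PowerShell script is an added example for checking that on a Windows host; it is not Qpid code and not from anyone in the thread. It assumes Windows PowerShell 5.1, a certificate whose subject contains the hypothetical string "qpid-broker", and a CAPI (RSA CSP) private key, since that is the key type whose container name the .PrivateKey property exposes. It lists matching certificates in both the LocalMachine and CurrentUser personal stores and prints the NTFS ACL on each key file, so you can compare which accounts could use the key to impersonate the broker.

```powershell
# Added example (not Qpid code): compare who can read a broker certificate's
# private key depending on which Windows store it was imported into.
# Assumptions (hypothetical): the certificate subject contains "qpid-broker";
# the key is a CAPI RSA CSP key (the only kind .PrivateKey exposes as
# RSACryptoServiceProvider). Run elevated to read the MachineKeys ACLs.
param(
    [string]$SubjectMatch = 'qpid-broker'   # hypothetical subject fragment
)

function Get-KeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $key = $Cert.PrivateKey
    # CNG-only keys are not exposed here; see the note below the script.
    if (-not ($key -is [System.Security.Cryptography.RSACryptoServiceProvider])) {
        return $null
    }
    $info = $key.CspKeyContainerInfo
    $name = $info.UniqueKeyContainerName
    if ($info.MachineKeyStore) {
        # Machine keys are readable by every account granted rights on this file.
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
    }
    # Per-user CAPI keys live under the user's profile, keyed by SID.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    return Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid\$name"
}

foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem $store |
        Where-Object { $_.Subject -match $SubjectMatch } |
        ForEach-Object {
            Write-Host "`n$store : $($_.Subject) (thumbprint $($_.Thumbprint))"
            $path = Get-KeyFilePath $_
            if (-not $path -or -not (Test-Path $path)) {
                Write-Host "  no CAPI key file found; inspect with: certutil -v -store MY"
                return   # inside ForEach-Object this moves to the next certificate
            }
            Write-Host "  key file: $path"
            (Get-Acl $path).Access |
                Select-Object IdentityReference, FileSystemRights, AccessControlType |
                Format-Table -AutoSize
        }
}
```

A key in LocalMachine\My whose ACL grants read access to broad groups such as Users is usable by any local account, which is the impersonation risk described in the thread; a key in CurrentUser\My is stored under that one user's profile. Keys held by CNG rather than CAPI live under %ProgramData%\Microsoft\Crypto\Keys and are not covered by the script; `certutil -v -store MY` shows the provider and container for those.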