[jira] [Created] (QPID-4858) [Java Broker] HTTP management ports configured with 'HTTP' protocol and 'SSL' transport options will silently fail to use SSL

Fri, 17 May 2013 05:39:22 -0700 

Robbie Gemmell created QPID-4858:
------------------------------------

             Summary: [Java Broker] HTTP management ports configured with 
'HTTP' protocol and 'SSL' transport options will silently fail to use SSL
                 Key: QPID-4858
                 URL: https://issues.apache.org/jira/browse/QPID-4858
             Project: Qpid
          Issue Type: Bug
          Components: Java Broker
    Affects Versions: 0.21
            Reporter: Robbie Gemmell
            Assignee: Robbie Gemmell
            Priority: Blocker
             Fix For: 0.22


HTTP management ports configured with 'HTTP' protocol and 'SSL' transport 
options will silently fail to use SSL at all.


Since the changes made in the 0.21/0.22 development cycle for QPID-4390 and 
related JIRAs to enable management of the broker entirely through the HTTP 
management interfaces, it has become possible to configure HTTP management 
ports in a way that suggests SSL is in use when it is in fact not.

Fix:
Remove the HTTPS protocol option leaving only HTTP, and making all ports 
consistent in using the SSL transport value to indicate their use of SSL.


Additional Background:

When the HTTP management plugin was added previously, it advertised HTTPS and 
HTTP as different protocol options, despite us using the transport option (TCP 
or SSL) alone to signal use of SSL for all other protocol types (AMQP and 
JMX/RMI). The influence over whether SSL was used for the port or not was 
simply a boolean in the brokers XML configuration file to indicate HTTPS. With 
the configuration model changes from QPID-4390 etc, ports now have a more 
specific configuration that is dependent on both the specified protocols and 
transports to determine what to do but the HTTP management plugin is still only 
using HTTPS protocol value to indicate that it should use SSL and is ignoring 
the SSL transport value, however the REST interface and management UI allow 
this configuration and do not make it in any way clear that SSL is in fact not 
being used.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to