Alex Rudyy created QPID-8135:
--------------------------------

             Summary: [JMS AMQP 0-x] Connection URL options for 
keystore/truststore passwords can be logged when log level for 'org.apache.qpid' 
loggers is lower than 'warn'
                 Key: QPID-8135
                 URL: https://issues.apache.org/jira/browse/QPID-8135
             Project: Qpid
          Issue Type: Bug
          Components: JMS AMQP 0-x
    Affects Versions: qpid-java-client-0-x-6.3.0
            Reporter: Alex Rudyy
             Fix For: qpid-java-client-0-x-6.3.1


The connection URL password options can be logged when the log level for 
'org.apache.qpid' loggers is lower than 'warn'.

The following cases have been identified in which a password is logged:
# when encryption keystore/truststore parameters are declared as part of the broker 
URL, the 'org.apache.qpid' loggers' log level is set to 'info' or a lower threshold, 
and connectivity is not established, the encryption_key_store_password or 
encryption_trust_store_password can be logged at the info log level, as below:
{noformat}
2018-03-16 12:56:02,196 INFO  [main] o.a.q.c.AMQConnection Unable to connect to broker at tcp://localhost:5672?encryption_trust_store='/path/to/trustore.jks'&encryption_trust_store_password='password'
org.apache.qpid.transport.TransportException: Error connecting to broker
        at org.apache.qpid.transport.network.io.IoNetworkTransport.connectTcp(IoNetworkTransport.java:151)
...
2018-03-16 12:56:02,196 INFO  [main] o.a.q.j.f.FailoverRoundRobinServers ==== Checking failoverAllowed() ====
2018-03-16 12:56:02,197 INFO  [main] o.a.q.j.f.FailoverRoundRobinServers Cycle Servers:
Cycle Retries:20
Current Cycle:20
Server Retries:0
Current Retry:0
Current Broker:0
>tcp://localhost:5672?encryption_trust_store='/path/to/trsutsore.jks'&encryption_trust_store_password='password'
{noformat}
# when encryption keystore/truststore parameters and/or SSL trust store 
parameters and/or SSL client-auth parameters are declared as part of the connection 
URL and the 'org.apache.qpid' loggers' log level is set to 'debug' or a lower 
threshold, the password options can be logged at the DEBUG log level, as below:
{noformat}
2018-03-16 13:03:20,879 DEBUG [main] o.a.q.c.AMQConnection Connection(1):amqp://admin:********@consumer/?encryption_trust_store='/path/to/keystore.jks'&trust_store='/path/to/trsustore.ts'&key_store_password='secret'&encryption_trust_store_password='password'&key_store='/path/to/keystore.ks'&trust_store_password='secret'&brokerlist='tcp://localhost:5672'&failover='roundrobin?cyclecount='20''
{noformat}

The workaround for the issue would be to set the log level to at least 'warn' 
for the following loggers:
* org.apache.qpid.client.AMQConnection
* org.apache.qpid.jms.failover.FailoverRoundRobinServers
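
An added example, not part of the original report or the Qpid code base: a small Python filter that finds and masks password options in client log lines already written at INFO/DEBUG, so that affected logs can be identified and scrubbed and the exposed passwords changed. Matching any option whose name ends in `password` is an assumption of this example, and the sample lines are constructed from the output quoted above.

```python
import re

# Any URL option whose name ends in "password" followed by a quoted value,
# e.g. key_store_password='secret'. Suffix matching is an assumption of this
# example; it covers the four option names named in the report.
PASSWORD_OPTION = re.compile(r"\b(?P<name>\w*password)='(?P<value>[^']*)'", re.IGNORECASE)
MASK = "********"


def redact_line(line):
    """Mask password option values; return (redacted line, exposed option names)."""
    exposed = set()

    def mask(match):
        if match.group("value") != MASK:  # already-masked values are not findings
            exposed.add(match.group("name"))
        return f"{match.group('name')}='{MASK}'"

    return PASSWORD_OPTION.sub(mask, line), sorted(exposed)


def scan(lines):
    """Return (redacted lines, [(1-based line number, exposed option names), ...])."""
    redacted, findings = [], []
    for number, line in enumerate(lines, start=1):
        clean, exposed = redact_line(line)
        redacted.append(clean)
        if exposed:
            findings.append((number, exposed))
    return redacted, findings


# Constructed sample input, modelled on the log output quoted in the report.
SAMPLE_LOG = [
    "2018-03-16 12:56:02,196 INFO  [main] o.a.q.c.AMQConnection Unable to connect to broker at "
    "tcp://localhost:5672?encryption_trust_store='/path/to/truststore.jks'&encryption_trust_store_password='password'",
    "2018-03-16 12:56:02,196 INFO  [main] o.a.q.j.f.FailoverRoundRobinServers ==== Checking failoverAllowed() ====",
    "2018-03-16 13:03:20,879 DEBUG [main] o.a.q.c.AMQConnection Connection(1):amqp://admin:********@consumer/"
    "?key_store_password='secret'&trust_store_password='secret'&brokerlist='tcp://localhost:5672'",
]

if __name__ == "__main__":
    cleaned, hits = scan(SAMPLE_LOG)
    for number, names in hits:
        print(f"line {number}: clear-text value for {', '.join(names)}")
    print("\n".join(cleaned))
```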


