[ https://issues.apache.org/jira/browse/QPID-8135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-8135:
-----------------------------
    Status: Reviewable  (was: In Progress)

> [JMS AMQP 0-x] Connection URL options for end-to-end encryption 
> keystore/truststore passwords can be logged when log level for 
> 'org.apache.qpid' loggers is lower than 'warn'
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-8135
>                 URL: https://issues.apache.org/jira/browse/QPID-8135
>             Project: Qpid
>          Issue Type: Bug
>          Components: JMS AMQP 0-x
>    Affects Versions: qpid-java-client-0-x-6.3.0
>            Reporter: Alex Rudyy
>            Assignee: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-client-0-x-6.3.1
>
>
> The connection URL password options can be logged when the log level for 
> 'org.apache.qpid' loggers is lower than 'warn'.
> The following cases are identified when a password is logged:
>  # when encryption keystore/truststore parameters are declared as part of the 
> broker URL, the 'org.apache.qpid' loggers log level is set to 'info' or a lower 
> threshold, and connectivity is not established, the 
> encryption_key_store_password or encryption_trust_store_password can be 
> logged with info log level as below:
> {noformat}
> 2018-03-16 12:56:02,196 INFO  [main] o.a.q.c.AMQConnection Unable to connect 
> to broker at 
> tcp://localhost:5672?encryption_trust_store='/path/to/trustore.jks'&encryption_trust_store_password='password'
> org.apache.qpid.transport.TransportException: Error connecting to broker
>       at 
> org.apache.qpid.transport.network.io.IoNetworkTransport.connectTcp(IoNetworkTransport.java:151)
> ...
> 2018-03-16 12:56:02,196 INFO  [main] o.a.q.j.f.FailoverRoundRobinServers ==== 
> Checking failoverAllowed() ====
> 2018-03-16 12:56:02,197 INFO  [main] o.a.q.j.f.FailoverRoundRobinServers 
> Cycle Servers:
> Cycle Retries:20
> Current Cycle:20
> Server Retries:0
> Current Retry:0
> Current Broker:0
> >tcp://localhost:5672?encryption_trust_store='/path/to/trsutsore.jks'&encryption_trust_store_password='password'
> {noformat}
>  # when encryption keystore/truststore parameters and/or SSL trust store 
> parameters and/or SSL client-auth parameters are declared as part of the 
> connection URL and the 'org.apache.qpid' loggers log level is set to 'debug' or a 
> lower threshold, the password options can be logged with DEBUG log level as 
> below:
> {noformat}
> 2018-03-16 13:03:20,879 DEBUG [main] o.a.q.c.AMQConnection 
> Connection(1):amqp://admin:********@consumer/?encryption_trust_store='/path/to/keystore.jks'&trust_store='/path/to/trsustore.ts'&key_store_password='secret'&encryption_trust_store_password='password'&key_store='/path/to/keystore.ks'&trust_store_password='secret'&brokerlist='tcp://localhost:5672'&failover='roundrobin?cyclecount='20''
> {noformat}
> The workaround for the issue would be to set debug log level to warn at 
> least for the following loggers:
> * org.apache.qpid.client.AMQConnection
> * org.apache.qpid.jms.failover.FailoverRoundRobinServers



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
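
An added example, not part of the original message or the Qpid code base: a Python check that audits existing client logs for the password options described in the report, names the loggers that emitted them, and produces a redacted copy. The sample lines are constructed from the excerpts above (wrapped lines joined, the DEBUG URL shortened); treating every option whose name ends in `password` as a secret is an assumption.

```python
import re

# URL options whose name ends in "password" with a single-quoted value,
# e.g. encryption_trust_store_password='...' (assumed naming rule).
PASSWORD_OPTION = re.compile(r"(?P<name>\b\w*password)='(?P<value>[^']*)'", re.IGNORECASE)
# "date time LEVEL [thread] logger", the layout seen in the excerpts above.
LOG_PREFIX = re.compile(r"^\S+ \S+ (?P<level>[A-Z]+)\s+\[[^\]]*\] (?P<logger>\S+)")
MASK = "********"

# Constructed sample input based on the report's log excerpts.
SAMPLE = [
    "2018-03-16 12:56:02,196 INFO  [main] o.a.q.c.AMQConnection Unable to connect to broker at "
    "tcp://localhost:5672?encryption_trust_store='/path/to/trustore.jks'&encryption_trust_store_password='password'",
    "org.apache.qpid.transport.TransportException: Error connecting to broker",
    "2018-03-16 12:56:02,197 INFO  [main] o.a.q.j.f.FailoverRoundRobinServers Cycle Servers:",
    "Current Broker:0",
    ">tcp://localhost:5672?encryption_trust_store='/path/to/trsutsore.jks'&encryption_trust_store_password='password'",
    "2018-03-16 13:03:20,879 DEBUG [main] o.a.q.c.AMQConnection Connection(1):amqp://admin:********@consumer/"
    "?key_store_password='secret'&encryption_trust_store_password='password'&trust_store_password='secret'"
    "&brokerlist='tcp://localhost:5672'",
]

def redact(text):
    """Mask the value of every password option, leaving the option name visible."""
    return PASSWORD_OPTION.sub(lambda m: f"{m.group('name')}='{MASK}'", text)

def scan(lines):
    """Return (line number, level, logger, option names) for each line leaking a password."""
    findings, level, logger = [], None, None
    for number, line in enumerate(lines, start=1):
        prefix = LOG_PREFIX.match(line)
        if prefix:  # continuation lines inherit level/logger from the last record
            level, logger = prefix.group("level"), prefix.group("logger")
        names = [m.group("name") for m in PASSWORD_OPTION.finditer(line)
                 if m.group("value") != MASK]
        if names:
            findings.append((number, level, logger, names))
    return findings

def leaking_loggers(lines):
    """Loggers to raise to 'warn' or higher, derived from the findings."""
    return sorted({logger for _, _, logger, _ in scan(lines)})

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(leaking_loggers(SAMPLE))
    print("\n".join(redact(line) for line in SAMPLE))
```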
