Ted Ross updated DISPATCH-472:
    Fix Version/s:     (was: Backlog)

> Default value of authenticatePeer parameter in listener configuration
> ---------------------------------------------------------------------
>                 Key: DISPATCH-472
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-472
>             Project: Qpid Dispatch
>          Issue Type: Improvement
>            Reporter: Jakub Scholz
>            Priority: Major
>             Fix For: 1.6.0
>
> The authenticatePeer parameter in listener configuration currently has a 
> default value of "no". I believe this can lead to misunderstandings causing 
> security issues. Consider a listener configured like this:
> {code}
> listener { 
>     role: normal 
>     host: 
>     port: amqp 
>     saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5 
> } 
> {code}
> It has SASL authentication configured using username and password, and at 
> first look one might believe that such a listener is configured properly. 
> However, because of the missing "authenticatePeer: yes" parameter, it is still 
> possible to connect anonymously without the SASL layer.
> I believe it would be much better to have the authenticatePeer parameter 
> set to yes by default, either all the time or at least when SASL is configured.
> Please have a look at the related discussion from the mailing list:
> http://qpid.2158936.n2.nabble.com/Dispatch-Default-value-of-authenticatePeer-td7648676.html
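
A check for the misconfiguration described in the issue, as an added example that is not part of the original report or of the Qpid Dispatch code base: it parses `listener { ... }` blocks and flags any that do not set `authenticatePeer: yes`. The function names, the sample configuration and its host value are constructed for illustration, and treating only the literal `yes` as enabling authentication is an assumption.

```python
import re

# One "listener { ... }" block in a qdrouterd.conf-style file.
BLOCK_RE = re.compile(r"^\s*listener\s*\{(.*?)\}", re.S | re.M)

def parse_listeners(text):
    """Return one {attribute: value} dict per listener block."""
    listeners = []
    for body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        listeners.append(attrs)
    return listeners

def audit(text):
    """Return (index, port, reason) for listeners that admit anonymous peers."""
    findings = []
    for n, attrs in enumerate(parse_listeners(text), 1):
        # Per the issue, a missing authenticatePeer defaults to "no".
        # Assumption: only the literal "yes" enables it.
        if attrs.get("authenticatePeer", "no").lower() == "yes":
            continue
        if attrs.get("saslMechanisms"):
            reason = "saslMechanisms set, but authenticatePeer is not yes"
        else:
            reason = "authenticatePeer is not yes"
        findings.append((n, attrs.get("port", "?"), reason))
    return findings

# Constructed sample: listener 1 is modelled on the configuration in the
# issue (host value is constructed), listener 2 is the corrected form.
SAMPLE = """
listener {
    host: 0.0.0.0
    port: amqp
    saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5
}
listener {
    host: 0.0.0.0
    port: amqp
    saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5
    authenticatePeer: yes
}
"""
```

Calling `audit(SAMPLE)` reports only the first listener, the one that lists SASL mechanisms without requiring peer authentication.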
