[
https://issues.apache.org/jira/browse/DISPATCH-1440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16946049#comment-16946049
]
ASF GitHub Bot commented on DISPATCH-1440:
------------------------------------------
bhardesty commented on pull request #582: DISPATCH-1440 - Deprecated
passwordFile attribute in sslProfile and m…
URL: https://github.com/apache/qpid-dispatch/pull/582#discussion_r332134469
##########
File path: docs/books/user-guide/configuration-security.adoc
##########
@@ -133,7 +133,7 @@ For example:
privateKeyFile: /qdrouterd/ssl_certs/router-key-pwd.pem
----
-`passwordFile` or `password`:: If the private key is password-protected, you
must provide the password by either specifying the absolute path to a file
containing the password that unlocks the certificate key, or entering the
password directly in the configuration file.
+`passwordFile` or `password`:: If the private key is password-protected, you
must provide the password by either specifying the absolute path to a file
containing the password that unlocks the certificate key, or entering the
password directly in the configuration file. Entering the password directly in
the configuration file is unsafe. passwordFile has been deprecated. Use
password.
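Review bot: the added text ends with "Entering the password directly in the configuration file is unsafe. passwordFile has been deprecated. Use password.", which reads as a contradiction, since `password` is the attribute that takes a literal, and the reader is given no way to keep the secret out of the config file once `passwordFile` is gone. Suggest rewriting the definition around the prefixed forms listed in the issue description on this page (`password: env:VAR`, `password: file:/absolute/path`, `password: pass:secret`), recommending `env:` or `file:` over a literal, and keeping the deprecation as a one-line note such as "The `passwordFile` attribute is deprecated; use `password: file:<absolute path>` instead." The term line `` `passwordFile` or `password`:: `` should also drop `passwordFile` or mark it deprecated, otherwise the term still advertises the attribute the text is retiring.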
Review comment:
I know it's not obvious, but this file is an old version that is no longer
published as part of the user guide. Instead of one, generic procedure for
configuring an sslProfile, it's now included within the procedures for each
scenario in which you would use an sslProfile (each of which would probably
require a different sslProfile to be configured):
Connecting routers together (i.e. inter-router):
https://qpid.apache.org/releases/qpid-dispatch-1.9.0/user-guide/index.html#securing-connections-between-routers-router
Enabling encryption/authentication for incoming "normal" connections:
https://qpid.apache.org/releases/qpid-dispatch-1.9.0/user-guide/index.html#enabling-ssl-tls-encryption-router
Connecting securely to an external container with mutual TLS:
https://qpid.apache.org/releases/qpid-dispatch-1.9.0/user-guide/index.html#connecting-using-mutual-ssl-tls-authentication-router
Connecting securely to an external container with one-way TLS:
https://qpid.apache.org/releases/qpid-dispatch-1.9.0/user-guide/index.html#connecting-using-one-way-ssl-tls-authentication-router
For each of these instances of sslProfile, if appropriate to the scenario at
hand, I would add the "password" attribute.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Deprecate the passwordFile field in sslProfile and consolidate all password
> scenarios to use the password field
> ----------------------------------------------------------------------------------------------------------------
>
> Key: DISPATCH-1440
> URL: https://issues.apache.org/jira/browse/DISPATCH-1440
> Project: Qpid Dispatch
> Issue Type: Improvement
> Components: Container
> Affects Versions: 1.9.0
> Reporter: Ganesh Murthy
> Assignee: Ganesh Murthy
> Priority: Major
>
> Deprecate the passwordFile field and consolidate all password scenarios to
> use the password field. We will use the password options that
> [openssl|https://www.openssl.org/docs/man1.1.1/man1/openssl.html] uses (see
> Pass Phrase Options sections). Going forward, here are three ways to specify
> a password in an sslProfile
>
> {noformat}
> sslProfile {
>     caCertFile: .....
>     certFile: .....
>     # Get the password from the environment variable TLS_SERVER_PASSWORD.
>     # Note the env: prefix
>     password: env:TLS_SERVER_PASSWORD
>     OR
>     # Get the password from the absolute file path. Note the file: prefix
>     password: file:/home/tls/password-file.txt
>     OR
>     # Specify the actual password. Note the pass: prefix
>     password: pass:actual_password
> }
> {noformat}
> (We will not be supporting the openssl options fd: and stdin.)
>
>
> While you can still specify the actual password in the password field using
> the pass: prefix, which casual users might want to do, you are also able to
> specify the file path or environment variable for more robust security.
> This change will be backward compatible, which means you will still be able
> to specify the actual password in the password field without the pass:
> prefix. The "literal" prefix will continue to work as well. The passwordFile
> field will be deprecated and eventually removed when we move to a major version.
>
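As an added illustration of the password forms the issue above describes (example code written for this page, not qpid-dispatch's own implementation, and in Python rather than the router's C for brevity): a resolver that handles the env:, file:, pass: and literal: prefixes plus the unprefixed backward-compatible literal, refuses the fd: and stdin forms the issue says will not be supported, reads only the first line of a password file so an editor's trailing newline does not become part of the secret, and checks that a password file is not group- or world-readable. The function and class names, the permission check, the rule that a relative file: path is refused, and the rule that a profile may not set both passwordFile and password are assumptions made for this example.

```python
"""Resolve an sslProfile ``password`` value using openssl-style prefixes.

Standalone illustration of the scheme in DISPATCH-1440; not qpid-dispatch code.
Names, the permission check and the two-attribute rule are assumptions.
"""
import os
import stat
from typing import Dict, List, Mapping, Optional, Tuple


class PasswordSpecError(ValueError):
    """Raised when a password specification cannot be resolved."""


def resolve_password(spec: str, environ: Optional[Mapping[str, str]] = None) -> str:
    """Return the private-key password named by ``spec``.

    Forms taken from the issue text: ``env:NAME``, ``file:/abs/path``,
    ``pass:secret``, ``literal:secret`` and a bare literal. ``fd:`` and
    ``stdin`` are rejected because the issue says they will not be supported.
    """
    env = os.environ if environ is None else environ

    if spec == "stdin" or spec.startswith("fd:"):
        raise PasswordSpecError("unsupported password source: %r" % spec)

    if spec.startswith("env:"):
        name = spec[len("env:"):]
        if not name or name not in env:
            raise PasswordSpecError("environment variable %r is not set" % name)
        return env[name]

    if spec.startswith("file:"):
        path = spec[len("file:"):]
        if not os.path.isabs(path):
            # The issue says "absolute file path"; a relative path would depend
            # on the router's working directory, so refuse it (assumption).
            raise PasswordSpecError("password file path must be absolute: %r" % path)
        try:
            with open(path, "r", encoding="utf-8") as fh:
                data = fh.read()
        except OSError as exc:
            raise PasswordSpecError("cannot read password file %r: %s" % (path, exc))
        # Use the first line only, so a trailing newline left by an editor
        # does not silently become part of the password.
        return data.splitlines()[0] if data else ""

    if spec.startswith("pass:"):
        return spec[len("pass:"):]

    if spec.startswith("literal:"):
        return spec[len("literal:"):]

    # Backward compatibility: an unprefixed value is the password itself.
    return spec


def try_resolve(spec: str, environ: Optional[Mapping[str, str]] = None
                ) -> Tuple[Optional[str], Optional[str]]:
    """Return (password, None) on success or (None, error message) on failure."""
    try:
        return resolve_password(spec, environ), None
    except PasswordSpecError as exc:
        return None, str(exc)


def password_file_is_private(path: str) -> bool:
    """True if ``path`` is a regular file with no group/other permission bits.

    A ``file:`` password only improves on a literal in the config file if the
    file itself cannot be read by other local users (added check, assumption).
    """
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def consolidate_profile(profile: Mapping[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Fold the deprecated ``passwordFile`` attribute into ``password: file:...``.

    Returns the rewritten profile and a list of deprecation warnings. Setting
    both attributes is treated as an error (assumption: the issue does not say
    which one wins).
    """
    new = dict(profile)
    warnings: List[str] = []
    if "passwordFile" in new:
        path = new.pop("passwordFile")
        if "password" in new:
            raise PasswordSpecError("sslProfile sets both passwordFile and password")
        new["password"] = "file:" + path
        warnings.append("passwordFile is deprecated; use password: file:%s" % path)
    return new, warnings


if __name__ == "__main__":
    # Constructed sample inputs: the issue's three forms plus an unsupported one.
    fake_env = {"TLS_SERVER_PASSWORD": "from-env"}
    for spec in ("env:TLS_SERVER_PASSWORD", "pass:actual_password", "fd:3"):
        print(spec, "->", try_resolve(spec, fake_env))
    print(consolidate_profile({"certFile": "/qdrouterd/ssl_certs/router-cert.pem",
                               "passwordFile": "/home/tls/password-file.txt"}))
```

Run stand-alone it prints the resolution of each sample spec; call `password_file_is_private` on a real password file before trusting a `file:` value, since a 0644 file gives every local user the key password.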
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]