[ 
https://issues.apache.org/jira/browse/ARTEMIS-1157?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16563599#comment-16563599
 ] 

Sinaver Idris commented on ARTEMIS-1157:
----------------------------------------

How about sslEnabled, enabledProtocols, enabledCipherSuites params? Is there 
any way to force it on a client as well?
It is a security concern if a broker can force a client to use sslEnabled 
false, same applies to a broker forcing weaker TLS protocol and cipher suites.

Also, regarding using system properties on the broker so that this information 
is not shared as a part of cluster topology information, can password masking 
be applied here, e.g.: 
-Dorg.apache.activemq.ssl.keyStorePassword=ENC(3a34fd21b82bf2a822fa49a8d8fa115d)?

It seems it is not supported: 
https://activemq.apache.org/artemis/docs/latest/masking-passwords.html

> Do not update ssl client keystore/truststore path on topology update
> --------------------------------------------------------------------
>
>                 Key: ARTEMIS-1157
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1157
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>    Affects Versions: 2.0.0
>            Reporter: Philipp Aeschlimann
>            Priority: Major
>         Attachments: ArtemisMqCrashDemoClient.java, broker.xml
>
>
> We have a 2 node cluster where clients and the referenced connectors in the 
> cluster-connection do use ssl client auth (all working so far). Now if a 
> failover occurs - live server goes down - the clients try to re-connect with 
> the client keystore path that is defined on the connector in the server.
> We know that it is possible to overwrite this behavior by using the 
> org.apache.activemq.ssl.keyStore system property. But we have multiple 
> keystores and want to use them. Would it be possible that these settings:
> org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants.KEYSTORE_*
> org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants.TRUSTSTORE_*
> will not be updated from the server? I cannot think of a scenario where it 
> would make sense that the server tells the client where the client has to 
> look for its keystore and truststore settings.
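The downgrade concern raised in the comment above (a topology update pushing sslEnabled, enabledProtocols, enabledCipherSuites or keystore/truststore paths to the client) modelled as a client-side guard. This is an added illustration, not code from the thread or from Artemis itself; the parameter names are the connector keys discussed, while the merge policy and function names are assumptions.

```python
"""Client-side guard for connector parameters pushed in a cluster topology update.

Constructed example, not ActiveMQ Artemis code: the parameter names mirror the
Artemis connector keys discussed in the thread, but the policy is hypothetical.
"""
from typing import Any

# Settings only the client may decide; any pushed value for these is dropped.
CLIENT_OWNED = {"keyStorePath", "keyStorePassword", "trustStorePath", "trustStorePassword"}
# Settings whose pushed value must not be weaker than the local configuration.
TLS_LISTS = ("enabledProtocols", "enabledCipherSuites")


def _csv(value: Any) -> set[str]:
    """Parse a comma-separated list such as 'TLSv1.2,TLSv1.3' into a set."""
    return {v.strip() for v in str(value or "").split(",") if v.strip()}


def merge_topology_params(local: dict[str, Any], pushed: dict[str, Any]) -> dict[str, Any]:
    """Return the connector params to use for a reconnect after a topology update.

    local  -- params the client was configured with (the trust anchor)
    pushed -- params the broker supplied for the live/backup connector
    Raises ValueError instead of silently accepting a TLS downgrade.
    """
    merged = dict(local)
    for key, value in pushed.items():
        if key in CLIENT_OWNED:
            continue  # the broker never tells the client where its keys live
        if key == "sslEnabled":
            enabled = str(value).lower() != "false"  # accept bool or "true"/"false"
            if local.get("sslEnabled") and not enabled:
                raise ValueError("topology update attempts to disable TLS")
            merged[key] = enabled
            continue
        if key in TLS_LISTS:
            allowed, requested = _csv(local.get(key)), _csv(value)
            # If the client pinned a list, the pushed list must be a subset of it;
            # an unpinned client accepts whatever the broker sends.
            if allowed and not requested <= allowed:
                raise ValueError(f"{key}: {sorted(requested - allowed)} not permitted locally")
            if requested:  # narrowing to a subset is fine; an empty list keeps local
                merged[key] = ",".join(sorted(requested))
            continue
        merged[key] = value  # host, port and other non-security-relevant params
    return merged


def rejects(local: dict[str, Any], pushed: dict[str, Any]) -> bool:
    """True if the guard refuses the pushed parameters (used to check the policy)."""
    try:
        merge_topology_params(local, pushed)
    except ValueError:
        return True
    return False
```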



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
