[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16128825#comment-16128825 ]

Martin Krasa commented on QPID-7867:

I am sorry for the late reply. Authentication successfully retested. Broker will not allow JMS client to connect with expired self-signed certificate anymore.

> Authentication using expired certificate
>
> Key: QPID-7867
> URL: https://issues.apache.org/jira/browse/QPID-7867
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: qpid-java-broker-7.0.0
> Environment: * qpid-jms-client version 0.23.0
> * java qpid broker 7.0.0
> Reporter: Martin Krasa
> Fix For: qpid-java-broker-7.0.0
>
> Using qpid-jms-client version 0.23.0 and (as of July 17 2017) expired self-signed certificate (Valid until: Sat Dec 17 10:46:56 CET 2016) user can _successfully authenticate_ against the java qpid broker 7.0.0
> {code:title=extract from Java broker log file|borderStyle=solid}
> 2017-07-14 16:34:58,022 INFO [Broker-Config] (q.m.c.open) - [con:0(/XXX.XX.XX.XX:54268)] CON-1001 : Open : Destination : amqps(XXX.XX.XX.XXX:10202) : Protocol Version : 1.0 : SSL
> 2017-07-14 16:34:58,093 INFO [IO-/172.23.38.21:54268] (q.m.c.open) - [con:0(ACCOUNT_NAME@/XXX.XX.XX.XX:54268/default)] CON-1001 : Open : Destination : amqps(XXX.XX.XX.XXX:10202) : Protocol Version : 1.0 : SSL : Client ID : ID:6303ba8b-2055-49e5-9bf8-80336865a672:1 : Client Version : 0.23.0 : Client Product : QpidJMS
> 2017-07-14 16:34:58,124 INFO [IO-/XXX.XX.XX.XX:54268] (q.m.c.create) - [con:0(ACCOUNT_NAME@/XXX.XX.XX.XX:54268/default)/ch:0] CHN-1001 : Create
> 2017-07-14 16:34:58,155 INFO [IO-/XXX.XX.XX.XX:54268] (q.m.c.create) - [con:0(ACCOUNT_NAME@/XXX.XX.XX.XX:54268/default)/ch:1] CHN-1001 : Create
> {code}
> {color:blue}*NOTE:* The same behaviour rings true with expired node certificate{color}

--
This message was sent by Atlassian JIRA (v6.4.14#64029)

To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16120191#comment-16120191 ]

ASF subversion and git services commented on QPID-7867:

Commit f267226ab091ce1ff08bec9f42e8be9ac66019b0 in qpid-broker-j's branch refs/heads/master from Oleksandr Rudyy
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=f267226 ]

QPID-7867: [Java Broker] Address review comments

> Authentication using expired certificate
>
> Key: QPID-7867
> URL: https://issues.apache.org/jira/browse/QPID-7867
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: qpid-java-broker-7.0.0
> Environment: * qpid-jms-client version 0.23.0
> * java qpid broker 7.0.0
> Reporter: Martin Krasa
> Assignee: Keith Wall
> Fix For: qpid-java-broker-7.0.0
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16120186#comment-16120186 ]

Alex Rudyy commented on QPID-7867:

I reviewed the changes. Here are my comments about minor issues
# It looks like the constant {{PEERS_ONLY}} was moved from interface {{FileTrustStore}} into interface {{TrustStore}} by mistake. Only {{FileTrustStore}} has managed attribute {{peersOnly}}. Thus, the constant with an attribute name should be declared in {{FileTrustStore}} rather than in its parent
# Abstract method {{AbstractTrustStore#getTrustManagersInternal()}} is declared protected but its visibility is changed to public in inherited classes {{FileTrustStoreImpl}}, {{ManagedPeerCertificateTrustStoreImpl}}, {{NonJavaTrustStoreImpl}} and {{SiteSpecificTrustStoreImpl}}
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16119543#comment-16119543 ]

Keith Wall commented on QPID-7867:

I found the following resources useful when working on the IBM JDK test failures (addressed by efb35e5).

https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/knowndiffsun.html
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/debug.html

With regard to the change made to {{TrustAnchorValidatingTrustManager.java}} by efb35e5, I was unable to find an authoritative source that states that the peer certificate must appear in the store passed to {{PKIXBuilderParameters}} but I was able to find a number of examples of this usage style online (some with comments regarding working around IBM JDK 'issues'). "Beginning Cryptography with Java", Hook, 2005 also illustrates the same pattern.
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16118239#comment-16118239 ]

ASF subversion and git services commented on QPID-7867:

Commit efb35e571dfe606534005a41a36d07d58eb8c129 in qpid-broker-j's branch refs/heads/master from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=efb35e5 ]

QPID-7867: Fix failing tests on IBM JDK due to differences in behaviour of the IBMJSSE2 Provider and the Oracle JSSE Provider.
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16118101#comment-16118101 ]

ASF subversion and git services commented on QPID-7867:

Commit 00f614e96cea8b588046bb28a93fbeb1b170c90d in qpid-broker-j's branch refs/heads/master from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=00f614e ]

QPID-7867: Remove superfluous trust in new test case ExternalAuthenticationTest#testExternalAuthenticationDeniesExpiredClientCert
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16117933#comment-16117933 ]

ASF subversion and git services commented on QPID-7867:

Commit 8f512958a6121466262418b056b901ab7a73050f in qpid-broker-j's branch refs/heads/master from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=8f51295 ]

QPID-7867: [FileTrustStore] Avoid the needless wrapping of a singleton TrustManager within a QpidMultipleTrustManager
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116690#comment-16116690 ]

Rob Godfrey commented on QPID-7867:

D'oh - apologies, I misread the patch in concert with reading your comment on needing to enable {{trustAnchorValidityEnforced}} which made me think that you MUST set on a per truststore basis. (For Martin I guess setting the context variable would be the better approach than modifying the individual truststore.)
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116682#comment-16116682 ]

Keith Wall commented on QPID-7867:

Rob, didn't I do that already? The new managed attribute is backed by {{qpid.truststore.trustAnchorValidityEnforced}}.
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116554#comment-16116554 ]

Rob Godfrey commented on QPID-7867:

Why not use a context value for the default rather than a literal false; in that way one could easily change the default for all trust stores (including new trust stores) to enforce this behaviour?
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116549#comment-16116549 ]

Keith Wall commented on QPID-7867:

Martin, the feature has been added. Can you retest? You'll need to enable {{trustAnchorValidityEnforced}} for the truststore. You can do this through the UI or from REST. Comments welcomed.
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116545#comment-16116545 ]

ASF subversion and git services commented on QPID-7867:

Commit d55b08e89e2d0755b392bfe291a5e9698a782e4f in qpid-broker-j's branch refs/heads/master from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=d55b08e ]

QPID-7867: [Java Broker] Extend UI to allow "Trust Anchor Validity Enforced" to be mutated

Added documentation.
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116467#comment-16116467 ]

ASF subversion and git services commented on QPID-7867:

Commit 93d95fdc2e6ced1377092e9e616a49a37a15 in qpid-broker-j's branch refs/heads/master from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=93d ]

QPID-7867: [Java Broker] Add truststore feature that insists trust anchors are within validity period.

> Authentication using expired certificate
>
> Key: QPID-7867
> URL: https://issues.apache.org/jira/browse/QPID-7867
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: qpid-java-broker-7.0.0
> Environment: * qpid-jms-client version 0.23.0
> * java qpid broker 7.0.0
> Reporter: Martin Krasa
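
One way to implement the check that commit message describes, as an added example and not the code committed to qpid-broker-j: a wrapper that runs after the normal trust decision and rejects the chain when the matching trust anchor is outside its validity period, which also covers a self-signed client certificate stored directly in the truststore. The class name and the rule that every X.509 entry in the store counts as an anchor are assumptions.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import javax.net.ssl.X509TrustManager;

// Added example: AnchorValidityTrustManager is a hypothetical name, not a Qpid class.
public final class AnchorValidityTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final List<X509Certificate> anchors = new ArrayList<>();

    // Assumption: every X.509 certificate in trustStore acts as a trust anchor.
    public AnchorValidityTrustManager(X509TrustManager delegate, KeyStore trustStore)
            throws KeyStoreException {
        this.delegate = delegate;
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.getCertificate(alias) instanceof X509Certificate) {
                anchors.add((X509Certificate) trustStore.getCertificate(alias));
            }
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String auth) throws CertificateException {
        delegate.checkClientTrusted(chain, auth); // usual chain validation first
        requireValidAnchor(chain, new Date());
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException {
        delegate.checkServerTrusted(chain, auth);
        requireValidAnchor(chain, new Date());
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    // Walk the chain from the leaf; the first certificate that is an anchor, or was signed by
    // one, decides. A re-issued anchor passes as long as one matching copy is valid at 'when'.
    void requireValidAnchor(X509Certificate[] chain, Date when) throws CertificateException {
        for (X509Certificate cert : chain) {
            X509Certificate rejected = null;
            for (X509Certificate anchor : anchors) {
                if (anchor.equals(cert) || issued(anchor, cert)) {
                    if (isValidAt(anchor, when)) {
                        return;
                    }
                    rejected = anchor;
                }
            }
            if (rejected != null) {
                throw new CertificateException("Trust anchor outside validity period: "
                        + rejected.getSubjectX500Principal() + ", notAfter " + rejected.getNotAfter());
            }
        }
        throw new CertificateException("No trust anchor matches the presented chain");
    }

    private static boolean issued(X509Certificate anchor, X509Certificate cert) {
        try {
            if (!anchor.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                return false;
            }
            cert.verify(anchor.getPublicKey()); // throws if the signature does not match
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    static boolean isValidAt(X509Certificate cert, Date when) {
        try {
            cert.checkValidity(when);
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    // Audit mode: java AnchorValidityTrustManager <truststore> <password> lists each anchor.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (X509Certificate a : new AnchorValidityTrustManager(null, ks).anchors) {
            System.out.printf("%-7s %s notAfter=%s%n", isValidAt(a, new Date()) ? "OK" : "INVALID",
                    a.getSubjectX500Principal(), a.getNotAfter());
        }
    }
}
```

Running the `main` audit against a truststore before enabling `trustAnchorValidityEnforced` shows which entries would start being refused.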
[jira] [Commented] (QPID-7867) Authentication using expired certificate
[ https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16115891#comment-16115891 ]

Keith Wall commented on QPID-7867:

The issue was discussed on list here:

http://qpid.2158936.n2.nabble.com/QPID-7867-Java-Broker-Authentication-using-self-signed-expired-certificates-td7665246.html

The agreement was that this was not a security issue but a new feature would be added to the Java Broker to help this specific use-case.