[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-16 Thread Martin Krasa (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16128825#comment-16128825
 ] 

Martin Krasa commented on QPID-7867:


I am sorry for the late reply.

Authentication successfully retested. Broker will not allow JMS client to 
connect with expired self-signed certificate anymore.

> Authentication using expired certificate
> 
>
> Key: QPID-7867
> URL: https://issues.apache.org/jira/browse/QPID-7867
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Affects Versions: qpid-java-broker-7.0.0
> Environment: * qpid-jms-client version 0.23.0
> * java qpid broker 7.0.0
> Reporter: Martin Krasa
> Fix For: qpid-java-broker-7.0.0
>
>
> Using qpid-jms-client version 0.23.0 and (as of July 17 2017) expired 
> self-signed certificate (Valid until: Sat Dec 17 10:46:56 CET 2016) user can 
> _successfully authenticate_ against the java qpid broker 7.0.0 
> {code:title=extract from Java broker log file|borderStyle=solid}
> 2017-07-14 16:34:58,022 INFO [Broker-Config] (q.m.c.open) - [con:0(/XXX.XX.XX.XX:54268)] CON-1001 : Open : Destination : amqps(XXX.XX.XX.XXX:10202) : Protocol Version : 1.0 : SSL
> 2017-07-14 16:34:58,093 INFO [IO-/172.23.38.21:54268] (q.m.c.open) - [con:0(ACCOUNT_NAME@/XXX.XX.XX.XX:54268/default)] CON-1001 : Open : Destination : amqps(XXX.XX.XX.XXX:10202) : Protocol Version : 1.0 : SSL : Client ID : ID:6303ba8b-2055-49e5-9bf8-80336865a672:1 : Client Version : 0.23.0 : Client Product : QpidJMS
> 2017-07-14 16:34:58,124 INFO [IO-/XXX.XX.XX.XX:54268] (q.m.c.create) - [con:0(ACCOUNT_NAME@/XXX.XX.XX.XX:54268/default)/ch:0] CHN-1001 : Create
> 2017-07-14 16:34:58,155 INFO [IO-/XXX.XX.XX.XX:54268] (q.m.c.create) - [con:0(ACCOUNT_NAME@/XXX.XX.XX.XX:54268/default)/ch:1] CHN-1001 : Create
> {code}
> {color:blue}*NOTE:* The same behaviour rings true with expired node 
> certificate{color}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org



[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-09 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16120191#comment-16120191
 ] 

ASF subversion and git services commented on QPID-7867:
---

Commit f267226ab091ce1ff08bec9f42e8be9ac66019b0 in qpid-broker-j's branch 
refs/heads/master from Oleksandr Rudyy
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=f267226 ]

QPID-7867: [Java Broker] Address review comments


> Authentication using expired certificate
> 
>
> Key: QPID-7867
> URL: https://issues.apache.org/jira/browse/QPID-7867
> Project: Qpid
>  Issue Type: New Feature
>  Components: Java Broker
>Affects Versions: qpid-java-broker-7.0.0
> Environment: * qpid-jms-client version 0.23.0
> * java qpid broker 7.0.0
>Reporter: Martin Krasa
>Assignee: Keith Wall
> Fix For: qpid-java-broker-7.0.0
>
>



[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-09 Thread Alex Rudyy (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16120186#comment-16120186
 ] 

Alex Rudyy commented on QPID-7867:
--

I reviewed the changes. Here are my comments about minor issues:
# It looks like the constant {{PEERS_ONLY}} was moved from interface 
{{FileTrustStore}} into interface {{TrustStore}} by mistake. Only 
{{FileTrustStore}} has managed attribute {{peersOnly}}. Thus, the constant with 
an attribute name should be declared in {{FileTrustStore}} rather than in its parent
# Abstract method {{AbstractTrustStore#getTrustManagersInternal()}} is declared 
protected but its visibility is changed to public in inherited classes 
{{FileTrustStoreImpl}}, {{ManagedPeerCertificateTrustStoreImpl}}, 
{{NonJavaTrustStoreImpl}} and {{SiteSpecificTrustStoreImpl}}





[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-09 Thread Keith Wall (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16119543#comment-16119543
 ] 

Keith Wall commented on QPID-7867:
--


I found the following resources useful when working on the IBM JDK test 
failures (addressed by efb35e5). 

https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/knowndiffsun.html
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/debug.html

With regard to the change made to {{TrustAnchorValidatingTrustManager.java}} by 
efb35e5, I was unable to find an authoritative source that states that the peer 
certificate must appear in the store passed to {{PKIXBuilderParameters}} but I 
was able to find a number of examples of this usage style online (some with 
comments regarding working around IBM JDK 'issues').  "Beginning Cryptography 
with Java", Hook, 2005 also illustrates the same pattern.




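The check this issue asks for, as an added example that is not code from qpid-broker-j or from anyone in this thread: a trust manager wrapper that runs normal validation and then also requires the trust anchor terminating the chain to be inside its validity period. It finds the anchor by walking the chain rather than through {{PKIXBuilderParameters}} as discussed above for {{TrustAnchorValidatingTrustManager}}; every class and method name in it is hypothetical.

```java
import java.io.File;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Added example. All class and method names are hypothetical, not qpid-broker-j classes.
public class AnchorValidityCheck {
    /** Runs the delegate's normal validation, then rejects an out-of-date trust anchor. */
    static final class ValidityEnforcingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        ValidityEnforcingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
            requireValidAnchor(chain, new Date());
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType);
            requireValidAnchor(chain, new Date());
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

        /** Throws if the anchor terminating the chain is expired or not yet valid at 'when'. */
        void requireValidAnchor(X509Certificate[] chain, Date when) throws CertificateException {
            findAnchor(chain).checkValidity(when);
        }

        /** Walks up from the peer certificate; fails closed on the first anchor it meets. */
        X509Certificate findAnchor(X509Certificate[] chain) throws CertificateException {
            for (X509Certificate cert : chain) {
                for (X509Certificate candidate : delegate.getAcceptedIssuers()) {
                    if (candidate.equals(cert) || issued(candidate, cert)) {
                        return candidate;
                    }
                }
            }
            throw new CertificateException("no trust anchor found for chain");
        }

        private static boolean issued(X509Certificate issuer, X509Certificate subject) {
            if (!issuer.getSubjectX500Principal().equals(subject.getIssuerX500Principal())) {
                return false;
            }
            try {
                subject.verify(issuer.getPublicKey());
                return true;
            } catch (GeneralSecurityException e) {
                return false; // signature does not verify under this candidate's key
            }
        }
    }

    /** Builds the platform trust manager; a null KeyStore selects the JDK default truststore. */
    static X509TrustManager loadTrustManager(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    /** Lists the trust anchors the wrapper would refuse at the given time. */
    static List<String> rejectedAnchors(ValidityEnforcingTrustManager tm, Date when) {
        List<String> rejected = new ArrayList<>();
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            try {
                // One-element chain: a self-signed peer certificate stored in the truststore.
                tm.requireValidAnchor(new X509Certificate[] {anchor}, when);
            } catch (CertificateException e) {
                rejected.add(anchor.getSubjectX500Principal().getName()
                        + " (valid until " + anchor.getNotAfter() + ")");
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        // Optional arguments: <truststore file> <password>
        KeyStore ks = args.length == 2
                ? KeyStore.getInstance(new File(args[0]), args[1].toCharArray()) : null;
        ValidityEnforcingTrustManager tm = new ValidityEnforcingTrustManager(loadTrustManager(ks));
        List<String> rejected = rejectedAnchors(tm, new Date());
        System.out.println(tm.getAcceptedIssuers().length + " trust anchors, "
                + rejected.size() + " outside their validity period");
        rejected.forEach(line -> System.out.println("  " + line));
    }
}
```

Run with no arguments it audits the JDK default truststore; given a truststore file and password it lists the entries that would stop authenticating once anchor validity is enforced.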


[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-08 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16118239#comment-16118239
 ] 

ASF subversion and git services commented on QPID-7867:
---

Commit efb35e571dfe606534005a41a36d07d58eb8c129 in qpid-broker-j's branch 
refs/heads/master from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=efb35e5 ]

QPID-7867: Fix failing tests on IBM JDK due to differences in behaviour of the 
IBMJSSE2 Provider and the Oracle JSSE Provider.





[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-08 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16118101#comment-16118101
 ] 

ASF subversion and git services commented on QPID-7867:
---

Commit 00f614e96cea8b588046bb28a93fbeb1b170c90d in qpid-broker-j's branch 
refs/heads/master from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=00f614e ]

QPID-7867: Remove superfluous trust in new test case 
ExternalAuthenticationTest#testExternalAuthenticationDeniesExpiredClientCert





[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-08 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16117933#comment-16117933
 ] 

ASF subversion and git services commented on QPID-7867:
---

Commit 8f512958a6121466262418b056b901ab7a73050f in qpid-broker-j's branch 
refs/heads/master from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=8f51295 ]

QPID-7867: [FileTrustStore] Avoid the needless wrapping of a singleton 
TrustManager within a QpidMultipleTrustManager





[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-07 Thread Rob Godfrey (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116690#comment-16116690
 ] 

Rob Godfrey commented on QPID-7867:
---

D'oh - apologies, I misread the patch in concert with reading your comment on 
needing to enable {{trustAnchorValidityEnforced}} which made me think that you 
MUST set on a per truststore basis.  (For Martin I guess setting the context 
variable would be the better approach than modifying the individual truststore.)




[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-07 Thread Keith Wall (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116682#comment-16116682
 ] 

Keith Wall commented on QPID-7867:
--

Rob, didn't I do that already?  The new managed attribute is backed by 
{{qpid.truststore.trustAnchorValidityEnforced}}. 




[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-07 Thread Rob Godfrey (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116554#comment-16116554
 ] 

Rob Godfrey commented on QPID-7867:
---

Why not use a context value for the default rather than a literal false; in 
that way one could easily change the default for all trust stores (including 
new trust stores) to enforce this behaviour?




[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-07 Thread Keith Wall (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116549#comment-16116549
 ] 

Keith Wall commented on QPID-7867:
--

Martin, the feature has been added.  Can you retest?  You'll need to enable 
{{trustAnchorValidityEnforced}} for the truststore.  You can do this through 
the UI or from REST.   Comments welcomed.




[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-07 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116545#comment-16116545
 ] 

ASF subversion and git services commented on QPID-7867:
---

Commit d55b08e89e2d0755b392bfe291a5e9698a782e4f in qpid-broker-j's branch 
refs/heads/master from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=d55b08e ]

QPID-7867: [Java Broker] Extend UI to allow "Trust Anchor Validity Enforced" to 
be mutated

Added documentation.





[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-07 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116467#comment-16116467
 ] 

ASF subversion and git services commented on QPID-7867:
---

Commit 93d95fdc2e6ced1377092e9e616a49a37a15 in qpid-broker-j's branch 
refs/heads/master from [~k-wall]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=93d ]

QPID-7867: [Java Broker] Add truststore feature that insists trust anchors are 
within validity period.


> Authentication using expired certificate
> 
>
> Key: QPID-7867
> URL: https://issues.apache.org/jira/browse/QPID-7867
> Project: Qpid
>  Issue Type: Bug
>  Components: Java Broker
>Affects Versions: qpid-java-broker-7.0.0
> Environment: * qpid-jms-client version 0.23.0
> * java qpid broker 7.0.0
>Reporter: Martin Krasa
>



[jira] [Commented] (QPID-7867) Authentication using expired certificate

2017-08-06 Thread Keith Wall (JIRA)

[ 
https://issues.apache.org/jira/browse/QPID-7867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16115891#comment-16115891
 ] 

Keith Wall commented on QPID-7867:
--

The issue was discussed on list here:

http://qpid.2158936.n2.nabble.com/QPID-7867-Java-Broker-Authentication-using-self-signed-expired-certificates-td7665246.html

The agreement was that this was not a security issue but a new feature would be 
added to the Java Broker to help this specific use-case.
