You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2012/10/01 00:14:07 UTC
[jira] [Updated] (QPID-4352) Java client logs
key_store_password/trust_store_password from connection url at debug
[ https://issues.apache.org/jira/browse/QPID-4352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Keith Wall updated QPID-4352:
-----------------------------
Affects Version/s: 0.18
> Java client logs key_store_password/trust_store_password from connection url at debug
> -------------------------------------------------------------------------------------
>
> Key: QPID-4352
> URL: https://issues.apache.org/jira/browse/QPID-4352
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: 0.16, 0.18
> Reporter: Keith Wall
> Assignee: Robbie Gemmell
> Fix For: 0.19
>
>
> When run in DEBUG, the Qpid client logs the trust store/key store passwords to the log. This could present a security issue.
> {noformat}
> main 2012-09-29 22:32:54,558 DEBUG [apache.qpid.client.AMQConnection] Connection(1):amqp://guest:********@test/?brokerlist='tcp://localhost:15671?trust_store_password='password'&trust_store='test-profiles/test_resources/ssl/java_client_truststore.jks'&ssl_verify_hostname='true'&ssl='true'&key_store_password='password'&key_store='test-profiles/test_resources/ssl/java_client_keystore.jks''
> {noformat}
> The code should be changed to mask these passwords in the same fashion as the client's password. This change was made by QPID-1208.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org