Posted to dev@qpid.apache.org by "Andrew Stitcher (JIRA)" <ji...@apache.org> on 2012/05/22 00:25:41 UTC

[jira] [Resolved] (QPID-4013) Windows Broker SSL is more difficult to use than necessary and possibly less secure than possible

     [ https://issues.apache.org/jira/browse/QPID-4013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Stitcher resolved QPID-4013.
-----------------------------------

    Resolution: Fixed

Note that this change represents a small change in default functionality:

The broker now looks in the CurrentUser certificate store by default. To use the previous default, specify "--ssl-cert-store-location LocalMachine" on the qpidd command line, or set the equivalent option in the configuration file.
                
> Windows Broker SSL is more difficult to use than necessary and possibly less secure than possible
> -------------------------------------------------------------------------------------------------
>
>                 Key: QPID-4013
>                 URL: https://issues.apache.org/jira/browse/QPID-4013
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.14, 0.16, 0.17
>         Environment: Windows
>            Reporter: Andrew Stitcher
>            Assignee: Andrew Stitcher
>            Priority: Minor
>             Fix For: 0.17
>
>
> The current Windows Broker SSL code always uses the LocalMachine certificate store opened read/write. This has a number of drawbacks:
> * Opening read/write means that the broker has to run as administrator to use the certificates in the store. The broker only reads from the store, so this is actually unnecessary.
> * Forcing use of LocalMachine for the certificates means that they are readable by every user on the machine, which might be a security issue, as it would allow any process on the machine to impersonate the qpid broker.

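One way to check, from the account that will run qpidd, which store location holds a certificate the broker could use, opening each store read-only as the issue says is sufficient. This is an added example, not part of the original message or of the Qpid code; the function name `Get-BrokerCertCandidate` and the store name "My" are assumptions.

```powershell
# Added example: list usable server certificates per store location, read-only.
# Assumptions (not from the original message): the store name "My" and the
# function name Get-BrokerCertCandidate.
function Get-BrokerCertCandidate {
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Location = 'CurrentUser',   # broker default after QPID-4013
        [string]$StoreName = 'My'            # assumed store name
    )
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $loc   = [System.Security.Cryptography.X509Certificates.StoreLocation]$Location
    $store = New-Object "$ns.X509Store" -ArgumentList $StoreName, $loc
    # ReadOnly + OpenExistingOnly: never creates or modifies a store, so no
    # administrator rights are needed just to read certificates.
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly'
    try {
        $store.Open($flags)
    } catch {
        Write-Warning "Cannot open $Location\$StoreName read-only: $($_.Exception.Message)"
        return
    }
    try {
        $now = Get-Date
        foreach ($cert in $store.Certificates) {
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
            # A certificate without an EKU extension is not restricted to specific usages.
            $serverAuth = (-not $eku) -or ($oids -contains '1.3.6.1.5.5.7.3.1')
            $inDate     = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
            [pscustomobject]@{
                Location      = $Location
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                ServerAuth    = $serverAuth
                Usable        = $cert.HasPrivateKey -and $serverAuth -and $inDate
            }
        }
    } finally {
        $store.Close()
    }
}

# Compare the new default location with the previous one.
'CurrentUser', 'LocalMachine' |
    ForEach-Object { Get-BrokerCertCandidate -Location $_ } |
    Format-Table -AutoSize
```

Run it as the broker's service account: a certificate that shows `Usable` only under LocalMachine means the broker still needs `--ssl-cert-store-location LocalMachine` until the certificate is moved.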