SSL authentication/authorization patch

[Sepand M <se...@gmail.com>]

Hey guys,

The patch is done.
It's here: https://issues.apache.org/activemq/browse/AMQ-912
Hope you like it.
It would be really great if you could give an estimate of when you will
decide if it goes in or not (although I doubt you can =) ).

Regards,
Sepand

Re: SSL authentication/authorization patch

[Sepand M <se...@gmail.com>]

Sorry. Using thunderbird, didn't see the Hiram's reply =)

On 9/22/06, Sepand M <se...@gmail.com> wrote:
>
> Some of the more experienced people can correct me on this, but I think
> you can set socket options using "socket._option_" arguments in the URI
> (e.g. "ssl://localhost:61616?socket.my_option=true"). I'm not sure if
> this would give all the flexibility you need, but it's a start. If that
> doesn't work, for SSL specific stuff, I added a
> SslActiveMQConnectionFactory (or a similar name).
>
> Any good?
> Sepand
>
> Kelly Campbell wrote:
> > Thanks Sepand. I did review those instructions earlier.
> >
> > What about the other requirements to be able to set specific options
> > on the socket, e.g. not allowing weak ciphers? I think having the
> > config in the URL is good, but not sufficient in this case. I'd like
> > to propose adding a SocketFactory parameter to a new constructor on
> > the ActiveMQConnectionFactory (actually the code for this is almost
> > complete). This would be useful for not only SSL connections, but
> > other tcp connections if the user wants to customize some of the
> > socket options.
> >
> > Thanks,
> > Kelly
> >
> > On 9/21/06, Sepand M <se...@gmail.com> wrote:
> >> Yeah, we realized this was needed, but I didn't have time (my work term
> >> at the company was ending).
> >> I've left instructions for people taking over this project on how to do
> >> this (it just takes one setter and a well placed call from that
> setter).
> >> I'm not sure when it will be done though.
> >>
> >> - Sepand
> >>
> >> Hiram Chirino wrote:
> >> > On 9/21/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> >> >> On 9/21/06, Kelly Campbell <ke...@gmail.com> wrote:
> >> >> > Thanks for getting this submitted Sepand, and thanks for patching
> >> >> it in Hiram.
> >> >> >
> >> >> > I'm looking at how best to configure the keystore settings more
> >> >> > dynamically without using the default system properties or
> >> anything in
> >> >> > the URL. It looks like I'd need to be able to pass in a
> >> >> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to
> >> be able
> >> >> > to pass these in so I can provide an implementation that does some
> >> >> > extra security checks, e.g. checking that the server's DN is
> >> what we
> >> >> > expect, turning off weak ciphers.
> >> >> >
> >> >>
> >> >> It would be nice if they were properties on the ssl transport server
> >> >> so that you can configure them using the URI... like:
> >> >>
> >> >> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
> >> >>
> >> >> > The part I'm struggling with now is where to create this API for
> >> the
> >> >> > client. Should it be a new constructor on
> >> ActiveMQConnectionFactory,
> >> >> > or should I add a new overridden
> >> ActiveMQSecureConnectionFactory? Or
> >> >> > should I just override it in my own code base, and not have this
> in
> >> >> > the activemq code at all?
> >> >>
> >> >> Just add properties to the SslTransportServer and make sure they
> have
> >> >> setters.
> >> >>
> >> >
> >> > And properties to the SslTransport if you want to set those
> properties
> >> > on the client connect URL
> >> >
> >> >> >
> >> >> > Thanks,
> >> >> > Kelly
> >> >> >
> >> >> > On 9/11/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> >> >> > > starting to look into it now. thx for the patch!
> >> >> > >
> >> >> > > On 9/5/06, Sepand M <se...@gmail.com> wrote:
> >> >> > > > Hey guys,
> >> >> > > >
> >> >> > > > The patch is done.
> >> >> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> >> >> > > > Hope you like it.
> >> >> > > > It would be really great if you could give an estimate of when
> >> >> you will
> >> >> > > > decide if it goes in or not (although I doubt you can =) ).
> >> >> > > >
> >> >> > > > Regards,
> >> >> > > > Sepand
> >> >> > > >
> >> >> > > >
> >> >> > >
> >> >> > >
> >> >> > > --
> >> >> > > Regards,
> >> >> > > Hiram
> >> >> > >
> >> >> > > Blog: http://hiramchirino.com
> >> >> > >
> >> >> >
> >> >>
> >> >>
> >> >> --
> >> >> Regards,
> >> >> Hiram
> >> >>
> >> >> Blog: http://hiramchirino.com
> >> >>
> >> >
> >> >
> >>
> >>
> >
>
>

Re: SSL authentication/authorization patch

[Sepand M <se...@gmail.com>]

The keystore problem has been addressed (the patch we talked about before
should fix it, right?)
Checking the DN should be possible through the
JaasCertificationAuthenticationModule (I'm not too sure about the name, I
haven't looked at the code in a while); the entire client certificate chain
is passed in so you should have all the data you need.
the setEnabledCipherSuites is not currently possible without the heavy
modifications you mentioned (do you agree Hiram?). I think the best method
for doing this would be to create a reflection-based createTransport call
(just like the ones there, but with support for custom objects). That would
take a lot of work too, but it would also be more useful and compatible with
the current architecture.

On 9/25/06, Kelly Campbell <ke...@gmail.com> wrote:
>
> Ok, that works for relatively basic options, but what about the more
> complex stuff I need to do? Specifically turning off weak ciphers on
> the connection (via socket.setEnabledCipherSuites), and verifying the
> server's DN. Also, I need to use different settings for setting up the
> keystore and truststore (e.g. if one is in pkcs12 format and the other
> is in jks format). Someone else on the user's mailing list asked a
> similar question about customizing the ssl keystore.
>
> If I add a SocketFactory param in the createTransport calls, it
> requires lots of changes to support it across all the different
> composite transports and such. Is there perhaps something similar to
> the options that can have objects associated with a key for params to
> the transports that will get passed along to all the sub transports so
> the SSL one will get it?
>
> Thanks,
> Kelly
>
> On 9/22/06, Sepand M <se...@gmail.com> wrote:
> > Some of the more experienced people can correct me on this, but I think
> > you can set socket options using "socket._option_" arguments in the URI
> > (e.g. "ssl://localhost:61616?socket.my_option=true"). I'm not sure if
> > this would give all the flexibility you need, but it's a start. If that
> > doesn't work, for SSL specific stuff, I added a
> > SslActiveMQConnectionFactory (or a similar name).
> >
> > Any good?
> > Sepand
> >
> > Kelly Campbell wrote:
> > > Thanks Sepand. I did review those instructions earlier.
> > >
> > > What about the other requirements to be able to set specific options
> > > on the socket, e.g. not allowing weak ciphers? I think having the
> > > config in the URL is good, but not sufficient in this case. I'd like
> > > to propose adding a SocketFactory parameter to a new constructor on
> > > the ActiveMQConnectionFactory (actually the code for this is almost
> > > complete). This would be useful for not only SSL connections, but
> > > other tcp connections if the user wants to customize some of the
> > > socket options.
> > >
> > > Thanks,
> > > Kelly
> > >
> > > On 9/21/06, Sepand M <se...@gmail.com> wrote:
> > >> Yeah, we realized this was needed, but I didn't have time (my work
> term
> > >> at the company was ending).
> > >> I've left instructions for people taking over this project on how to
> do
> > >> this (it just takes one setter and a well placed call from that
> setter).
> > >> I'm not sure when it will be done though.
> > >>
> > >> - Sepand
> > >>
> > >> Hiram Chirino wrote:
> > >> > On 9/21/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> > >> >> On 9/21/06, Kelly Campbell <ke...@gmail.com> wrote:
> > >> >> > Thanks for getting this submitted Sepand, and thanks for
> patching
> > >> >> it in Hiram.
> > >> >> >
> > >> >> > I'm looking at how best to configure the keystore settings more
> > >> >> > dynamically without using the default system properties or
> > >> anything in
> > >> >> > the URL. It looks like I'd need to be able to pass in a
> > >> >> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to
> > >> be able
> > >> >> > to pass these in so I can provide an implementation that does
> some
> > >> >> > extra security checks, e.g. checking that the server's DN is
> > >> what we
> > >> >> > expect, turning off weak ciphers.
> > >> >> >
> > >> >>
> > >> >> It would be nice if they were properties on the ssl transport
> server
> > >> >> so that you can configure them using the URI... like:
> > >> >>
> > >> >> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
> > >> >>
> > >> >> > The part I'm struggling with now is where to create this API for
> > >> the
> > >> >> > client. Should it be a new constructor on
> > >> ActiveMQConnectionFactory,
> > >> >> > or should I add a new overridden
> > >> ActiveMQSecureConnectionFactory? Or
> > >> >> > should I just override it in my own code base, and not have this
> in
> > >> >> > the activemq code at all?
> > >> >>
> > >> >> Just add properties to the SslTransportServer and make sure they
> have
> > >> >> setters.
> > >> >>
> > >> >
> > >> > And properties to the SslTransport if you want to set those
> properties
> > >> > on the client connect URL
> > >> >
> > >> >> >
> > >> >> > Thanks,
> > >> >> > Kelly
> > >> >> >
> > >> >> > On 9/11/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> > >> >> > > starting to look into it now. thx for the patch!
> > >> >> > >
> > >> >> > > On 9/5/06, Sepand M <se...@gmail.com> wrote:
> > >> >> > > > Hey guys,
> > >> >> > > >
> > >> >> > > > The patch is done.
> > >> >> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> > >> >> > > > Hope you like it.
> > >> >> > > > It would be really great if you could give an estimate of
> when
> > >> >> you will
> > >> >> > > > decide if it goes in or not (although I doubt you can =) ).
> > >> >> > > >
> > >> >> > > > Regards,
> > >> >> > > > Sepand
> > >> >> > > >
> > >> >> > > >
> > >> >> > >
> > >> >> > >
> > >> >> > > --
> > >> >> > > Regards,
> > >> >> > > Hiram
> > >> >> > >
> > >> >> > > Blog: http://hiramchirino.com
> > >> >> > >
> > >> >> >
> > >> >>
> > >> >>
> > >> >> --
> > >> >> Regards,
> > >> >> Hiram
> > >> >>
> > >> >> Blog: http://hiramchirino.com
> > >> >>
> > >> >
> > >> >
> > >>
> > >>
> > >
> >
> >
>

Re: SSL authentication/authorization patch

[Kelly Campbell <ke...@gmail.com>]

Ok, that works for relatively basic options, but what about the more
complex stuff I need to do? Specifically turning off weak ciphers on
the connection (via socket.setEnabledCipherSuites), and verifying the
server's DN. Also, I need to use different settings for setting up the
keystore and truststore (e.g. if one is in pkcs12 format and the other
is in jks format). Someone else on the user's mailing list asked a
similar question about customizing the ssl keystore.

If I add a SocketFactory param in the createTransport calls, it
requires lots of changes to support it across all the different
composite transports and such. Is there perhaps something similar to
the options that can have objects associated with a key for params to
the transports that will get passed along to all the sub transports so
the SSL one will get it?

Thanks,
Kelly

On 9/22/06, Sepand M <se...@gmail.com> wrote:
> Some of the more experienced people can correct me on this, but I think
> you can set socket options using "socket._option_" arguments in the URI
> (e.g. "ssl://localhost:61616?socket.my_option=true"). I'm not sure if
> this would give all the flexibility you need, but it's a start. If that
> doesn't work, for SSL specific stuff, I added a
> SslActiveMQConnectionFactory (or a similar name).
>
> Any good?
> Sepand
>
> Kelly Campbell wrote:
> > Thanks Sepand. I did review those instructions earlier.
> >
> > What about the other requirements to be able to set specific options
> > on the socket, e.g. not allowing weak ciphers? I think having the
> > config in the URL is good, but not sufficient in this case. I'd like
> > to propose adding a SocketFactory parameter to a new constructor on
> > the ActiveMQConnectionFactory (actually the code for this is almost
> > complete). This would be useful for not only SSL connections, but
> > other tcp connections if the user wants to customize some of the
> > socket options.
> >
> > Thanks,
> > Kelly
> >
> > On 9/21/06, Sepand M <se...@gmail.com> wrote:
> >> Yeah, we realized this was needed, but I didn't have time (my work term
> >> at the company was ending).
> >> I've left instructions for people taking over this project on how to do
> >> this (it just takes one setter and a well placed call from that setter).
> >> I'm not sure when it will be done though.
> >>
> >> - Sepand
> >>
> >> Hiram Chirino wrote:
> >> > On 9/21/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> >> >> On 9/21/06, Kelly Campbell <ke...@gmail.com> wrote:
> >> >> > Thanks for getting this submitted Sepand, and thanks for patching
> >> >> it in Hiram.
> >> >> >
> >> >> > I'm looking at how best to configure the keystore settings more
> >> >> > dynamically without using the default system properties or
> >> anything in
> >> >> > the URL. It looks like I'd need to be able to pass in a
> >> >> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to
> >> be able
> >> >> > to pass these in so I can provide an implementation that does some
> >> >> > extra security checks, e.g. checking that the server's DN is
> >> what we
> >> >> > expect, turning off weak ciphers.
> >> >> >
> >> >>
> >> >> It would be nice if they were properties on the ssl transport server
> >> >> so that you can configure them using the URI... like:
> >> >>
> >> >> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
> >> >>
> >> >> > The part I'm struggling with now is where to create this API for
> >> the
> >> >> > client. Should it be a new constructor on
> >> ActiveMQConnectionFactory,
> >> >> > or should I add a new overridden
> >> ActiveMQSecureConnectionFactory? Or
> >> >> > should I just override it in my own code base, and not have this in
> >> >> > the activemq code at all?
> >> >>
> >> >> Just add properties to the SslTransportServer and make sure they have
> >> >> setters.
> >> >>
> >> >
> >> > And properties to the SslTransport if you want to set those properties
> >> > on the client connect URL
> >> >
> >> >> >
> >> >> > Thanks,
> >> >> > Kelly
> >> >> >
> >> >> > On 9/11/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> >> >> > > starting to look into it now. thx for the patch!
> >> >> > >
> >> >> > > On 9/5/06, Sepand M <se...@gmail.com> wrote:
> >> >> > > > Hey guys,
> >> >> > > >
> >> >> > > > The patch is done.
> >> >> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> >> >> > > > Hope you like it.
> >> >> > > > It would be really great if you could give an estimate of when
> >> >> you will
> >> >> > > > decide if it goes in or not (although I doubt you can =) ).
> >> >> > > >
> >> >> > > > Regards,
> >> >> > > > Sepand
> >> >> > > >
> >> >> > > >
> >> >> > >
> >> >> > >
> >> >> > > --
> >> >> > > Regards,
> >> >> > > Hiram
> >> >> > >
> >> >> > > Blog: http://hiramchirino.com
> >> >> > >
> >> >> >
> >> >>
> >> >>
> >> >> --
> >> >> Regards,
> >> >> Hiram
> >> >>
> >> >> Blog: http://hiramchirino.com
> >> >>
> >> >
> >> >
> >>
> >>
> >
>
>

Re: SSL authentication/authorization patch

[Sepand M <se...@gmail.com>]

Some of the more experienced people can correct me on this, but I think 
you can set socket options using "socket._option_" arguments in the URI 
(e.g. "ssl://localhost:61616?socket.my_option=true"). I'm not sure if 
this would give all the flexibility you need, but it's a start. If that 
doesn't work, for SSL specific stuff, I added a 
SslActiveMQConnectionFactory (or a similar name).

Any good?
Sepand

Kelly Campbell wrote:
> Thanks Sepand. I did review those instructions earlier.
>
> What about the other requirements to be able to set specific options
> on the socket, e.g. not allowing weak ciphers? I think having the
> config in the URL is good, but not sufficient in this case. I'd like
> to propose adding a SocketFactory parameter to a new constructor on
> the ActiveMQConnectionFactory (actually the code for this is almost
> complete). This would be useful for not only SSL connections, but
> other tcp connections if the user wants to customize some of the
> socket options.
>
> Thanks,
> Kelly
>
> On 9/21/06, Sepand M <se...@gmail.com> wrote:
>> Yeah, we realized this was needed, but I didn't have time (my work term
>> at the company was ending).
>> I've left instructions for people taking over this project on how to do
>> this (it just takes one setter and a well placed call from that setter).
>> I'm not sure when it will be done though.
>>
>> - Sepand
>>
>> Hiram Chirino wrote:
>> > On 9/21/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
>> >> On 9/21/06, Kelly Campbell <ke...@gmail.com> wrote:
>> >> > Thanks for getting this submitted Sepand, and thanks for patching
>> >> it in Hiram.
>> >> >
>> >> > I'm looking at how best to configure the keystore settings more
>> >> > dynamically without using the default system properties or 
>> anything in
>> >> > the URL. It looks like I'd need to be able to pass in a
>> >> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to 
>> be able
>> >> > to pass these in so I can provide an implementation that does some
>> >> > extra security checks, e.g. checking that the server's DN is 
>> what we
>> >> > expect, turning off weak ciphers.
>> >> >
>> >>
>> >> It would be nice if they were properties on the ssl transport server
>> >> so that you can configure them using the URI... like:
>> >>
>> >> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
>> >>
>> >> > The part I'm struggling with now is where to create this API for 
>> the
>> >> > client. Should it be a new constructor on 
>> ActiveMQConnectionFactory,
>> >> > or should I add a new overridden 
>> ActiveMQSecureConnectionFactory? Or
>> >> > should I just override it in my own code base, and not have this in
>> >> > the activemq code at all?
>> >>
>> >> Just add properties to the SslTransportServer and make sure they have
>> >> setters.
>> >>
>> >
>> > And properties to the SslTransport if you want to set those properties
>> > on the client connect URL
>> >
>> >> >
>> >> > Thanks,
>> >> > Kelly
>> >> >
>> >> > On 9/11/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
>> >> > > starting to look into it now. thx for the patch!
>> >> > >
>> >> > > On 9/5/06, Sepand M <se...@gmail.com> wrote:
>> >> > > > Hey guys,
>> >> > > >
>> >> > > > The patch is done.
>> >> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
>> >> > > > Hope you like it.
>> >> > > > It would be really great if you could give an estimate of when
>> >> you will
>> >> > > > decide if it goes in or not (although I doubt you can =) ).
>> >> > > >
>> >> > > > Regards,
>> >> > > > Sepand
>> >> > > >
>> >> > > >
>> >> > >
>> >> > >
>> >> > > --
>> >> > > Regards,
>> >> > > Hiram
>> >> > >
>> >> > > Blog: http://hiramchirino.com
>> >> > >
>> >> >
>> >>
>> >>
>> >> --
>> >> Regards,
>> >> Hiram
>> >>
>> >> Blog: http://hiramchirino.com
>> >>
>> >
>> >
>>
>>
>

Re: SSL authentication/authorization patch

[Hiram Chirino <hi...@hiramchirino.com>]

Hi kelly I think that's allready supported.

The client can do something like ssl://localhost:61617?socket.socketOption=xxx

Not sure if the same works on the server side.  I have a feeling that
on the server side, it has to be:
ssl://localhost:61617?transport.socket.socketOption=xxx


On 9/22/06, Kelly Campbell <ke...@gmail.com> wrote:
> Thanks Sepand. I did review those instructions earlier.
>
> What about the other requirements to be able to set specific options
> on the socket, e.g. not allowing weak ciphers? I think having the
> config in the URL is good, but not sufficient in this case. I'd like
> to propose adding a SocketFactory parameter to a new constructor on
> the ActiveMQConnectionFactory (actually the code for this is almost
> complete). This would be useful for not only SSL connections, but
> other tcp connections if the user wants to customize some of the
> socket options.
>
> Thanks,
> Kelly
>
> On 9/21/06, Sepand M <se...@gmail.com> wrote:
> > Yeah, we realized this was needed, but I didn't have time (my work term
> > at the company was ending).
> > I've left instructions for people taking over this project on how to do
> > this (it just takes one setter and a well placed call from that setter).
> > I'm not sure when it will be done though.
> >
> > - Sepand
> >
> > Hiram Chirino wrote:
> > > On 9/21/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> > >> On 9/21/06, Kelly Campbell <ke...@gmail.com> wrote:
> > >> > Thanks for getting this submitted Sepand, and thanks for patching
> > >> it in Hiram.
> > >> >
> > >> > I'm looking at how best to configure the keystore settings more
> > >> > dynamically without using the default system properties or anything in
> > >> > the URL. It looks like I'd need to be able to pass in a
> > >> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to be able
> > >> > to pass these in so I can provide an implementation that does some
> > >> > extra security checks, e.g. checking that the server's DN is what we
> > >> > expect, turning off weak ciphers.
> > >> >
> > >>
> > >> It would be nice if they were properties on the ssl transport server
> > >> so that you can configure them using the URI... like:
> > >>
> > >> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
> > >>
> > >> > The part I'm struggling with now is where to create this API for the
> > >> > client. Should it be a new constructor on ActiveMQConnectionFactory,
> > >> > or should I add a new overridden ActiveMQSecureConnectionFactory? Or
> > >> > should I just override it in my own code base, and not have this in
> > >> > the activemq code at all?
> > >>
> > >> Just add properties to the SslTransportServer and make sure they have
> > >> setters.
> > >>
> > >
> > > And properties to the SslTransport if you want to set those properties
> > > on the client connect URL
> > >
> > >> >
> > >> > Thanks,
> > >> > Kelly
> > >> >
> > >> > On 9/11/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> > >> > > starting to look into it now. thx for the patch!
> > >> > >
> > >> > > On 9/5/06, Sepand M <se...@gmail.com> wrote:
> > >> > > > Hey guys,
> > >> > > >
> > >> > > > The patch is done.
> > >> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> > >> > > > Hope you like it.
> > >> > > > It would be really great if you could give an estimate of when
> > >> you will
> > >> > > > decide if it goes in or not (although I doubt you can =) ).
> > >> > > >
> > >> > > > Regards,
> > >> > > > Sepand
> > >> > > >
> > >> > > >
> > >> > >
> > >> > >
> > >> > > --
> > >> > > Regards,
> > >> > > Hiram
> > >> > >
> > >> > > Blog: http://hiramchirino.com
> > >> > >
> > >> >
> > >>
> > >>
> > >> --
> > >> Regards,
> > >> Hiram
> > >>
> > >> Blog: http://hiramchirino.com
> > >>
> > >
> > >
> >
> >
>


-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Re: SSL authentication/authorization patch

[Kelly Campbell <ke...@gmail.com>]

Thanks Sepand. I did review those instructions earlier.

What about the other requirements to be able to set specific options
on the socket, e.g. not allowing weak ciphers? I think having the
config in the URL is good, but not sufficient in this case. I'd like
to propose adding a SocketFactory parameter to a new constructor on
the ActiveMQConnectionFactory (actually the code for this is almost
complete). This would be useful for not only SSL connections, but
other tcp connections if the user wants to customize some of the
socket options.

Thanks,
Kelly

On 9/21/06, Sepand M <se...@gmail.com> wrote:
> Yeah, we realized this was needed, but I didn't have time (my work term
> at the company was ending).
> I've left instructions for people taking over this project on how to do
> this (it just takes one setter and a well placed call from that setter).
> I'm not sure when it will be done though.
>
> - Sepand
>
> Hiram Chirino wrote:
> > On 9/21/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> >> On 9/21/06, Kelly Campbell <ke...@gmail.com> wrote:
> >> > Thanks for getting this submitted Sepand, and thanks for patching
> >> it in Hiram.
> >> >
> >> > I'm looking at how best to configure the keystore settings more
> >> > dynamically without using the default system properties or anything in
> >> > the URL. It looks like I'd need to be able to pass in a
> >> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to be able
> >> > to pass these in so I can provide an implementation that does some
> >> > extra security checks, e.g. checking that the server's DN is what we
> >> > expect, turning off weak ciphers.
> >> >
> >>
> >> It would be nice if they were properties on the ssl transport server
> >> so that you can configure them using the URI... like:
> >>
> >> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
> >>
> >> > The part I'm struggling with now is where to create this API for the
> >> > client. Should it be a new constructor on ActiveMQConnectionFactory,
> >> > or should I add a new overridden ActiveMQSecureConnectionFactory? Or
> >> > should I just override it in my own code base, and not have this in
> >> > the activemq code at all?
> >>
> >> Just add properties to the SslTransportServer and make sure they have
> >> setters.
> >>
> >
> > And properties to the SslTransport if you want to set those properties
> > on the client connect URL
> >
> >> >
> >> > Thanks,
> >> > Kelly
> >> >
> >> > On 9/11/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> >> > > starting to look into it now. thx for the patch!
> >> > >
> >> > > On 9/5/06, Sepand M <se...@gmail.com> wrote:
> >> > > > Hey guys,
> >> > > >
> >> > > > The patch is done.
> >> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> >> > > > Hope you like it.
> >> > > > It would be really great if you could give an estimate of when
> >> you will
> >> > > > decide if it goes in or not (although I doubt you can =) ).
> >> > > >
> >> > > > Regards,
> >> > > > Sepand
> >> > > >
> >> > > >
> >> > >
> >> > >
> >> > > --
> >> > > Regards,
> >> > > Hiram
> >> > >
> >> > > Blog: http://hiramchirino.com
> >> > >
> >> >
> >>
> >>
> >> --
> >> Regards,
> >> Hiram
> >>
> >> Blog: http://hiramchirino.com
> >>
> >
> >
>
>

Re: SSL authentication/authorization patch

[Sepand M <se...@gmail.com>]

Yeah, we realized this was needed, but I didn't have time (my work term 
at the company was ending).
I've left instructions for people taking over this project on how to do 
this (it just takes one setter and a well placed call from that setter).
I'm not sure when it will be done though.

- Sepand

Hiram Chirino wrote:
> On 9/21/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
>> On 9/21/06, Kelly Campbell <ke...@gmail.com> wrote:
>> > Thanks for getting this submitted Sepand, and thanks for patching 
>> it in Hiram.
>> >
>> > I'm looking at how best to configure the keystore settings more
>> > dynamically without using the default system properties or anything in
>> > the URL. It looks like I'd need to be able to pass in a
>> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to be able
>> > to pass these in so I can provide an implementation that does some
>> > extra security checks, e.g. checking that the server's DN is what we
>> > expect, turning off weak ciphers.
>> >
>>
>> It would be nice if they were properties on the ssl transport server
>> so that you can configure them using the URI... like:
>>
>> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
>>
>> > The part I'm struggling with now is where to create this API for the
>> > client. Should it be a new constructor on ActiveMQConnectionFactory,
>> > or should I add a new overridden ActiveMQSecureConnectionFactory? Or
>> > should I just override it in my own code base, and not have this in
>> > the activemq code at all?
>>
>> Just add properties to the SslTransportServer and make sure they have 
>> setters.
>>
>
> And properties to the SslTransport if you want to set those properties
> on the client connect URL
>
>> >
>> > Thanks,
>> > Kelly
>> >
>> > On 9/11/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
>> > > starting to look into it now. thx for the patch!
>> > >
>> > > On 9/5/06, Sepand M <se...@gmail.com> wrote:
>> > > > Hey guys,
>> > > >
>> > > > The patch is done.
>> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
>> > > > Hope you like it.
>> > > > It would be really great if you could give an estimate of when 
>> you will
>> > > > decide if it goes in or not (although I doubt you can =) ).
>> > > >
>> > > > Regards,
>> > > > Sepand
>> > > >
>> > > >
>> > >
>> > >
>> > > --
>> > > Regards,
>> > > Hiram
>> > >
>> > > Blog: http://hiramchirino.com
>> > >
>> >
>>
>>
>> -- 
>> Regards,
>> Hiram
>>
>> Blog: http://hiramchirino.com
>>
>
>

Re: SSL authentication/authorization patch

[Hiram Chirino <hi...@hiramchirino.com>]

On 9/21/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> On 9/21/06, Kelly Campbell <ke...@gmail.com> wrote:
> > Thanks for getting this submitted Sepand, and thanks for patching it in Hiram.
> >
> > I'm looking at how best to configure the keystore settings more
> > dynamically without using the default system properties or anything in
> > the URL. It looks like I'd need to be able to pass in a
> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to be able
> > to pass these in so I can provide an implementation that does some
> > extra security checks, e.g. checking that the server's DN is what we
> > expect, turning off weak ciphers.
> >
>
> It would be nice if they were properties on the ssl transport server
> so that you can configure them using the URI... like:
>
> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
>
> > The part I'm struggling with now is where to create this API for the
> > client. Should it be a new constructor on ActiveMQConnectionFactory,
> > or should I add a new overridden ActiveMQSecureConnectionFactory? Or
> > should I just override it in my own code base, and not have this in
> > the activemq code at all?
>
> Just add properties to the SslTransportServer and make sure they have setters.
>

And properties to the SslTransport if you want to set those properties
on the client connect URL

> >
> > Thanks,
> > Kelly
> >
> > On 9/11/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> > > starting to look into it now. thx for the patch!
> > >
> > > On 9/5/06, Sepand M <se...@gmail.com> wrote:
> > > > Hey guys,
> > > >
> > > > The patch is done.
> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> > > > Hope you like it.
> > > > It would be really great if you could give an estimate of when you will
> > > > decide if it goes in or not (although I doubt you can =) ).
> > > >
> > > > Regards,
> > > > Sepand
> > > >
> > > >
> > >
> > >
> > > --
> > > Regards,
> > > Hiram
> > >
> > > Blog: http://hiramchirino.com
> > >
> >
>
>
> --
> Regards,
> Hiram
>
> Blog: http://hiramchirino.com
>


-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Re: SSL authentication/authorization patch

[Hiram Chirino <hi...@hiramchirino.com>]

On 9/21/06, Kelly Campbell <ke...@gmail.com> wrote:
> Thanks for getting this submitted Sepand, and thanks for patching it in Hiram.
>
> I'm looking at how best to configure the keystore settings more
> dynamically without using the default system properties or anything in
> the URL. It looks like I'd need to be able to pass in a
> javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to be able
> to pass these in so I can provide an implementation that does some
> extra security checks, e.g. checking that the server's DN is what we
> expect, turning off weak ciphers.
>

It would be nice if they were properties on the ssl transport server
so that you can configure them using the URI... like:

ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts

> The part I'm struggling with now is where to create this API for the
> client. Should it be a new constructor on ActiveMQConnectionFactory,
> or should I add a new overridden ActiveMQSecureConnectionFactory? Or
> should I just override it in my own code base, and not have this in
> the activemq code at all?

Just add properties to the SslTransportServer and make sure they have setters.

>
> Thanks,
> Kelly
>
> On 9/11/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> > starting to look into it now. thx for the patch!
> >
> > On 9/5/06, Sepand M <se...@gmail.com> wrote:
> > > Hey guys,
> > >
> > > The patch is done.
> > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> > > Hope you like it.
> > > It would be really great if you could give an estimate of when you will
> > > decide if it goes in or not (although I doubt you can =) ).
> > >
> > > Regards,
> > > Sepand
> > >
> > >
> >
> >
> > --
> > Regards,
> > Hiram
> >
> > Blog: http://hiramchirino.com
> >
>


-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Re: SSL authentication/authorization patch

[Kelly Campbell <ke...@gmail.com>]

Thanks for getting this submitted Sepand, and thanks for patching it in Hiram.

I'm looking at how best to configure the keystore settings more
dynamically without using the default system properties or anything in
the URL. It looks like I'd need to be able to pass in a
javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to be able
to pass these in so I can provide an implementation that does some
extra security checks, e.g. checking that the server's DN is what we
expect, turning off weak ciphers.

The part I'm struggling with now is where to create this API for the
client. Should it be a new constructor on ActiveMQConnectionFactory,
or should I add a new overridden ActiveMQSecureConnectionFactory? Or
should I just override it in my own code base, and not have this in
the activemq code at all?

Thanks,
Kelly

On 9/11/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> starting to look into it now. thx for the patch!
>
> On 9/5/06, Sepand M <se...@gmail.com> wrote:
> > Hey guys,
> >
> > The patch is done.
> > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> > Hope you like it.
> > It would be really great if you could give an estimate of when you will
> > decide if it goes in or not (although I doubt you can =) ).
> >
> > Regards,
> > Sepand
> >
> >
>
>
> --
> Regards,
> Hiram
>
> Blog: http://hiramchirino.com
>

Re: SSL authentication/authorization patch

[Hiram Chirino <hi...@hiramchirino.com>]

starting to look into it now. thx for the patch!

On 9/5/06, Sepand M <se...@gmail.com> wrote:
> Hey guys,
>
> The patch is done.
> It's here: https://issues.apache.org/activemq/browse/AMQ-912
> Hope you like it.
> It would be really great if you could give an estimate of when you will
> decide if it goes in or not (although I doubt you can =) ).
>
> Regards,
> Sepand
>
>


-- 
Regards,
Hiram

Blog: http://hiramchirino.com