Posted to issues@activemq.apache.org by "Sinaver Idris (JIRA)" <ji...@apache.org> on 2018/07/31 12:42:00 UTC

[jira] [Commented] (ARTEMIS-1157) Do not update ssl client keystore/truststore path on topology update

    [ https://issues.apache.org/jira/browse/ARTEMIS-1157?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16563599#comment-16563599 ] 

Sinaver Idris commented on ARTEMIS-1157:
----------------------------------------

How about sslEnabled, enabledProtocols, enabledCipherSuites params? Is there any way to force it on a client as well?
It is a security concern if a broker can force a client to use sslEnabled false, same applies to a broker forcing weaker TLS protocol and cipher suites.

Also, regarding using system properties on the broker so that this information is not shared as a part of cluster topology information, can password masking be applied here, e.g.: -Dorg.apache.activemq.ssl.keyStorePassword=ENC(3a34fd21b82bf2a822fa49a8d8fa115d)?

It seems it is not supported: https://activemq.apache.org/artemis/docs/latest/masking-passwords.html

> Do not update ssl client keystore/truststore path on topology update
> --------------------------------------------------------------------
>
>                 Key: ARTEMIS-1157
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1157
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>    Affects Versions: 2.0.0
>            Reporter: Philipp Aeschlimann
>            Priority: Major
>         Attachments: ArtemisMqCrashDemoClient.java, broker.xml
>
>
> We have a 2 node cluster where clients and the referenced connectors in the cluster-connection do use ssl client auth (all working so far). Now if a failover occurs - live server goes down - the clients try to re-connect with the client keystore path that is defined on the connector in the server.
> We know that it is possible to overwrite this behavior by using org.apache.activemq.ssl.keyStore system property. But we have multiple keystores and want to use them. Would it be possible, that these settings:
> org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants.KEYSTORE_*
> org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants.TRUSTSTORE_*
> will not be updated from the server? I can not think of a scenario, where it would make sense that the server tells the client where the client has to look for his keystore and truststore settings.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
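The concern raised in the comment and the original report is that connector parameters advertised in a topology update can overwrite client-side TLS settings. Below is an added illustration, not Artemis code and not from either participant, of the merge policy a client would want: key material paths and passwords are never taken from the broker, sslEnabled cannot be switched off remotely, and enabledProtocols / enabledCipherSuites may only be narrowed to a subset of what the client already allows. Parameter names follow the plain connector keys discussed in the thread; the sample maps are constructed.

```python
# Connector parameters that describe the client's own identity: never accepted from a broker.
CLIENT_ONLY = {"keyStorePath", "keyStorePassword", "trustStorePath", "trustStorePassword"}

# Parameters the broker may tighten (subset of the client's allow-list) but never widen.
SUBSET_ONLY = {"enabledProtocols", "enabledCipherSuites"}


def _split(csv):
    """Turn a comma-separated connector value into a set of non-empty items."""
    return {item.strip() for item in str(csv).split(",") if item.strip()}


def _truthy(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def merge_topology_params(local, remote):
    """Apply broker-advertised params on top of the client's own, enforcing the policy.

    Returns (effective_params, rejected) where rejected maps a parameter name to
    the reason its remote value was ignored, so the client can log it.
    """
    effective = dict(local)
    rejected = {}
    for key, value in remote.items():
        if key in CLIENT_ONLY:
            rejected[key] = "client key material is never taken from the broker"
            continue
        if key == "sslEnabled" and _truthy(local.get(key, "false")) and not _truthy(value):
            rejected[key] = "broker may not disable TLS on the client"
            continue
        if key in SUBSET_ONLY and key in local:
            allowed, offered = _split(local[key]), _split(value)
            # An empty offer would fall back to library defaults, which may be weaker.
            if not offered or not offered <= allowed:
                rejected[key] = f"offered {sorted(offered - allowed)} outside client allow-list"
                continue
        effective[key] = value  # host, port, narrower suites, etc. are accepted
    return effective, rejected


# Constructed sample: what the client configured for itself.
LOCAL = {
    "host": "broker1.example", "port": "61617", "sslEnabled": "true",
    "keyStorePath": "/etc/client/tenant-a.p12", "trustStorePath": "/etc/client/ca.p12",
    "enabledProtocols": "TLSv1.3,TLSv1.2",
    "enabledCipherSuites": "TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Constructed sample: connector params as a backup broker might advertise them after failover.
REMOTE = {
    "host": "broker2.example", "port": "61617", "sslEnabled": "false",
    "keyStorePath": "/opt/broker/keystore.p12",
    "enabledProtocols": "TLSv1.2,TLSv1.1", "enabledCipherSuites": "TLS_AES_256_GCM_SHA384",
}
```

Running `merge_topology_params(LOCAL, REMOTE)` adopts the new host but keeps TLS on, keeps the client's own keystore path and protocol list, and accepts the narrower cipher suite.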