Posted to dev@qpid.apache.org by Gordon Sim <gs...@redhat.com> on 2008/10/17 16:37:04 UTC

require encrypted connections?

Question: would it be desirable to be able to configure a broker to only 
accept e.g. SSL connections, not unencrypted TCP connections?

Re: require encrypted connections?

Posted by Carl Trieloff <cc...@redhat.com>.
Ted Ross wrote:
> Gordon Sim wrote:
>> Question: would it be desirable to be able to configure a broker to 
>> only accept e.g. SSL connections, not unencrypted TCP connections?
> I believe this is desirable (required actually).
>
> We might also want to consider making the transport an input to the 
> ACL process.  An admin could, for example, allow open access but only 
> allow SSL-connected clients to bind to certain exchanges or subscribe 
> to certain queues.
>
> -Ted
>

I agree. Should be able to disable non-secure connections.

Carl.

Re: require encrypted connections?

Posted by Ted Ross <tr...@redhat.com>.
Gordon Sim wrote:
> Question: would it be desirable to be able to configure a broker to 
> only accept e.g. SSL connections, not unencrypted TCP connections?
I believe this is desirable (required actually).

We might also want to consider making the transport an input to the ACL 
process.  An admin could, for example, allow open access but only allow 
SSL-connected clients to bind to certain exchanges or subscribe to 
certain queues.

-Ted
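
[Added example, not part of the original thread and not Qpid's ACL code or file format: a minimal first-match rule evaluator in which the connection's transport is one of the inputs, as the message above proposes. The rule fields, resource names and the sample policy are constructed for illustration.]

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Rule:
    decision: str                     # "allow" or "deny"
    user: str                         # glob on the authenticated user id
    action: str                       # "bind", "subscribe", ... or "*"
    resource: str                     # glob on "exchange:<name>" / "queue:<name>"
    transport: Optional[str] = None   # None matches any transport; else "ssl" or "tcp"


@dataclass(frozen=True)
class Request:
    user: str
    action: str
    resource: str
    # Must be filled in by the broker from the listener that accepted the
    # connection, never taken from anything the client sends.
    transport: str


def evaluate(rules, req, default="deny"):
    """First matching rule wins; a request that matches nothing gets the default."""
    for r in rules:
        if (fnmatchcase(req.user, r.user)
                and r.action in ("*", req.action)
                and fnmatchcase(req.resource, r.resource)
                and r.transport in (None, req.transport)):
            return r.decision
    return default


# Constructed policy: open access in general, but binding to payments.*
# exchanges or subscribing to the audit queue requires an SSL connection.
POLICY = [
    Rule("allow", "*", "bind", "exchange:payments.*", transport="ssl"),
    Rule("deny", "*", "bind", "exchange:payments.*"),
    Rule("allow", "*", "subscribe", "queue:audit", transport="ssl"),
    Rule("deny", "*", "subscribe", "queue:audit"),
    Rule("allow", "*", "*", "*"),
]

if __name__ == "__main__":
    for transport in ("ssl", "tcp"):
        req = Request("alice", "bind", "exchange:payments.eu", transport)
        print(transport, evaluate(POLICY, req))
```

The explicit deny rules ahead of the catch-all allow are what keep a plain-TCP client from falling through to open access on the protected resources.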


Re: require encrypted connections?

Posted by Robert Greig <ro...@gmail.com>.
2008/10/18 Aidan Skinner <ai...@apache.org>:

> Yes. It would also make sense to be able to require one of a set of
> client certificates, or that the client cert is signed by one of a set
> of root certificates.

This is what I meant by mutual SSL.

RG

Re: require encrypted connections?

Posted by Aidan Skinner <ai...@apache.org>.
On Fri, Oct 17, 2008 at 3:37 PM, Gordon Sim <gs...@redhat.com> wrote:

> Question: would it be desirable to be able to configure a broker to only
> accept e.g. SSL connections, not unencrypted TCP connections?

Yes. It would also make sense to be able to require one of a set of
client certificates, or that the client cert is signed by one of a set
of root certificates.

- Aidan
-- 
Apache Qpid - World Domination through Advanced Message Queueing
http://cwiki.apache.org/qpid
"Nine-tenths of wisdom consists in being wise in time." - Theodore Roosevelt

Re: require encrypted connections?

Posted by Gordon Sim <gs...@redhat.com>.
Robert Greig wrote:
> 2008/10/17 Gordon Sim <gs...@redhat.com>:
> 
>> Question: would it be desirable to be able to configure a broker to only
>> accept e.g. SSL connections, not unencrypted TCP connections?
> 
> Yes definitely. Including only mutual SSL.

There is already an option to require client authentication. An 
additional option for requiring that only encrypted connections be 
accepted should be available shortly.

Thanks to all for the feedback!

Re: require encrypted connections?

Posted by Robert Greig <ro...@gmail.com>.
2008/10/17 Gordon Sim <gs...@redhat.com>:

> Question: would it be desirable to be able to configure a broker to only
> accept e.g. SSL connections, not unencrypted TCP connections?

Yes definitely. Including only mutual SSL.

RG

Re: require encrypted connections?

Posted by Alan Conway <ac...@redhat.com>.
On Fri, 2008-10-17 at 15:37 +0100, Gordon Sim wrote:
> Question: would it be desirable to be able to configure a broker to only 
> accept e.g. SSL connections, not unencrypted TCP connections?

I would guess yes, I've seen similar config options on other middleware
servers in the past. 


RE: require encrypted connections?

Posted by Steve Huston <sh...@riverace.com>.
Hi Gordon,

> Question: would it be desirable to be able to configure a 
> broker to only 
> accept e.g. SSL connections, not unencrypted TCP connections?

Yes, I think so.

-Steve

