Posted to dev@qpid.apache.org by Gordon Sim <gs...@redhat.com> on 2008/10/17 16:37:04 UTC
require encrypted connections?
Question: would it be desirable to be able to configure a broker to only
accept e.g. SSL connections, not unencrypted TCP connections?
Re: require encrypted connections?
Posted by Carl Trieloff <cc...@redhat.com>.
Ted Ross wrote:
> Gordon Sim wrote:
>> Question: would it be desirable to be able to configure a broker to
>> only accept e.g. SSL connections, not unencrypted TCP connections?
> I believe this is desirable (required actually).
>
> We might also want to consider making the transport an input to the
> ACL process. An admin could, for example, allow open access but only
> allow SSL-connected clients to bind to certain exchanges or subscribe
> to certain queues.
>
> -Ted
>
I agree. Should be able to disable non-secure connections.
Carl.
Re: require encrypted connections?
Posted by Ted Ross <tr...@redhat.com>.
Gordon Sim wrote:
> Question: would it be desirable to be able to configure a broker to
> only accept e.g. SSL connections, not unencrypted TCP connections?
I believe this is desirable (required actually).
We might also want to consider making the transport an input to the ACL
process. An admin could, for example, allow open access but only allow
SSL-connected clients to bind to certain exchanges or subscribe to
certain queues.
-Ted
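
An illustration of the idea above (transport as an input to the ACL decision), added here as an example; it is not code from this thread or from Qpid. The rule format, the "exchange:"/"queue:" target naming and the names payments and audit are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    effect: str                       # "allow" or "deny"
    action: str                       # "bind", "subscribe", ... or "*"
    target: str                       # "exchange:<name>", "queue:<name>" or "*"
    transport: Optional[str] = None   # None matches any transport


def authorize(rules, action, target, transport):
    """First matching rule decides; no match means deny.

    `transport` must be the value the broker recorded when it accepted the
    connection ("ssl" or "tcp"), never something the client asserts.
    """
    for rule in rules:
        if rule.action not in ("*", action):
            continue
        if rule.target not in ("*", target):
            continue
        if rule.transport is not None and rule.transport != transport:
            continue
        return rule.effect == "allow"
    return False


# Constructed policy (hypothetical names): open access in general, but two
# sensitive objects are reachable only over an encrypted connection.
POLICY = [
    Rule("allow", "bind", "exchange:payments", transport="ssl"),
    Rule("deny", "bind", "exchange:payments"),
    Rule("allow", "subscribe", "queue:audit", transport="ssl"),
    Rule("deny", "subscribe", "queue:audit"),
    Rule("allow", "*", "*"),
]

if __name__ == "__main__":
    for request in [
        ("bind", "exchange:payments", "ssl"),
        ("bind", "exchange:payments", "tcp"),
        ("subscribe", "queue:audit", "tcp"),
        ("publish", "exchange:public", "tcp"),
    ]:
        print(request, authorize(POLICY, *request))
```

The explicit deny after each transport-restricted allow is what stops the final catch-all rule from letting an unencrypted client reach the protected object.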
Re: require encrypted connections?
Posted by Robert Greig <ro...@gmail.com>.
2008/10/18 Aidan Skinner <ai...@apache.org>:
> Yes. It would also make sense to be able to require one of a set of
> client certificates, or that the client cert is signed by one of a set
> of root certificates.
This is what I meant by mutual SSL.
RG
Re: require encrypted connections?
Posted by Aidan Skinner <ai...@apache.org>.
On Fri, Oct 17, 2008 at 3:37 PM, Gordon Sim <gs...@redhat.com> wrote:
> Question: would it be desirable to be able to configure a broker to only
> accept e.g. SSL connections, not unencrypted TCP connections?
Yes. It would also make sense to be able to require one of a set of
client certificates, or that the client cert is signed by one of a set
of root certificates.
- Aidan
--
Apache Qpid - World Domination through Advanced Message Queueing
http://cwiki.apache.org/qpid
"Nine-tenths of wisdom consists in being wise in time." - Theodore Roosevelt
Re: require encrypted connections?
Posted by Gordon Sim <gs...@redhat.com>.
Robert Greig wrote:
> 2008/10/17 Gordon Sim <gs...@redhat.com>:
>
>> Question: would it be desirable to be able to configure a broker to only
>> accept e.g. SSL connections, not unencrypted TCP connections?
>
> Yes definitely. Including only mutual SSL.
There is already an option to require client authentication. An
additional option for requiring that only encrypted connections be
accepted should be available shortly.
Thanks to all for the feedback!
Re: require encrypted connections?
Posted by Robert Greig <ro...@gmail.com>.
2008/10/17 Gordon Sim <gs...@redhat.com>:
> Question: would it be desirable to be able to configure a broker to only
> accept e.g. SSL connections, not unencrypted TCP connections?
Yes definitely. Including only mutual SSL.
RG
Re: require encrypted connections?
Posted by Alan Conway <ac...@redhat.com>.
On Fri, 2008-10-17 at 15:37 +0100, Gordon Sim wrote:
> Question: would it be desirable to be able to configure a broker to only
> accept e.g. SSL connections, not unencrypted TCP connections?
I would guess yes, I've seen similar config options on other middleware
servers in the past.
RE: require encrypted connections?
Posted by Steve Huston <sh...@riverace.com>.
Hi Gordon,
> Question: would it be desirable to be able to configure a
> broker to only
> accept e.g. SSL connections, not unencrypted TCP connections?
Yes, I think so.
-Steve