Posted to dev@qpid.apache.org by Andrew Stitcher <as...@redhat.com> on 2012/05/21 20:48:23 UTC

SSL Connection under Windows [Was: Qpid Enquiry]

I've recently also been looking at setting up SSL on the Windows brokers
and I've noticed a couple of things about the way the Windows code uses
the Windows certificate store which make it harder for a developer to
test. It's not clear to me if these are real deployment issues too so
I'd like an opinion before I check in any changes.

In file
qpid/cpp/src/qpid/broker/windows/SslProtocolFactory.cpp
line 146

We open the certificate store:
    certStoreHandle = ::CertOpenStore(CERT_STORE_PROV_SYSTEM_A,
                                      X509_ASN_ENCODING,
                                      0,
                                      CERT_SYSTEM_STORE_LOCAL_MACHINE,
                                      options.certStore.c_str());

Now I'm wondering why we specify CERT_SYSTEM_STORE_LOCAL_MACHINE and not
the default (which would be CERT_SYSTEM_STORE_CURRENT_USER). This
difference means that you have to add the (test) certificate you want to
the machine store rather than the user store requiring administrator
permissions.

The issue here would be mostly for the default "My" store as the other
stores seem to have a search path that ends in local machine anyway if I
understand the documentation correctly.

Also I understand that we want to run the broker as a service and maybe
in that case we should specify CERT_SYSTEM_STORE_CURRENT_SERVICE
instead? The documentation seems to indicate that the local machine
store would be checked in that case anyway.

To get round this I'd like to add a new flag --ssl-cert-store-location
to allow the store location to be specified to make it easier to test as
a normal user/use a service store. Anyone know whether there is a
specific problem (security or otherwise) with this?

One issue with the current scheme I'll already note is that it involves
publishing the broker ssl certificate with private keys in such a way as
anyone on the local machine can get those keys, which would be avoided
by publishing as a specific user or service running the broker.

---

Additionally by opening the store unnecessarily in read/write mode we
require qpid to be run as administrator too and that seems easily fixed
(at least in my simple testing) by just adding
"|CERT_STORE_READONLY_FLAG" to the flags argument. I can't see any
reason not to open the store read only, is there?

Note that this doesn't add any extra security since someone else could
just open the local machine certificate in read only mode and use
the certificate in any case.

Thanks

Andrew



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
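Added example (not Qpid's code and not from the thread): how the proposed --ssl-cert-store-location option could map onto the CertOpenStore flags while also opening the store read-only as suggested above. The option values "CurrentUser"/"LocalMachine"/"CurrentService", the function names and the extra CERT_STORE_OPEN_EXISTING_FLAG are my assumptions; the non-Windows branch only supplies the wincrypt.h constant values so the flag logic can be checked off Windows.

```cpp
// Added example (not Qpid's code): compose CertOpenStore flags for a
// configurable store location, as a --ssl-cert-store-location option would,
// and always open read-only. Non-Windows builds get the wincrypt.h values.
#include <cstdint>
#include <string>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else
typedef uint32_t DWORD;
#define CERT_SYSTEM_STORE_CURRENT_USER     0x00010000
#define CERT_SYSTEM_STORE_LOCAL_MACHINE    0x00020000
#define CERT_SYSTEM_STORE_CURRENT_SERVICE  0x00040000
#define CERT_STORE_READONLY_FLAG           0x00008000
#define CERT_STORE_OPEN_EXISTING_FLAG      0x00004000
#endif

// Map the (assumed) option value to a store-location flag. Returns 0 for an
// unrecognised location so the caller rejects the configuration instead
// of silently falling back to a broader store than intended.
DWORD storeLocationFlag(const std::string& location) {
    if (location == "CurrentUser")    return CERT_SYSTEM_STORE_CURRENT_USER;
    if (location == "LocalMachine")   return CERT_SYSTEM_STORE_LOCAL_MACHINE;
    if (location == "CurrentService") return CERT_SYSTEM_STORE_CURRENT_SERVICE;
    return 0;
}

// Flags for CertOpenStore. Location bits live in the 0x00FF0000 mask, so they
// OR with the low-order behaviour flags without overlap. Read-only removes the
// need for write access (the administrator requirement described in the post);
// OPEN_EXISTING stops a mistyped store name from quietly creating a new store.
DWORD storeOpenFlags(const std::string& location) {
    DWORD loc = storeLocationFlag(location);
    if (loc == 0) return 0;
    return loc | CERT_STORE_READONLY_FLAG | CERT_STORE_OPEN_EXISTING_FLAG;
}

#ifdef _WIN32
// The open call itself, as the patched SslProtocolFactory.cpp line might
// read; storeName is e.g. "My". Returns NULL when the location option is
// invalid or CertOpenStore fails.
HCERTSTORE openCertStoreReadOnly(const std::string& location,
                                 const std::string& storeName) {
    DWORD flags = storeOpenFlags(location);
    if (flags == 0) return NULL;
    return ::CertOpenStore(CERT_STORE_PROV_SYSTEM_A, X509_ASN_ENCODING, 0,
                           flags, storeName.c_str());
}
#endif
```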


Re: SSL Connection under Windows [Was: Qpid Enquiry]

Posted by Andrew Stitcher <as...@redhat.com>.
On Mon, 2012-05-21 at 13:04 -0700, Cliff Jansen wrote:
> Andrew:
> 
> Note that there are pending changes to client side SSL on Windows in
> QPID-3914.  I haven't examined it, but it seems related to some of the
> expanded functionality you are looking for.
> 

Thanks for the heads up - I just looked at it - It doesn't conflict with
anything I'm thinking of changing in that it's not the same files, and
that change is purely client changes. I think my changes are really
complementary and orthogonal to that change.

Andrew





Re: SSL Connection under Windows [Was: Qpid Enquiry]

Posted by Cliff Jansen <cl...@gmail.com>.
Andrew:

Note that there are pending changes to client side SSL on Windows in
QPID-3914.  I haven't examined it, but it seems related to some of the
expanded functionality you are looking for.

Cliff

On Mon, May 21, 2012 at 12:40 PM, Steve Huston <sh...@riverace.com> wrote:
>> -----Original Message-----
>> From: Andrew Stitcher [mailto:astitcher@redhat.com]
>> Sent: Monday, May 21, 2012 3:20 PM
>> To: dev@qpid.apache.org
>> Subject: RE: SSL Connection under Windows [Was: Qpid Enquiry]
>>
>> On Mon, 2012-05-21 at 14:08 -0500, Steve Huston wrote:
>> > Hi Andrew,
>> >
>> > I wrote the code originally, so I'll chime in.
>> >
>> > As for the "why" questions, they may have been misinformed, bad
>> > decisions. I was most likely thinking "broker" instead of client,
>> > which is why I chose to open the store for local machine, not current
>> > user. It was also before running the broker as a service was really
>> > worked on seriously. I may have misunderstood advice on MSDN re that
>> > arg and the store path. I might have just gotten it wrong.
>>
>> A point of clarification - I haven't considered the client side at all
>> in any of this, I've only been working to get a broker up with ssl. I've
>> actually been connecting to it from linux. In fact if I read the code
>> correctly the client side doesn't open the certificate store at all (at
>> least explicitly).
>
> Ok.
>
>> I didn't really emphasise this, but I think that using LocalMachine
>> store is probably more insecure than necessary in that it allows anyone
>> with access to the machine access to the certificate to impersonate the
>> broker. So I'd like to change the default, however that wouldn't be
>> backward compatible - would that be an issue do you think?
>
> If you're closing a security hole, I'd say to change it as long as the
> release notes mention the change.
>
> -Steve
>



RE: SSL Connection under Windows [Was: Qpid Enquiry]

Posted by Steve Huston <sh...@riverace.com>.
> -----Original Message-----
> From: Andrew Stitcher [mailto:astitcher@redhat.com]
> Sent: Monday, May 21, 2012 3:20 PM
> To: dev@qpid.apache.org
> Subject: RE: SSL Connection under Windows [Was: Qpid Enquiry]
>
> On Mon, 2012-05-21 at 14:08 -0500, Steve Huston wrote:
> > Hi Andrew,
> >
> > I wrote the code originally, so I'll chime in.
> >
> > As for the "why" questions, they may have been misinformed, bad
> > decisions. I was most likely thinking "broker" instead of client,
> > which is why I chose to open the store for local machine, not current
> > user. It was also before running the broker as a service was really
> > worked on seriously. I may have misunderstood advice on MSDN re that
> > arg and the store path. I might have just gotten it wrong.
>
> A point of clarification - I haven't considered the client side at all
> in any of this, I've only been working to get a broker up with ssl. I've
> actually been connecting to it from linux. In fact if I read the code
> correctly the client side doesn't open the certificate store at all (at
> least explicitly).

Ok.

> I didn't really emphasise this, but I think that using LocalMachine
> store is probably more insecure than necessary in that it allows anyone
> with access to the machine access to the certificate to impersonate the
> broker. So I'd like to change the default, however that wouldn't be
> backward compatible - would that be an issue do you think?

If you're closing a security hole, I'd say to change it as long as the
release notes mention the change.

-Steve



RE: SSL Connection under Windows [Was: Qpid Enquiry]

Posted by Andrew Stitcher <as...@redhat.com>.
On Mon, 2012-05-21 at 14:08 -0500, Steve Huston wrote:
> Hi Andrew,
> 
> I wrote the code originally, so I'll chime in.
> 
> As for the "why" questions, they may have been misinformed, bad decisions. I 
> was most likely thinking "broker" instead of client, which is why I chose to 
> open the store for local machine, not current user. It was also before 
> running the broker as a service was really worked on seriously. I may have 
> misunderstood advice on MSDN re that arg and the store path. I might have 
> just gotten it wrong.

A point of clarification - I haven't considered the client side at all
in any of this, I've only been working to get a broker up with ssl. I've
actually been connecting to it from linux. In fact if I read the code
correctly the client side doesn't open the certificate store at all (at
least explicitly).

I didn't really emphasise this, but I think that using LocalMachine
store is probably more insecure than necessary in that it allows anyone
with access to the machine access to the certificate to impersonate the
broker. So I'd like to change the default, however that wouldn't be
backward compatible - would that be an issue do you think?





RE: SSL Connection under Windows [Was: Qpid Enquiry]

Posted by Steve Huston <sh...@riverace.com>.
Hi Andrew,

I wrote the code originally, so I'll chime in.

As for the "why" questions, they may have been misinformed, bad decisions. I 
was most likely thinking "broker" instead of client, which is why I chose to 
open the store for local machine, not current user. It was also before 
running the broker as a service was really worked on seriously. I may have 
misunderstood advice on MSDN re that arg and the store path. I might have 
just gotten it wrong.

If you have good reason to change it (and from your explanation below I 
could certainly see that) I'd support changing it. I like the idea of the 
command line option to change the store location.

Definitely would change to open the store read only.

-Steve

> -----Original Message-----
> From: Andrew Stitcher [mailto:astitcher@redhat.com]
> Sent: Monday, May 21, 2012 2:48 PM
> To: dev@qpid.apache.org
> Cc: Steve Huston
> Subject: SSL Connection under Windows [Was: Qpid Enquiry]
>
> I've recently also been looking at setting up SSL on the Windows brokers
> and I've noticed a couple of things about the way the Windows code uses
> the Windows certificate store which make it harder for a developer to
> test. It's not clear to me if these are real deployment issues too so
> I'd like an opinion before I check in any changes.
>
> In file
> qpid/cpp/src/qpid/broker/windows/SslProtocolFactory.cpp
> line 146
>
> We open the certificate store:
>     certStoreHandle = ::CertOpenStore(CERT_STORE_PROV_SYSTEM_A,
>                                       X509_ASN_ENCODING,
>                                       0,
>                                       CERT_SYSTEM_STORE_LOCAL_MACHINE,
>                                       options.certStore.c_str());
>
> Now I'm wondering why we specify CERT_SYSTEM_STORE_LOCAL_MACHINE and not
> the default (which would be CERT_SYSTEM_STORE_CURRENT_USER). This
> difference means that you have to add the (test) certificate you want to
> the machine store rather than the user store requiring administrator
> permissions.
>
> The issue here would be mostly for the default "My" store as the other
> stores seem to have a search path that ends in local machine anyway if I
> understand the documentation correctly.
>
> Also I understand that we want to run the broker as a service and maybe in
> that case we should specify CERT_SYSTEM_STORE_CURRENT_SERVICE
> instead? The documentation seems to indicate that the local machine store
> would be checked in that case anyway.
>
> To get round this I'd like to add a new flag --ssl-cert-store-location
> to allow the store location to be specified to make it easier to test as
> a normal user/use a service store. Anyone know whether there is a
> specific problem (security or otherwise) with this?
>
> One issue with the current scheme I'll already note is that it involves
> publishing the broker ssl certificate with private keys in such a way as
> anyone on the local machine can get those keys, which would be avoided
> by publishing as a specific user or service running the broker.
>
> ---
>
> Additionally by opening the store unnecessarily in read/write mode we
> require qpid to be run as administrator too and that seems easily fixed
> (at least in my simple testing) by just adding
> "|CERT_STORE_READONLY_FLAG" to the flags argument. I can't see any
> reason not to open the store read only, is there?
>
> Note that this doesn't add any extra security since someone else could
> just open the local machine certificate in read only mode and use
> the certificate in any case.
>
> Thanks
>
> Andrew
>

