activemq-dev mailing list archives

From "Kelly Campbell" <kelly.a.campb...@gmail.com>
Subject Re: SSL authentication/authorization patch
Date Fri, 22 Sep 2006 17:01:13 GMT
Thanks Sepand. I did review those instructions earlier.

What about the other requirements to be able to set specific options
on the socket, e.g. not allowing weak ciphers? I think having the
config in the URL is good, but not sufficient in this case. I'd like
to propose adding a SocketFactory parameter to a new constructor on
the ActiveMQConnectionFactory (actually the code for this is almost
complete). This would be useful not only for SSL connections, but also for
other TCP connections if the user wants to customize some of the
socket options.

Thanks,
Kelly

On 9/21/06, Sepand M <sepandm@gmail.com> wrote:
> Yeah, we realized this was needed, but I didn't have time (my work term
> at the company was ending).
> I've left instructions for people taking over this project on how to do
> this (it just takes one setter and a well placed call from that setter).
> I'm not sure when it will be done though.
>
> - Sepand
>
> Hiram Chirino wrote:
> > On 9/21/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> >> On 9/21/06, Kelly Campbell <kelly.a.campbell@gmail.com> wrote:
> >> > Thanks for getting this submitted Sepand, and thanks for patching
> >> > it in Hiram.
> >> >
> >> > I'm looking at how best to configure the keystore settings more
> >> > dynamically without using the default system properties or anything in
> >> > the URL. It looks like I'd need to be able to pass in a
> >> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to be able
> >> > to pass these in so I can provide an implementation that does some
> >> > extra security checks, e.g. checking that the server's DN is what we
> >> > expect, turning off weak ciphers.
> >> >
> >>
> >> It would be nice if they were properties on the ssl transport server
> >> so that you can configure them using the URI... like:
> >>
> >> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
> >>
> >> > The part I'm struggling with now is where to create this API for the
> >> > client. Should it be a new constructor on ActiveMQConnectionFactory,
> >> > or should I add a new overridden ActiveMQSecureConnectionFactory? Or
> >> > should I just override it in my own code base, and not have this in
> >> > the activemq code at all?
> >>
> >> Just add properties to the SslTransportServer and make sure they have
> >> setters.
> >>
> >
> > And properties to the SslTransport if you want to set those properties
> > on the client connect URL
> >
> >> >
> >> > Thanks,
> >> > Kelly
> >> >
> >> > On 9/11/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> >> > > starting to look into it now. thx for the patch!
> >> > >
> >> > > On 9/5/06, Sepand M <sepandm@gmail.com> wrote:
> >> > > > Hey guys,
> >> > > >
> >> > > > The patch is done.
> >> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> >> > > > Hope you like it.
> >> > > > It would be really great if you could give an estimate of when
> >> > > > you will decide if it goes in or not (although I doubt you can =) ).
> >> > > >
> >> > > > Regards,
> >> > > > Sepand
> >> > > >
> >> > > >
> >> > >
> >> > >
> >> > > --
> >> > > Regards,
> >> > > Hiram
> >> > >
> >> > > Blog: http://hiramchirino.com
> >> > >
> >> >
> >>
> >>
> >> --
> >> Regards,
> >> Hiram
> >>
> >> Blog: http://hiramchirino.com
> >>
> >
> >
>
>
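
An added illustration, not code from this thread, the AMQ-912 patch or ActiveMQ: a javax.net.ssl.SSLSocketFactory wrapper of the kind discussed above, which enables only allow-listed cipher suites and compares the server's DN after the handshake. The class name, constructor parameters and allow-list contents are assumptions made for the example.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.x500.X500Principal;

// Added example; HardenedSslSocketFactory is a hypothetical name, not an ActiveMQ class.
public class HardenedSslSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;   // e.g. from SSLContext.getSocketFactory()
    private final List<String> allowedSuites;  // caller-supplied cipher suite allow-list
    private final X500Principal expectedDn;    // DN the server certificate must carry

    public HardenedSslSocketFactory(SSLSocketFactory delegate, List<String> allowedSuites, String expectedDn) {
        this.delegate = delegate;
        this.allowedSuites = allowedSuites;
        this.expectedDn = new X500Principal(expectedDn);
    }
    private String[] allowed(String[] suites) {
        return Arrays.stream(suites).filter(allowedSuites::contains).toArray(String[]::new);
    }
    // Enable only allow-listed suites, handshake, then compare the peer's subject DN.
    private Socket harden(Socket socket) throws IOException {
        SSLSocket ssl = (SSLSocket) socket;
        try {
            String[] suites = allowed(ssl.getSupportedCipherSuites());
            if (suites.length == 0) throw new IOException("no allow-listed cipher suite is supported");
            ssl.setEnabledCipherSuites(suites);
            ssl.startHandshake(); // chain validation is still done by the delegate's trust configuration
            if (!expectedDn.equals(ssl.getSession().getPeerPrincipal()))
                throw new IOException("server DN is not " + expectedDn.getName());
            return ssl;
        } catch (IOException e) {
            ssl.close(); // fail closed: never hand back a socket that failed a check
            throw e;
        }
    }
    // The no-argument createSocket() is not overridden, so it keeps the base-class behaviour
    // (it throws) instead of returning an unconnected socket that skipped the checks.
    @Override public String[] getDefaultCipherSuites() { return allowed(delegate.getDefaultCipherSuites()); }
    @Override public String[] getSupportedCipherSuites() { return allowed(delegate.getSupportedCipherSuites()); }
    @Override public Socket createSocket(String h, int p) throws IOException { return harden(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException { return harden(delegate.createSocket(a, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return harden(delegate.createSocket(h, p, l, lp)); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress l, int lp) throws IOException { return harden(delegate.createSocket(a, p, l, lp)); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return harden(delegate.createSocket(s, h, p, autoClose)); }
}
```

The DN comparison uses X500Principal equality, so it is a check on top of normal certificate validation, not a replacement for it.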
