activemq-dev mailing list archives

From "Sepand M" <sepa...@gmail.com>
Subject Re: SSL authentication/authorization patch
Date Sat, 23 Sep 2006 00:51:20 GMT
Sorry. Using Thunderbird, didn't see Hiram's reply =)

On 9/22/06, Sepand M <sepandm@gmail.com> wrote:
>
> Some of the more experienced people can correct me on this, but I think
> you can set socket options using "socket._option_" arguments in the URI
> (e.g. "ssl://localhost:61616?socket.my_option=true"). I'm not sure if
> this would give all the flexibility you need, but it's a start. If that
> doesn't work, for SSL specific stuff, I added a
> SslActiveMQConnectionFactory (or a similar name).
>
> Any good?
> Sepand
>
> Kelly Campbell wrote:
> > Thanks Sepand. I did review those instructions earlier.
> >
> > What about the other requirements to be able to set specific options
> > on the socket, e.g. not allowing weak ciphers? I think having the
> > config in the URL is good, but not sufficient in this case. I'd like
> > to propose adding a SocketFactory parameter to a new constructor on
> > the ActiveMQConnectionFactory (actually the code for this is almost
> > complete). This would be useful for not only SSL connections, but
> > other tcp connections if the user wants to customize some of the
> > socket options.
> >
> > Thanks,
> > Kelly
> >
> > On 9/21/06, Sepand M <sepandm@gmail.com> wrote:
> >> Yeah, we realized this was needed, but I didn't have time (my work term
> >> at the company was ending).
> >> I've left instructions for people taking over this project on how to do
> >> this (it just takes one setter and a well placed call from that setter).
> >> I'm not sure when it will be done though.
> >>
> >> - Sepand
> >>
> >> Hiram Chirino wrote:
> >> > On 9/21/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> >> >> On 9/21/06, Kelly Campbell <kelly.a.campbell@gmail.com> wrote:
> >> >> > Thanks for getting this submitted Sepand, and thanks for patching
> >> >> > it in Hiram.
> >> >> >
> >> >> > I'm looking at how best to configure the keystore settings more
> >> >> > dynamically without using the default system properties or anything in
> >> >> > the URL. It looks like I'd need to be able to pass in a
> >> >> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to be able
> >> >> > to pass these in so I can provide an implementation that does some
> >> >> > extra security checks, e.g. checking that the server's DN is what we
> >> >> > expect, turning off weak ciphers.
> >> >> >
> >> >>
> >> >> It would be nice if they were properties on the ssl transport server
> >> >> so that you can configure them using the URI... like:
> >> >>
> >> >> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
> >> >>
> >> >> > The part I'm struggling with now is where to create this API for the
> >> >> > client. Should it be a new constructor on ActiveMQConnectionFactory,
> >> >> > or should I add a new overridden ActiveMQSecureConnectionFactory? Or
> >> >> > should I just override it in my own code base, and not have this in
> >> >> > the activemq code at all?
> >> >>
> >> >> Just add properties to the SslTransportServer and make sure they have
> >> >> setters.
> >> >>
> >> >
> >> > And properties to the SslTransport if you want to set those properties
> >> > on the client connect URL
> >> >
> >> >> >
> >> >> > Thanks,
> >> >> > Kelly
> >> >> >
> >> >> > On 9/11/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> >> >> > > starting to look into it now. thx for the patch!
> >> >> > >
> >> >> > > On 9/5/06, Sepand M <sepandm@gmail.com> wrote:
> >> >> > > > Hey guys,
> >> >> > > >
> >> >> > > > The patch is done.
> >> >> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> >> >> > > > Hope you like it.
> >> >> > > > It would be really great if you could give an estimate of when
> >> >> > > > you will decide if it goes in or not (although I doubt you can =) ).
> >> >> > > >
> >> >> > > > Regards,
> >> >> > > > Sepand
> >> >> > > >
> >> >> > > >
> >> >> > >
> >> >> > >
> >> >> > > --
> >> >> > > Regards,
> >> >> > > Hiram
> >> >> > >
> >> >> > > Blog: http://hiramchirino.com
> >> >> > >
> >> >> >
> >> >>
> >> >>
> >> >> --
> >> >> Regards,
> >> >> Hiram
> >> >>
> >> >> Blog: http://hiramchirino.com
> >> >>
> >> >
> >> >
> >>
> >>
> >
>
>
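
The two checks requested in the quoted thread (turning off weak ciphers and confirming the server's DN), sketched as an added Java example that is not part of the thread, the AMQ-912 patch or the ActiveMQ code base. The class name `HardenedSslSocket`, its methods, the list of weak-suite name fragments and the sample DNs are assumptions chosen for illustration; the DN check runs in addition to the trust manager's normal chain validation, not instead of it.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.security.auth.x500.X500Principal;

// Added example: hypothetical helper, not ActiveMQ code.
public class HardenedSslSocket {
    // Name fragments of suites to refuse: anonymous, NULL, export, RC4, DES/3DES, MD5.
    static final String[] WEAK = {"_anon_", "_NULL_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5"};

    static String[] strongSuites(String[] candidates) {
        List<String> keep = new ArrayList<>();
        for (String s : candidates) {
            boolean weak = false;
            for (String w : WEAK) weak |= s.contains(w);
            if (!weak) keep.add(s);
        }
        return keep.toArray(new String[0]);
    }

    // Compare parsed RDN sequences rather than raw strings, so spacing and case do not matter.
    static boolean sameDn(String a, String b) throws InvalidNameException {
        return new LdapName(a).equals(new LdapName(b));
    }

    // Narrow the enabled suites, handshake, then require the expected server subject DN.
    static void harden(SSLSocket socket, String expectedDn) throws IOException, InvalidNameException {
        socket.setEnabledCipherSuites(strongSuites(socket.getEnabledCipherSuites()));
        socket.startHandshake(); // the trust manager validates the certificate chain here
        X509Certificate cert = (X509Certificate) socket.getSession().getPeerCertificates()[0];
        String actual = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        if (!sameDn(actual, expectedDn)) {
            socket.close();
            throw new SSLPeerUnverifiedException("unexpected server DN: " + actual);
        }
    }

    public static void main(String[] args) throws Exception {
        String[] all = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        System.out.println(strongSuites(all).length + " of " + all.length + " suites kept");
        System.out.println(sameDn("CN=broker.example.test, O=Example", "cn=broker.example.test,o=Example"));
    }
}
```

`main` runs offline against the JVM's default cipher list and two constructed DNs; `harden` is meant to be called on a connected `SSLSocket` before any application data is sent.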
