activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sepand M" <sepa...@gmail.com>
Subject Re: SSL authentication/authorization patch
Date Mon, 25 Sep 2006 21:56:38 GMT
The keystore problem has been addressed (the patch we talked about before
should fix it, right?)
Checking the DN should be possible through the
JaasCertificationAuthenticationModule (I'm not too sure about the name, I
haven't looked at the code in a while); the entire client certificate chain
is passed in so you should have all the data you need.
the setEnabledCipherSuites is not currently possible without the heavy
modifications you mentioned (do you agree Hiram?). I think the best method
for doing this would be to create a reflection-based createTransport call
(just like the ones there, but with support for custom objects). That would
take a lot of work too, but it would also be more useful and compatible with
the current architecture.

On 9/25/06, Kelly Campbell <kelly.a.campbell@gmail.com> wrote:
>
> Ok, that works for relatively basic options, but what about the more
> complex stuff I need to do? Specifically turning off weak ciphers on
> the connection (via socket.setEnabledCipherSuites), and verifying the
> server's DN. Also, I need to use different settings for setting up the
> keystore and truststore (e.g. if one is in pkcs12 format and the other
> is in jks format). Someone else on the user's mailing list asked a
> similar question about customizing the ssl keystore.
>
> If I add a SocketFactory param in the createTransport calls, it
> requires lots of changes to support it across all the different
> composite transports and such. Is there perhaps something similar to
> the options that can have objects associated with a key for params to
> the transports that will get passed along to all the sub transports so
> the SSL one will get it?
>
> Thanks,
> Kelly
>
> On 9/22/06, Sepand M <sepandm@gmail.com> wrote:
> > Some of the more experienced people can correct me on this, but I think
> > you can set socket options using "socket._option_" arguments in the URI
> > (e.g. "ssl://localhost:61616?socket.my_option=true"). I'm not sure if
> > this would give all the flexibility you need, but it's a start. If that
> > doesn't work, for SSL specific stuff, I added a
> > SslActiveMQConnectionFactory (or a similar name).
> >
> > Any good?
> > Sepand
> >
> > Kelly Campbell wrote:
> > > Thanks Sepand. I did review those instructions earlier.
> > >
> > > What about the other requirements to be able to set specific options
> > > on the socket, e.g. not allowing weak ciphers? I think having the
> > > config in the URL is good, but not sufficient in this case. I'd like
> > > to propose adding a SocketFactory parameter to a new constructor on
> > > the ActiveMQConnectionFactory (actually the code for this is almost
> > > complete). This would be useful for not only SSL connections, but
> > > other tcp connections if the user wants to customize some of the
> > > socket options.
> > >
> > > Thanks,
> > > Kelly
> > >
> > > On 9/21/06, Sepand M <sepandm@gmail.com> wrote:
> > >> Yeah, we realized this was needed, but I didn't have time (my work
> term
> > >> at the company was ending).
> > >> I've left instructions for people taking over this project on how to
> do
> > >> this (it just takes one setter and a well placed call from that
> setter).
> > >> I'm not sure when it will be done though.
> > >>
> > >> - Sepand
> > >>
> > >> Hiram Chirino wrote:
> > >> > On 9/21/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> > >> >> On 9/21/06, Kelly Campbell <kelly.a.campbell@gmail.com>
wrote:
> > >> >> > Thanks for getting this submitted Sepand, and thanks for
> patching
> > >> >> it in Hiram.
> > >> >> >
> > >> >> > I'm looking at how best to configure the keystore settings
more
> > >> >> > dynamically without using the default system properties or
> > >> anything in
> > >> >> > the URL. It looks like I'd need to be able to pass in a
> > >> >> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like
to
> > >> be able
> > >> >> > to pass these in so I can provide an implementation that
does
> some
> > >> >> > extra security checks, e.g. checking that the server's DN
is
> > >> what we
> > >> >> > expect, turning off weak ciphers.
> > >> >> >
> > >> >>
> > >> >> It would be nice if they were properties on the ssl transport
> server
> > >> >> so that you can configure them using the URI... like:
> > >> >>
> > >> >> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
> > >> >>
> > >> >> > The part I'm struggling with now is where to create this
API for
> > >> the
> > >> >> > client. Should it be a new constructor on
> > >> ActiveMQConnectionFactory,
> > >> >> > or should I add a new overridden
> > >> ActiveMQSecureConnectionFactory? Or
> > >> >> > should I just override it in my own code base, and not have
this
> in
> > >> >> > the activemq code at all?
> > >> >>
> > >> >> Just add properties to the SslTransportServer and make sure they
> have
> > >> >> setters.
> > >> >>
> > >> >
> > >> > And properties to the SslTransport if you want to set those
> properties
> > >> > on the client connect URL
> > >> >
> > >> >> >
> > >> >> > Thanks,
> > >> >> > Kelly
> > >> >> >
> > >> >> > On 9/11/06, Hiram Chirino <hiram@hiramchirino.com>
wrote:
> > >> >> > > starting to look into it now. thx for the patch!
> > >> >> > >
> > >> >> > > On 9/5/06, Sepand M <sepandm@gmail.com> wrote:
> > >> >> > > > Hey guys,
> > >> >> > > >
> > >> >> > > > The patch is done.
> > >> >> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> > >> >> > > > Hope you like it.
> > >> >> > > > It would be really great if you could give an estimate
of
> when
> > >> >> you will
> > >> >> > > > decide if it goes in or not (although I doubt you
can =) ).
> > >> >> > > >
> > >> >> > > > Regards,
> > >> >> > > > Sepand
> > >> >> > > >
> > >> >> > > >
> > >> >> > >
> > >> >> > >
> > >> >> > > --
> > >> >> > > Regards,
> > >> >> > > Hiram
> > >> >> > >
> > >> >> > > Blog: http://hiramchirino.com
> > >> >> > >
> > >> >> >
> > >> >>
> > >> >>
> > >> >> --
> > >> >> Regards,
> > >> >> Hiram
> > >> >>
> > >> >> Blog: http://hiramchirino.com
> > >> >>
> > >> >
> > >> >
> > >>
> > >>
> > >
> >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message