Qpid issue QPID-4013

Windows Broker SSL is more difficult to use than necessary and possibly less secure than possible

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.14, 0.16, 0.17
    • Fix Version/s: 0.17
    • Component/s: C++ Broker
    • Labels: None
    • Environment: Windows

      Description

      The current Windows Broker SSL code always uses the LocalMachine certificate store opened read/write. This has a number of drawbacks:

      • Opening read/write means that the broker has to run as administrator to use the certificates in the store. The broker only reads from the store so this is actually unnecessary.
      • Forcing use of LocalMachine for the certificates means that they are readable by every user on the machine, which might be a security issue, as it would allow any process on the machine to impersonate the qpid broker.

        Activity

        Andrew Stitcher added a comment -

        This change adds a new SSL-related option to qpidd:

        --ssl-cert-store-location

        with possible values CurrentUser, LocalMachine, CurrentService.
        This can be used to set the certificate store location that qpidd uses to find the server certificate it uses.

        Andrew Stitcher added a comment -

        Note that this change represents a small change in default functionality:

        The broker now looks in the CurrentUser certificate store by default. To use the previous default, specify "--ssl-cert-store-location LocalMachine" on the qpidd command line, or set the equivalent option in the configuration file.

        Andrew Stitcher added a comment -

        By default with this change the broker will use the current user's personal certificate store; the default certificate name is the machine name. This means that you can generate an appropriate certificate to test with very simply by using "makecert".

        viz:

        makecert -r -pe -ss "My" -sk <MachineName> -n "CN=<MachineName>"

        [Actually minimally:
        makecert -ss "My" -n "CN=<MachineName>"
        would work too]

        Replace <MachineName> with the name of the machine.

        This will create a new certificate and store it in the user's certificate store.

        Then starting qpidd with no command line parameters should correctly find the certificate and start an SSL listening port.

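As an added check that is not part of this issue or of the Qpid code base, the PowerShell snippet below locates the certificate the broker would select under the behaviour described above (subject CN=<MachineName> in the Personal/"My" store) in both the CurrentUser and LocalMachine locations, reports whether a private key is present, and prints the matching --ssl-cert-store-location value. It assumes PowerShell 3 or later with the Cert: provider; CurrentService stores are not exposed through that provider, so they are not checked here.

```powershell
# Added example (not part of QPID-4013 or the Qpid code base): find the
# certificate qpidd on Windows would use, i.e. subject "CN=<machine name>"
# in the Personal ("My") store of CurrentUser (the new default) or
# LocalMachine (the old default, selected with --ssl-cert-store-location).
# Assumes PowerShell 3+ with the Cert: drive; CurrentService is not checked.
function Find-QpiddServerCert {
    param(
        [string]$MachineName = $env:COMPUTERNAME
    )
    $expectedSubject = "CN=$MachineName"
    $results = foreach ($location in 'CurrentUser', 'LocalMachine') {
        $storePath = "Cert:\$location\My"
        $certs = Get-ChildItem -Path $storePath -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -eq $expectedSubject }
        foreach ($cert in $certs) {
            [pscustomobject]@{
                Location      = $location
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey   # required to complete the TLS handshake
                NotAfter      = $cert.NotAfter
                QpiddOption   = "--ssl-cert-store-location $location"
            }
        }
    }
    return $results
}

$found = Find-QpiddServerCert
if (-not $found) {
    Write-Warning ("No certificate with subject CN=$env:COMPUTERNAME in CurrentUser\My " +
                   "or LocalMachine\My; qpidd will not be able to start its SSL listener.")
} else {
    $found | Format-Table -AutoSize
    $userCopy    = $found | Where-Object Location -eq 'CurrentUser'
    $machineCopy = $found | Where-Object Location -eq 'LocalMachine'
    if (-not $userCopy -and $machineCopy) {
        # Only the old-default location holds the certificate: either keep the
        # old behaviour explicitly or move the certificate to the per-user store.
        Write-Host "Only a LocalMachine copy exists: pass '--ssl-cert-store-location LocalMachine' or import the certificate into CurrentUser\My."
    }
}
```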
        Andrew Stitcher added a comment -

        It would be better to always open the certificate store read-only.

        The default certificate store should be the usual default, CurrentUser, which wouldn't be visible to other users on the machine.

        However, I suggest that the certificate store used should be configurable for flexibility and backwards compatibility. It would also make sense to allow CurrentService as an option as running qpidd as a service is now possible.


          People

          • Assignee: Andrew Stitcher
          • Reporter: Andrew Stitcher