Qpid / QPID-4352

Java client logs key_store_password/trust_store_password from connection url at debug

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.14, 0.16, 0.18
    • Fix Version/s: 0.19
    • Component/s: JMS AMQP 0-x
    • Labels:
      None

      Description

      When run in DEBUG, the Qpid client logs the trust store/key store passwords to the log. This could present a security issue.

      main 2012-09-29 22:32:54,558 DEBUG [apache.qpid.client.AMQConnection] Connection(1):amqp://guest:********@test/?brokerlist='tcp://localhost:15671?trust_store_password='password'&trust_store='test-profiles/test_resources/ssl/java_client_truststore.jks'&ssl_verify_hostname='true'&ssl='true'&key_store_password='password'&key_store='test-profiles/test_resources/ssl/java_client_keystore.jks''
      

      The code should be changed to mask these passwords in the same fashion as the client's password. This change was made by QPID-1208.
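
One way to apply the masking requested above before a connection URL reaches a logger. This is an added example, not the Qpid client's code or the committed fix; the class name `ConnectionUrlMasker`, the method `maskForLogging` and the sample store passwords are assumptions, while the option names come from the log line in this issue.

```java
import java.util.regex.Pattern;

// Hypothetical helper (not part of Qpid): masks key/trust store passwords
// in a connection URL so the result can be written to a DEBUG log.
public class ConnectionUrlMasker {
    private static final String MASK = "********";

    // Option names are the two shown in the log line of this issue. The value
    // is either single-quoted (as in the issue) or a bare token ending at & or '.
    private static final Pattern STORE_PASSWORD = Pattern.compile(
            "\\b(key_store_password|trust_store_password)=(?:'[^']*'|[^&'\\s]*)",
            Pattern.CASE_INSENSITIVE);

    /** Returns a copy of the connection URL that is safe to pass to a logger. */
    public static String maskForLogging(String url) {
        if (url == null) {
            return null;
        }
        // Keep the option name, replace only its value; other options are untouched.
        return STORE_PASSWORD.matcher(url).replaceAll("$1='" + MASK + "'");
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the log line above; store passwords are made up.
        // It covers a quoted value, a bare value, and values nested in brokerlist='...'.
        String url = "amqp://guest:********@test/?brokerlist='tcp://localhost:15671"
                + "?trust_store_password='ts-s3cret'&trust_store='truststore.jks'"
                + "&ssl='true'&key_store_password=ks-s3cret&key_store='keystore.jks''";

        String masked = maskForLogging(url);
        System.out.println(masked);

        // Regression check: no cleartext store password may survive masking.
        if (masked.contains("s3cret")) {
            throw new AssertionError("store password still present in log text");
        }
    }
}
```

The same check is worth keeping as a unit test around any `toString()` or logging path that renders the connection URL, so that a newly added password-bearing option fails the build instead of reaching the log.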

            People

            • Assignee:
              k-wall Keith Wall
              Reporter:
              k-wall Keith Wall