[QPID-4352] Java client logs key_store_password/trust_store_password from connection url at debug - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 0.14, 0.16, 0.18
Fix Version/s: 0.19
Component/s: JMS AMQP 0-x
Labels:
None

Description

When run in DEBUG, the Qpid client logs the trust store/key store passwords to the log. This could present a security issue.

main 2012-09-29 22:32:54,558 DEBUG [apache.qpid.client.AMQConnection] Connection(1):amqp://guest:********@test/?brokerlist='tcp://localhost:15671?trust_store_password='password'&trust_store='test-profiles/test_resources/ssl/java_client_truststore.jks'&ssl_verify_hostname='true'&ssl='true'&key_store_password='password'&key_store='test-profiles/test_resources/ssl/java_client_keystore.jks''

The code should be changed to mask these passwords in the same fashion as the client's password. This change was made by ~~QPID-1208~~.

Attachments

Activity

People

Assignee:: Keith Wall

Reporter:: Keith Wall

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 29/Sep/12 21:36

Updated:: 14/Mar/17 20:07

Resolved:: 04/Oct/12 11:53