1339881 – [GSS](6.4.z) HornetQ still logs truststore and keystore passwords in plain text.

Bug 1339881 - [GSS](6.4.z) HornetQ still logs truststore and keystore passwords in plain text.

Summary: [GSS](6.4.z) HornetQ still logs truststore and keystore passwords in plain text.

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	HornetQ
Sub Component:
Version:	6.4.7
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	CR1
Target Release:	EAP 6.4.9
Assignee:	Miroslav Sochurek
QA Contact:	Peter Mackay
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	eap649-payload 1325387
TreeView+	depends on / blocked

Reported:	2016-05-26 04:46 UTC by Tyronne Wickramarathne
Modified:	2019-11-14 08:10 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	JBEAP-4852	0	Major	Verified	(7.0.z) ARTEMIS-551 - ActiveMQ logs truststore password in plain text	2017-06-22 02:10:04 UTC

Description Tyronne Wickramarathne 2016-05-26 04:46:13 UTC

Description of problem:

It appears HORNETQ-1281[1] is incomplete. HornetQ still logs truststore and keystore passwords in plain text. 

Version-Release number of selected component (if applicable):
JBoss-EAP-6.4.7
HornetQ-2.3.25_SP8

[1] https://issues.jboss.org/browse/HORNETQ-1281

How reproducible:
Always

Steps to Reproduce:
1. Please configure HornetQ data replication over netty-ssl as instructed in this article : https://access.redhat.com/solutions/761453
2. Please start both server instances and observe the server log

Actual results:


Expected results:


Additional info:

I believe the following code is at fault :
 // HORNETQ-1281 - don't log passwords
            String val;
            if (key.equals(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME) || key.equals(TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD))
            {
               val = "****";
            }
            else


That needs to be corrected as :

if (key.equals(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME) || key.equals(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME))
            {
               val = "****";
            }

Comment 5 Peter Mackay 2016-06-28 08:56:01 UTC

Verified with EAP 6.4.9.CP.CR2.

Comment 7 Petr Penicka 2017-01-17 12:58:51 UTC

Retroactively bulk-closing issues from released EAP 6.4 cummulative patches.

Comment 8 Petr Penicka 2017-01-17 12:58:53 UTC

Retroactively bulk-closing issues from released EAP 6.4 cummulative patches.

Comment 9 Petr Penicka 2017-01-17 13:00:49 UTC

Retroactively bulk-closing issues from released EAP 6.4 cummulative patches.

Note You need to log in before you can comment on or make changes to this bug.