Description of problem:
It appears HORNETQ-1281[1] is incomplete. HornetQ still logs truststore and keystore passwords in plain text.

Version-Release number of selected component (if applicable):
JBoss-EAP-6.4.7
HornetQ-2.3.25_SP8

[1] https://issues.jboss.org/browse/HORNETQ-1281

How reproducible:
Always

Steps to Reproduce:
1. Please configure HornetQ data replication over netty-ssl as instructed in this article: https://access.redhat.com/solutions/761453
2. Please start both server instances and observe the server log

Actual results:

Expected results:

Additional info:
I believe the following code is at fault:

    // HORNETQ-1281 - don't log passwords
    String val;
    if (key.equals(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME) || key.equals(TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD))
    {
       val = "****";
    }
    else

That needs to be corrected as:

    if (key.equals(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME) || key.equals(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME))
    {
       val = "****";
    }
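The difference between the two checks quoted in the description, as an added example that is not HornetQ's code or part of the original report: the reported check compares the key against a default password value, so the trust store property name never matches and its value reaches the log. The class name, the constant values and the sample parameters are assumptions made up for this illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

public class MaskTransportParams {
    // Stand-in constants for this example; the values are assumptions,
    // not copied from HornetQ's TransportConstants.
    static final String KEYSTORE_PASSWORD_PROP_NAME = "key-store-password";
    static final String TRUSTSTORE_PASSWORD_PROP_NAME = "trust-store-password";
    static final String DEFAULT_TRUSTSTORE_PASSWORD = "default-secret";

    // Check as quoted in the report: the second operand is a default *value*,
    // so the trust store property name is never recognised as a secret.
    static boolean isSecretAsReported(String key) {
        return key.equals(KEYSTORE_PASSWORD_PROP_NAME)
            || key.equals(DEFAULT_TRUSTSTORE_PASSWORD);
    }

    // Check as proposed in the report: both operands are property names.
    static boolean isSecretAsProposed(String key) {
        return key.equals(KEYSTORE_PASSWORD_PROP_NAME)
            || key.equals(TRUSTSTORE_PASSWORD_PROP_NAME);
    }

    // Render a parameter map for logging, masking keys the predicate flags.
    static String render(Map<String, Object> params, Predicate<String> secret) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Object> e : params.entrySet()) {
            String val = secret.test(e.getKey()) ? "****" : String.valueOf(e.getValue());
            if (sb.length() > 0) sb.append('&');
            sb.append(e.getKey()).append('=').append(val);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample configuration, not taken from a real server.
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("ssl-enabled", "true");
        params.put(KEYSTORE_PASSWORD_PROP_NAME, "ks-secret");
        params.put(TRUSTSTORE_PASSWORD_PROP_NAME, "ts-secret");

        System.out.println("reported check: " + render(params, MaskTransportParams::isSecretAsReported));
        String after = render(params, MaskTransportParams::isSecretAsProposed);
        System.out.println("proposed check: " + after);
        // Regression check: no configured secret may survive rendering.
        if (after.contains("ks-secret") || after.contains("ts-secret"))
            throw new AssertionError("password leaked into log line");
    }
}
```

A check of this kind in a unit test, asserting that no configured secret value appears in the rendered string, catches a wrong constant even when the code compiles cleanly.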
Verified with EAP 6.4.9.CP.CR2.
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.