grouper-users - RE: [grouper-users] RabbitMQ isn't validating security

Subject: Grouper Users - Open Discussion List

  • From: "Hyzer, Chris" <>
  • To: Richard Frovarp <>, " Mailing List" <>
  • Subject: RE: [grouper-users] RabbitMQ isn't validating security
  • Date: Wed, 24 Apr 2019 14:19:05 +0000

Vivek fixed in patch: grouper_v2_4_0_api_patch_42

If you have grouper connected to rabbitmq, you should apply this patch.

Thanks
Chris

-----Original Message-----
From: <>
On Behalf Of Richard Frovarp
Sent: Tuesday, April 23, 2019 7:55 PM
To:
Subject: [grouper-core] RabbitMQ isn't validating security

So contacting this way out of an abundance of caution for a minor
security issue.

https://github.com/Internet2/grouper/blob/f84ac3df3d254bacba51fb69ee4a8fcb2a439cb5/grouper-misc/grouper-messaging-rabbitmq/src/main/java/edu/internet2/middleware/grouperMessagingRabbitmq/RabbitMQConnectionFactoryImpl.java#L82

Starts to go down the TLS verification path. It requires all three
elements to be configured. It then goes through and sets up a SSLContext
requiring that high level of trust. But the following:

factory.useSslProtocol()

doesn't use the SSLContext that was created. So I think that the whole
bringing in the keystore and so forth doesn't have an impact. From the
RabbitMQ docs:

https://www.rabbitmq.com/ssl.html#java-client-connecting

factory.useSslProtocol();
        // Tells the library to setup the default Key and Trust managers for you
        // which do not do any form of remote server trust verification

This has the example for connecting with peer verification, which is
what the Grouper code is implying:

https://www.rabbitmq.com/ssl.html#java-client-connecting-with-peer-verification

SSLContext c = SSLContext.getInstance("TLSv1.2");
c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
factory.useSslProtocol(c);

So I think it only works if you pass in the context.

I personally just run with TLS and ignore the peer verification. I'm
connecting within our same datacenter, so verification isn't an issue. I just
want to not send anything in the clear over the wire, which is why I am
using TLS.

Also, the first Google search took me here for security issues:

https://spaces.at.internet2.edu/display/Grouper/Grouper+Security+Issues

Which has a link to email this list, which is broken. Then I followed
the contact form link, which it looks like that contact form is broken.
It did have this valid email address though.
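
The peer-verified setup discussed in this thread, written out in full as an added example; it is not the Grouper patch or code from either poster. The class name, host, file names and password are constructed placeholders, and the hostname-verification call goes one step beyond the three lines quoted from the RabbitMQ docs.

```java
import com.rabbitmq.client.ConnectionFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class VerifiedRabbitFactory {
    // Load a keystore of the given type ("PKCS12" or "JKS") from disk.
    static KeyStore load(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, pass);
        }
        return ks;
    }

    // Factory whose TLS handshake checks the broker certificate against
    // trustStore and presents the client certificate held in keyStore.
    static ConnectionFactory build(String host, KeyStore keyStore, char[] keyPass,
                                   KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(host);
        factory.setPort(5671); // AMQP over TLS
        // Pass the context in. The no-argument useSslProtocol() never sees it
        // and installs managers that do no server trust verification.
        factory.useSslProtocol(ctx);
        factory.enableHostnameVerification(); // amqp-client 4.8+ / 5.4+
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder host, paths and password, not Grouper values.
        char[] pw = "changeit".toCharArray();
        ConnectionFactory f = build("broker.example.org",
            load("PKCS12", "client.p12", pw), pw, load("JKS", "truststore.jks", pw));
        f.newConnection().close(); // fails the handshake if the broker cert is untrusted
    }
}
```

A quick check that verification is really active: point the trust store at a CA that did not issue the broker certificate and confirm `newConnection()` throws an `SSLHandshakeException` instead of connecting.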

