Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] RabbitMQ isn't validating security

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] RabbitMQ isn't validating security

Chronological Thread 
  • From: "Hyzer, Chris" <>
  • To: Richard Frovarp <>, " Mailing List" <>
  • Subject: RE: [grouper-users] RabbitMQ isn't validating security
  • Date: Wed, 24 Apr 2019 14:19:05 +0000

Vivek fixed in patch: grouper_v2_4_0_api_patch_42

If you send have grouper connected to rabbitmq, you should apply this patch.


-----Original Message-----
From: <>
On Behalf Of Richard Frovarp
Sent: Tuesday, April 23, 2019 7:55 PM
Subject: [grouper-core] RabbitMQ isn't validating security

So contacting this way out of an abundance of caution for a minor
security issue.

Starts to go down the TLS verification path. It requires all three
elements to be configured. It then goes through and sets up a SSLContext
requiring that high level of trust. But the following:


doesn't use the SSLContext that was created. So I think that the whole
bringing in the keystore and so forth doesn't have an impact. From the
RabbitMQ docs:

        // Tells the library to setup the default Key and Trust
managers for you
        // which do not do any form of remote server trust verification

This has the example for connecting with peer verification, which is
what the Grouper code is implying:

SSLContext c = SSLContext.getInstance("TLSv1.2");
c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

So I think it only works if you pass in the context.

I personally just run with TLS and ignore the peer verification. I'm
connecting our same datacenter, so verification isn't an issue. I just
want to not send anything in the clear over the wire, which is why I am
using TLS.

Also, the first Google search took me here for security issues:

Which has a link to email this list, which is broken. Then I followed
the contact form link, which it looks like that contact form is broken.
It did have this valid email address though.

  • RE: [grouper-users] RabbitMQ isn't validating security, Hyzer, Chris, 04/24/2019

Archive powered by MHonArc 2.6.19.

Top of Page