dhireng
Posted: Thu Nov 24, 2011 10:56 am Post subject: Ignore SSL certificate exception
Apprentice
Joined: 13 Jun 2011 Posts: 45
I'm sure this has been asked before... Sorry if someone's already responded...
Is it possible to set the broker to ignore SSLHandshakeException?

bielesibub
Posted: Fri Nov 25, 2011 3:41 am
Apprentice
Joined: 02 Jul 2008 Posts: 40 Location: Hampshire, UK
Hi dhireng,
This might seem like an odd response, why would you want to ignore SSL handshake exceptions?
Bielesibub

mqjeff
Posted: Fri Nov 25, 2011 7:30 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
You can configure the Broker to not log any BIP codes you wish to prevent it from logging.
That is not the same thing as 'ignore'.

dhireng
Posted: Fri Nov 25, 2011 8:47 am
Apprentice
Joined: 13 Jun 2011 Posts: 45
@bielesibub: We have partners who implement HTTPS with SSL with a self-signed certificate. They don't inform us when they change the certs. The hostnames in the certificates don't match the server FQDN, and all of this leads to failures. I come from a strong Java / WebSphere TX background. In Java we just write our own SSL certificate validation implementation or it just ignores the cert returned. In TX you just don't provide the CA certificate name and it ignores it.
I'm trying to find the equivalent in broker.

bielesibub
Posted: Fri Nov 25, 2011 9:45 am
Apprentice
Joined: 02 Jul 2008 Posts: 40 Location: Hampshire, UK
Hi dhireng,
If you choose to ignore the certificates returned from the partner how can you be sure of who you are really talking to?
Bielesibub

lancelotlinc
Posted: Mon Nov 28, 2011 5:42 am
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
No, you cannot ignore exceptions. If your partner is this atrocious in implementing SSL, then suggest to them they abandon SSL. No point in using SSL if you will not follow the rules.
Updating certs is easy in WMB. If you don't know how, then take the WM643 class which will explain to you how to update an SSL cert in the WMB truststore.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER

Vitor
Posted: Mon Nov 28, 2011 5:48 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
bielesibub wrote:
"If you choose to ignore the certificates returned from the partner how can you be sure of who you are really talking to?"
It's like a bank giving someone money from your account even though the signature was different from yours "because they were certain it was you".
Do your security / audit people know you're doing this? If they know you're using SSL but don't know you're ignoring exceptions they may have a false sense of security (and in some situations you could face legal issues).
You might also want to be sure they know your business partners are "authenticating" with self-signed certificates. My cat can forge those. Why not generate certificates yourself (i.e. have yourselves as a CA rather than a commercial charging operation) and give your partners certificates signed by that?
_________________
Honesty is the best policy.
Insanity is the best defence.

smdavies99
Posted: Mon Nov 28, 2011 6:59 am
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
Vitor is spot on.
I could go on at length about Identity Theft (it happened to me nearly 40 years ago) but ignoring credential errors is akin to leaving your credit card in plain sight with your PIN number written on the back.
Nooooooo Don't do it even if implementing proper SSL is a right PITA.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
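
Vitor's suggestion of acting as your own CA for the partners, sketched with the openssl command line as an added example that is not part of any post in this thread: only the CA certificate is trusted, so a certificate the partner renews unannounced still verifies, while a self-signed certificate with the same name, or a certificate checked against the wrong hostname, is rejected. The CA name, hostnames and file names are constructed, and the keys are throwaway ones in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example: constructed names, throwaway keys in a temp directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The private CA; only ca.pem would be imported into the truststore.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Integration CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_cert <name> <hostname>: partner key and CSR, signed by the CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 30 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
}

# self_signed <name> <hostname>: a certificate anyone can produce.
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# check_cert <name> <hostname>: verify chain to the CA and the hostname.
check_cert() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" \
       "$WORK/$1.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

make_ca
issue_cert partner partner.example.test
issue_cert renewed partner.example.test  # partner rotates unannounced
self_signed forged partner.example.test  # same name, not CA-signed

echo "original cert:         $(check_cert partner partner.example.test)"
echo "renewed cert:          $(check_cert renewed partner.example.test)"
echo "self-signed lookalike: $(check_cert forged partner.example.test)"
echo "wrong hostname:        $(check_cert partner other.example.test)"
```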