[jira] [Updated] (PROTON-2434) Container.connect doesn't set virtual_host by default, making peer verification harder than it should be

Mon, 01 Nov 2021 03:13:06 -0700 


     [ 
https://issues.apache.org/jira/browse/PROTON-2434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Justin Ross updated PROTON-2434:
--------------------------------
    Labels: tls  (was: )

> Container.connect doesn't set virtual_host by default, making peer 
> verification harder than it should be
> --------------------------------------------------------------------------------------------------------
>
>                 Key: PROTON-2434
>                 URL: https://issues.apache.org/jira/browse/PROTON-2434
>             Project: Qpid Proton
>          Issue Type: Bug
>    Affects Versions: proton-c-0.35.0
>            Reporter: Evgeni Golov
>            Priority: Major
>              Labels: tls
>
> In 0.35 proton-c started to default to PN_SSL_VERIFY_PEER_NAME in client 
> mode, which is good. However, it seems that it does not (by default) extract 
> the peer name from the URL, so a connection can not be established, even if 
> the certs and everything matches, as there is no name to verify against.
> Looking at the Ruby examples 
> ([https://qpid.apache.org/releases/qpid-proton-0.35.0/proton/ruby/examples/ssl_send.rb.html),]
>  you suggest to roll back the default VERIFY_PEER_NAME to ANONYMOUS_PEER:
> {code:ruby}
>     ssl_domain = 
> Qpid::Proton::SSLDomain.new(Qpid::Proton::SSLDomain::MODE_CLIENT)
>     ssl_domain.peer_authentication(Qpid::Proton::SSLDomain::ANONYMOUS_PEER)
>     c = container.connect(@url, { :ssl_domain => ssl_domain })
> {code}
> And indeed, dropping the ANONYMOUS_PEER fails the connection attempt.
> Instead, we can explicitly set the virtual_host of the connection, thus 
> allowing the PEER_NAME verification to succeed:
> {code:ruby}
>     ssl_domain = 
> Qpid::Proton::SSLDomain.new(Qpid::Proton::SSLDomain::MODE_CLIENT)
>     c = container.connect(@url, { :ssl_domain => ssl_domain, :virtual_host => 
> URI.parse(@url).host })
> {code}
> However, I think this is cumbersome and makes users lifes harder than they 
> should be.
> If container.connect would automatically set the virtual_host to the host 
> part of the URL (unless it was defined by the user), SSL verification would 
> just work.
> FWIW, I only tested this all with the Ruby bindings on Ruby 2.7, OpenSSL 
> 1.0.2k-21.el7_9.x86_64 (CentOS 7), so this might behave differently on other 
> environments.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to