Ken Giusti created QPID-4918:
--------------------------------

             Summary: Python client does not enforce SSL certificate validation 
even if CAs configured
                 Key: QPID-4918
                 URL: https://issues.apache.org/jira/browse/QPID-4918
             Project: Qpid
          Issue Type: Bug
          Components: Python Client
    Affects Versions: 0.20
            Reporter: Ken Giusti
            Assignee: Ken Giusti
            Priority: Blocker
             Fix For: 0.22


With SSL, the Python client allows the application to specify the trusted CAs 
that should be used to validate the remote broker's certificate.

However, there is a bug in the implementation that does not enforce the 
validation.  This bug allows the SSL connection to be established even if the 
remote does not provide a valid certificate.

This bug is a security risk.  The application has configured a CA to use to 
validate the remote, but that CA is silently ignored and the remote is allowed 
to connect without validation.  To the application, it appears as if the remote 
certificate has been verified and the remote has been authorized, when in fact 
that hasn't happened.

A CVE has been created for this issue:  CVE-2013-1909
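The failure mode described above, in Python's own `ssl` module terms: loading a CA bundle does nothing unless the context also *requires* a verified peer certificate. The following is an added illustration, not code from the Qpid client or its fix; the function names and the `ca_configured` flag are constructed for the example. `broken_client_context` models the class of mistake the issue describes (CAs loaded, verification left off, which is what the legacy `ssl.wrap_socket()` default `cert_reqs=CERT_NONE` gave you), `fixed_client_context` is the enforcing form, and `audit_client_context` is a defender-side check that flags the inert-CA condition before a connection is ever made.

```python
import socket
import ssl


def broken_client_context(cafile=None):
    """Constructed model of the bug class: a CA bundle is loaded, but
    verification is switched off, so the CA is never consulted and any
    certificate the remote presents is accepted.  Not Qpid's code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # the legacy ssl.wrap_socket() default
    if cafile:
        # Loaded, but with CERT_NONE this trust store is never used.
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def fixed_client_context(cafile=None):
    """Enforcing form: the peer must present a certificate that chains to
    the configured CAs, and its name must match the host we dialled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()      # fall back to the platform trust store
    return ctx


def verification_enforced(ctx):
    """True only when a chain check *and* a hostname check will happen."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_client_context(ctx, ca_configured):
    """Return a list of findings for a client SSLContext.  `ca_configured`
    says whether the application believes it set up trusted CAs; an empty
    list means the context actually enforces what the application expects."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "peer certificate is not validated (verify_mode != CERT_REQUIRED)")
        if ca_configured:
            findings.append(
                "trusted CAs were configured but are silently ignored")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def connect_and_get_peer_cert(host, port, ctx, timeout=5.0):
    """Dial a TLS endpoint and return the peer certificate as a dict.
    With CERT_REQUIRED an untrusted certificate raises
    ssl.SSLCertVerificationError here; with CERT_NONE the handshake
    succeeds and getpeercert() returns {} (a certificate was seen but
    never validated), which is exactly the 'looks verified but is not'
    situation the issue warns about.  Needs network; not exercised offline."""
    raw = socket.create_connection((host, port), timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("broken", broken_client_context()),
                      ("fixed", fixed_client_context())):
        print(name, "enforced:", verification_enforced(ctx))
        for finding in audit_client_context(ctx, ca_configured=True):
            print("  -", finding)
```

Running the audit against a context built the broken way reports that the CA is inert and the hostname is unchecked; against the fixed context it reports nothing. The `getpeercert()` behaviour noted in `connect_and_get_peer_cert` is the practical tell: an empty dict after a successful handshake means no validation took place, regardless of what CA the application configured.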

