[ https://issues.apache.org/jira/browse/QPID-4918?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ken Giusti resolved QPID-4918.
------------------------------

    Resolution: Fixed

The fix has been submitted:

http://svn.apache.org/viewvc?view=revision&revision=1460013

The fix includes validation of the common name included in the remote's certificate. This is now turned on by default; turning it off opens the possibility of attack via a valid certificate issued to a non-trusted 3rd party.

A connection option to disable common name checking has been provided. From the patch:

+    @type ssl_skip_hostname_check: bool
+    @param ssl_skip_hostname_check: disable verification of hostname in
+    certificate. Use with caution - disabling hostname checking leaves you
+    vulnerable to Man-in-the-Middle attacks.
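Review bot: the @param text for ssl_skip_hostname_check describes only what disabling does and never states the default, so a caller reading the docstring cannot tell that checking is enabled unless they opt out; add the default (checking on) to the description, e.g. "Defaults to False, i.e. the certificate is checked." It would also help to align the wording with the check actually performed: the resolution comment above describes validation of the certificate's common name, while the docstring says "verification of hostname in certificate"; a phrase such as "verification that the certificate's common name matches the broker hostname" would say exactly what is compared.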
                
> Python client does not enforce SSL certificate validation even if CAs 
> configured
> --------------------------------------------------------------------------------
>
>                 Key: QPID-4918
>                 URL: https://issues.apache.org/jira/browse/QPID-4918
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Client
>    Affects Versions: 0.20
>            Reporter: Ken Giusti
>            Assignee: Ken Giusti
>            Priority: Blocker
>             Fix For: 0.22
>
>
> With SSL, the Python client allows the application to specify the trusted CAs 
> that should be used to validate the remote broker's certificate.
> However, there is a bug in the implementation that does not enforce the 
> validation.  This bug allows the SSL connection to be established even if the 
> remote does not provide a valid certificate.
> This bug is a security risk.  The application has configured a CA to use to 
> validate the remote, but that CA is silently ignored and the remote is 
> allowed to connect without validation.  To the application, it appears as if 
> the remote certificate has been verified and the remote has been authorized, 
> when in fact that hasn't happened.
> A CVE has been created for this issue:  CVE-2013-1909
