[ https://issues.apache.org/jira/browse/QPID-4918?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ken Giusti resolved QPID-4918.
------------------------------

    Resolution: Fixed

The fix has been submitted: http://svn.apache.org/viewvc?view=revision&revision=1460013

The fix includes validation of the common name included in the remote's certificate. This is now turned on by default - turning it off opens the possibility for attack via a valid certificate issued to a non-trusted 3rd party.

A connection option to disable common name checking has been provided - from the patch:

+ @type ssl_skip_hostname_check: bool
+ @param ssl_skip_hostname_check: disable verification of hostname in
+ certificate. Use with caution - disabling hostname checking leaves you
+ vulnerable to Man-in-the-Middle attacks.

> Python client does not enforce SSL certificate validation even if CAs
> configured
> --------------------------------------------------------------------------------
>
> Key: QPID-4918
> URL: https://issues.apache.org/jira/browse/QPID-4918
> Project: Qpid
> Issue Type: Bug
> Components: Python Client
> Affects Versions: 0.20
> Reporter: Ken Giusti
> Assignee: Ken Giusti
> Priority: Blocker
> Fix For: 0.22
>
>
> With SSL, the Python client allows the application to specify the trusted CAs
> that should be used to validate the remote broker's certificate.
> However, there is a bug in the implementation that does not enforce the
> validation. This bug allows the SSL connection to be established even if the
> remote does not provide a valid certificate.
> This bug is a security risk. The application has configured a CA to use to
> validate the remote, but that CA is silently ignored and the remote is
> allowed to connect without validation. To the application, it appears as if
> the remote certificate has been verified and the remote has been authorized,
> when in fact that hasn't happened.
> A CVE has been created for this issue: CVE-2013-1909

--
This message is automatically generated by JIRA.
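Review bot: the @param text for ssl_skip_hostname_check quoted above says what disabling the option does but not its default; since the resolution comment states that hostname checking is now on by default, add that default (checking enabled, flag off) to the docstring so someone reading the API documentation alone can see the check is enforced unless they explicitly opt out.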
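The two checks this issue is about, CA chain validation (which the bug silently skipped) and hostname matching (which the fix adds), shown in an added example using Python's standard `ssl` module. This is not the Qpid client's code or the patch; only the `ssl_skip_hostname_check` name is taken from the page, and the fallback to the system trust store when no CA file is given is this example's assumption.

```python
import socket
import ssl

# Added example, not Qpid code: a TLS client context that enforces what
# QPID-4918 says the client failed to enforce (CA chain validation), plus
# the hostname check the fix adds. ssl_skip_hostname_check mirrors the
# option from the patch; every other name here is this example's own.


def make_client_context(cafile=None, ssl_skip_hostname_check=False):
    """Build an SSLContext that fails closed on untrusted or mis-named certs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CERT_REQUIRED is the setting the original bug silently did not apply:
    # the CA was configured, yet the handshake succeeded regardless.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Hostname matching is the second half of the fix. Skipping it keeps
    # the chain check but accepts any certificate the CA has issued, i.e.
    # the "valid certificate issued to a non-trusted 3rd party" case.
    ctx.check_hostname = not ssl_skip_hostname_check
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)  # the application's trusted CA(s)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)  # assumption: system store
    return ctx


def context_policy(ctx):
    """Summarise what a context enforces, so a caller can audit it before use."""
    return {
        "requires_trusted_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def connect_and_verify(host, port, cafile=None, ssl_skip_hostname_check=False):
    """Return (ok, detail). Any verification failure yields ok == False."""
    ctx = make_client_context(cafile, ssl_skip_hostname_check)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            # server_hostname is the name the certificate is matched against
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: " + str(exc)
    except (ssl.SSLError, OSError) as exc:
        return False, "connection failed: " + str(exc)
```

Calling `context_policy(make_client_context(ssl_skip_hostname_check=True))` shows the relaxed option still requires a trusted chain, which is the trade-off the resolution comment describes.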