[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL

Wed, 22 Jun 2016 11:59:31 -0700 

    [ 
https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15344979#comment-15344979
 ] 

ASF GitHub Bot commented on DISPATCH-401:
-----------------------------------------

Github user alanconway commented on a diff in the pull request:

    https://github.com/apache/qpid-dispatch/pull/83#discussion_r68114202
  
    --- Diff: python/qpid_dispatch_internal/tools/command.py ---
    @@ -83,6 +83,11 @@ def connection_options(options, title="Connection 
Options"):
                          help="Trusted Certificate Authority Database file 
(PEM Format)")
         group.add_option("--ssl-password", action="store", type="string", 
metavar="PASSWORD",
                          help="Certificate password, will be prompted if not 
specifed.")
    +    group.add_option("--no-verify-host-name", action="store_true", 
default=False,
    --- End diff --
    
    I'd suggest: --verify-peer-name type=bool, default=true. Bool options with 
negative names are confusing and "host" is a bit vague - peer is more clearly 
the _other_ host. Also the help text is very long, maybe "Verify the peer host 
name matches the certificate. Default true, setting to false is insecure ."


> qdstat and qdmanage client tools do not verify host name when using SSL
> -----------------------------------------------------------------------
>
>                 Key: DISPATCH-401
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-401
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Container
>    Affects Versions: 0.6.0
>            Reporter: Ganesh Murthy
>            Assignee: Ganesh Murthy
>
> qdstat and qdmanage tools do not ensure that when initiating an SSL 
> connection the host name in the URL to which qdstat and qdmanage connect to 
> matches the host name in the digital certificate that the peer sends back as 
> part of the SSL connection.
> Enable host name verification by default on qdstat and qdmanage. Add a 
> command line option called --no-verify-host-name which allows the host name 
> to not match. Add a warning to this command line option saying that it is 
> insecure and should not be used in production environments.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to