[ 
https://issues.apache.org/jira/browse/QPID-8095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Justin Ross updated QPID-8095:
------------------------------
    Fix Version/s: qpid-python-1.38.0

> ssl_skip_hostname_check behaves like having True as default
> -----------------------------------------------------------
>
>                 Key: QPID-8095
>                 URL: https://issues.apache.org/jira/browse/QPID-8095
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Client
>            Reporter: Pavel Moravec
>            Assignee: Justin Ross
>            Priority: Minor
>              Labels: easyfix, patch
>             Fix For: qpid-python-1.38.0
>
>
> Although python client connection option "ssl_skip_hostname_check" has 
> default value False, hostname verification is skipped when one does not 
> specify this option. That means, the evaluation logic of this option 
> overrides the default to True.
>  
> Due to the option name and also the natural request to be more secure by 
> default (and rather weaken security only when specifically asked for), I 
> suggest to change the evaluation logic to stand with default False. I.e. when 
> the option is not specified, SSL hostname check is _not_ skipped / is 
> performed.
>  
> Proposed patch:
>  
>  
> {code:java}
> --- /usr/lib/python2.7/site-packages/qpid/messaging/transports.py    
> 2018-02-05 08:34:22.008242874 +0100
> +++ /usr/lib/python2.7/site-packages/qpid/messaging/transports.py    
> 2018-02-05 09:03:22.232313386 +0100
> @@ -111,7 +111,7 @@ else:
>  
>        # if user manually set flag to false then require cert
>        actual = getattr(conn, "_ssl_skip_hostname_check_actual", None)
> -      if actual is not None and conn.ssl_skip_hostname_check is False:
> +      if actual is not True:
>          validate = CERT_REQUIRED
>  
>        self.tls = wrap_socket(self.socket, keyfile=conn.ssl_keyfile,
> {code}
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to