[
https://issues.apache.org/jira/browse/QPID-8095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Justin Ross updated QPID-8095:
------------------------------
Fix Version/s: qpid-python-1.38.0
> ssl_skip_hostname_check behaves like having True as default
> -----------------------------------------------------------
>
> Key: QPID-8095
> URL: https://issues.apache.org/jira/browse/QPID-8095
> Project: Qpid
> Issue Type: Bug
> Components: Python Client
> Reporter: Pavel Moravec
> Assignee: Justin Ross
> Priority: Minor
> Labels: easyfix, patch
> Fix For: qpid-python-1.38.0
>
>
> Although python client connection option "ssl_skip_hostname_check" has
> default value False, hostname verification is skipped when one does not
> specify this option. That means, the evaluation logic of this option
> overrides the default to True.
>
> Due to the option name and also the natural request to be more secure by
> default (and rather weaken security only when specifically asked for), I
> suggest to change the evaluation logic to stand with default False. I.e. when
> the option is not specified, SSL hostname check is _not_ skipped / is
> performed.
>
> Proposed patch:
>
>
> {code:java}
> --- /usr/lib/python2.7/site-packages/qpid/messaging/transports.py
> 2018-02-05 08:34:22.008242874 +0100
> +++ /usr/lib/python2.7/site-packages/qpid/messaging/transports.py
> 2018-02-05 09:03:22.232313386 +0100
> @@ -111,7 +111,7 @@ else:
>
> # if user manually set flag to false then require cert
> actual = getattr(conn, "_ssl_skip_hostname_check_actual", None)
> - if actual is not None and conn.ssl_skip_hostname_check is False:
> + if actual is not True:
> validate = CERT_REQUIRED
>
> self.tls = wrap_socket(self.socket, keyfile=conn.ssl_keyfile,
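Review bot: The comment above the changed condition ("if user manually set flag to false then require cert") no longer matches it. With "if actual is not True:" the branch also sets validate = CERT_REQUIRED when the option was never specified (actual is None), which is the point of the fix, so the comment should read something like "require cert unless the user explicitly set the flag to True". The new test reads only _ssl_skip_hostname_check_actual and no longer consults conn.ssl_skip_hostname_check, and it compares by identity with True, so a truthy non-bool value such as 1 counts as "not set". That fails closed, but it should be stated in the option's documentation. Connections that omit the option now get CERT_REQUIRED, which is a behaviour change for existing callers and deserves a release note.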
> {code}
>