[ 
https://issues.apache.org/jira/browse/PROTON-1962?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robbie Gemmell resolved PROTON-1962.
------------------------------------
    Resolution: Fixed

> [CVE-2018-17187] transport TLS wrapper hostname verification mode not implemented
> ---------------------------------------------------------------------------------
>
>                 Key: PROTON-1962
>                 URL: https://issues.apache.org/jira/browse/PROTON-1962
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-j
>    Affects Versions: 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.9.1, 0.10, 0.11.0, 
> 0.11.1, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.16.0, 
> proton-j-0.17.0, proton-j-0.18.0, proton-j-0.19.0, proton-j-0.20.0, 
> proton-j-0.21.0, proton-j-0.22.0, proton-j-0.23.0, proton-j-0.24.0, 
> proton-j-0.25.0, proton-j-0.26.0, proton-j-0.27.0, proton-j-0.27.1, 
> proton-j-0.27.2, proton-j-0.28.0, proton-j-0.27.3, proton-j-0.28.1, 
> proton-j-0.29.0
>            Reporter: Robbie Gemmell
>            Assignee: Robbie Gemmell
>            Priority: Major
>             Fix For: proton-j-0.30.0
>
>
> [CVE-2018-17187] transport TLS wrapper hostname verification mode not implemented
> Affects version: 0.3 to 0.29.0
> Fix Version: 0.30.0
> Description:
>
> The Transport includes an optional wrapper layer to perform TLS,
> enabled by use of the 'transport.ssl(...)' methods. Unless a verification
> mode was explicitly configured, client and server modes previously defaulted,
> as documented, to not verifying a peer certificate, with options to
> configure this explicitly or select a certificate verification mode with or
> without hostname verification being performed.
>
> The latter hostname verifying mode was not previously implemented, with
> attempts to use it resulting in an exception. This left only the option to
> verify the certificate is trusted, leaving such a client vulnerable to a
> Man In The Middle (MITM) attack.
>
> The change made here implements the VerifyMode#VERIFY_PEER_NAME config
> option, and makes it the default for client mode usage not configured
> otherwise.
>
> Uses of the Proton-J protocol engine which do not utilise the optional
> transport TLS wrapper are not impacted, e.g. usage within Qpid JMS.
>
> See also https://qpid.apache.org/cves/CVE-2018-17187.html



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
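An added example, not code from the issue or from the Proton-J project, showing the two client verification modes the description contrasts: certificate-only VERIFY_PEER (the only verifying mode that worked before 0.30.0) and VERIFY_PEER_NAME, which additionally matches the certificate against the hostname supplied via SslPeerDetails. It uses the Proton-J SslDomain/SslPeerDetails API as I know it; the CA bundle path and broker hostname are placeholders.

```java
import org.apache.qpid.proton.Proton;
import org.apache.qpid.proton.engine.SslDomain;
import org.apache.qpid.proton.engine.SslPeerDetails;
import org.apache.qpid.proton.engine.Transport;

public final class ProtonClientTls {

    // Builds a client-side SslDomain trusting the CA bundle at caDb and
    // applying the requested peer verification mode.
    static SslDomain clientDomain(String caDb, SslDomain.VerifyMode mode) {
        SslDomain domain = Proton.sslDomain();
        domain.init(SslDomain.Mode.CLIENT);
        domain.setTrustedCaDb(caDb);
        domain.setPeerAuthentication(mode);
        return domain;
    }

    // Weak: VERIFY_PEER only checks that the peer certificate chains to a
    // trusted CA. Its subject/SAN is never compared with the host we meant
    // to reach, so a valid certificate for any other host issued by that CA
    // is accepted, which is the MITM exposure described in the issue.
    static Transport certOnly(String caDb) {
        Transport transport = Proton.transport();
        transport.ssl(clientDomain(caDb, SslDomain.VerifyMode.VERIFY_PEER));
        return transport;
    }

    // Fixed: VERIFY_PEER_NAME additionally requires the certificate to match
    // the hostname in SslPeerDetails. It is the client default from 0.30.0;
    // setting it explicitly keeps the intent visible in code review.
    static Transport certAndHostname(String caDb, String host, int port) {
        Transport transport = Proton.transport();
        SslDomain domain = clientDomain(caDb, SslDomain.VerifyMode.VERIFY_PEER_NAME);
        SslPeerDetails peer = Proton.sslPeerDetails(host, port);
        transport.ssl(domain, peer);
        return transport;
    }

    public static void main(String[] args) {
        // Placeholder values; substitute the real CA bundle and broker.
        String caDb = "/etc/ssl/ca-bundle.pem";
        SslDomain strict = clientDomain(caDb, SslDomain.VerifyMode.VERIFY_PEER_NAME);
        System.out.println("client peer auth mode: " + strict.getPeerAuthentication());
        Transport t = certAndHostname(caDb, "broker.example.com", 5671);
        System.out.println("transport configured, TLS wrapper active: " + (t.ssl(strict) != null));
    }
}
```

A quick audit check for affected deployments: any client that calls transport.ssl(...) with VERIFY_PEER, or with no mode set on a pre-0.30.0 engine, accepts a certificate issued for a different host and should be moved to VERIFY_PEER_NAME with a correct SslPeerDetails hostname.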
