[ https://issues.apache.org/jira/browse/PROTON-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17365260#comment-17365260 ]
ASF subversion and git services commented on PROTON-2397:
---------------------------------------------------------
Commit 605bc58009549dff2678961455a7ec86b0acede4 in qpid-proton's branch
refs/heads/main from Clifford Jansen
[ https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=605bc58 ]
PROTON-2397: make client TLS connection verification defaults consistent:
verify peer certificate and name
> Update default client TLS defaults for verifying outbound connections to AMQP
> servers.
> --------------------------------------------------------------------------------------
>
> Key: PROTON-2397
> URL: https://issues.apache.org/jira/browse/PROTON-2397
> Project: Qpid Proton
> Issue Type: Improvement
> Components: cpp-binding, go-binding, proton-c, python-binding, ruby-binding
> Affects Versions: proton-c-0.34.0
> Environment: Proton C and its associated bindings do not have
> consistent default client side TLS configuration. Proton libraries will be
> changed on a per-language/binding basis so that all clients verify the
> server's certificate and identifying name by default, i.e. to use
> PN_SSL_VERIFY_PEER_NAME unless the application takes steps to change the
> desired level of authentication.
> This default behaviour is required for the Proton libraries to be compliant
> with the TLS specification 1.3 (RFC 8446). Such compliance is obviously
> highly desirable now and will become mandatory in the future.
> C++ applications will not be affected (this is the existing default).
> C, Python, Ruby and Go applications that fully configure their client
> connections are also unaffected.
> Python programs that use MESSAGING_CONNECT_FILE (or the connect.json
> equivalent) are unaffected.
> Proton applications that do not make outbound connections are unaffected.
> All other applications may run into stricter verification policies that cause
> previously successful TLS negotiations to now fail. These applications will
> need to either:
> - explicitly downgrade the verification mechanism of outgoing connections
> to the old default (PN_SSL_ANONYMOUS_PEER)
> - update server certificates and/or client trusted root CAs as required to
> work in the full PN_SSL_VERIFY_PEER_NAME verification mode.
> Reporter: Clifford Jansen
> Assignee: Clifford Jansen
> Priority: Major
> Fix For: proton-c-0.35.0
--
This message was sent by Atlassian Jira
(v8.3.4#803005)