[ 
https://issues.apache.org/jira/browse/PROTON-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Clifford Jansen updated PROTON-2397:
------------------------------------
    Environment:     (was: Proton C and its associated bindings do not have 
consistent default client side TLS configuration.  Proton libraries will be 
changed on a per-language/binding basis so that all clients verify the server's 
certificate and identifying name by default, i.e. to use 
PN_SSL_VERIFY_PEER_NAME unless the application takes steps to change the 
desired level of authentication.

This default behaviour is required for the Proton libraries to be compliant 
with the TLS specification 1.3 (RFC 8446).  Such compliance is obviously highly 
desirable now and will become mandatory in the future.

C++ applications will not be affected (this is the existing default).

C, Python, Ruby and Go applications that fully configure their client 
connections are also unaffected.

Python programs that use MESSAGING_CONNECT_FILE (or the connect.json 
equivalent) are unaffected.

Proton applications that do not make outbound connections are unaffected.

All other applications may run into stricter verification policies that cause 
previously successful TLS negotiations to now fail.  These applications will 
need to either:

  - explicitly downgrade the verification mechanism of outgoing connections to 
the old default (PN_SSL_ANONYMOUS_PEER)

  - update server certificates and/or client trusted root CAs as required to 
work in the full PN_SSL_VERIFY_PEER_NAME verification mode.
)

> Update default client TLS defaults for verifying outbound connections to AMQP 
> servers.
> --------------------------------------------------------------------------------------
>
>                 Key: PROTON-2397
>                 URL: https://issues.apache.org/jira/browse/PROTON-2397
>             Project: Qpid Proton
>          Issue Type: Improvement
>          Components: cpp-binding, go-binding, proton-c, python-binding, 
> ruby-binding
>    Affects Versions: proton-c-0.34.0
>            Reporter: Clifford Jansen
>            Assignee: Clifford Jansen
>            Priority: Major
>             Fix For: proton-c-0.35.0
>
>




--
This message was sent by Atlassian Jira
(v8.3.4#803005)
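
An added example, not part of the original message or of Qpid Proton's own code: a heuristic Python triage script that sorts C client sources by whether they set peer authentication explicitly or rely on the library default that this issue changes. The sample sources and file names are constructed; `pn_ssl_domain`, `pn_ssl_domain_set_peer_authentication` and the `PN_SSL_*` constants are proton-c names, everything else is hypothetical.

```python
import re

# Strings are kept, comments dropped, so "amqps://..." is not mistaken for one.
STRIP = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)
CLIENT_DOMAIN = re.compile(r"\bpn_ssl_domain\s*\(\s*PN_SSL_MODE_CLIENT\s*\)")
SET_AUTH = re.compile(
    r"\bpn_ssl_domain_set_peer_authentication\s*\([^,]+,\s*([^,)\s]+)")
# Weakest mode first: one weak call is enough to flag the file.
MODES = [("PN_SSL_ANONYMOUS_PEER", "anonymous"),
         ("PN_SSL_VERIFY_PEER", "verifies-cert-only"),
         ("PN_SSL_VERIFY_PEER_NAME", "verifies-name")]


def classify(c_source):
    """Heuristic, per-file: does this client set its verification mode?"""
    code = STRIP.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", c_source)
    if not CLIENT_DOMAIN.search(code):
        return "no-client-domain"
    seen = set(SET_AUTH.findall(code))
    if not seen:
        return "relies-on-default"   # behaviour changes with the new default
    for constant, label in MODES:
        if constant in seen:
            return label
    return "mode-not-literal"        # set via a variable: review by hand


# Constructed sample sources (not taken from any real project).
SAMPLES = {
    "legacy.c": 'd = pn_ssl_domain(PN_SSL_MODE_CLIENT);\n'
                'pn_ssl_init(ssl, d, NULL); /* "amqps://broker" */\n',
    "commented.c": 'd = pn_ssl_domain(PN_SSL_MODE_CLIENT);\n'
                   '// pn_ssl_domain_set_peer_authentication('
                   'd, PN_SSL_VERIFY_PEER_NAME, NULL);\n',
    "downgrade.c": 'd = pn_ssl_domain(PN_SSL_MODE_CLIENT);\n'
                   'pn_ssl_domain_set_peer_authentication('
                   'd, PN_SSL_ANONYMOUS_PEER, NULL);\n',
    "strict.c": 'd = pn_ssl_domain(PN_SSL_MODE_CLIENT);\n'
                'pn_ssl_domain_set_trusted_ca_db(d, "ca.pem");\n'
                'pn_ssl_domain_set_peer_authentication('
                'd, PN_SSL_VERIFY_PEER_NAME, NULL);\n',
    "server.c": 'd = pn_ssl_domain(PN_SSL_MODE_SERVER);\n',
}


def audit(sources):
    return {name: classify(text) for name, text in sources.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:14} {verdict}")
```

The check is per file and purely textual: it cannot tell which domain a `set_peer_authentication` call applies to, and it does not see clients that never create an SSL domain themselves.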
