[ https://issues.apache.org/jira/browse/PROTON-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17368310#comment-17368310 ]
ASF subversion and git services commented on PROTON-2397:
---------------------------------------------------------
Commit 1151c36ee65a43d380f12eeebead2d2fe73b76d7 in qpid-proton's branch
refs/heads/main from Clifford Jansen
[ https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=1151c36 ]
PROTON-2397: test fixes and extra test
> Update default client TLS defaults for verifying outbound connections to AMQP
> servers.
> --------------------------------------------------------------------------------------
>
> Key: PROTON-2397
> URL: https://issues.apache.org/jira/browse/PROTON-2397
> Project: Qpid Proton
> Issue Type: Improvement
> Components: cpp-binding, go-binding, proton-c, python-binding, ruby-binding
> Affects Versions: proton-c-0.34.0
> Reporter: Clifford Jansen
> Assignee: Clifford Jansen
> Priority: Major
> Fix For: proton-c-0.35.0
>
>
> Proton C and its associated bindings do not have consistent default client
> side TLS configuration. Proton libraries will be changed on a
> per-language/binding basis so that all clients verify the server's
> certificate and identifying name by default, i.e. to use
> PN_SSL_VERIFY_PEER_NAME unless the application takes steps to change the
> desired level of authentication.
> This default behaviour is required for the Proton libraries to be compliant
> with the TLS specification 1.3 (RFC 8446). Such compliance is obviously
> highly desirable now and will become mandatory in the future.
> C++ applications will not be affected (this is the existing default).
> C, Python, Ruby and Go applications that fully configure their client
> connections are also unaffected.
> Python programs that use MESSAGING_CONNECT_FILE (or the connect.json
> equivalent) are unaffected.
> Proton applications that do not make outbound connections are unaffected.
> All other applications may run into stricter verification policies that cause
> previously successful TLS negotiations to now fail. These applications will
> need to either:
> - explicitly downgrade the verification mechanism of outgoing connections to
> the old default (PN_SSL_ANONYMOUS_PEER)
> - update server certificates and/or client trusted root CAs as required to
> work in the full PN_SSL_VERIFY_PEER_NAME verification mode.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)