[
https://issues.apache.org/jira/browse/PROTON-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robbie Gemmell updated PROTON-2397:
-----------------------------------
Component/s: (was: cpp-binding)
> Update default client TLS defaults for verifying outbound connections to AMQP
> servers.
> --------------------------------------------------------------------------------------
>
> Key: PROTON-2397
> URL: https://issues.apache.org/jira/browse/PROTON-2397
> Project: Qpid Proton
> Issue Type: Improvement
> Components: go-binding, proton-c, python-binding, ruby-binding
> Affects Versions: proton-c-0.34.0
> Reporter: Clifford Jansen
> Assignee: Clifford Jansen
> Priority: Major
> Fix For: proton-c-0.35.0
>
>
> Proton C and its associated bindings do not have consistent default client
> side TLS configuration. Proton libraries will be changed on a
> per-language/binding basis so that all clients verify the server's
> certificate and identifying name by default, i.e. to use
> PN_SSL_VERIFY_PEER_NAME unless the application takes steps to change the
> desired level of authentication.
> This default behaviour is required for the Proton libraries to be compliant
> with the TLS specification 1.3 (RFC 8446). Such compliance is obviously
> highly desirable now and will become mandatory in the future.
> C++ applications will not be affected (this is the existing default).
> C, Python, Ruby and Go applications that fully configure their client
> connections are also unaffected.
> Python programs that use MESSAGING_CONNECT_FILE (or the connect.json
> equivalent) are unaffected.
> Proton applications that do not make outbound connections are unaffected.
> All other applications may run into stricter verification policies that cause
> previously successful TLS negotiations to now fail. These applications will
> need to either:
> - explicitly downgrade the verification mechanism of outgoing connections to
> the old default (PN_SSL_ANONYMOUS_PEER)
> - update server certificates and/or client trusted root CAs as required to
> work in the full PN_SSL_VERIFY_PEER_NAME verification mode.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)