[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15371319#comment-15371319 ]

ASF GitHub Bot commented on DISPATCH-401:

Github user asfgit closed the pull request at:

    https://github.com/apache/qpid-dispatch/pull/92

> qdstat and qdmanage client tools do not verify host name when using SSL
> ---
>
> Key: DISPATCH-401
> URL: https://issues.apache.org/jira/browse/DISPATCH-401
> Project: Qpid Dispatch
> Issue Type: Bug
> Components: Container
> Affects Versions: 0.6.0
> Reporter: Ganesh Murthy
> Assignee: Ganesh Murthy
>
> qdstat and qdmanage tools do not ensure that when initiating an SSL
> connection the host name in the URL to which qdstat and qdmanage connect to
> matches the host name in the digital certificate that the peer sends back as
> part of the SSL connection.
> Enable host name verification by default on qdstat and qdmanage. Add a
> command line option called --no-verify-host-name which allows the host name
> to not match. Add a warning to this command line option saying that it is
> insecure and should not be used in production environments.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)

To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

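The following is an added example, not code from this thread or from the Qpid Dispatch project. It uses Python's standard `ssl` and `optparse` modules as stand-ins for the tools' own TLS layer to show the behaviour the issue asks for: the peer name check is on by default, the `--ssl-disable-peer-name-verify` flag turns off only that check, and the match compares the host from the connection URL with the names in the certificate. The function names, the sample certificate and the wildcard policy are assumptions.

```python
import ssl
from optparse import OptionParser

# Constructed sample in the dict shape SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "router.example.test"),),),
    "subjectAltName": (("DNS", "router.example.test"),
                       ("DNS", "*.mesh.example.test")),
}


def build_parser():
    """Hypothetical parser; only the flag name is taken from the thread."""
    parser = OptionParser()
    parser.add_option("--ssl-disable-peer-name-verify", action="store_true",
                      default=False,
                      help="Disable peer name verification. Insecure, "
                           "do not use in production.")
    return parser


def client_context(opts):
    """Chain validation stays on; only the name check follows the flag."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.check_hostname = not opts.ssl_disable_peer_name_verify
    return ctx


def _name_match(pattern, host):
    """Match one certificate name; '*' is honoured only as the whole
    left-most label and never for patterns of fewer than three labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def peer_name_matches(cert, host):
    """True if the host from the connection URL is named in the certificate."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # When dNSName entries exist, the subject CN is not consulted.
        return any(_name_match(n, host) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _name_match(value, host):
                return True
    return False


def connect_allowed(cert, url_host, opts):
    """Reject on a name mismatch unless the operator disabled the check."""
    return opts.ssl_disable_peer_name_verify or peer_name_matches(cert, url_host)


if __name__ == "__main__":
    for argv in ([], ["--ssl-disable-peer-name-verify"]):
        opts, _ = build_parser().parse_args(argv)
        for host in ("router.example.test", "a.mesh.example.test",
                     "other.example.test"):
            print(argv, host, connect_allowed(SAMPLE_CERT, host, opts))
```
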
[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15371318#comment-15371318 ]

ASF subversion and git services commented on DISPATCH-401:

Commit d7dc541a4ed325548571b7aed4bbc8175dd3bf4b in qpid-dispatch's branch refs/heads/master from [~ganeshmurthy]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-dispatch.git;h=d7dc541 ]

DISPATCH-401 - Made qdstat and qdmanage verify peer name by default. Added new option --ssl-disable-peer-name-verify to disable peer name verification

[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15371135#comment-15371135 ]

ASF GitHub Bot commented on DISPATCH-401:

Github user ganeshmurthy closed the pull request at:

    https://github.com/apache/qpid-dispatch/pull/91

[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15371144#comment-15371144 ]

ASF GitHub Bot commented on DISPATCH-401:

GitHub user ganeshmurthy opened a pull request:

    https://github.com/apache/qpid-dispatch/pull/92

    DISPATCH-401 - Made qdstat and qdmanage verify peer name by default. …

    …Added new option --ssl-disable-peer-name-verify to disable peer name verification

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ganeshmurthy/qpid-dispatch DISPATCH-401-4

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/qpid-dispatch/pull/92.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #92

commit d7dc541a4ed325548571b7aed4bbc8175dd3bf4b
Author: Ganesh Murthy
Date: 2016-07-11T16:42:05Z

    DISPATCH-401 - Made qdstat and qdmanage verify peer name by default. Added new option --ssl-disable-peer-name-verify to disable peer name verification

[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15371127#comment-15371127 ]

ASF GitHub Bot commented on DISPATCH-401:

GitHub user ganeshmurthy opened a pull request:

    https://github.com/apache/qpid-dispatch/pull/91

    DISPATCH-401 - Made qdstat and qdmanage verify peer name by default. …

    …Added new option --ssl-disable-peer-name-verify to disable peer name verification

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ganeshmurthy/qpid-dispatch DISPATCH-401-3

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/qpid-dispatch/pull/91.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #91

commit 23729780d4907bebc0b6fcc528bb2a74542c69a5
Author: Ganesh Murthy
Date: 2016-07-11T16:42:05Z

    DISPATCH-401 - Made qdstat and qdmanage verify peer name by default. Added new option --ssl-disable-peer-name-verify to disable peer name verification

[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15370941#comment-15370941 ]

ASF GitHub Bot commented on DISPATCH-401:

Github user ganeshmurthy closed the pull request at:

    https://github.com/apache/qpid-dispatch/pull/84

[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15368223#comment-15368223 ]

ASF GitHub Bot commented on DISPATCH-401:

Github user ted-ross commented on a diff in the pull request:

    https://github.com/apache/qpid-dispatch/pull/84#discussion_r70125810

--- Diff: python/qpid_dispatch_internal/tools/command.py ---
@@ -83,6 +83,9 @@ def connection_options(options, title="Connection Options"): help="Trusted Certificate Authority Database file (PEM Format)") group.add_option("--ssl-password", action="store", type="string", metavar="PASSWORD", help="Certificate password, will be prompted if not specifed.") +group.add_option("--ssl-allow-peer-name-mismatch", action="store_true", default=False, + help="Verify the peer host name matches the certificate. Default true, " + "setting to false is insecure .") return group
--- End diff --

The name of this option seems inverted. Allowing a mismatch is insecure, no? How about "--ssl-verify-hostname"?

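Review bot: The help string on the added `--ssl-allow-peer-name-mismatch` option describes the opposite flag. The option is declared with `action="store_true", default=False` and, going by its name, switches the check off when passed, yet the help reads "Verify the peer host name matches the certificate. Default true, setting to false is insecure", which a user will read as "pass this to verify". Either reword the help to say that passing the flag disables peer name verification and is insecure, or keep the help and change the option to a positively named verify flag that defaults to true, so the text and the behaviour agree.
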
[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15346529#comment-15346529 ]

ASF GitHub Bot commented on DISPATCH-401:

GitHub user ganeshmurthy opened a pull request:

    https://github.com/apache/qpid-dispatch/pull/84

    DISPATCH-401 - Made qdstat and qdmanage verify host name by default. …

    …Added --ssl-allow-peer-name-mismatch to allow peer name mismatch

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ganeshmurthy/qpid-dispatch DISPATCH-401-2

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/qpid-dispatch/pull/84.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #84

commit 6752812bebb509642341d599efad7dfabd333d75
Author: Ganesh Murthy
Date: 2016-06-23T14:34:58Z

    DISPATCH-401 - Made qdstat and qdmanage verify host name by default. Added --ssl-allow-peer-name-mismatch to allow peer name mismatch

[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15344998#comment-15344998 ]

ASF GitHub Bot commented on DISPATCH-401:

Github user ganeshmurthy commented on the issue:

    https://github.com/apache/qpid-dispatch/pull/83

alanconway, @alanconway, if I understood correctly, to disable hostname verification, one must do the following -

    qdstat -c --verify-peer-name=false --ssl-trustfile=/home/gmurthy/opensource/dispatch/tests/config-2/ca-certificate.pem --ssl-certificate=/home/gmurthy/opensource/dispatch/tests/config-2/client-certificate.pem --ssl-key=/home/gmurthy/opensource/dispatch/tests/config-2/client-private-key.pem --ssl-password=client-password

[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15344999#comment-15344999 ]

ASF GitHub Bot commented on DISPATCH-401:

Github user ganeshmurthy closed the pull request at:

    https://github.com/apache/qpid-dispatch/pull/83

[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15344984#comment-15344984 ]

ASF GitHub Bot commented on DISPATCH-401:

Github user grs commented on a diff in the pull request:

    https://github.com/apache/qpid-dispatch/pull/83#discussion_r68114603

--- Diff: python/qpid_dispatch_internal/tools/command.py ---
@@ -83,6 +83,11 @@ def connection_options(options, title="Connection Options"): help="Trusted Certificate Authority Database file (PEM Format)") group.add_option("--ssl-password", action="store", type="string", metavar="PASSWORD", help="Certificate password, will be prompted if not specifed.") +group.add_option("--no-verify-host-name", action="store_true", default=False,
--- End diff --

Maybe add 'ssl' to the option also.

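Review bot: On the added `--no-verify-host-name` line, `action="store_true", default=False` with no `dest` makes optparse store the value as `options.no_verify_host_name`, so every caller has to negate it to decide whether to verify. Consider `dest="verify_host_name", action="store_false", default=True`, which spells out the secure default where the option is defined and hands the connection code a positive value. The visible hunk stops before the help text, so also confirm that the help carries the warning the issue asks for, that the option is insecure and not for production use.
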
[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15344979#comment-15344979 ]

ASF GitHub Bot commented on DISPATCH-401:

Github user alanconway commented on a diff in the pull request:

    https://github.com/apache/qpid-dispatch/pull/83#discussion_r68114202

--- Diff: python/qpid_dispatch_internal/tools/command.py ---
@@ -83,6 +83,11 @@ def connection_options(options, title="Connection Options"): help="Trusted Certificate Authority Database file (PEM Format)") group.add_option("--ssl-password", action="store", type="string", metavar="PASSWORD", help="Certificate password, will be prompted if not specifed.") +group.add_option("--no-verify-host-name", action="store_true", default=False,
--- End diff --

I'd suggest: --verify-peer-name type=bool, default=true. Bool options with negative names are confusing and "host" is a bit vague - peer is more clearly the _other_ host. Also the help text is very long, maybe "Verify the peer host name matches the certificate. Default true, setting to false is insecure ."

[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
[ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15344915#comment-15344915 ]

ASF GitHub Bot commented on DISPATCH-401:

GitHub user ganeshmurthy opened a pull request:

    https://github.com/apache/qpid-dispatch/pull/83

    DISPATCH-401 - Verified host name by default and added a --no-verify-…

    …host-name to disable host name verification

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ganeshmurthy/qpid-dispatch DISPATCH-401

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/qpid-dispatch/pull/83.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #83

commit 8ad0df8494eae79c6fc5ffac8ff12a71d932f08a
Author: Ganesh Murthy
Date: 2016-06-22T18:09:50Z

    DISPATCH-401 - Verified host name by default and added a --no-verify-host-name to disable host name verification