[ https://issues.apache.org/jira/browse/QPID-8095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Ross reassigned QPID-8095:
---------------------------------

    Assignee: Justin Ross

> ssl_skip_hostname_check behaves like having True as default
> -----------------------------------------------------------
>
>                 Key: QPID-8095
>                 URL: https://issues.apache.org/jira/browse/QPID-8095
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Client
>            Reporter: Pavel Moravec
>            Assignee: Justin Ross
>            Priority: Minor
>              Labels: easyfix, patch
>             Fix For: qpid-python-1.38.0
>
>
> Although python client connection option "ssl_skip_hostname_check" has
> default value False, hostname verification is skipped when one does not
> specify this option. That means, the evaluation logic of this option
> overrides the default to True.
>
> Due to the option name and also the natural request to be more secure by
> default (and rather weaken security only when specifically asked for), I
> suggest to change the evaluation logic to stand with default False. I.e. when
> the option is not specified, SSL hostname check is _not_ skipped / is
> performed.
>
> Proposed patch:
>
>
> {code:java} > --- /usr/lib/python2.7/site-packages/qpid/messaging/transports.py > 2018-02-05 08:34:22.008242874 +0100 > +++ /usr/lib/python2.7/site-packages/qpid/messaging/transports.py > 2018-02-05 09:03:22.232313386 +0100 > @@ -111,7 +111,7 @@ else: > > # if user manually set flag to false then require cert > actual = getattr(conn, "_ssl_skip_hostname_check_actual", None) > - if actual is not None and conn.ssl_skip_hostname_check is False: > + if actual is not True: > validate = CERT_REQUIRED > > self.tls = wrap_socket(self.socket, keyfile=conn.ssl_keyfile, > {code}

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
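
Review bot: The context comment directly above the changed condition ("if user manually set flag to false then require cert") no longer describes the new test `if actual is not True:`, which also selects CERT_REQUIRED when the option was never set and `actual` is None. Update the comment in the same patch, for example to say that the certificate is required unless the user explicitly set ssl_skip_hostname_check to True. Note also that `is not True` is an identity test, so a truthy non-bool value such as 1 stored in `_ssl_skip_hostname_check_actual` still ends in CERT_REQUIRED; that fails closed, but the option's documentation should say that only the boolean True disables the check. Because clients that omit the option will now get validation where they previously did not, the behaviour change should be called out in the release notes for the fix version.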