I want to make QPID-5960 "ssl_verify_hostname should default to true rather than false" visible on the users list. This proposed change affects the Java Client (0-10.0-8) only.
The intention is to change the default for the ssl_verify_hostname broker list option [1] from false to true for the next release (0.30). This means that the Java client will always validate the server's identity as presented in the server's Certificate message in order to prevent man-in-the-middle attacks. This change is made in order to be secure by default.

Users wishing for the old behaviour will be able to revert by simply adding ssl_verify_hostname='false' to the connection url.

Comments welcome.

Keith.

[1] http://qpid.apache.org/releases/qpid-trunk/programming/book/QpidJNDI.html#idm233123779008

---------- Forwarded message ----------
From: Keith Wall (JIRA) <[email protected]>
Date: 4 August 2014 17:36
Subject: [jira] [Created] (QPID-5960) ssl_verify_hostname should default to true rather than false
To: [email protected]

Keith Wall created QPID-5960:
--------------------------------

Summary: ssl_verify_hostname should default to true rather than false
Key: QPID-5960
URL: https://issues.apache.org/jira/browse/QPID-5960
Project: Qpid
Issue Type: Improvement
Components: Java Client
Reporter: Keith Wall
Fix For: 0.29

The Java Client's connection url option ssl_verify_hostname has traditionally defaulted to false, meaning that during the SSL negotiation the Java client ignores hostname errors. This is weak: by default the client should validate the hostname. Users should be forced to turn host name verification off if desired.

I believe this will also bring the behaviour of the Java client in line with the CPP client (QPID-5841).

--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
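The following is an added example and not part of the mail above or of the Qpid code base. It audits Java-client connection URLs for brokers that use SSL but would not verify the server hostname, which is the practical question behind this change: under the pre-0.30 default, any broker entry with ssl='true' and no explicit ssl_verify_hostname='true' accepts a certificate for any subject. The URL syntax assumed is the documented JNDI form (options as key='value', a brokerlist='...' whose ';'-separated broker URLs carry their own quoted options nested inside the outer quotes); the host names and URLs are constructed for the example, and the function and constant names are the example's own.

```python
"""Audit Qpid Java client connection URLs for SSL brokers without hostname
verification.  Added example, not the project's code; it assumes the
documented connection URL syntax with one level of nested quoting."""
from typing import Dict, List, Tuple

# Default of ssl_verify_hostname before the change proposed in QPID-5960.
OLD_DEFAULT_VERIFY_HOSTNAME = False
# Default proposed for 0.30.
NEW_DEFAULT_VERIFY_HOSTNAME = True


def _extract_brokerlist(url: str) -> str:
    """Return the raw brokerlist value, handling the nested single quotes of
    the inner broker options (ssl='true' etc.)."""
    marker = "brokerlist='"
    start = url.find(marker)
    if start < 0:
        raise ValueError("no brokerlist option in connection URL")
    begin = start + len(marker)
    quotes_seen = 0  # inner option values always use paired quotes
    for pos in range(begin, len(url)):
        if url[pos] != "'":
            continue
        quotes_seen += 1
        nxt = url[pos + 1] if pos + 1 < len(url) else ""
        # The outer closing quote is the first unpaired quote that is followed
        # by another top-level option ('&') or by the end of the URL.
        if quotes_seen % 2 == 1 and nxt in ("&", ""):
            return url[begin:pos]
    raise ValueError("unterminated brokerlist option")


def _parse_options(query: str) -> Dict[str, str]:
    """Parse key='value'&key='value' into a dict (quotes stripped, keys
    lower-cased)."""
    opts: Dict[str, str] = {}
    for part in filter(None, query.split("&")):
        key, _, value = part.partition("=")
        opts[key.strip().lower()] = value.strip().strip("'")
    return opts


def parse_brokers(url: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split the brokerlist into (broker address, options) pairs."""
    brokers = []
    for entry in _extract_brokerlist(url).split(";"):
        address, _, query = entry.partition("?")
        brokers.append((address, _parse_options(query)))
    return brokers


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def audit_url(url: str, default_verify_hostname: bool) -> List[str]:
    """Return the addresses of brokers that use SSL but whose effective
    ssl_verify_hostname setting is false: the client would accept a
    certificate for any subject, so a man-in-the-middle goes unnoticed."""
    exposed = []
    for address, opts in parse_brokers(url):
        if not _is_true(opts.get("ssl", "false")):
            continue  # plaintext broker: hostname verification does not apply
        if "ssl_verify_hostname" in opts:
            verifies = _is_true(opts["ssl_verify_hostname"])
        else:
            verifies = default_verify_hostname  # option absent: client default
        if not verifies:
            exposed.append(address)
    return exposed


# Constructed sample URLs (not taken from the mail).  The first relies on the
# client default, the second sets the option explicitly, the third opts out
# on one broker and mixes in a plaintext broker and a top-level option.
URL_IMPLICIT = ("amqp://guest:guest@clientid/test?"
                "brokerlist='tcp://broker.example.com:5671?ssl='true''")
URL_EXPLICIT = ("amqp://guest:guest@clientid/test?"
                "brokerlist='tcp://broker.example.com:5671?ssl='true'"
                "&ssl_verify_hostname='true''")
URL_OPT_OUT = ("amqp://guest:guest@clientid/test?"
               "brokerlist='tcp://broker.example.com:5671?ssl='true'"
               "&ssl_verify_hostname='false';tcp://backup.example.com:5672'"
               "&failover='roundrobin'")

if __name__ == "__main__":
    for name, url in [("implicit", URL_IMPLICIT), ("explicit", URL_EXPLICIT),
                      ("opt-out", URL_OPT_OUT)]:
        print(name, "old default:", audit_url(url, OLD_DEFAULT_VERIFY_HOSTNAME),
              "new default:", audit_url(url, NEW_DEFAULT_VERIFY_HOSTNAME))
```

Run over a deployment's JNDI properties files with the old default, the audit lists every SSL broker entry that silently relied on ssl_verify_hostname defaulting to false; with the new default only entries carrying an explicit ssl_verify_hostname='false' remain, which is exactly the opt-out the mail describes.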
