We might also want to improve out hostname verification code a bit (e.g. to support wildcard certificates). Perhaps this might help: https://svn.apache.org/repos/asf/synapse/branches/1.0/modules/nhttp/src/org/apache/axis2/transport/nhttp/HostnameVerifier.java
-- Rob On 6 August 2014 12:27, Robbie Gemmell <[email protected]> wrote: > Kieths original proposal and Robs subsequent suggestion both seem sensible > to me. > > Robbie > > On 5 August 2014 23:47, Rob Godfrey <[email protected]> wrote: > > > I strongly support the change - we should be secure by default. > > > > For convenience for those upgrading from earlier versions, would it make > > sense to add a system property to be able to set the global default, in > > addition to the existing ability to set at the individual connection > level? > > In this way those who do not want to have to edit a number of connection > > URLs could simply set a system property to restore the previous (broken) > > behaviour. > > > > -- Rob > > > > > > On 6 August 2014 00:11, Keith W <[email protected]> wrote: > > > > > I want to make QPID-5960 "ssl_verify_hostname should default to true > > > rather than false" visible on the users list. This proposed change > > > affects the Java Client (0-10.0-8) only. > > > > > > The intention is to change the default for the ssl_verify_hostname > > > broker list option [1] from false to true for the next release (0.30). > > > This means that the Java client will always validate the the server's > > > identity as presented in the server's Certificate message in order to > > > prevent man-in-the-middle attacks. This change is made in order to be > > > secure by default. > > > > > > Users wishing for the old behaviour, will be to revert by simply > > > adding the ssl_verify_hostname='false' to the connection url. > > > > > > Comments welcome. > > > > > > Keith. > > > > > > [1] > > > > > > http://qpid.apache.org/releases/qpid-trunk/programming/book/QpidJNDI.html#idm233123779008 > > > > > > > > > > > > ---------- Forwarded message ---------- > > > From: Keith Wall (JIRA) <[email protected]> > > > Date: 4 August 2014 17:36 > > > Subject: [jira] [Created] (QPID-5960) ssl_verify_hostname should > > > default to true rather than false > > > To: [email protected] > > > > > > > > > Keith Wall created QPID-5960: > > > -------------------------------- > > > > > > Summary: ssl_verify_hostname should default to true > > > rather than false > > > Key: QPID-5960 > > > URL: https://issues.apache.org/jira/browse/QPID-5960 > > > Project: Qpid > > > Issue Type: Improvement > > > Components: Java Client > > > Reporter: Keith Wall > > > Fix For: 0.29 > > > > > > > > > The Java Client's connection url option ssl_verify_hostname has > > > traditionally defaulted to false meaning that during the SSL > > > negotiation the Java client ignores hostname errors. This is weak: > > > by default the client should validate the hostname. If users should > > > be forced to turn host name verification off if desired. > > > > > > I believe this will also bring the behaviour of the Java client in > > > line with the CPP client (QPID-5841) > > > > > > > > > > > > > > > > > > > > > > > > -- > > > This message was sent by Atlassian JIRA > > > (v6.2#6252) > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: [email protected] > > > For additional commands, e-mail: [email protected] > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: [email protected] > > > For additional commands, e-mail: [email protected] > > > > > > > > >
