You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Justin Ross (JIRA)" <ji...@apache.org> on 2017/10/20 22:36:00 UTC
[jira] [Updated] (PROTON-161) SSL impl does not allow verification
of the peer's identity
[ https://issues.apache.org/jira/browse/PROTON-161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Ross updated PROTON-161:
-------------------------------
Labels: security (was: close-pending security)
> SSL impl does not allow verification of the peer's identity
> -----------------------------------------------------------
>
> Key: PROTON-161
> URL: https://issues.apache.org/jira/browse/PROTON-161
> Project: Qpid Proton
> Issue Type: Improvement
> Components: proton-j
> Affects Versions: 0.3
> Reporter: Ken Giusti
> Priority: Minor
> Labels: security
>
> The current SSL implementation validates the peer's certificate, and will not permit the connection to come up if the certificate is invalid.
> However - it does not provide a way to check if the peer's identity as provided in the certificate is the expected identity (eg, the same hostname used to set up the TCP connection). While a certificate may be valid (that is, signed by a CA trusted by the client), it may not belong to the intended destination.
> RFC2818 explains how this should be done - see section 3.1 Server Identity.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org