Posted to dev@qpid.apache.org by "Ken Giusti (JIRA)" <ji...@apache.org> on 2013/06/12 16:35:22 UTC

[jira] [Resolved] (QPID-4918) Python client does not enforce SSL certificate validation even if CAs configured

     [ https://issues.apache.org/jira/browse/QPID-4918?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ken Giusti resolved QPID-4918.
------------------------------

    Resolution: Fixed

The fix has been submitted:

http://svn.apache.org/viewvc?view=revision&revision=1460013

The fix includes validation of the common name included in the remote's certificate.  This is now turned on by default - turning it off opens the possibility for attack via a valid certificate issued to a non-trusted 3rd party.

A connection option to disable common name checking has been provided - from the patch:

+    @type ssl_skip_hostname_check: bool
+    @param ssl_skip_hostname_check: disable verification of hostname in
+    certificate. Use with caution - disabling hostname checking leaves you
+    vulnerable to Man-in-the-Middle attacks.
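Review bot: the @param text for ssl_skip_hostname_check does not state the default, so a reader of the docstring alone cannot tell that hostname checking stays on unless the option is set. Suggest adding the default to the description (the message above says checking is on by default, which would make it False) and saying what is compared, since the message describes the check as validation of the common name in the remote's certificate.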
                
> Python client does not enforce SSL certificate validation even if CAs configured
> --------------------------------------------------------------------------------
>
>                 Key: QPID-4918
>                 URL: https://issues.apache.org/jira/browse/QPID-4918
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Client
>    Affects Versions: 0.20
>            Reporter: Ken Giusti
>            Assignee: Ken Giusti
>            Priority: Blocker
>             Fix For: 0.22
>
>
> With SSL, the Python client allows the application to specify the trusted CAs that should be used to validate the remote broker's certificate.
> However, there is a bug in the implementation that does not enforce the validation.  This bug allows the SSL connection to be established even if the remote does not provide a valid certificate.
> This bug is a security risk.  The application has configured a CA to use to validate the remote, but that CA is silently ignored and the remote is allowed to connect without validation.  To the application, it appears as if the remote certificate has been verified and the remote has been authorized, when in fact that hasn't happened.
> A CVE has been created for this issue:  CVE-2013-1909

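The two failure modes described in this message (configured CAs that are never enforced, and a verified chain without a hostname check), as an added example that is not part of the original message or the Qpid client code. It uses Python 3's standard ssl module; make_context, audit_context and their parameters are hypothetical names.

```python
import ssl

UNVERIFIED_PEER = "peer certificate not required: configured CAs are never consulted"
HOSTNAME_UNCHECKED = "chain verified but hostname not checked: any cert from a trusted CA passes"

def make_context(cafile=None, require_cert=True, skip_hostname_check=False):
    """Build a client context (hypothetical helper, constructed for this example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts as CERT_REQUIRED + check_hostname
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # application-supplied trust anchors
    else:
        ctx.load_default_certs()                   # stand-in so the example runs offline
    if skip_hostname_check or not require_cert:
        ctx.check_hostname = False                 # must be cleared before lowering verify_mode
    if not require_cert:
        ctx.verify_mode = ssl.CERT_NONE            # CAs stay loaded but are silently unused
    return ctx

def audit_context(ctx):
    """Return the findings for a client context; an empty list means both checks are on."""
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        return [UNVERIFIED_PEER]                   # hostname check is moot without a verified cert
    if not ctx.check_hostname:
        return [HOSTNAME_UNCHECKED]
    return []

if __name__ == "__main__":
    cases = {
        "enforced": make_context(),
        "CAs loaded, not enforced": make_context(require_cert=False),
        "hostname check skipped": make_context(skip_hostname_check=True),
    }
    for name, ctx in cases.items():
        print(name, "->", audit_context(ctx) or "ok")
```

Running audit_context over the context a client actually connects with, rather than over its configuration, catches the case where trust anchors were supplied but the handshake never depended on them.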