qpid-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL
Date Fri, 08 Jul 2016 19:11:11 GMT

    [ https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15368223#comment-15368223

ASF GitHub Bot commented on DISPATCH-401:

Github user ted-ross commented on a diff in the pull request:

    --- Diff: python/qpid_dispatch_internal/tools/command.py ---
    @@ -83,6 +83,9 @@ def connection_options(options, title="Connection Options"):
                          help="Trusted Certificate Authority Database file (PEM Format)")
         group.add_option("--ssl-password", action="store", type="string", metavar="PASSWORD",
                          help="Certificate password, will be prompted if not specifed.")
    +    group.add_option("--ssl-allow-peer-name-mismatch", action="store_true", default=False,
    +                     help="Verify the peer host name matches the certificate. Default
true, "
    +                          "setting to false is insecure .")
         return group
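Review bot: The help text on the new --ssl-allow-peer-name-mismatch option describes the opposite setting from the flag itself: the option is a store_true that defaults to False, yet its help reads "Verify the peer host name matches the certificate. Default true, setting to false is insecure", which is the wording for a verify flag, not an allow-mismatch flag. Either keep the allow-mismatch name and reword the help to say that passing the option disables host name verification and is insecure, or rename the option to match the help; the stray space in "insecure ." should go as well. Since the hunk only registers the option, also confirm that its value is actually consulted where the SSL connection is configured, otherwise the default-on verification the ticket asks for is not enforced.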
    --- End diff --
    The name of this option seems inverted.  Allowing a mismatch is insecure, no?  How about

> qdstat and qdmanage client tools do not verify host name when using SSL
> -----------------------------------------------------------------------
>                 Key: DISPATCH-401
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-401
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Container
>    Affects Versions: 0.6.0
>            Reporter: Ganesh Murthy
>            Assignee: Ganesh Murthy
> qdstat and qdmanage tools do not ensure that when initiating an SSL connection the host
> name in the URL to which qdstat and qdmanage connect to matches the host name in the digital
> certificate that the peer sends back as part of the SSL connection.
> Enable host name verification by default on qdstat and qdmanage. Add a command line option
> called --no-verify-host-name which allows the host name to not match. Add a warning to this
> command line option saying that it is insecure and should not be used in production environments.
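As an added example, not code from the pull request or from Qpid Dispatch itself, the following Python sketches the two halves of the fix the ticket asks for: a client TLS context that verifies the peer name unless the operator explicitly opts out (the option name is borrowed from the diff under review), and the name-matching rule a client must apply to the certificate the peer presents, in the dict shape Python's `getpeercert()` returns. The certificate contents are constructed for the example.

```python
import ssl
import warnings

def make_client_context(ca_file=None, allow_peer_name_mismatch=False):
    """Client-side SSLContext for a qdstat/qdmanage-style tool (constructed example).

    The peer certificate is always required and chained to a trusted CA; host
    name checking is on by default and is only switched off by an explicit
    opt-in, which is the insecure setting the ticket says must carry a warning.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + check_hostname
    if allow_peer_name_mismatch:
        warnings.warn("host name verification disabled: insecure, not for production use")
        ctx.check_hostname = False
    return ctx

def host_matches_cert(hostname, cert):
    """Does `hostname` match a certificate as returned by SSLSocket.getpeercert()?

    subjectAltName dNSName entries are authoritative; the subject commonName is
    consulted only when the certificate carries no dNSName at all.
    """
    host = hostname.lower().rstrip(".").split(".")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            # A wildcard is honoured only as the whole leftmost label and never for
            # a bare registrable domain such as "*.com" (RFC 6125 section 6.4.3).
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif "*" not in name and labels == host:
            return True
    return False

# Constructed peer certificate: a CN that does not match the SAN entries, to show
# that the CN is ignored once dNSName entries are present.
SAMPLE_CERT = {
    "subject": ((("commonName", "old.example.net"),),),
    "subjectAltName": (("DNS", "broker.example.com"), ("DNS", "*.svc.example.com")),
}

if __name__ == "__main__":
    print(make_client_context().check_hostname)                    # True by default
    print(host_matches_cert("broker.example.com", SAMPLE_CERT))    # True
    print(host_matches_cert("old.example.net", SAMPLE_CERT))       # False: CN ignored
```

The `ssl` module performs the same check itself when `check_hostname` is left on; `host_matches_cert` spells out what that check requires so the "allow mismatch" option is understood as exactly the verification being skipped.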

This message was sent by Atlassian JIRA
