qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pavel Moravec (JIRA)" <j...@apache.org>
Subject [jira] [Created] (QPID-8095) ssl_skip_hostname_check behaves like having True as default
Date Mon, 05 Feb 2018 08:12:00 GMT
Pavel Moravec created QPID-8095:
-----------------------------------

             Summary: ssl_skip_hostname_check behaves like having True as default
                 Key: QPID-8095
                 URL: https://issues.apache.org/jira/browse/QPID-8095
             Project: Qpid
          Issue Type: Bug
          Components: Python Client
            Reporter: Pavel Moravec


Although python client connection option "ssl_skip_hostname_check" has default value False,
hostname verification is skipped when one does not specify this option. That means, the evaluation
logic of this option overrides the default to True.

 

Due to the option name and also the natural request to be more secure by default (and rather
weaken security only when specifically asked for), I suggest to change the evaluation logic
to stand with default False. I.e. when the option is not specified, SSL hostname check is
_not_ skipped / is performed.

 

Proposed patch:

 

 
{code:java}
--- /usr/lib/python2.7/site-packages/qpid/messaging/transports.py    2018-02-05 08:34:22.008242874
+0100
+++ /usr/lib/python2.7/site-packages/qpid/messaging/transports.py    2018-02-05 09:03:22.232313386
+0100
@@ -111,7 +111,7 @@ else:
 
       # if user manually set flag to false then require cert
       actual = getattr(conn, "_ssl_skip_hostname_check_actual", None)
-      if actual is not None and conn.ssl_skip_hostname_check is False:
+      if actual is not True:
         validate = CERT_REQUIRED
 
       self.tls = wrap_socket(self.socket, keyfile=conn.ssl_keyfile,
{code}
 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message