qpid-proton mailing list archives

From "Rafael H. Schloming (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (PROTON-161) SSL impl does not allow verification of the peer's identity
Date Thu, 17 Oct 2013 18:18:44 GMT

     [ https://issues.apache.org/jira/browse/PROTON-161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rafael H. Schloming updated PROTON-161:

    Priority: Critical  (was: Blocker)

> SSL impl does not allow verification of the peer's identity
> -----------------------------------------------------------
>                 Key: PROTON-161
>                 URL: https://issues.apache.org/jira/browse/PROTON-161
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-j
>    Affects Versions: 0.3
>            Reporter: Ken Giusti
>            Assignee: Philip Harvey
>            Priority: Critical
>              Labels: security
> The current SSL implementation validates the peer's certificate, and will not permit the connection to come up if the certificate is invalid.
> However - it does not provide a way to check if the peer's identity as provided in the certificate is the expected identity (e.g., the same hostname used to set up the TCP connection). While a certificate may be valid (that is, signed by a CA trusted by the client), it may not belong to the intended destination.
> RFC2818 explains how this should be done - see section 3.1 Server Identity.

This message was sent by Atlassian JIRA
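
The identity check the issue asks for (RFC 2818 section 3.1), sketched in Java as an added example; it is not proton-j code and not part of the original message. The class and method names are hypothetical and the certificate names are constructed. It assumes the host is a DNS name rather than an IP address, and it restricts wildcards to the left-most label.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

// Added example: server identity check on names already extracted from a
// certificate whose chain has been validated against a trusted CA.
public class ServerIdentityCheck {

    // True if one certificate name (possibly with '*') matches the host.
    static boolean nameMatches(String pattern, String host) {
        String[] p = pattern.toLowerCase(Locale.ROOT).split("\\.", -1);
        String[] h = host.toLowerCase(Locale.ROOT).split("\\.", -1);
        if (p.length != h.length) return false;   // '*' never spans a dot
        for (int i = 0; i < p.length; i++) {
            boolean ok = (i == 0) ? labelMatches(p[i], h[i]) : p[i].equals(h[i]);
            if (!ok) return false;
        }
        return true;
    }

    // '*' stands for a whole label or a fragment of one ("f*" matches "foo").
    static boolean labelMatches(String p, String h) {
        int star = p.indexOf('*');
        if (star < 0) return p.equals(h);
        String prefix = p.substring(0, star), suffix = p.substring(star + 1);
        return h.length() >= prefix.length() + suffix.length()
                && h.startsWith(prefix) && h.endsWith(suffix);
    }

    // dNSName SANs are authoritative when present; the CN is only a fallback.
    static boolean identityMatches(String host, List<String> sanDnsNames, String commonName) {
        if (!sanDnsNames.isEmpty()) {
            for (String san : sanDnsNames) {
                if (nameMatches(san, host)) return true;
            }
            return false;
        }
        return commonName != null && nameMatches(commonName, host);
    }

    public static void main(String[] args) {
        // Constructed names standing in for the contents of a CA-signed certificate.
        List<String> san = Arrays.asList("broker.example.com", "*.amqp.example.com");
        List<String> none = Collections.emptyList();
        for (String host : new String[] {"broker.example.com", "node1.amqp.example.com",
                                         "a.b.amqp.example.com", "other.example.net"}) {
            System.out.println(host + " -> " + identityMatches(host, san, "other.example.net"));
        }
        System.out.println("CN fallback -> " + identityMatches("broker.example.com", none, "broker.example.com"));
    }
}
```

On Java 7 and later, JSSE performs this check itself during the handshake when the `SSLEngine` is created with the peer host and port and `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` is applied to it.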
